I had it configured correctly.
So correct FW rules and outbound NAT (SNAT) disabled.
The problem was on the Cisco router, where the network guys forgot to allow my traffic (even when they say they did, well, double-check) :)
@awebster said in Routing from LAN to WAN Upstream Gateway not working:
Now my brain has melted. However, on johnPOZ's suggestion I've now got VyOS running, relaying DHCP correctly and allowing bi-directional comms between my two test subnets, and from both subnets to the downstream gateway and on to the web.
I thank you for your help. Even if the result was to point me at another product to try :-)
Not effectively. LACP only load balances based on the source and destination MACs, which will always be the upstream gateway going to the LAGG interface on the firewall. So you can have failover, but not bonded bandwidth. You'll need a 10G interface on the firewall (or, I suppose a 2.5G interface and compatible switch...)
@azmodeuz said in Routing 2 Router LANs under a Third Router:
Firewall Rules > LAN:
PASS - Source: LAN NET - Destination: 192.168.8.0/24 - Gateway: 192.168.88.7
No. You need to pass sources 192.168.2.0/24 and 192.168.3.0/24 into LAN. Do NOT set a gateway on those rules.
Imagine yourself sitting in one of the routers. You say "I have a packet for 192.168.X.X. What next hop do I need to send it to? Consult my routing table. I have a route for 192.168.X.X - I send that traffic to next-hop Y.Y.Y.Y (the route's gateway)."
If you are unfamiliar with all of this why are you making it so complicated?
Please get it working with one then move to the second. Far less to look at and communicate.
What is the point of this? You're wanting to load share to 2 different VPN connections off the same physical interface? And the same TUN interface as well?
I have no clue what the use case is here... What is the point of the complexity - what does it get you? You're worried that r44 or r45 go down? What is the point of the load sharing across the connection..
NHRP - with just the 2 connections.. With GRE and IPsec involved as well??
Is this some sort of class work - seems like nonsense waste of time, I see no real world application here. And down the rabbit hole we go...
I have (hopefully) solved my immediate problem by marking the Tier 2 gateway in the group that we use most as "Disable Gateway Monitoring Action" so that if the Tier 1 gateway is down pfSense will never take the Tier 2 gateway down. This should be fine for our most used gateway group but it is inappropriate for other groups that we occasionally use. If/when we switch to using another gateway group I'll have to remember and change that setting on that gateway.
It seems to me that the various monitoring and threshold settings should be defined in the gateway group and would override those on the gateway, when the gateway is used as part of a group. That would allow me to configure each group as it makes sense and then switch between them with ease.
Sounds like you have an asymmetrical mess if your gateway is going to be out your LAN interface. Why don't you draw up your network and point out exactly what you're trying to do..
Option: Use non-local gateway through interface specific route
How is it you would be hitting a "gateway" that is not on the same network?
On pfSense02 you have to remove the check at "Block private networks" in the WAN interface settings, since the WAN net you want to provide access is a private address range.
Additionally you have to add a route on the 172.10.10.x network devices for the 192.168.10.x network pointing to 22.214.171.124. You may do this via DHCP.
Further you have to add a firewall rule on pfSense02 to the WAN interface to allow the wanted access.
Assuming you still have the default allow-any rule on the LAN interface in place.
@kpa said in Routing table with policy-based routing:
It's more like that the routing process uses information tagged on to the packets traversing the system to detect if a set of packets need special handling and bypasses the normal routing table when it sees those special tags. The firewall rules that match the incoming traffic apply these special tags to the incoming packets.
Gotcha, that makes more sense. Thanks for the explanation!
If I understand you correctly, you want users hitting the external link to be directed to the internal.
This is usually handled by a DNS service.
In pfSense if you are using the DNS Resolver, a host override should suffice.
Services -> DNS Resolver -> General Settings -> Host Overrides -> Add
IP Address: 192.168.88.88
Description: my site override
Of course this will redirect not only that page or site over http, but any request to that host, including https and any other protocol trying to reach that host name.
With the above info from you I contacted the ISP again and it's finally clear... I did indeed have to set up LACP (LAGG) on OPT3 and OPT4, and all is working now in my test environment.
They do the VRRP on their side and just bring 2 cables to our rack (aggregation and redundancy in case of cable problems). So problem solved thanks to your help!
Highly appreciated @Derelict !
@kpa said in Domain/hostname based routing?:
All correct but the document makes no mention of policy based routing on the outgoing direction which is not possible in pfSense, normal rules or floating rules. PBR on the inbound direction works just fine with floating rules just like it does with normal rules.
Oh I just assume that PBR is just a firewall action like pass/drop so if you can apply firewall you can PBR. Looks like things are a bit more complex.
Anyway, if Proxy2 is set up on a dedicated VM instead of pfSense then it should work? It might be a bit too complicated though.
@gr1pen said in OpenVPN routing issue?:
After comparing these two setups I found that pfSense seems to create a "client to server" config and not a "site to site" config when selecting "Peer to peer (SSL/TLS)" in the GUI. I have tried to recreate it and confirmed this...
Not a bug. As @kpa mentioned it creates a site-to-multi-site configuration by default in SSL/TLS mode.
If you want a basic site-to-site config with SSL/TLS you can do that, but you must manually define a tunnel network that has a /30 subnet mask so that it only includes two endpoints (pfSense and VyOS in this case).
Not sure if I'm supposed to manually create an SA for the bearer traffic (between 192.168.0.0/22 and 192.168.255.0/24) to go along with the SA I created between the BGP peer IPs?
I noticed I was not getting any encrypted traffic out my WAN interface when trying to ping from 192.168.0.0/22 to 192.168.255.0/24, so I did add an additional SA between 192.168.0.0/22 and 192.168.255.0/24 in pfSense, and now I do see encrypted traffic when I ping, but still no routes in netstat -nr, so this leaves me a bit concerned as to whether or not I'll have good BGP routing resilience in the first place...
No problem, glad you got it sorted.. See how short threads can be when a decent amount of info and a drawing showing how everything is connected are given ;)
Wish more posts were like yours for detailed information when asking for help.