@kiokoman said in Do I need a static router for my network?:

ndeed you need a static route to the wireless router

No not really, but if was going to create routes to the network behind the router, he would need to do it on all the hosts on his lan network

Or he is going to run into asymmetrical traffic..

I really don't see the point of letting that old access point do any nat.. Just use it as an AP and put it on another segment on your pfsense be it physical or vlan..

Running some downstream nat router is just going to be problematic.. And there is no rules you could do on pfsense to stop these clients connected to that wifi router from talking to anything on pfsense lan.. That would have to be done on that router, and guest normally stop wifi from talking to the wifi lan, but not its wan, etc..

You be much better off just doing it correctly via another segment on pfsense and using it as just an AP.. Or if your not actually worried about communication between lan and your wifi, then just use it as AP and put on the same pfsense lan network.

@andres-asm as a follow-up, while at the beginning what I did was bridge two virtual ethernet interfaces so I could give my internal VMs public IP addresses, I ended up switching to virtual IPs attached to the wan interface and 1:1 NAT.

But I get it, clients usually don't want to deal with NAT.

@Happydog
Having multiple interfaces within the same subnet is not a supported setup and makes not sense at all.

You can assign additional IP addresses as virtual (IP alias or Proxy ARP) to a single interface, however.

All Ports of the 2100 are 1G, if you want 10G you need a 6100, who are two 10G Ports.

@viragomann

Yes... thought so .. Guess it will have to come to that after all...
Thanks !

@viragomann

Arg!!! this is a client routing "issue"

With route in local route table on RHEL host to the gateway of subint:

ash-4.4# ip route add 9.9.9.9/32 via 192.168.20.1 ash-4.4# ip route get 9.9.9.9 from 192.168.20.100 9.9.9.9 from 192.168.20.100 via 192.168.20.1 dev bond0.20 cache ash-4.4# ping -I bond0.20 9.9.9.9 PING 9.9.9.9 (9.9.9.9) from 192.168.20.100 bond0.20: 56(84) bytes of data. 64 bytes from 9.9.9.9: icmp_seq=1 ttl=50 time=19.7 ms 64 bytes from 9.9.9.9: icmp_seq=2 ttl=50 time=17.9 ms 64 bytes from 9.9.9.9: icmp_seq=3 ttl=50 time=21.0 ms ^C --- 9.9.9.9 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 5ms rtt min/avg/max/mdev = 17.911/19.525/21.007/1.277 ms

without route in local route table on RHEL host to the gateway on the subint:

ash-4.4# ip route delete 9.9.9.9/32 via 192.168.20.1 ash-4.4# ip route get 9.9.9.9 from 192.168.20.100 9.9.9.9 from 192.168.20.100 via 192.168.1.1 dev bond0.1 cache ash-4.4# ping -I bond0.20 9.9.9.9 PING 9.9.9.9 (9.9.9.9) from 192.168.20.100 bond0.20: 56(84) bytes of data. ^C --- 9.9.9.9 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1ms

Now to tshoot in that direction.

Thanks!

@johnpoz I did go thorough port forward method. Initially i believed that setting the specific networks (172.x.x.x, 192.x.x.x, etc), in Virtual IPs, would be the only thing i need to do.
My first NTP server ran CHRONY but for some reason it was not able to provide time to the embedded linux devices. My Windows computer synced pretty fast.
Now, I switched to NTP daemon under Ubuntu. All embeded linux devices are syncing.
I also disabled the port forward and... the devices sync. Maybe it was because of the Ubuntu minimal server that i use.
The test device is not running firewall so i would pin point to the NTP server.

Guys, sorry for this but i am new in this area... Thank you for guiding and having patience with me. I'll test more tomorrow and if i can get away with networks defined in Virtual IPs, this is the best solution that i need.

Thank you, once again !
Best regards,
J.

@identitypaul Answering my own question, after many days of battling with this...

Resetting the state table fixed it instantly.

@hyperman35 Now I do remember what you shouldn't do, maybe this helps. Don't put any upstream gateway on the interface tab, it has to be None there for multiple gateways.

@Cool_Corona there’s this: https://docs.netgate.com/pfsense/en/latest/network/ipv6/nat.html

@gjaltemba
On the ISP router there should be an option to set pfSense WAN as "exposed host" or DMZ, so that all incoming traffic is forwarded to it.

Ensure that the router does not masquerading on forwarded traffic.

Hi @keyser,

Thanks for taking the time to reply.

That is technically also better network design

Yeah, that's the conclusion I came to after I figured it out and implemented it :) I'm a bit disappointed I hadn't figured it out before I originally posted.

But you could have made it work by simply enabling the bullet called “Static Route Filtering” in SYSTEM -> ADVANCED -> Advanced Options on A1 and B1.
That makes pfsense stop firewalling packet received on LAN that should be rerouted to A2/B2

I did try that as part of my troubleshooting prior to posting.. it was mentioned in my paragraph which starts My research suggests the route cause of this will almost certainly be something to do with asymmetric routing.... For reasons I don't understand it didn't have the desired effect.

With the benefit of hindsight I do believe some sort of firewalling that the root cause of my problem, because when I was migrating the configuration to what I've outlined in my second post I noticed some blocked traffic in the logs. I had however decided by that point that the configuration I was moving towards was a better solution and decided not to investigate further why the original configuration didn't work as expected.

I hope this post someone else in the future.

Thanks

Steve

@viragomann I disabled this and now everything works. I fail to really understand what is the point of this rule.

24871e26-cf50-408b-97dd-d2cf66025b92-image.png

@johnpoz said in ISP handed me a block of IP's confused as how to configure as worded:

He would be better off buying a 20$ gig switch and using that vs software bridging on his "router"..

on that we can maybe agree. would need to see actual throughput comparison though. i doubt it's material enough (if at all) to justify another piece of hardware. perfectly capable XG-1537 OP is working with here.

You know what kluge is, trying to leverage discrete interfaces as switch ports via software bridge..

subnetting for the sake of subnetting certainly strikes as inelegant. bridging would allow all "LAN" interfaces to exist on the single 71.100.8.232/29 subnet.

and as to your shot earlier about whether i need "separate" defined for me—you gotta think bigger picture, John. what do you think is gonna be on the inside of each UDM?

kluge

*kludge. i didn't make this word up.

@viragomann Thank you very much, such small detail and I just couldn't see it.
I was allowing only the SVI for that vlan not the whole subnet.

Have a wonderful christmas and a happy new year sir!