I won't reach the subnet

gusto

I need to reach 192.168.10.0/24 from LAN (192.168.1.0/24).
On pfSense

System --> Routing --> Gateways +Add

System --> Routing --> Static Routes +Add

I'll try ping from PC 192.168.1.1 to 192.168.10.1

ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
From 192.168.1.1: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.156)
From 192.168.1.1: icmp_seq=295 Redirect Host(New nexthop: 192.168.1.156)
From 192.168.1.1: icmp_seq=321 Redirect Host(New nexthop: 192.168.1.156)

Where am I making a mistake?

Gertjan

@gusto said in I won't reach the subnet:

Where am I making a mistake?

Why would you want to introduce a 192.168.10.x/24 behind pfSense ?
Instead using the WAN interact on your ASUS? use a LAN plug.
Now you've created a router after router setup.

I presume you want to use the Wifi capabilities of the ASUS, and in that case, the DNS/DHCP/firewall.routing/etc. should be turned of on the ASUS.

Btw :

Static routing : https://docs.netgate.com/pfsense/en/latest/routing/static.html#managing-static-routes
Looks like you've did what needs to be done.
That is : on the pfSense side.

You should add a description here :

Now you can select a gateway on the static route edit page.

But : again : the asus is a router, and probably also a firewall : it blacks everything that comes into it's WAN interface. Now you have to add firewall rules, NAT rules etc.

gusto

@gertjan
I just want to learn how routing works.
it was necessary to turn off the firewall in asus and ping to subnet 192.168.10.0/24 worked.

johnpoz

@gusto Lets take any firewall or natting out the equation for your downstream asus router.

Your still asymmetrical.. So yeah your going to get
From 192.168.1.1: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.156)

To not be asymmetrical you need to use a transit network. between your routers. A transit network is a network that connects routers that has no hosts on it. In your scenario you 192.168.1.2 device would need a route on it saying hey to get to 192.168.10/24 talk to 192.168.1.156

gusto

@johnpoz said in I won't reach the subnet:

@gusto Lets take any firewall or natting out the equation for your downstream asus router.

Your still asymmetrical.. So yeah your going to get
From 192.168.1.1: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.156)

To not be asymmetrical you need to use a transit network. between your routers. A transit network is a network that connects routers that has no hosts on it. In your scenario you 192.168.1.2 device would need a route on it saying hey to get to 192.168.10/24 talk to 192.168.1.156

I don't know if I understand that well.
In my case, I don't need to do routing?
How do I get from 192.168.1.2 to 192.168.10.0/24?

johnpoz

@gusto from your drawing.. Your downstream router almost promise you is doing natting, so you would need to setup a port forward on it, and access the services via the 1.156 IP that it would forward behind it.

If it was routing, then you would need a host route on your device on the 192.168.1 network.

gusto

@johnpoz
I understand
When I was looking for static routing information, I found this guide.
Scenario 1
I think it's also better to use NAT than routing in this case.

?

johnpoz

@gusto their scenario is crap.. And again asymmetrical, should never be setup that way ever in the first place. And if it was - then you would create the route on the client on how to get to that 172.30.30 network.

Gertjan

I still didn't see the reason why the ASUS must be a router.
Convert it onto a real AP, and all your issues are gone.
No more need to define routs, no need for NAT.
Just stop using the WAN port - hook up pfsense to a LAN port. Define the gateway in the router as the IP of the LAN interface of pfSense, shut down DHCP, firewall, DNS etc and done.

gusto

@gertjan
Now I understand the routing.
Routing is applied if there are 2 or more routers on the path.
I just wanted to learn more about routing, so I set the device to router mode and not AP.

johnpoz

@gusto said in I won't reach the subnet:

Routing is applied if there are 2 or more routers on the path.

Routing is way more than that.. What you were doing is not really routing, its a icmp redirection by 1 router.. Its a work around fix when you want to tell a client where to go to get somewhere, but you can not actually route on the client.

What they show in that example you linked to is just crap, it really should never be setup that way.. While icmp redirection can work, not always. You need to make sure the client will actually accept them and leverage them, and then they will only be used for some specific amount of time, there is a cache set for the length of this "temp" route on the host, etc.

They show such an example because their soho router can not really do multiple networks/vlans that would allow for proper routing.

edit: If you want your wifi on a different network and you want to route from pfsense lan to this new network, then as mentioned used that device as a AP and just connect it to another interface on pfsense on a different network.. Now pfsense is routing between these networks.

If you want to play with routing, then use another pfsense box, or something that can actually do routing where you can setup transit networks, etc.. So your not asymmetrical and do not have to use icmp redirection to tell a client where to go to get somewhere..

gusto

@johnpoz
This procedure takes a bit to look like this.

johnpoz

@gusto again what they are showing is a horrible example of working with their limited devices.

That first link goes over what you can do to get around using asymmetrical routing, but asymmetrical should not be something you would actually setup on purpose..

If your wanting to learn about routing - I sure wouldn't start with what amounts to a shit show ;)

Your downstream router should use a transit network to connect to the upstream router.

Here is a diagram that should help with doing routing on pfsense for multiple network, and adding a downstream router into the mix.