Route from pfSense to GL.iNet Slate not working
-
I'm pulling my hair out because I can't figure it out.
I have the WAN from a GL.iNet Slate connected to my switch and the WAN is getting the IP 10.143.130.4/23 from the pfSense DHCP server.
The LAN IP of the Slate is 10.143.150.1/24.
pfSense is 10.143.130.0/23
I can't reach a website (10.143.150.2:8000) on an RPi that is connected to the Slate and I can't open the Slate's admin panel from my Workstation PC.
I did enable "Bypass firewall rules for traffic on the same interface" and this:
It was not possible to ping the RPi (10.143.150.2) until I also did set Gateway to "LISA_ROUTER" in the firewall rules.
Is it needed? Because it's not mentioned here:
https://docs.netgate.com/pfsense/en/latest/routing/static.html
I also tried port forward and DMZ on the Slate.
What am I missing? -
@mrglasspoole said in Route from pfSense to GL.iNet Slate not working:
I have the WAN from a GL.iNet Slate connected to my switch and the WAN is getting the IP 10.143.130.4/23 from the pfSense DHCP server.
What??
The Slate is your upstream gateway?
It was not possible to ping the RPi (10.143.150.2) until I also did set Gateway to "LISA_ROUTER" in the firewall rules.
Is it needed?
No. Since you did already set a static route to this network pointing to the gateway, the policy route to the same gateway should change nothing.
-
@viragomann said in Route from pfSense to GL.iNet Slate not working:
What??
The Slate is your upstream gateway?
I don't know what upstream gateway means and how to explain it simpler.
-
@mrglasspoole said in Route from pfSense to GL.iNet Slate not working:
I don't know what upstream gateway means
The internet / WAN gateway on pfSense.
Since you've hidden the gateway IPs, I assume they are public?
This line is absolutely unclear:
I have the WAN from a GL.iNet Slate connected to my switch and the WAN is getting the IP 10.143.130.4/23 from the pfSense DHCP server.
And the screenshot doesn't make it better at all.
According to your screenshots, the IP 10.143.130.4 is assigned to the LISA_Router (whatever the sense of it is) and hence cannot be pfSense WAN.
Please clarify and maybe you can post a network map for better understanding your setup. -
LISA_Router is my car router.
Sure the pfSense WAN is internet. -
@mrglasspoole
Ok, that's clear now so far.
The term "WAN" for the Slate confused me.
It was not possible to ping the RPi (10.143.150.2) until I also did set Gateway to "LISA_ROUTER" in the firewall rules.
From where did you try this?
It should work from pfSense without the policy route, but not on other devices in pfSense LAN. They will send requests to pfSense, but they don't normally get forwarded, since both the source and the router are within the same network segment anyway.
You would need a static route on the LAN device itself.
-
@viragomann said in Route from pfSense to GL.iNet Slate not working:
You would need a static route on the LAN device itself.
You mean on RPi?
In the OpenWrt forum somebody wrote:
If your main router has the ability to specify static routes, you can set a static route and use symmetric routing so that your second network doesn't experience double-NAT.
I can't find anything about symmetric routing. Do I need to do that in pfSense or OpenWrt (the Slate)?
-
@mrglasspoole
You need a static route on the device you want to access the RPi from, guess the workstation.
Asymmetric routing is what you actually have. This means request and response packets go different ways.
request: client > pfSense > GL.iNet Slate > RPi
response: RPi > GL.iNet Slate > client
This may work for pings, but doesn't work for TCP, since it is a stateful protocol, unlike ICMP.
The proper way to set this up is to put the GL.iNet Slate into a separate network segment on pfSense (transit network).
Then you have to add a static route to pfSense for the 10.143.150.0/24 pointing to the Slate IP in the transit network. And on the Slate you need a static route for 10.143.130.0/23 pointing to the pfSense IP.
If that's not possible, another workaround (a bad one) apart from the static route on the client would be to masquerade (NAT) the packets on pfSense.
-
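The asymmetric path described in the post above, modelled as an added example that is not part of the original thread: each node does a longest-prefix route lookup, and the check flags any setup where pfSense sees only one direction of the workstation-to-RPi flow. The workstation address, the pfSense LAN address 10.143.130.1 and the 10.143.140.0/30 transit network are assumptions made for the example.

```python
import ipaddress as ip

# Addresses from the thread, except WS, PFSENSE and the 10.143.140.0/30
# transit network, which are constructed for this example.
WS, PFSENSE, RPI, SLATE_LAN = "10.143.130.50", "10.143.130.1", "10.143.150.2", "10.143.150.1"
LAN, BEHIND, TRANSIT = "10.143.130.0/23", "10.143.150.0/24", "10.143.140.0/30"

def topology(mode):
    """Per-node (addresses, routes); a route gateway of None means on-link."""
    transit = mode == "transit"
    pf_side, slate_wan = ("10.143.140.1", "10.143.140.2") if transit else (PFSENSE, "10.143.130.4")
    uplink = TRANSIT if transit else LAN
    ws_routes = [(LAN, None), ("0.0.0.0/0", PFSENSE)]
    if mode == "client_route":          # static route on the workstation itself
        ws_routes.append((BEHIND, slate_wan))
    return {
        "workstation": ({WS}, ws_routes),
        "pfSense": ({PFSENSE, pf_side}, [(LAN, None), (uplink, None), (BEHIND, slate_wan)]),
        # The Slate's default route via pfSense also covers 10.143.130.0/23.
        "Slate": ({slate_wan, SLATE_LAN}, [(uplink, None), (BEHIND, None), ("0.0.0.0/0", pf_side)]),
        "RPi": ({RPI}, [(BEHIND, None), ("0.0.0.0/0", SLATE_LAN)]),
    }

def next_hop(routes, dst):
    """Longest-prefix match; an on-link match delivers straight to dst."""
    hits = [(ip.ip_network(p), gw) for p, gw in routes if ip.ip_address(dst) in ip.ip_network(p)]
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return gw or dst

def trace(nodes, src, dst):
    """Names of the nodes a packet visits on its way from src to dst."""
    owner = {addr: name for name, (addrs, _) in nodes.items() for addr in addrs}
    path = [owner[src]]
    while dst not in nodes[path[-1]][0]:
        path.append(owner[next_hop(nodes[path[-1]][1], dst)])
        if len(path) > len(nodes):
            raise RuntimeError("routing loop")
    return path

def check(mode, firewall="pfSense"):
    nodes = topology(mode)
    fwd, rev = trace(nodes, WS, RPI), trace(nodes, RPI, WS)
    # A stateful firewall must see both directions of a TCP flow, or neither.
    return fwd, rev, (firewall in fwd) == (firewall in rev)

if __name__ == "__main__":
    for mode in ("flat", "client_route", "transit"):
        fwd, rev, ok = check(mode)
        print(f"{mode:13} {' > '.join(fwd)} | {' > '.join(rev)} | TCP {'ok' if ok else 'broken'}")
```
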
A static route on every client (workstation) in the network?
I don't get it.
What's the purpose of a tutorial like this if you can't reach the services on the other machines:
https://www.youtube.com/watch?v=XdzfgapJYqw
I'm pulling my hair out after hours of googling and the pfSense doc.
-
@mrglasspoole said in Route from pfSense to GL.iNet Slate not working:
A static route on every client (workstation) in the network?
I don't get it.
As I see it, the WAN interface of the Slate (Lisa) is blocking all traffic coming from elsewhere if no ports are opened.
The Slate is shown in the WAN setup, but it is placed inside of the LAN area. So you could use the LAN port of the Slate and all is fine, but then you have two routers in one LAN! That often causes problems or ends up with a network that is not usable.
You can do many things here, but we should know more about the use case and/or some other things first, to help you out and bring it to the point where all is running fine for you later!
- Is the Slate even present inside of the network or do you carry it around (car router)?
- Must the RAPI be reachable from outside (Internet)? Or only from the WS on the LAN?
- Is the Slate sorted with a modem (USB) or not?
What's the purpose of a tutorial like this if you can't reach the services on the other machines:
You are using pfSense in a VM? If you put the Slate away and connect the RAPI alone to the switch you don't need any route!
If you put the Slate in AP mode and only use it as a WiFi AP, and the RAPI is also connected to the Zyxel switch, you get WiFi and can connect the RAPI.
You may also connect the Slate to the Zyxel with a LAN port (on the Slate side).
There are many different ways you could go, but we should be provided with more information from your side. -
-
@dobby_ I carry the Slate around. Its main purpose is a portable music player.
I connect a smartphone via WiFi (Slate's WiFi) to it to control the player.
But I also want to USB tether (smartphone) or use a USB modem when not at home.
At home I want to connect it to my switch so I can work on the player (settings/programming) and copy music to it from my workstation or any other PC.
AP mode would mean the RPi is getting its IP from pfSense.
But I would like to have the RPi always the same IP/Subnet.
I also don't like the idea that I would have to change settings on the Slate every day to switch between router and AP mode.
My pfSense box has just one WAN. A second NIC would mean more power consumption and I would need to run another 20 meters of cable to where I need it and maybe another switch if I need more places.
My first idea was to connect the first NIC of the Slate to my switch and the second NIC to the RPi.
I thought it's possible to disable the Slate's DHCP server on the first NIC and let it get the IP from pfSense.
But that seems not to be possible. -
@mrglasspoole said in Route from pfSense to GL.iNet Slate not working:
I carry the Slate around. Its main purpose is a portable music player.
If so, why do you run it as an additional router in your network?
Why don't you simply connect the RPi to the switch with pfSense LAN? What is the sense of having it behind the Slate?
If you just want to separate it from the LAN you can configure a VLAN between pfSense and the switch and attach the device to it. I guess, your switch is capable of this. -
@viragomann said in Route from pfSense to GL.iNet Slate not working:
Why don't you simply connect the RPi to the switch with pfSense LAN? What is the sense of having it behind the Slate?
Because I don't want to handle/switch different IPs (home or not home) on the phone.
And everything will be in one box. I don't want to replug cables.
Just one cable I can connect to the switch and not unplugging the cable inside the box from the RPi.
Also it would be nice if the settings UI from the Slate would be reachable from the workstation (pfSense LAN).
-
@mrglasspoole
So put the GL.iNet Slate into a transit network, as already suggested above and all routing should work properly. -
@viragomann Yep, I already googled "transit network" when you first mentioned it but found nothing.
-
I carry the Slate around. Its main purpose is a portable music player.
OK, this is better for us to know first. Thanks.
If I were in your situation I would really consider one of the following solutions.
Solution 1
DMZ Switch
- Netgear GS105Ev3 ~25 € (5 Port)
- Netgear GS108Ev3 ~35 € (8 Port)
- Or an equivalent TP-Link model for less money
Another PCIe NIC
- Intel i350-T4 - cheap on eBay (4 GB Ports)
- Intel i340-T4 - cheap on eBay (4 GB Ports)
-- 4 GB LAN Ports
-- Supported well in pfSense
-- No need for more PCIe slots or cards
-- 2 x WAN | 1 x DMZ | 1 x LAN port are available
-- You may add the Slate in front of the pfSense WAN too (if needed)
A WiFi card
- A cheap wireless N card for 12 €
- Antennas for less than 10 €
Solution 2
Building VLANs might be a cheaper and faster way to work around this, but even connecting the Slate into the LAN and perhaps one day later into the WAN does not make things much easier.
With the first solution you leave the Slate in the bag and only connect the RAPI here and there, but you own WiFi and nothing must be changed, and on top of all perhaps the VLANs are not really needed! And if really needed you could connect the Slate to the second available WAN port if you want to use it. -
@mrglasspoole
That's nothing other than an additional network segment between pfSense (default gateway in the network) and the GL.iNet Slate, segregated from your LAN.
You can leave the hardware as it is and do this with a VLAN.
Configure a VLAN on the pfSense LAN port and as well on the switch, both tagged, and assign the respective switch port to it as untagged. Connect the Slate here.
Configure the static route on pfSense for the network behind it.
-
@viragomann sorry I can't figure it out.
100 tutorials later and they are all different.
Some use routing, some not, some have 100 Firewall settings, some have both, one says "VLAN routing is automatically configured" if you create a VLAN...
The VLAN interface has its own IP, the routing gateway has one, also the VLAN has its own DHCP server.
I don't look through :-(
-
@mrglasspoole
The transit network is simply a segregated network segment. You have to configure two devices: pfSense and the switch:
Are there any difficulties?
VLAN routing might be a term of virtualization. As I got your setup, there is none involved.
DHCP? The Slate should have a static IP. If it needs DHCP, because you want to attach it also to other networks then use static mapping, since it needs a static IP as you want to route traffic to it.
-
@viragomann sure there are difficulties because I'm trying to make sense of all this:
https://www.linuxsysadmins.com/setup-vlan-on-pfsense/
https://www.wundertech.net/how-to-setup-vlans-in-pfsense/
https://techexpert.tips/pfsense/pfsense-vlan-configuration/
I never set up VLANs before.