Netgate Discussion Forum

    Setup Router behind Router for Testing

      whinis

      I currently have pfSense set up as my main house router and it's working fine, however I need to provision and set up a second pfSense to go into a datacenter environment.

      I tried to assign another interface on router 1 as a gateway and directly connect to router 2's WAN port. I assigned the IP address given to me by the data center for testing XXX.XXX.XXX.176/29 to Router 1's interface and assigned the IP of XXX.XXX.XXX.180 as its static IP as I was told that will be my gateway. I then assigned XXX.XXX.XXX.177 to Router 2's WAN. However I cannot get the two to talk to each other as it seems that they are both dropping ARP requests between each other.

      Is there a better way to set up this second router?

        viragomann @whinis

        It's not really clear what you are trying to achieve, but this
        @whinis said in Setup Router behind Router for Testing:

        I assigned the IP address given to me by the data center for testing XXX.XXX.XXX.176/29 to Router 1's interface

        might be a bad idea. This is the network address. It must not be assigned to an interface.

        Do you want to set up a public subnet behind your router?
        If so, is it routed to your WAN address?

        What's the goal of this all?

          whinis @viragomann

          @viragomann Effectively this public address will be assigned to this router in the datacenter. To make sure I have it as correct as possible I am trying to mimic it in my home network setup before I move everything into the datacenter so I don't spend 5 hours in the datacenter trying to debug rules

          This address is not routed to my WAN but I attempted to assign it to a third interface I have on the pfSense box and then set its IP as static to X.X.X.180/27 and gave it a new gateway.

            viragomann @whinis

            @whinis
            I see.
            So assign XXX.XXX.XXX.180/29 to router 1 internal interface, since this is the gateway IP, which router 2 should use.
            And XXX.XXX.XXX.177/29 to router 2 with the .180 as gateway.

              whinis @viragomann

              @viragomann I have done that, however neither seems to be able to ping the other.

                viragomann @whinis

                @whinis
                Should work, however.
                Why do you think the machines are dropping ARP packets?
                Something in the system log?

                  whinis @viragomann

                  @viragomann I did a packet capture on each side and the Home Router keeps asking who has .177 and the data center router keeps asking who has .180. Neither seems to see the other's ARP.

                    viragomann @whinis

                    @whinis
                    And you don't see the ARP replies on either device?
                    If not, I think there might be something wrong on layer 2.

                      whinis @viragomann

                      @viragomann So after much debugging yesterday and plugging and unplugging cables and ensuring both pfSense boxes were detecting the correct port, I came up with nothing. Finally I just power cycled both boxes and they could suddenly see each other's ARP requests. My problem now seems to be they are not "accepting" them, for lack of a better word.

                      I can see the request and response via tcpdump however router 1 still has the ARP table as incomplete.

                        whinis @whinis

                        I forgot to mention this earlier but I was VLAN tagging on both sides; removing the tag on router 1 allowed it to see the ARP request. Even though they were tagging, it won't see them if the gateway is on the VLAN.

                          viragomann @whinis

                          @whinis
                          What's the sense of configuring a VLAN on these interfaces, which need to provide a single subnet only, if I understood the requirement correctly?

                            whinis @viragomann

                            @viragomann Honestly I am not 100% sure myself, I am just replicating what I was given by the datacenter and vlans are outside of my wheelhouse. Specifically I was told

                            Transit Network Information
                            A Transit network is delivered directly to network equipment via a Public-facing VLAN.

                            The following network has been provisioned for your use:

                            VLAN ID   Subnet & Mask        Gateway            Bandwidth Cap
                            270       XXX.XXX.XX.176/29    XXX.XXX.XXX.182    XXX Mbps

                              viragomann @whinis

                              @whinis
                              I see. So the router should have its public subnet on a VLAN later.

                              Note that certain network adapters have issues with VLAN when running pfSense. As far as I remember this applies at least to some Realtek NICs and recent pfSense versions.

                                whinis

                                @viragomann Router 2 has 3 Intel X540 on the motherboard for 6 10GbE ports and Router 1 has an Intel I350/X520 combo card with 2 10Gb SFP and 2 1Gb ports. Currently router 1 is using an I350 port for communication with Router 2. As far as I can tell VLANs are supported for both chipsets.

                                  whinis @whinis

                                  @viragomann It ended up being some hardware VLAN I set up on Router 2 that was somehow conflicting with whatever I set in pfSense.

                                    stephenw10 Netgate Administrator

                                    Could have potentially been this: https://redmine.pfsense.org/issues/13381

                                    Steve

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.