Two subnets
-
@johnpoz So can leave 192.168.11.1/24?
-
@Antibiotic sure.. keep in mind a transit network shouldn't have any "hosts" on it - so not sure why would would "need" a /24.. but sure you can use it as long as doesn't overlap with other networks. When you put hosts on a transit network your most likely going to run into asymmetrical routing problems.
-
@johnpoz So you mean better do not put any devices in LAN of Wireless router?or what it mean hosts?
-
@Antibiotic yeah a device.. be it a phone or pc or anything that is going to talk to anything.. Ie not a router.. These devices do not belong on a "transit/connector" network..
-
@johnpoz So , again misunderstanding, I can use LAN of Wireless router to connect devices but this devices should belong to transit network. Is it correct? Should be in network for example 192.168.11.0/24
-
@Antibiotic dude if your going to use your 11 network to connect your router.. Then those should be the only thing on that network pfsense and your downstream router.
Put your stuff on either the 10 network or the 12 network behind your router...
-
@johnpoz So LAN of Wireless router should set for example 192.168.50.1 , Its correct?
-
@Antibiotic what? Yes you can use any network you want, as long as its doesn't overlap with yoru lan (10 network) or your lan 2 (11 network)...
-
@johnpoz Thank you very much)))
-
@Antibiotic
pfSense LAN static 192.168.11.1/29 DCHP POOL 192.168.11.1-192.168.11.6
Wireless router WAN :
IP Address static 192.168.11.2
Subnet Mask 255.255.255.0
Default Gateway 192.168.11.1
DNS 192.168.11.1
Wireless router LAN:
IP Address192.168.13.1
Subnet Mask 255.255.255.0
DCHP POOL 192.168.13.1-192.168.13.5
Wireless router NAT and Firewall disabled, router itself have internet but Laptop and Phones, no any internet, please what I'm doing wrong? -
@Antibiotic why are you changing the IP ranges to /29?? Just leave all your networks /24, not like you have a limted amount of space to work with..
And you have a mask mismatch, you have /29 on pfsense and /24 on your 2nd routers wan????
Did you setup the gateway and route in pfsense for this downstream network? All of the info you need on how to do a downstream router is right there on drawing..
This is perfect example of why you don't complex this up.. Even if you get it working, its clear your not going to have any idea "why" its working.. Or how..
-
@johnpoz Did back to /24 no result, see on picture" pfSense interface rules must pass traffic from downstream subnets not just the interface subnet. Should me create some firewall rule?
-
-
@johnpoz Please calm down))) Where should to create on pfsense router or Wireless router? Static routes? from where to where. Lets say I'm a seaman and if you start asking how to load a vessel may be also going to crazy))) Please step by step
-
@Antibiotic I have given you all the info any person could ask for..
But how can you not understand you would need to create a firewall rule to allow a downstream network? It right there in the drawing to remind you..
If you do not understand basic concepts of networking - your going to have a really hard time..
-
@johnpoz Ok, we can close this discussion, went to forum not for IT courses but for assistance. Yes I'm not a network engineer and only have a desire to create my new home network. Bye, have a good day!
-
@Antibiotic hey there,
no need to close in my opinion.
I feel @johnpoz is indeed trying to give you assistance. BUT: considering you (same here, I am no IT guy, no professional background, just for the fun of it) have some lacking knowledge about the how-tos and whys...well it needs some lecturing, taking some courses (networking for beginners ;)). Sure: just go to youtube, watch a "how-to" vid and repeat those settings...will work for now (maybe), but without at least a basic understanding it will not really help you.
As with many things in life: basics are important.
Now, me being a newbie as well, I give it a try:
An information packet (iE PING) is sent from LAN 1 (172.28.0.0/22, set for LAN BEHIND L3 switch /WLAN Router) to LAN 2 (172.29.1.0/24).
It goes like this:
Host A (172.28.1.100/24) sends to host C with 172.29.1.100/24...>>>> Host A sees: Upsie, in my network there is no 172.29.1.100, don't even know any 172.29.0.0 for I only know 172.28.1.0/24 addresses...so, sends it to the default gateway (L3 switch with 172.28.1.1/24, host A knows THAT).
Packet is now at L3 switch which knows 172.28.1.0/24 and 172.28.2.0/24 and transfer net 172.26.1.0/29. Nothing else. BUT the needed address is for 172.29.100/24 (host C)...so again, doesn't know it, sends it to its default gateway >>>> pfsense with 172.26.1.1/29.
Pfsense gets that ping packet to 172.29.100/24. And pfsense DOES know that network >>> sends it to L2 switch (which knows 172.29.1.100/24 as well) so finally the ping packet reaches host C. YEAH!
BUT...to see a successful PING on host A...host C needs to send some information back. Damn...
Ok, host C sends back to 172.28.1.100/24....does not know that one, so via L2 switch back to gateway (pfsense on 172.29.1.1/24).
Pfsense receives that answer...BUT, damn it, does not know 172.28.1.0/24, for (as stated) only knows 172.26.0/29 and 172.29.1.0/24. So without a static route as info WHERE to send it...it would be sent to its default gateway and off to WAN it goes to the internet...but wait, its a private address, so it gets discarded and your Ping will show an error.
Buhu.
SO: you need to tell PFSENSE that packets to 172.28.0.0/22 must NOT go to its default gateway BUT instead to that L2 switch on 172.26.1.0/29...THAT is why you need to set that static Route on pfsense.
With that wisdom, pfsense sends the answer to your PING NOT out to the WAN, but knows that this should go out to L3 switch.
L3 switch now gets that answer packet...and it knows that network!! So it is handed down to host A....and you see that PING is working...Now, this is written by a noob. So all you pros out there: sorry, way to simple, in reality way more to it. But I just wanted to show WHY it (static route) must be set on pfsense in this setting (and not somewhere else).
@johnpoz explained just that (with lesser words but nevertheless absolutely correct) > we noobs always use more words for our lack of professional terms and language
.
You can chose ANY private network address space you want...as long as you do it consistently: one for transfer network (/29), one for LAN1 behind L3 switch (another router), one for LAN 2 behind L3 switch. And, of course one for LAN 3 behind pfsense (including that L2 switch and host C). You should make sure, that those are not overlapping. Meaning: use different networks.
So, hopefully you see: understanding how packets travel behind the scenes helps understanding how it works making it much easier to set it right. Just telling "put 172...here, and check here...then put 172.1 there..." might look like a solution, but only for a few moments.
Or to put it with that saying:
โIf you give a man a fish, you feed him for a day. If you teach a man to fish, you feed him for a lifetime.โ And (in my understanding) that's what @johnpoz tried to do.
hopefully I did not f**** it up...
Happy Easter everyone!
-
@johnpoz
what is the software you use for the info graphic. -
@flat4
although I was not the one asked: it looks like draw.io for my tired eyes... ;) -
@flat4 that drawing - that is not mine.. Believe Derelict is the author, I just saved it because its a great drawing to show use of downstream L3 with L2 switches as well.
Pretty sure that is just old copy of visio.. Or at least old icon set.. Could prob create a prettier looking one ;)
