Netgate Discussion Forum

    Subnet to subnet routing

    Routing and Multi WAN
    • diretore

      Hi guys.

      I'm using pfsense 1.2.3 multiwan setup. 3 nics.
      WAN->PPPoE ISP DHCP address (public)
      LAN-> Internal lan 192.168.5.0/24
      OPT1-> connected to a dd-wrt enabled router in bridge client mode which is connected to a AP with internet access on subnet 192.168.1.0/24

      So far, I have successfully used OPT1's internet access with no problem. I can even access the clients on the 192.168.1.0 network no problem.

      Problem is that I cannot access clients on my LAN from OPT1 clients. I am using RIP broadcasts, and checking routing tables on both routers indicates that the routes exist (pfSense box and the OPT1 AP).
      Pings time out. Pinging the pfSense box itself times out (from a client connected to the AP, with address say 192.168.1.110).

      I enabled traffic via firewall rules (allow any any) on both the OPT1 and LAN interfaces, but it still doesn't work!

      Any suggestions?

      TY

      BR
      Marko

      • GruensFroeschli

        Are you running a DHCP on the OPT1 interface?
        Or are you using the DHCP of the AccessPoint itself?
        Are you assigning the correct default gateway?
        Are you allowing client-to-client communication on the AccessPoint (since the pfSense is actually a client as well)?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • diretore

          DHCP is on the AP itself.
          Yes, pfSense is a client itself, with the address 192.168.1.254.
          Client 2 client is enabled (laptops share files over AP)

          The problem is that there are now 2 gateways in the subnet: 192.168.1.1 for public networks (internet) and 192.168.1.254 (pfSense NIC) for the 192.168.5.0/24 network.

          What needs to be configured for such a setup?

          • GruensFroeschli

            Create a static route on your AP pointing to 192.168.1.254 for 192.168.5.0/24

            • diretore

              Like I said… I am using RIP on both routers (pfSense and the AP)
              And routing tables show the routes exist. I am guessing this is a firewall problem...

              • GruensFroeschli

                What does your any-any rule look like?
                Are you allowing TCP/UDP or "any" as protocol?
                If you are pinging: Do you have ICMP allowed?

                • diretore

                  For OPT1: allow any any coming in on interface opt1
                  For LAN: allow any any coming in from the OPT1 subnet (191.168.1.0/24)

                  I disabled RIP and added a static route to the AP router.

                  Maybe I'm doing something wrong. What exactly must my firewall rule look like?

                  • diretore

                    Nothing?

                    Here is a (very bad) picture of the setup for better understanding:

                    The goal is to enable network communication between OPT1 clients and LAN clients.
                    pfSense is in the multi-WAN setup, and load balancing/fail-over for LAN clients works flawlessly.

                    [image: setup.jpg]

                    • GruensFroeschli

                      OK, now I know the whole setup.
                      The key missing information for me was that the AP is used as a WAN for the pfSense as well, and that you're load balancing the LAN.

                      On the LAN you need another rule, above the load-balancing rule, allowing access to the AP for the additional subnet.
                      The gateway for this rule above the balancing rule has to be default (*).

                      So LAN:
                      Rule1: protocol: any, source: LAN-subnet, srcport: any, destination: AP-subnet, destport: any, gateway: default
                      Rule2: protocol: any, source: LAN-subnet, srcport: any, destination: any, destport: any, gateway: balancer

                      OPT:
                      Rule1: protocol: any, source: AP-subnet, srcport: any, destination: LAN-subnet, destport: any, gateway: default

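The ordering point in the reply above, as an added example (my own code, not pfSense's and not posted by anyone in the thread): a small first-match evaluator in Python that models the LAN and OPT rule sets. pfSense adds "quick" to its rules, so the first matching rule wins, and a rule with a named gateway policy-routes matching packets to that gateway regardless of the routing table. The rule shape, the "balancer"/"routed" labels and the helper names are this example's own assumptions.

```python
import ipaddress

# Constructed rule sets modelling the pfSense 1.2.3 LAN/OPT1 rules from the thread.
# The rule shape (src, dst, gateway), the labels and the helper names are this
# example's own assumptions, not pfSense internals.
LAN_NET = ipaddress.ip_network("192.168.5.0/24")   # pfSense LAN
AP_NET = ipaddress.ip_network("192.168.1.0/24")    # AP / OPT1 subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


def make_rule(src, dst, gateway):
    """A pass rule. gateway None means '*' (default): the kernel routing table decides.
    A named gateway means policy routing: matching packets are handed to that
    gateway (here the multi-WAN 'balancer' group) no matter what the route table says."""
    return {"src": src, "dst": dst, "gateway": gateway}


# Before the fix: LAN traffic to anywhere is pinned to the balancer, so a packet for
# 192.168.1.x is pushed out a WAN instead of being routed to the OPT1 subnet.
LAN_RULES_BEFORE = [
    make_rule(LAN_NET, ANY, "balancer"),
]

# After the fix: the specific rule sits above the balancer rule. Evaluation is
# first-match, so the more specific rule must come first.
LAN_RULES_AFTER = [
    make_rule(LAN_NET, AP_NET, None),
    make_rule(LAN_NET, ANY, "balancer"),
]

# OPT side: AP subnet to LAN subnet, default gateway.
OPT1_RULES = [
    make_rule(AP_NET, LAN_NET, None),
]


def first_match(rules, src_ip, dst_ip):
    """Return the first rule whose source and destination nets contain the packet,
    or None when no rule passes it (the implicit default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule
    return None


def egress(rules, src_ip, dst_ip):
    """'blocked', 'policy:<gateway>' or 'routed' (system routing table)."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "blocked"
    if rule["gateway"] is not None:
        return f"policy:{rule['gateway']}"
    return "routed"


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule already
    covers their whole source and destination space. This is the check that
    catches the specific rule being placed below the balancer rule."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule["src"].subnet_of(earlier["src"]) and rule["dst"].subnet_of(earlier["dst"]):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for label, rules in (("before", LAN_RULES_BEFORE), ("after", LAN_RULES_AFTER)):
        print(label, "LAN->AP:", egress(rules, "192.168.5.5", "192.168.1.100"),
              "LAN->internet:", egress(rules, "192.168.5.5", "8.8.8.8"))
    print("wrong order shadows rule index:", shadowed_rules(list(reversed(LAN_RULES_AFTER))))
```

With only the balancer rule, a LAN packet for 192.168.1.100 is policy-routed to the balancer and never reaches the OPT1 subnet; with the specific rule on top it falls through to normal routing, while internet-bound traffic still hits the balancer. `shadowed_rules` flags the reversed order, where the specific rule can never match.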
                      • diretore

                        Thank you!

                        Will try that and report back!

                        • diretore

                          Just to be sure…
                          on the AP router I have to configure a static route to the network 192.168.5.0/24 using the gateway 192.168.1.254 (the ip of my pfsense interface)?

                          Because I did that and still nothing. Ping times out...

                          • GruensFroeschli

                            Yes your static route should look the way you describe.

                            Did you debug this step by step?
                            1: Can you ping 192.168.1.254?
                            2: If 1 was yes: if you ping 192.168.5.1 (pfSense IP on its LAN), do you see this logged in the pfSense firewall log?
                            3: Enable logging for the allow rule. If the packet is getting to the pfSense, it should show up as either allowed or blocked.
                            4: If you cannot see it in the firewall log: did you tcpdump on the pinging machine to see how the ARP requests get answered, and where the packets are actually sent to?

                            • diretore

                              1. Yes, pinging 192.168.1.254 works.
                              2. No, ping times out.
                              3. The allow rule logs like this: 192.168.1.100:54675 192.168.1.254:2189 TCP:S (on the opt1 interface)
                              I also get this in the log: 192.168.1.100:58840 239.255.255.250:1900 UDP (UPnP, this is OK, I will allow it)
                              4. When pinging 192.168.5.5 (a machine on my 192.168.5.0 subnet) I get:

                              From 192.168.1.1: icmp_seq=2 Redirect Host (new nexthop:192.168.1.254), so I'm guessing the AP router actually knows where to send the packets.
                              The weird thing is it just stands there (no host unreachable or timeout errors). The cursor just blinks and nothing happens (using Ubuntu 9 here).
                              EDIT: after some time (minutes) I get: network unreachable

                              Also tried manually adding the route using the route add command (on another Windows 7 client). No luck…

                              Losing my mind here...

                              EDIT:
                              nmap output:
                              ddwrt router:

                              Not shown: 997 closed ports
                              PORT STATE SERVICE
                              23/tcp open telnet
                              53/tcp open domain
                              80/tcp open http
                              MAC Address: 00:25:9C:CF:BA:9D (Cisco-Linksys)

                              opt1 interface:

                              Interesting ports on 192.168.1.254:
                              Not shown: 996 filtered ports
                              PORT STATE SERVICE
                              53/tcp open domain
                              80/tcp open http
                              443/tcp open https
                              1723/tcp open pptp
                              MAC Address: 00:25:9C:CF:BA:9D (Cisco-Linksys)

                              As shown, the MAC addresses are the same for 2 different IP addresses, but I am assuming this doesn't matter.

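The ICMP redirect in step 4 above is worth reading precisely: the AP (192.168.1.1) received a packet for 192.168.5.5 on its LAN side, matched the static route whose next hop 192.168.1.254 is on the same network as the sender, forwarded the packet, and, as RFC 1812 specifies for that case, told the host to send to 192.168.1.254 directly next time. As an added illustration (my own code, not from the thread or from dd-wrt), this Python snippet models that forwarding decision with longest-prefix lookup and the redirect condition. The route table, the link names and the ISP next hop 203.0.113.1 are constructed for the example.

```python
import ipaddress

# Constructed routing table for the dd-wrt AP at 192.168.1.1: its connected LAN,
# the static route the thread adds for pfSense's LAN, and a default route to the ISP.
# The dict shape, the link names and the ISP next hop 203.0.113.1 are assumptions
# made for this example.
AP_ROUTES = [
    {"net": ipaddress.ip_network("192.168.1.0/24"), "via": None,            "link": "lan"},
    {"net": ipaddress.ip_network("192.168.5.0/24"), "via": "192.168.1.254", "link": "lan"},
    {"net": ipaddress.ip_network("0.0.0.0/0"),      "via": "203.0.113.1",   "link": "wan"},
]


def lookup(routes, dst_ip):
    """Longest-prefix match: the most specific route containing dst, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        if dst in route["net"] and (best is None or route["net"].prefixlen > best["net"].prefixlen):
            best = route
    return best


def forward(routes, ingress_link, src_ip, dst_ip):
    """What the router does with a packet that arrived on ingress_link.

    Returns (next_hop, redirect). next_hop is None when there is no route
    (ICMP destination unreachable). redirect is True when the packet leaves on
    the same link it arrived on and the next hop lies on the sender's own
    network: the RFC 1812 condition for sending an ICMP Redirect, which is what
    'Redirect Host (new nexthop:192.168.1.254)' in the ping output reports.
    The packet is still forwarded; the redirect is only advice to the host."""
    route = lookup(routes, dst_ip)
    if route is None:
        return None, False
    next_hop = route["via"] if route["via"] is not None else dst_ip
    src = ipaddress.ip_address(src_ip)
    sender_net = next((r["net"] for r in routes if r["via"] is None and src in r["net"]), None)
    redirect = (route["link"] == ingress_link
                and sender_net is not None
                and ipaddress.ip_address(next_hop) in sender_net)
    return next_hop, redirect


if __name__ == "__main__":
    print(forward(AP_ROUTES, "lan", "192.168.1.100", "192.168.5.5"))   # ('192.168.1.254', True)
    print(forward(AP_ROUTES, "lan", "192.168.1.100", "8.8.8.8"))       # ('203.0.113.1', False)
```

A redirect therefore confirms the AP's static route is correct and that the packet was handed to 192.168.1.254; the traffic to the internet takes the default route out the WAN link and no redirect is sent. Without the default route the lookup fails and the router would answer with destination unreachable instead.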
                              • GruensFroeschli

                                Not sure I read that right.
                                Are you telling me that the MAC of the pfSense and of the AP are the same?
                                This matters very much.
                                You cannot resolve ARP requests like this.

                                • diretore

                                  No, no…

                                  pfsense box->ddwrt router->AP

                                  The pfSense box and the dd-wrt router have the same MAC. The AP has another.

                                  Talking about client bridge mode here.... something like this:

                                  http://www.dd-wrt.com/wiki/index.php/Image:Standard_bridge_large.jpg

                                  • GruensFroeschli

                                    Well, if you connect the pfSense box to the dd-wrt box and both have the same MAC on the interfaces facing each other, they are not able to talk.
                                    First they do an ARP lookup and find out that they have this MAC themselves
                                    –> traffic never gets sent out.

                                    Try to set a different MAC for both devices and they should be able to talk to each other.

                                    • diretore

                                      OK, some of the logs of my opt1 interface:
                                      Apr 7 16:35:44 opt1 192.168.1.102:51072 192.168.1.254:53 UDP
                                      Apr 7 16:35:44 opt1 192.168.1.102:58188 192.168.1.253:53 UDP
                                      Apr 7 16:35:44 opt1 192.168.1.102:53841 192.168.1.254:53 UDP
                                      Apr 7 16:35:44 opt1 192.168.1.102:59647 192.168.1.254:53 UDP

                                      Obviously DNS queries. So I can confirm the packets reach the OPT1 interface. If I enable VPN, the 192.168.1.0/24 clients actually can connect to my 192.168.5.0/24 clients (through the VPN, but slow as hell).

                                      Problem is that… well, packets are not routed between subnets... Something is wrong in my pfSense config....

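Step 3 of the checklist earlier in the thread (log the allow rule and look for the packet) can be made mechanical. As an added example (my own code, not from the thread or from pfSense), this Python parser reads firewall log lines in the format posted above, classifies each flow, and reports whether any packet from the AP subnet was logged with a destination in 192.168.5.0/24. The lines in THREAD_LOG are the ones posted in the thread with whitespace normalised; CONSTRUCTED_PING is a constructed line showing what an inter-subnet ICMP entry would look like once such traffic is actually seen on OPT1. The regex and the classification labels are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

LAN_NET = ipaddress.ip_network("192.168.5.0/24")       # pfSense LAN
AP_NET = ipaddress.ip_network("192.168.1.0/24")        # AP / OPT1 subnet
PFSENSE_OPT1 = ipaddress.ip_address("192.168.1.254")   # pfSense address on OPT1

# Log lines quoted from the thread (whitespace normalised).
THREAD_LOG = """\
Apr 7 16:35:44 opt1 192.168.1.102:51072 192.168.1.254:53 UDP
Apr 7 16:35:44 opt1 192.168.1.102:58188 192.168.1.253:53 UDP
Apr 7 16:35:44 opt1 192.168.1.102:53841 192.168.1.254:53 UDP
Apr 7 16:35:44 opt1 192.168.1.102:59647 192.168.1.254:53 UDP
192.168.1.100:54675 192.168.1.254:2189 TCP:S
192.168.1.100:58840 239.255.255.250:1900 UDP
"""

# Constructed entry: what an AP-client ping to a LAN host would look like if it
# reached OPT1 and hit the logged allow rule (ICMP has no ports).
CONSTRUCTED_PING = "Apr 7 16:41:02 opt1 192.168.1.100 192.168.5.5 ICMP\n"

# Optional "Mon D HH:MM:SS iface" prefix, then src[:port] dst[:port] PROTO[:flags].
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>\S+))?$"
)


def parse(log):
    """Turn log text into a list of flow dicts; unknown lines raise rather than
    being silently skipped, so a format change cannot hide traffic."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        d = m.groupdict()
        entries.append({
            "iface": d["iface"],
            "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"],
            "flags": d["flags"],
        })
    return entries


def classify(entry):
    """'inter-subnet' is the traffic the thread is looking for; everything else
    is traffic to the firewall itself, multicast chatter, or other."""
    if entry["src"] in AP_NET and entry["dst"] in LAN_NET:
        return "inter-subnet"
    if entry["dst"] == PFSENSE_OPT1:
        return "to-firewall"
    if entry["dst"].is_multicast:
        return "multicast"
    return "other"


def summarize(log):
    return dict(Counter(classify(e) for e in parse(log)))


def inter_subnet_flows(log):
    return [(str(e["src"]), str(e["dst"]), e["proto"])
            for e in parse(log) if classify(e) == "inter-subnet"]


if __name__ == "__main__":
    print("thread log:", summarize(THREAD_LOG), inter_subnet_flows(THREAD_LOG))
    print("with constructed ping:", inter_subnet_flows(THREAD_LOG + CONSTRUCTED_PING))
```

Run over the posted lines, none of the flows has a destination in 192.168.5.0/24: every logged packet is addressed to the firewall itself, to another 192.168.1.x host, or to a multicast group. That matches the thread's own reading (packets reach OPT1, but the ones meant for the LAN subnet are not showing up there), and it is the kind of absence the logged allow rule in step 3 is meant to expose.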
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.