Dual (2) WAN / Multi (9) LAN Routing Issue with Public IPs
-
first problem…
isp1,
204.101.*.208/29 subnet...
When connected to an IP in that pool, I go to Google and search "what's my IP".... should show 204.101..209, but shows the ISP1 pfSense GW IP 67.69..254....
lan_bell = 204.101.*.208/29 subnet
-
With those NAT rules it would do that. Without them it should not. Did you clear states after deleting the NAT rules? You can clear only the states in question by filtering on 204.101.*.209.
I wouldn't have the Proxy ARP VIPs. I'd have type Other - if you need any at all. Out of curiosity, what is the IP address of the LAN_BELL interface?
-
My bad for the typo… 204.101..209 should have been 204.101..208/29, meaning an IP from that pool....
ka, I changed the VIP to Other... checked and it is now working..... THANK YOU…. I swear I tried that once but must have overlooked it....
I will try changing the other ISP2 VIP setting in a minute and see if that changes the block between ISP2's smaller subnets....
-
Okay, so both VIPs are set to Other and seem to be okay…. Connected to different pools, and "what's my IP" was correct in all tests from all pools....
While I was connected to pool 216.185..192/26 I tried to access the email server in the 216.185..160/27 pool with no success.... While connected to a pool fed from ISP1, I could access it with no problem... When tried from a pool fed by ISP2, the only time I could access email was while I was inside the same pool as the server....
Here attached are the screenshots of the firewall rules for both...
-
Check all your netmasks and gateways. What happens when it fails? Anything in your firewall logs?
-
All netmasks correct… double checked with an online subnet calculator...
Here are ping results from the 216.185..201/26 pool pinging 216.185..166/27:
C:\Users\chrism>ping 216.185.*.166

Pinging 216.185.*.166 with 32 bytes of data:
Reply from 216.185.*.1: TTL expired in transit.
Reply from 216.185.*.1: TTL expired in transit.
Reply from 216.185.*.1: TTL expired in transit.
Reply from 216.185.*.1: TTL expired in transit.

Ping statistics for 216.185.*.166:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
packet capture:
216.185.*.1 > 216.185.*.201: ICMP time exceeded in-transit, length 36 (tos 0x0, ttl 1, id 6454, offset 0, flags [none], proto UDP (17), length 56)
Checked system logs / firewall, tried both source and destination with IP 216.185.*.201, clear, nothing there…..
-
What routes have you put in System->Routing ?? You probably want to get rid of everything.
-
zero….
Screenshot of gateways in post #10
-
When you traceroute it, what IPs is it bouncing between?
-
Now this is where it gets funny….
216.185.*.201 is from Canada (CA) in region North America
TraceRoute from Network-Tools.com to 216.185.*.201 [*************]
Hop  (ms)       (ms)       (ms)       IP Address       Host name
1    Timed out  Timed out  Timed out  -
2    19         22         20         4.69.158.145     ae-205-3605.edge4.chicago2.level3.net
3    25         19         19         4.69.158.145     ae-205-3605.edge4.chicago2.level3.net
4    24         24         24         4.28.68.22       -
5    49         49         49         199.212.168.186  ge8-2.hcap7-tor.bb.allstream.net
6    41         41         41         216.13.105.170   216-13-105-170.dedicated.allstream.net
7    42         42         42         66.207.112.74    bb1-core-bra-kaa-g11-v3983.fibrewired.ca
8    46         45         48         216.185.*.110    mercuri.ca
9    39         40         40         67.69.*.254      -
10   Timed out  Timed out  Timed out  -
11   Timed out  Timed out  Timed out  -
216.185..110 doesn't belong to me, but belongs to my ISP2 upstream… 67.69..254 is my pfSense ISP1 GW.....
Used http://network-tools dot com to get this.
ISP2 should have gone 216.185..110, then to 216.185..1, which is the ISP2 GW I connect to... then 216.185.*.2, which is my pfSense box.
-
No. I meant from inside. Usually when TTLs expire in your situation you have a routing loop.
Traceroute to .166 from .201
-
Tracert from .201 to .166:
C:\Users\chrism>tracert 216.185.*.166

Tracing route to ******************************** [216.185.*.166]
over a maximum of 30 hops:

  1     3 ms    29 ms    11 ms  216.185.*.1
  2     2 ms     3 ms     3 ms  216.185.*.1
  3     4 ms     5 ms     4 ms  216.185.*.1
  4     5 ms     5 ms     4 ms  216.185.*.1
  5     5 ms     4 ms     5 ms  216.185.*.1
  6    12 ms    75 ms    34 ms  216.185.*.1
  7     7 ms     8 ms     7 ms  216.185.*.1
  8     6 ms     4 ms     7 ms  ^C
Just repeats till I Ctrl-C…
-
You have something configured wrong. What's your IPV4 routing table? What are all your interfaces configured like? I don't know how secret you think your IP address is but it's probably getting pretty tedious masking it.
What interface is configured as .1? What's its netmask? I'm guessing here. You're going to have to figure out why pfSense keeps routing back to .1.
-
Just referenced your diagram again. .1 is your ISP gateway. That doesn't make any sense because traceroute hop1 should be the pfSense interface facing that segment.
ETA: Hmm. pfSense is invisible in my traceroutes. But only when I NAT.
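Spotting the loop programmatically, as an added example that is not code from the thread or from pfSense: a small Python parser for Windows tracert output (constructed sample in the posted format, with placeholder addresses in the 216.185.75.0/24 range the thread later unmasks) that flags any responder answering more than one hop.

```python
import re

# Constructed sample in the shape of the tracert output posted in the thread
# (hop number, three RTT columns, replying address). Addresses are placeholders.
LOOPED_TRACERT = """\
Tracing route to 216.185.75.166 over a maximum of 30 hops:

  1     3 ms    29 ms    11 ms  216.185.75.1
  2     2 ms     3 ms     3 ms  216.185.75.1
  3     4 ms     5 ms     4 ms  216.185.75.1
  4     5 ms     5 ms     4 ms  216.185.75.1
  5     *        *        *     Request timed out.
"""

# Constructed healthy path for comparison: every hop answered by a different router.
HEALTHY_TRACERT = """\
Tracing route to 216.185.75.166 over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  216.185.75.193
  2     1 ms     1 ms     1 ms  216.185.75.166
"""

# A hop line ends in an IPv4 address, optionally bracketed after a host name.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_hops(text):
    """Return [(hop_number, responder_ip)] for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def find_loop(hops):
    """Return responders that answer more than one hop, in first-seen order.

    On a sane path each TTL is consumed by a different router, so no address
    should answer twice. The same address answering hop after hop (or two
    addresses alternating) means the packet is bounced back and forth until
    its TTL runs out: a routing loop, which is also why a plain ping gets
    'TTL expired in transit' instead of a reply from the target.
    """
    seen, repeated = set(), []
    for _, ip in hops:
        if ip in seen and ip not in repeated:
            repeated.append(ip)
        seen.add(ip)
    return repeated
```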
-
I hear ya… I've been poking away at this for some time too...
I don't think this will help... but when I did test at 5am using the route-only platform, all subnets could cross-talk with no problems...
-
Just forget about Route only platform. It will not do what you need. It also turns off all firewalling and makes all your public IPs wide open. What you're doing isn't that complicated. I think you got a little clicky clicky and have something in there that's wrong - somewhere. What are your NAT rules currently? What's your IPv4 routing table?
-
ka… and yes... I give up on masking lol
Here are screenshots
-
See those two routes for 216.185.64.6 and 216.185.75.161 with a gateway of 216.185.75.1?
Those (particularly the 161) are probably your problem. Somewhere pfSense has been told to send everything destined for 216.185.75.161 out to your ISP's .1 address.
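The route conflict described above, as an added example (not the thread's or pfSense's own code): a Python check over a constructed model of the setup that flags static routes whose destination lies inside a directly connected segment but whose gateway is outside it. Interface names and the exact /26 and /27 pool boundaries are assumptions, not taken from the screenshots.

```python
import ipaddress

# Constructed model of the setup in the thread: the two public pools are
# directly connected LAN segments on pfSense, ISP2's gateway is 216.185.75.1,
# and the routing table carries the two host routes quoted above. Interface
# names and pool boundaries are assumptions.
CONNECTED_NETWORKS = {
    "LAN_POOL_192": ipaddress.ip_network("216.185.75.192/26"),
    "LAN_POOL_160": ipaddress.ip_network("216.185.75.160/27"),
}

STATIC_ROUTES = [
    # (destination, gateway)
    ("216.185.75.161/32", "216.185.75.1"),
    ("216.185.64.6/32", "216.185.75.1"),
]


def find_conflicting_routes(connected, routes):
    """Flag static routes that send a directly connected host to an
    external gateway.

    Longest prefix wins, so a /32 for 216.185.75.161 beats the connected /27
    and pfSense forwards the packet to the ISP gateway instead of onto the
    LAN. The ISP routes that /27 straight back to pfSense, which forwards it
    out again, and the packet bounces until its TTL hits zero.
    """
    findings = []
    for dest, gateway in routes:
        dest_net = ipaddress.ip_network(dest, strict=False)
        gw_ip = ipaddress.ip_address(gateway)
        for iface, net in connected.items():
            if dest_net.subnet_of(net) and gw_ip not in net:
                findings.append({
                    "destination": dest,
                    "gateway": gateway,
                    "connected_via": iface,
                    "fix": f"delete the route; {dest} is reachable directly on {iface}",
                })
    return findings
```

The 216.185.64.6 route is not flagged because that host is not inside either connected pool, which matches the "particularly the 161" remark above.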
-
The only places I can think of that happening would be System: Gateways and/or a firewall rule interface gateway set to netoptiks… Without that there it wanted to route out ISP1...
-
Without that there it will route out whatever your default gateway is.