I can't get the stupid routing tables to work right!!!!!
-
Hey Everyone!
I am a new user to pfSense but proficient in networking. For whatever reason, I cannot get my network just the way I want it. It all works and I have internet access but I do not have all of the right communication set up. This is where I hope you networking gurus can help me out. I have attached my visio diagram as a picture for easy viewing so that everyone can follow along. SchurrNet is an Asus router. There is nothing in the WAN port. In the switch ports are the switch and my pfSense box. I do not know if this box needs any routing tables set up. Mancave wifi is a ddwrt router as well. Once again there is nothing in the WAN ports. In the switch ports is the uplink/downlink cable from SchurrNET and the 3 host systems. Here are the issues that I am having:
192.168.1.71 cannot ping 192.168.1.51 as you can see the separation of the routers prevents these from communicating
192.168.1.51 can ping 192.168.1.71 for whatever reason, I can ping from the Asus network down to the ddwrt network but not vice versa
If I run a tracert from 192.168.1.71 to 192.168.1.6 the only hop is to 192.168.1.6 and vice versa
Another issue that I am having is that none of my machines can access the 192.168.2.1 gateway for me to administer the router. To circumvent this, on 192.168.1.71 I have a virtual machine set up with an IP of 192.168.2.15. With this VM I am able to log into the router. Not ideal but it works.
I am almost 100% sure that it is a routing table issue but I am not sure where to start because technically I have three routers (I think).
Here is my pfSense configuration
- Default Firewall
- Snort (Every fricken detection rule I can find on WAN interface)
- Squid and Squidguard
- DHCP Server
-
192.168.1.71 cannot ping 192.168.1.51 as you can see the separation of the routers prevents these from communicating
this contradicts your quote below, you say your "router" is in switch-mode and should not provide separation:
Mancave wifi is a ddwrt router as well. Once again there is nothing in the WAN ports.
192.168.1.51 can ping 192.168.1.71 for whatever reason, I can ping from the Asus network down to the ddwrt network but not vice versa
this probably points out that "previous quote" is probably a client-firewall issue and has nothing to do with routing-tables.
If I run a tracert from 192.168.1.71 to 192.168.1.6 the only hop is to 192.168.1.6 and vise versa
i would hope so, yes
Another issue that I am having is that none of my machines can access the 192.168.2.1 gateway for me to administer the router. To circumvent this, on 192.168.1.71 I have a virtual machine set up with an IP of 192.168.2.15. With this VM I am able to log into the router. Not ideal but it works.
talking to a different subnet requires a router with an address in both subnets.
I am a new user to pfSense but proficient in networking
really ?
dictionary quote:
pro·fi·cient (prə-fĭsh′ənt)
adj.
Having or marked by an advanced degree of competence, as in an art, vocation, profession, or branch of learning.
n.
A person who exhibits such competence; an expert.
[Latin prōficiēns, prōficient-, present participle of prōficere, to make progress; see profit.]
pro·fi′cient·ly adv.
Synonyms: proficient, adept, skilled, skillful, accomplished, expert
These adjectives mean having or showing knowledge, ability, or skill, as in a profession or field of study. Proficient implies an advanced degree of competence acquired through training: is proficient in Greek and Latin.
Adept suggests a natural aptitude improved by practice: became adept at cutting the fabric without using a pattern.
Skilled implies sound, thorough competence and often mastery, as in an art, craft, or trade: a skilled gymnast who won an Olympic medal.
Skillful adds to skilled the idea of natural dexterity in performance or achievement: is skillful in the use of the hand loom.
Accomplished bears with it a sense of refinement after much training and practice: an accomplished violinist who played the sonata flawlessly.
Expert applies to one with consummate skill and command: an expert negotiator who struck a deal between disputing factions.
i'm trying very hard to be nice. but people claiming to be experts when in reality they are clearly NOT, annoy me, greatly.
i know i'll never be proficient or a guru in anything, and will never claim to be.
-
"proficient in networking"
"I have three routers (I think)."
"In the switch ports are the switch and my pfSense box. I do not know if this box needs any routing tables set up"
Clearly these statements are in complete contradiction of each other.
So you should have started off with something more along the lines of: I know what an IP address is but have no clue what a network segment is or routing.
Your mancave "router" has what looks like 192.168.1 on both sides? But its IP is 192.168.2? What are the masks you're using? I would assume you are natting there.. What exactly do you want to accomplish? Do you want your wifi on its own segment? What about your other locations, do you want them all on the same segment?
More than happy to draw this out for you but what is it you want to do.. Normal home setup would be one segment 192.168.1.0/24 – Use your old wifi routers as APs (turn off their dhcp) and connect them to your network via LAN port and set up their IPs on your 192.168.1.0/24 network with pfsense being the gateway.
Or you could break up the network into segments/vlans by location or function. I would suggest if you want to actually get "proficient" with networking you get some real switches that support vlans. And then possibly multiple nics for your pfsense. And then we can get all fancy like with your network ;)
-
Alright. Apparently we have some issues here. I will try to be nice but heper thank you for nothing you conceited douche. Johnpoz thank you for the reply although I could have done without the zing. Let me give y'all a little bit of background that might help iron things out here. I am a recent graduate, I have a degree in Network Administration. I apparently used a single word wrong which is "proficient". I think a better phrase would be that I am capable when it comes to networking. I shall respond point by point for clarity and hopefully this will help me get somewhere and y'all will be able to point me in the right direction. I apologize for my errors. It was early in the morning, I was tired and frustrated and may have missed some points.
Johnpoz - Thank you for trying to work with me here:
1) Proficient in networking - I apologize I shall rephrase as capable with networking. I meant to convey that I am not a newcomer, if you want to break down TCP/IP and transmission protocols I would be glad to but I do not think that is necessary.
2) I have three routers - pfSense is one, the Asus is a router but it is not configured as such, the DD-WRT router is a router as well but I am not sure what it should be used for. So yes, I have three devices that are capable of routing. I can change any settings as necessary.
3) Yes the Asus router is a router and devices are plugged into the switch ports. I am not able to communicate to my 192.168.1.71 computer so I am not sure where they are getting lost but I would assume that it would be the router ManCave.
-
Here is where we are getting somewhere, ideally, I would like to make the ManCave on its own subnet. The network would be 192.168.2.1/24 but I couldn't get the routing correct. This is the only network that I would like to be separate. I would still like to access my network shares hosted on 192.168.1.51 though. Even with my current setup I cannot access my network shares from 192.168.1.71 to 1.51.
-
I understand that I misused the word proficient, like I said it was early, I was tired and frustrated. The issue that I am having is that I am not dealing with routers and switches, I am dealing with these all-in-one devices and I for whatever reason have a hard time logically breaking it down in my head. If I had actual routers, managed switches, and switches I think I would be okay. These all-in-one devices have too many options and that is where I get jumbled up.
Heper - Why did you even bother to reply? The entire purpose of this forum is to get help. You literally (yes literally) provided no help at all so I am wondering why you felt the need to reply.
1) I did not say my router was in "switch mode" I also was throwing out the idea that maybe the ManCave router was preventing my 192.168.1.71 network from communicating with others.
2) Firewalls are not the issue. I have ICMP correctly set up to allow a ping to go through. My 192.168.1.51 box can ping 192.168.1.71 but not vice versa. I need to be able to access a network share from 1.71 to 1.51.
3) Physically, a tracert, would be going from 1.71, to the DD-WRT router (1 hop) to the asus router (2 hops) to the pfSense box (3 hops). That is why I thought it was strange I was only seeing one hop.
4) talking to a different subnet requires a router with an address in both subnets - Correct me if I am wrong but if routing is set up correctly this is not the case. Ideally I would be able to access a 192.168.2.0/24 network from my 192.168.1.0/24 network.
- Yes I touched on the fact that I used a single word wrong. I apologize for this misconception please forgive me. I was not claiming to be an expert which is exactly why I was asking from help from "gurus". If I were an expert I would not need help. So go ahead and be annoyed however I find it more annoying that you come on here high and mighty and literally do not provide any guidance and direction. You bash me for a page and quite frankly I do not appreciate this as it was not constructive.
Thank you all for your help I await your replies.
-
SchurrNet is an Asus router. There is nothing in the WAN port. In the switch ports are the switch and my pfSense box. I do not know if this box needs any routing tables set up. Mancave wifi is a ddwrt router as well. Once again there is nothing in the WAN ports.
most home-use routers by cisco/dlink/… can only route between WAN <--> LAN. so without using the wan port, there is no routing. If you don't disable the builtin dhcp, you have a switch that sends out dhcp-leases.
Also the same type of routers generally don't allow you to turn OFF NAT ... and also have very few options to deal with routing.
-
if you are sure that there are no firewalls then there is a different, more serious issue going on. ( no clue what without more detail about how exactly the shurnet/mancave routers are behaving)
-
a hop will only show up when you go through a router. by schematic & 1 it appears you only use the switch part of the devices … generally no hops on layer2 switches.
-
you are wrong. to route you do need an address in each subnet. it shouldn't be a problem to get from 192.168.2.1/24 --> 192.168.1.1/24 if you use the wan port on the bat-cave-router.
unless your dd-wrt is running on better than average hardware that allows all the ports to be configured individually ... you'll end up being forced to use the same 192.168.2.1/24 subnet in "wils room" unless you change your wiring or devices
-
3/4 of the page was (at least intended) guidance and direction and constructive, only 1/4 of the page was venting my annoyances .... but don't let it bother you too much, 'cause i'm just a "conceited douche" anyhow
-
Sorry about the frustration I was just having an issue finding out what was going on and I interpreted your remarks as snide and unhelpful. What you said about layer 2 made a lot of sense and helped me see why I was only getting one hop. As I mentioned before I have a hard time when they make these routers/switches/gateways/modems/VPN/proxy devices that aren't built to do even that much. I get lost in the options. If I were to configure the WAN port to connect to the Asus "switch" will I then need a route put into the ManCave router? Once again I really am sorry that I annoyed you with my question however I did get defensive. This was my first post on a forum like this, I was honestly looking for help, and the first reply back was slamming me. I look forward to more interactions.
-
" If I were to configure the WAN port to connect to the Asus "switch" will I then need a route put into the ManCave router? "
A downstream router like your network is currently somewhat drawn is really not in any way optimal. You would be hairpinning connections or you would have to set up host routes, or you would have to continue to nat, etc. Or you're going to create an asynchronous routing issue.
So when devices on 192.168.1.0/24 want to go to 192.168.2.0/24 what is their default route? Well that is pfsense IP on 192.168.1.6. So how does pfsense get to 192.168.2.0/24? Well it has to send to the mancave router's IP on the 192.168.1.0/24 network. So the client now on 192.168.2.0/24 sending traffic back does what.. Well he sends it back to the mancave router's 192.168.2.x address, mancave says oh look at that, you want to go to 192.168.1.x – I have that directly connected. And will just send that direct to the host IP.. Now that traffic did not go through pfsense and is going to cause you out of state issues with firewalling and is just wrong.
If you want to use a downstream router then you should use a transit network to get to that network, but this is still hairpinning if you only have 1 interface in pfsense.
You did not go into a lot of detail of what you're wanting to accomplish other than mancave being on 192.168.2.0/24 -- How I would do it is get a 2nd nic for pfsense and create the segment there. So you have the first drawing. This is 2 segments, wireless on 1 of them. Pfsense is your only "router" and allows you to firewall between segments.
Better yet would be to break it out into multiple segments where wireless is on its own segment and your different rooms or types of devices are all on their own segments.
If you really have your heart set on a downstream router then you need.. Why is beyond me, it is pointless to do such a thing in such a small setup and over complicates it. You would either have to nat which is really a double nat when going to the internet and makes access a pain since you have to forward ports, etc.
Or you need to setup a transit network so you don't have asynchronous routing.. See 2nd drawing with downstream and transit segment
So for example with transit network pfsense would have IP of 172.16.0.1/30 and Asus interface in the transit network would have say 172.16.0.2/30
Or you can just put your asus into normal NAT wifi router mode and then if you want to get to 192.168.2.0/24 network you really go to asus IP in 192.168.1.0/24 and forward traffic to what you want behind it. When devices from 192.168.2.0/24 talk to devices on 192.168.1.0/24 they look like they are coming from asus wan IP.. Just like what happens when your natting to the internet from your private to your public IP.
The first drawing is your best option. You just need another nic in pfsense, which can be had for less than 20$ I am sure for gig.
edit: as to "and the first reply back was slamming me" welcome to the harsh mistress of the internet ;) You will find many people willing to help, but if you're going to call yourself "proficient" in a field that many of us here do professionally and for years and years and work every day trying to stay current, etc. etc.. You better not come off like an idiot or you're going to get slammed every single time! To be honest from your statements I find it unlikely you understand tcp at the bit level.. If so you went completely backwards.. Normally you would understand basics like routing and switching, natting, etc before you start looking at what makes up a frame for example ;)
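To make the asymmetric-routing argument above concrete (and heper's earlier point that routing needs an address in each subnet), here is an added example that is not from this thread, pfSense, or DD-WRT: a small longest-prefix-match simulation of the three layouts johnpoz describes. It uses the thread's addresses (192.168.1.51, 192.168.2.15, pfSense at 192.168.1.6, the 172.16.0.0/30 transit network) and assumes 192.168.1.2 for the mancave router's address on the 192.168.1.0/24 side, which the thread never states. It traces the forward and return path of one conversation and reports which device sees only one direction, which is exactly the node whose stateful firewall would drop the reply as "out of state".

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple


class Node:
    """A host or router: interface addresses plus a static routing table.

    routes holds (destination network, next-hop address). A next hop of None
    means "directly connected", so the packet is handed straight to the
    destination host. Each interface's own network is added as connected.
    """

    def __init__(self, name: str, interfaces: Sequence[str],
                 routes: Sequence[Tuple[str, Optional[str]]] = ()) -> None:
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(net), ipaddress.ip_address(nh) if nh else None)
                       for net, nh in routes]
        for iface in self.interfaces:
            self.routes.append((iface.network, None))

    def owns(self, addr) -> bool:
        return any(iface.ip == addr for iface in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match; returns the address the packet is handed to."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        return best[1] if best[1] is not None else dst


def trace(nodes: Dict[str, Node], src: str, dst) -> List[str]:
    """Follow each node's routing decision from src until the owner of dst is reached."""
    owner = {iface.ip: node for node in nodes.values() for iface in node.interfaces}
    current, path = nodes[src], [src]
    for _ in range(16):  # guard against routing loops
        if current.owns(dst):
            return path
        nh = current.next_hop(dst)
        if nh is None or nh not in owner:
            return path + ["<unreachable>"]
        current = owner[nh]
        path.append(current.name)
    return path + ["<loop>"]


def analyse(nodes: Dict[str, Node], a: str, b: str) -> Tuple[List[str], List[str], bool]:
    """Forward path a->b, return path b->a, and whether they are mirror images."""
    fwd = trace(nodes, a, nodes[b].interfaces[0].ip)
    rev = trace(nodes, b, nodes[a].interfaces[0].ip)
    return fwd, rev, fwd == rev[::-1]


def one_way_only(fwd: List[str], rev: List[str]) -> List[str]:
    """Nodes on only one of the two paths: a stateful firewall there sees half a flow."""
    return sorted(set(fwd) ^ set(rev))


# Constructed hosts: the 192.168.1.51 share box and the 192.168.2.15 VM from the thread.
HOST_A = ("host51", ["192.168.1.51/24"], [("0.0.0.0/0", "192.168.1.6")])  # default gw = pfSense
HOST_B = ("host15", ["192.168.2.15/24"], [("0.0.0.0/0", "192.168.2.1")])  # default gw = its router


def downstream_no_transit() -> Dict[str, Node]:
    """Current drawing: pfSense routes 192.168.2.0/24 via the mancave router's
    192.168.1.0/24 leg (192.168.1.2 is an assumed address, not from the thread)."""
    return {
        "host51": Node(*HOST_A),
        "pfsense": Node("pfsense", ["192.168.1.6/24"], [("192.168.2.0/24", "192.168.1.2")]),
        "mancave": Node("mancave", ["192.168.1.2/24", "192.168.2.1/24"]),
        "host15": Node(*HOST_B),
    }


def downstream_with_transit() -> Dict[str, Node]:
    """Second drawing: a /30 transit net between pfSense and the downstream router,
    whose default route points back at pfSense."""
    return {
        "host51": Node(*HOST_A),
        "pfsense": Node("pfsense", ["192.168.1.6/24", "172.16.0.1/30"],
                        [("192.168.2.0/24", "172.16.0.2")]),
        "mancave": Node("mancave", ["172.16.0.2/30", "192.168.2.1/24"],
                        [("0.0.0.0/0", "172.16.0.1")]),
        "host15": Node(*HOST_B),
    }


def second_nic() -> Dict[str, Node]:
    """First drawing: pfSense owns both segments; it is the only router."""
    return {
        "host51": Node(*HOST_A),
        "pfsense": Node("pfsense", ["192.168.1.6/24", "192.168.2.1/24"]),
        "host15": Node(*HOST_B),
    }


if __name__ == "__main__":
    for label, topo in [("downstream, no transit", downstream_no_transit()),
                        ("downstream + transit /30", downstream_with_transit()),
                        ("second NIC on pfSense", second_nic())]:
        fwd, rev, sym = analyse(topo, "host51", "host15")
        print(f"{label}: {' -> '.join(fwd)} | back: {' -> '.join(rev)} | symmetric={sym}")
        if not sym:
            print("  sees only one direction:", one_way_only(fwd, rev))
```

Running it shows the no-transit layout sending 192.168.1.51 -> pfSense -> mancave -> 192.168.2.15 but returning 192.168.2.15 -> mancave -> 192.168.1.51, so pfSense only ever sees the outbound half; both the transit-network and the second-NIC layouts give mirror-image paths.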
-
I have no idea why I did not think of adding another NIC to pfSense. That is clearly the better solution. Thank you for your time and patience. Sorry we got off to a bad start. Like I mentioned I am a recent graduate so still getting feet wet. There are certain things that I haven't had experience with yet so your last explanation there made the world of a difference to me. I have purchased a new NIC card and will be adding it to my box. Thank you for the help I will work on my terminology for next time.
~Wil
-
Dry feet and wet behind the ears…
We have all been there.
Is the stupid routing table working yet?
-
I think I will be good to go. I am going to go with johnpoz's suggestion here and add another NIC to my PFSense box and route it all that way. I can handle it all from here. Thank you for the help.
-
U Dutch by any chance?
( ;D )
Two people who know things, albeit perhaps not with a 'degree in networking', are kind enough to try to help you, even though they could have gone to watch TV and sip beer too.
And yes, some people, when somebody comes in who claims to sit on a high horse yet, despite his degree in networking, asks for rather basic stuff, will respond to that the way John & Heper did. People are different, it is called 'diversity'.
That's why I asked if you by any chance are Dutch, if you catch me :P
It often helps not to call people bad names if you need their kind and generous free help.
-
I saw the title and knew I'd be getting a laugh out of this post.