Routing between two LANs

Derelict

@ebdjimenez:

I agree. The problem here is that the routers in place do not have 3 interfaces or additional card slots and the owners are very "frugal" to say the least. We figured it would be more expensive to replace them then it would be to add a cheap PFS box.

Add two cheap pfSense nodes with three interfaces and ditch the gear that doesn't have the interfaces to do what you need to do.  Or investigate a couple cheap managed switches and use VLANs for LAN and TRANSIT.

I assumed a static route (i.e. 192.168.2.0/24 to 192.168.1.3) on each GW would take care of the problem with hosts sending traffic to their default GW. And traffic does get routed between the two buildings as I can ping. However, I took a look at the firewall logs and it appears that traffic between the two subnets is being blocked by a "Default deny rule IPv4". I've gone over the firewalls rules (there aren't many) and do not see anything that would cause such blocked traffic. Attached is a picture of the Firewall logs.

Unsound design.  Route your traffic properly, not hairpinning in then back out of the same interface.

If you simply MUST do it that way:

System > Advanced > Firewall/NAT tab

Enable this: Static route filtering - Bypass firewall rules for traffic on the same interface

ETA - That will have to be done using whatever mechanisms the two existing routers have.  It is unclear whether those are pfSense.

Guest

If that's the case then I will try to convince ownership to transition to Ubiquity dishes,
as I have some experience with those.

This would be the right way as I see it right, there fore nothing can be going false.
UBNT is offering Point-to-Point bridges easy to configure with 150 MBit/s, 300 MBit/s and 450 MBit/s throughput.

johnpoz

I don't know what country these people are in talking about equal electric potential in the building from running a ethernet cable between them..  I think they are high on something to be honest, have never in my life heard of such a thing.. Please point to sources where this is an issue with fire harzard or insurance.. Clearly this should be plainly document everywhere if that was the case.. You know how many buildings have network connections between them!!

How exactly did you connect these 2 buildings.  I would assume if part of the same company and area they share electrical connections and water connections, etc. etc..  Or is the cable laying on the ground?  Who installed this cable?  I would assume you get a certified installer, etc. Or did you run it?

If you can not get a 3rd nic in each pfsense - so there are no slots? nics can be had for $10 for gosh sake..  Dual port nics can be had for like < $50 to replace the nic in there now so you have an extra port.  Then run vlan off your current pfsense lan interfaces and use that as your transit network.

There is no freaking way your putting in a unifi point to point bridge for cheaper than adding a couple of nics ports.  Who is going to install them for you correctly - that sure is not FREE ;)  Unless your going to do it yourself and not charge the customer..  Them being so cheap and all.  Even if you went for the ptp 450mbps setup – you could buy 2 new screaming direct from pfsense routers with enough interfaces so that you could do it for less than the cost of that setup and now you would have gig between the building..

You already have the wire run right - how long is this run?  Since you say ethernet and not fiber it has to be short less than 100m

Guest

I don't know what country these people are in talking about equal electric potential in the building from running a ethernet cable between them..

This is no special network knowledge, but more common electric knowledge over this electric potential equalization or shielding and if both sites get connected to the entire electric shielding of the buildings
(16 mm min.) this theme could be really easy sorted or right handled. I am from Germany and if those
work is not done by peoples who learned this job ended with a given certification, insurances in Germany
would not pay for problems generated by or based on this cabling and I am pretty sure that in many
other European countries the same situation would be exactly like that!

I think they are high on something to be honest, have never in my life heard of such a thing.

But this can not be our problem that you never heard from something!

Please point to sources where this is an issue with fire harzard or insurance..

Easily call any German insurance and ask them, for this special case; that a non learnt electrician
is doing a cabling between two buildings, if they would pay for any problems resulting on this cabling.

Clearly this should be plainly document everywhere if that was the case.. You know how many buildings have network connections between them!!

I really don´t know your country but if I am using Google.de for sure I am a naturally german speaking
person and I get something around ~19.200 hits over this theme it might be that you get also some hits
over your Google.xyz and in your language! One of the best links I found and also I am often linking to
is this one 2 buildings with LAN connection

Search words in german were: "Potentialausgleich zwischen Gebäuden Netzwerk" this is in english like
"electric potential equalization between buildings network"

By the way with the search words "electric potential equalization between to buildings" I got
3.950.000 so nearly ~4 million hits on this theme over Google.co.uk and with the search words
"electric potential equalization network between to buildings" are nearly ~600.000 hits will be
shown on this theme.

So documents are out there and if an electric weather strike hits a coper cable that is lightening
this power in one or more buildings might be not coming true every day and yes this building must
not burn really down, but that there is a potential danger that this is able to come true should not be
discussed in a firewall forum as I see it right.

There is no freaking way your putting in a unifi point to point bridge for cheaper than adding a couple of nics ports.

• coper cable
• fiber cable
• WLAN
• VPN

So if the coper is not earthed or grounded proper, fiber cable is to high in price, vpn is to lame or slow
the or one accurate choice will be WLAN for sure why not?

jahonix

With different ground potentials between buildings you will create hum loops, leading to slow or unreliable data transmissions. This is physically given, not an option.
And that's when isolation by fibre or air-waves is to be used.

My home has an old and a new building, both with their own power distro. (Don't ask, was done before I married in).
Uplinks between switches in different parts of the building are isolated by fibre because of this very reason.

ebdjimenez

@Derelict:

@ebdjimenez:

I agree. The problem here is that the routers in place do not have 3 interfaces or additional card slots and the owners are very "frugal" to say the least. We figured it would be more expensive to replace them then it would be to add a cheap PFS box.

Add two cheap pfSense nodes with three interfaces and ditch the gear that doesn't have the interfaces to do what you need to do.  Or investigate a couple cheap managed switches and use VLANs for LAN and TRANSIT.

I assumed a static route (i.e. 192.168.2.0/24 to 192.168.1.3) on each GW would take care of the problem with hosts sending traffic to their default GW. And traffic does get routed between the two buildings as I can ping. However, I took a look at the firewall logs and it appears that traffic between the two subnets is being blocked by a "Default deny rule IPv4". I've gone over the firewalls rules (there aren't many) and do not see anything that would cause such blocked traffic. Attached is a picture of the Firewall logs.

Unsound design.  Route your traffic properly, not hairpinning in then back out of the same interface.

If you simply MUST do it that way:

System > Advanced > Firewall/NAT tab

Enable this: Static route filtering - Bypass firewall rules for traffic on the same interface

ETA - That will have to be done using whatever mechanisms the two existing routers have.  It is unclear whether those are pfSense.

Thanks for all the replies and guidance. This solved my problem temporarily. I've learned quite a bit while researching the comments in this thread.

We are going to replace the two routers with ones that have 3 interfaces, we would only need 1 more at this point. I've spoken with ownership and they are not concerned about the possible electrical issues, as the lines were installed underground by Verizon. (Can't say I didn't warn them)

Thanks again.

jahonix

@ebdjimenez:

I've spoken with ownership and they are not concerned about the possible electrical issues, as the lines were installed underground by Verizon.

That's funny because owners usually are not technically savvy to a point where they may decide this - because it's beyond their knowledge.

Anyway, if a company like Verizon installed the cables then chances are that they grounded both ends properly. You should examine this.
Code says you must use one common ground per building and only one.
Good luck with nearby lightning, maybe you should have a spare NIC handy…

chpalmer

Please point to sources where this is an issue with fire harzard or insurance..

A lightning strike nearby might change your position on this.

Look up Motorola R56 standards. Its stated there for my line of work.

Derelict

Motorola. What do they know.

Great document. Thanks. Filed so it'll come up in spotlight searches.

jahonix

Thanks, chpalmer, great document to read and keep as reference.
I am born, raised and based in Germany so not everything applies here. But the basics are always right.