Netgate Discussion Forum

Interface Route to local IP

Routing and Multi WAN
24 Posts 5 Posters 2.6k Views
DaHai8

      Ok, normally Lan3 would go out the WAN to get to the internet, right?
      Instead, it would work something like this:
      Lan3 -> Lan1 (computer) -> WAN

I'm sorry I'm not being very clear.

johnpoz LAYER 8 Global Moderator

You're being clear – but there is ZERO point to doing this... WHY would you want/need to do this? It is freaking pointless!!!  Are you wanting to run some sort of proxy on this box on lan 1?

        What is the point of sending traffic to lan 1 computer to just get to the same internet connection??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

DaHai8

          There is a point, but that's not the issue. Can this be done? How? Where can I find out how to do this?
          Thanks.

johnpoz LAYER 8 Global Moderator

Find out how to do what.. Are you running a proxy, are you running a vpn on this box?  You have to run something on this box, or even if you send it traffic it's not going to do anything with it.

Without some understanding of what you're trying to accomplish, no, it's not possible…


BluBoy

Could this be achieved by setting the DHCP default gateway for the LAN3 Network to be the IP of the LAN1 Host?
              LAN1 host would then need to be able to forward those packets on to the internet after you have done whatever you are trying to do.

              If you are looking at an IDS type solution, I'd highly recommend looking into a switch that can mirror ports (SPAN PORTS) instead.

DaHai8

                Thanks!
                I will give that a try.
                I was thinking it was a custom Route, but your suggestion sounds logical.

Derelict LAYER 8 Netgate

Instead of being evasive, how about telling us what you are trying to do? Routing to the LAN1 host is easy. What it does with the traffic might not be.

Create a gateway on LAN called LAN1_HOST with the IP address of LAN1 Host.

Policy route LAN3 traffic to LAN1 host.

"I want it to be routed to the computer on LAN1, and then go to the Gateway."

The "and then go to the Gateway" part is up to that host. What it does with the traffic is outside the scope of the firewall.

"Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host."

No, because the LAN1 host is not on the same subnet as the LAN3 hosts. They will have no idea where to send the traffic to get to LAN3 even if they do accept that as the gateway.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

DaHai8

                    Under System / Routing / Gateways:
                    Enabled: LAN1_Host / LAN1 / 192.168.1.4

                    In Firewall / Rules / LAN2, there is no option to specify the Gateway.
                    :(

KOM

                      It's under the Advanced options for the rule, I believe.

Derelict LAYER 8 Netgate

                        Where did LAN2 come from?

                        Match the traffic coming into LAN1 and set the gateway under advanced on that rule.


DaHai8

                          Sorry about that - meant to say LAN3

I thought using numbers instead of my assigned names would make it easier for everyone, but instead it's just got me confused.
                          From now on in all my posts (hopefully not many more :)…) I will refer to them by the assigned names so I don't get confused and muck up everything...again.
                          LAN1 = SIF
                          LAN2 = THOR
                          LAN3 = LOKI

I seem to be having lots of problems with SIF since I changed it from 192.168.1.x to 192.168.4.x as I was double-NAT'd. I've since removed that other NAT device and am now single-NAT'd with pfSense. Therefore, I've set SIF back to 192.168.1.x, but it still seems to be messed up.

The DHCP service on SIF is not talking to anyone. I've posted a message in the DHCP/DNS forum asking for help as I cannot seem to get it working now:
                          https://forum.pfsense.org/index.php?topic=121772.0

                          Maybe once I get that sorted out, my route from LOKI to 192.168.1.4 (Wormhole) will work.

                          I'm also building a new Wormhole to test with because I can't even PING the old Wormhole no matter what Interface I put it on (if different than the Ping Sender's)
                          https://forum.pfsense.org/index.php?topic=121748.0

Ugh, what a mess I've made…I really do very much appreciate everyone's help!

johnpoz LAYER 8 Global Moderator

What are you doing dude.. Completely agree with you here:

"Ugh, what a mess I've made.."

Do you understand the hairpinning that would be going on in this network??  So in going to the internet, follow your path..

lanPC -> langw -> out lan3gw -> in wormhole -> out wormhole -> in lan3gw

How does your traffic expect to get back now??  Because if you don't go through your wormhole it's asymmetrical, and your firewall will kill any states it sees no traffic on once it hits its timeout, etc..

So yeah, what a mess..

Let's try this again - if you actually explain what you want to accomplish we can go over the options for doing whatever it is you're wanting to do..  Without a borked up pile of crap!!


DaHai8

                              So, two steps forward, one step backwards

My Pi VPN/SSL Client is working on 192.168.1.4 and connects to the VPN/SSL Server just fine.
                              But…you knew there'd be a 'but'...

                              When I enable the Policy Route and Upstream Gateway, it (the Pi) cannot connect to the VPN/SSL Server anymore.
                              It just initiates, and then gets a soft reset, and tries again - infinitely...

                              So here's how I implemented Derelict's instructions (the Route was Enabled before when I did the test, as was the upstream gateway):

                              What did I screw up this time??

DaHai8

                                johnpoz,

                                I have a WiFi AP (192.168.3.2) on Loki Interface (192.168.3.1)
                                Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
                                That data is sent to the OpenVPN/SSL Server somewhere 'out there'

                                My issue is getting Loki WiFi AP connections to the OpenVPN/SSL Client.

                                That's it in a nutshell

DaHai8

                                  Ok, I googled around and found this web site that talks about pretty much what I'm trying to do. They set up the VPN Gateway on the same subnet as all the clients (I didn't think you could do that!)
                                  http://ozcan.com/blog/en/setting-up-vpn-gateway-with-raspberry-pi

                                  So I put my Pi on Loki (192.168.3.x) and set it as follows:
                                  IP Address: 192.168.3.3/24
                                  Gateway: 192.168.3.1

                                  I set this up in iptables:

# NAT the LOKI clients' traffic out through the OpenVPN tunnel interface
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# NAT traffic leaving via the LAN interface as well (see note below)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

While the above web site does not mention the second iptables setting, if I don't include it, the Pi randomly aborts the SSH connection.

                                  I then SSH'd into my Pi while on the Loki Interface and verified that the VPN Client was connecting to the VPN Server and working properly (it was)

                                  So then I tried to set up the Pi as the new Gateway for Loki using the following setting in pfSense:


                                  However, now with all that in place, when I'm connected on the Loki Interface, I cannot get to the VPN Server - regular Web Sites don't work either. The Web Browser just reports "No Internet Connection".

I feel like I'm really close. It's probably some setting not right in pfSense.

                                  Thank you all for sticking with me on this - I really do appreciate it!!

Any ideas/suggestions on what I've mis-configured are greatly welcome!!!

johnpoz LAYER 8 Global Moderator

"Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
That data is sent to the OpenVPN/SSL Server somewhere 'out there'"

So you want your traffic to go to a vpn??  Why would you not just set up this vpn connection in pfsense???  Openvpn client, Policy route = done!!  2 freaking minutes.  No asymmetrical routing, no hairpinning, no other boxes/devices needed..

Then you could route any of your segments to this vpn, you could route just specific hosts, you could route just specific dest traffic…

You keep saying openvpn/ssl - and you brought up stunnel in your other thread??  So is this vpn connection an openvpn one or stunnel based?  Stunnel will run on pfsense.. You're going down the WRONG PATH trying to set up devices to route to a host on their own network or a different local network..  The proper way to do this sort of stuff is at the edge of your network, not internally.  If done on some internal box you either end up with messy hairpins best case, or hairpins and asymmetrical routing at best.  Even when you do this on a transit network to remove the asymmetrical routing issues you end up hairpinning..

Why can you not just do this the simple, easy, less complex way by running the vpn connection on pfsense and then policy routing the devices on your network you want to use this vpn connection??

If you have more than 1 public IP you could run it on some other box via a transit network connection to pfsense without hairpin..


DaHai8

I'll say it again: OpenVPN over SSL. I don't know how much clearer I can be. Google it.

So, no, it's not just 'boom' done in pfSense, as there is no web interface for stunnel.

                                      I took the 192.168.3.3 ip address out of the Loki_VPNHost Rule and I am not able to get to the VPN Server from clients connected on that Interface (Loki/192.168.3.x)

                                      I have some DNS issues to address, but it's almost there!

                                      Hopefully you'll never have to hear from me again (ha. fat chance)

DaHai8

                                        Well, there are two issues:

1. The VPN won't connect if the LOKI_VPNHOST Rule is active. Once the VPN is connected, then I can activate that Rule. But if the VPN link goes down, it can't reconnect.

                                        2. The Traffic over LOKI is redirected through the VPN, but the DNS lookup is not. So I need to be able to set the DNS Resolver to go through the VPN link

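Issue 1 above follows from first-match policy routing: a LOKI_VPNHOST rule whose source is the whole LOKI subnet also matches the Pi's own OpenVPN packets, so pfSense hands them straight back to the Pi and the tunnel never reaches the WAN. The Python model below is added here as an illustration (it is not code from the thread or from pfSense); it evaluates an interface's pass rules the way pf's first-match "quick" rules behave, shows the self-forwarding loop, and then two rule sets that exempt the Pi. The rule names other than LOKI_VPNHOST and the upstream gateway address are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One pass rule on an interface: a source match plus an optional policy-route gateway."""
    name: str
    src: str                    # CIDR or single host address
    gateway: Optional[str]      # None = forward by the system routing table
    invert_src: bool = False    # models the 'Invert match' box on the rule's source


def src_matches(rule: Rule, src_ip: str) -> bool:
    hit = ip_address(src_ip) in ip_network(rule.src, strict=False)
    return hit != rule.invert_src


def next_hop(rules: List[Rule], src_ip: str, default_gw: str) -> Optional[str]:
    """First matching pass rule wins. Returns the gateway the packet is sent to,
    or None when no rule passes it (pfSense's implicit deny)."""
    for rule in rules:
        if src_matches(rule, src_ip):
            return rule.gateway or default_gw
    return None


def forwards_to_self(rules: List[Rule], host: str, default_gw: str) -> bool:
    """True when a host's own packets are policy-routed back to itself: the loop
    that keeps the Pi's VPN client initialising, resetting and retrying."""
    return next_hop(rules, host, default_gw) == host


PI = "192.168.3.3"          # the Pi running the VPN client, from the thread
LOKI_NET = "192.168.3.0/24"
WAN_GW = "203.0.113.1"      # constructed upstream gateway, not from the thread

# Rule set as first implemented: all of LOKI, the Pi included, is sent to the Pi.
LOOPING = [Rule("LOKI_VPNHOST", LOKI_NET, PI)]

# Fix 1: an earlier pass rule (hypothetical name) lets the Pi's own traffic
# follow the normal route, so its tunnel can egress via the WAN.
EXEMPT_PI = [
    Rule("LOKI_VPN_CLIENT_EGRESS", PI, None),
    Rule("LOKI_VPNHOST", LOKI_NET, PI),
]

# Fix 2: one rule with source 'not 192.168.3.3' (Invert match), followed by a
# plain pass rule (hypothetical name) so the Pi itself is still allowed out.
INVERTED = [
    Rule("LOKI_VPNHOST", PI, PI, invert_src=True),
    Rule("LOKI_ALLOW_ALL", LOKI_NET, None),
]
```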
DaHai8

                                          I think I have it all working now!!!
                                          I disabled the Gateway rule and just set the gateway for Loki on the DHCP Loki Interface.
                                          I also set the specific DNS servers on that page as well.
                                          The Pi likes it too - no more failed connecting.
                                          Awesome!!!

                                          Thanks everyone again for all your help!!!

johnpoz LAYER 8 Global Moderator

"it's not just 'boom' done in pfSense as there is no web interface for stunnel."

So you seem to be able to do iptables via config file - but stunnel is too hard??

Working as an asymmetrical hairpinning nightmare.. Have fun with that mess!!  WTF..

Simple search, and here look to be instructions on bringing up stunnel on pfsense inbound:
https://forum.pfsense.org/index.php?topic=109873.0

I show a newer version here http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/stunnel-5.37,1.txz vs the one in that thread.

I'll tell you for sure the time needed to create this sort of connection would have been a fraction of the mess you have!!

