Two gateways, two subnets, one internet, subnet connectivity issue
-
The local and remote site are backwards in respect to the hardware being used (pfsense vs ddwrt).
Are you suggesting to still hook the wireless bridge up on the remote site to a WAN port or to a LAN port?
-
I have not used DDWRT in a long time so I'm unfamiliar with the options. Do you have the ability to create an OPT type port on the DDWRT side?
-
I can unbridge one of the physical ports and I believe assign it a new IP.
Can I load pfsense on this DDWRT router? or is there a better option. It is a WRT320N (V1) router.
-
Yea that's probably what you're looking for.
I still think an IPSEC tunnel between the sites where the phase two protocol set to AH is your best option. That way you avoid the NAT issue and port forwarding issues.
I'm pretty sure DDWRT supports IPSEC but I couldn't tell you how to set it up. Optimally, it'd be best if you could put a pfSense device on the remote site. All you'd need is a spare PC with two NIC ports.
-
That'd be nice. I'm fresh out of NIC ports and extra PCs. I've utilized just about every piece of hardware I have owned over the last 15 years in the current networks on both sides.
I am unfamiliar with IPSEC. I want to run OpenVPN with a VPN service on the pfsense side. Can I do the IPSEC and have the OpenVPN/VPN service simultaneously?
-
I don't see why you couldn't. There's no overlapping ports.
You'd just have to make sure the pfSense box is strong enough to do the encryption/decryption for both IPSEC and OpenVPN at the same time. Though if you setup the IPSEC phase two entries with just AH, the CPU impact would be far less.
-
Seems like there should be a simpler solution than IPSEC for LAN communication. I'm just baffled, I figured connecting two subnets would have been much simpler.
-
It really is simple. You don't have to use IPSEC, I was only suggesting it because I thought that would be the easiest solution in this case.
In reality, the only difficult part of this is the DDWRT setup because I'm unfamiliar with it.
If you could figure out how to not use the WAN port (to avoid NAT) on the DDWRT side, you'd just set it up like how I have in the picture and then add the rules to deny/allow the types of traffic you want pass between the two networks.
Edit:
This might be even better: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=78029
-
Thanks, I'm reading the link now.
The WAN port from the PFsense machine is connected to the LAN on the DDWRT. Just in case there was confusion. I do have a third router with DDRWT on it as well if that router could simply handle the routing between the two subnets, but it seems like that would be redundant.
-
I kind of figured you might run into that error. I'm thinking something like this might work:
http://i.imgur.com/95ouWv4.jpg
I accidentally deleted my post with it originally.
jamesonp, the design is sound, but the interfaces on the transit network have to be on the same network. i.e. the OPT interfaces would need to be 172.16.0.1/30 and 172.16.0.2/30 then adjust the static routes accordingly.
Then when I go to change the WAN to static and assign it an IP of 192.168.1.254, I get the following error in pfsense: This IPv4 address conflicts with a Static Route.
I'm guessing you forgot to remove your old route sending 192.168.1.0/24 to 192.168.1.1? That would be the reason for the conflict.
Also, after doing some more research, if you use my suggestion, the inter-connectivity between the sites would work, but we would still need to use policy routing to get LAN 2 to the internet. Which is fine, but it's an extra step. In your specific case, all we really needed to do from the beginning is disable outbound NAT (Firewall -> NAT -> Outbound -> check Disable Outbound NAT) which turns PFsense into a routing only firewall and put an any/any rule on the interface connected to the bridge.
Another option is to disable both NAT and the firewall which turns PFsense into a routing only platform:
System -> Advanced -> Firewall & NAT -> check Disable all packet filteringI apologize for missing these steps. This could've been a much shorter thread :)
-
Thanks, I'll give it a shot today. Possibly this morning if I can find time before work. I'll post back.
-
I tried the following as it seemed like the simplest test.
Another option is to disable both NAT and the firewall which turns PFsense into a routing only platform:
System -> Advanced -> Firewall & NAT -> check Disable all packet filteringI have now deleted an firewall rules that I've created and same went for routing tables on the pfSense box. When I did the above, I lost internet connectivity AND access to the router on the other side of the wireless bridge. I still have a route on the DDWRT router to the pfsense gateway and 192.168.5.0 subnet. What am I missing as that seems like it should do the trick. I still had local access to the 192.168.5.0 clients though, that was good.
-
You now need a default route @ LAN 2 pointing back to LAN 1 (192.168.1.1).
You also need to verify that the static route @ LAN 1 is pointed at the current IP configured @ LAN 2. (i.e. if the LAN 2 interface is 192.168.1.254, then the route should be destination 192.168.5.0/24 gateway 192.168.1.254)
-
Ok, so I did this:
System -> Advanced -> Firewall & NAT -> check Disable all packet filtering
WAN was set to 192.168.1.254
Default Gateway on wan is set to: 192.168.1.1Still nothing. I am on the 192.168.5.0 subnet doing all this and once I make those changes I can't access the internet. On LAN1 I have confirmed that I DO have the static route pointing at the WAN IP provided above.
Is there something that needs to be set on LAN2 pfsense box to tell the LAN on that box to communicate with the WAN since all NAT/Filtering is disabled?
-
Check your routing table, what is the gateway of the default route? Diagnostics -> Routes. Post a screen shot if you can.
-
I've been using .112 instead of .254 :) My static routes on LAN1 match this.
 -
Can you ping 192.168.1.1? Can you ping 8.8.8.8?
-
I doubt it, but I'll change the configuration back right now and let you know.
-
Ping on both was 100% failure.
-
Can you post a network map of how things are currently connected?
Also, what default gateway are your clients using on the PC's?
What happens when you ping 192.168.1.1 from PFsense itself?