Netgate Discussion Forum

Two gateways, two subnets, one internet, subnet connectivity issue

General pfSense Questions
66 Posts 4 Posters 13.7k Views
    marvosa, Feb 2, 2017, 2:05 PM (last edited 2:53 PM)

    @jamesonp:

    > I kind of figured you might run into that error.  I'm thinking something like this might work:
    >
    > http://i.imgur.com/95ouWv4.jpg
    >
    > I accidentally deleted my post with it originally.

    jamesonp, the design is sound, but the interfaces on the transit network have to be on the same network, i.e. the OPT interfaces would need to be 172.16.0.1/30 and 172.16.0.2/30; then adjust the static routes accordingly.

    > Then when I go to change the WAN to static and assign it an IP of 192.168.1.254, I get the following error in pfSense: This IPv4 address conflicts with a Static Route.

    I'm guessing you forgot to remove your old route sending 192.168.1.0/24 to 192.168.1.1?  That would be the reason for the conflict.

    Also, after doing some more research, if you use my suggestion, the inter-connectivity between the sites would work, but we would still need to use policy routing to get LAN 2 to the internet.  Which is fine, but it's an extra step.  In your specific case, all we really needed to do from the beginning is disable outbound NAT (Firewall -> NAT -> Outbound -> check Disable Outbound NAT), which turns pfSense into a routing-only firewall, and put an any/any rule on the interface connected to the bridge.

    Another option is to disable both NAT and the firewall, which turns pfSense into a routing-only platform:
    System -> Advanced -> Firewall & NAT -> check Disable all packet filtering

    I apologize for missing these steps.  This could've been a much shorter thread :)

      Live4soccer7, Feb 2, 2017, 4:04 PM

      Thanks, I'll give it a shot today. Possibly this morning if I can find time before work. I'll post back.

        Live4soccer7, Feb 2, 2017, 4:39 PM

        I tried the following as it seemed like the simplest test.

        > Another option is to disable both NAT and the firewall which turns PFsense into a routing only platform:
        > System -> Advanced -> Firewall & NAT -> check Disable all packet filtering

        I have now deleted any firewall rules that I've created, and the same went for routing tables on the pfSense box. When I did the above, I lost internet connectivity AND access to the router on the other side of the wireless bridge. I still have a route on the DD-WRT router to the pfSense gateway and the 192.168.5.0 subnet. What am I missing, as that seems like it should do the trick? I still had local access to the 192.168.5.0 clients though, that was good.

          marvosa, Feb 2, 2017, 5:20 PM (last edited 5:41 PM)

          You now need a default route @ LAN 2 pointing back to LAN 1 (192.168.1.1).

          You also need to verify that the static route @ LAN 1 is pointed at the current IP configured @ LAN 2.  (i.e. if the LAN 2 interface is 192.168.1.254, then the route should be destination 192.168.5.0/24 gateway 192.168.1.254)

            Live4soccer7, Feb 2, 2017, 5:47 PM

            Ok, so I did this:

            System -> Advanced -> Firewall & NAT -> check Disable all packet filtering

            WAN was set to 192.168.1.254
            Default Gateway on wan is set to: 192.168.1.1

            Still nothing. I am on the 192.168.5.0 subnet doing all this and once I make those changes I can't access the internet. On LAN1 I have confirmed that I DO have the static route pointing at the WAN IP provided above.

            Is there something that needs to be set on LAN2 pfsense box to tell the LAN on that box to communicate with the WAN since all NAT/Filtering is disabled?

              marvosa, Feb 2, 2017, 5:57 PM

              Check your routing table, what is the gateway of the default route?  Diagnostics -> Routes.  Post a screen shot if you can.

                Live4soccer7, Feb 2, 2017, 6:04 PM

                I've been using .112 instead of .254 :) My static routes on LAN1 match this.

                ![route table.png](/public/imported_attachments/1/route table.png)

                  marvosa, Feb 2, 2017, 6:07 PM

                  Can you ping 192.168.1.1?  Can you ping 8.8.8.8?

                    Live4soccer7, Feb 2, 2017, 6:09 PM

                    I doubt it, but I'll change the configuration back right now and let you know.

                      Live4soccer7, Feb 2, 2017, 6:11 PM

                      Ping on both was 100% failure.

                        marvosa, Feb 2, 2017, 6:16 PM

                        Can you post a network map of how things are currently connected?

                        Also, what default gateway are your clients using on the PC's?

                        What happens when you ping 192.168.1.1 from PFsense itself?

                          Live4soccer7, Feb 2, 2017, 6:29 PM

                          > What happens when you ping 192.168.1.1 from PFsense itself?

                          I'm checking now.

                          Please excuse my terrible drawing, but it is all there. Let me know if you need clarification.

                          IMG_1153.JPG

                            marvosa, Feb 2, 2017, 6:33 PM

                            > Where can I input commands in pfSense?

                            Either from the shell via ssh or by going to Diagnostics -> Ping

                              Live4soccer7, Feb 2, 2017, 6:35 PM

                              Ping results directly from pfSense. Looks good. That means something is still prohibiting a connection between the LAN and WAN on the pfSense box, as I'm unable to ping from a client connected to the pfSense subnet (192.168.5.0).

                              PING 8.8.8.8 (8.8.8.8): 56 data bytes
                              64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=19.789 ms
                              64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=19.992 ms
                              64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=18.517 ms

                              --- 8.8.8.8 ping statistics ---
                              3 packets transmitted, 3 packets received, 0.0% packet loss
                              round-trip min/avg/max/stddev = 18.517/19.433/19.992/0.653 ms

                              PING 192.168.1.1 (192.168.1.1): 56 data bytes
                              64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.897 ms
                              64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=3.034 ms
                              64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.398 ms

                              --- 192.168.1.1 ping statistics ---
                              3 packets transmitted, 3 packets received, 0.0% packet loss
                              round-trip min/avg/max/stddev = 1.897/2.443/3.034/0.465 ms

                                marvosa, Feb 2, 2017, 6:41 PM

                                Run a tracert on your laptop to 8.8.8.8 and post the results.

                                  Live4soccer7, Feb 2, 2017, 6:46 PM (last edited 6:51 PM)

                                  Traceroute while I have internet access:

                                  Traceroute has started…

                                  traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 72 byte packets
                                  1  192.168.5.1 (192.168.5.1)  2.032 ms  1.566 ms  3.057 ms
                                  2  192.168.1.1 (192.168.1.1)  4.491 ms  2.755 ms  3.445 ms
                                  3  * * *
                                  4  WANISP.ptr.us.xo.net (WANISP)  13.697 ms  11.825 ms  15.092 ms
                                  5  ge-0-0-2-spk-cr1.cet.com (198.202.27.65)  14.796 ms  12.241 ms  12.642 ms
                                  6  te-1-1-sea-cr2.cet.com (198.202.26.2)  18.589 ms  20.696 ms  20.326 ms
                                  7  six.sea01.google.com (206.81.80.17)  20.489 ms  20.139 ms  19.410 ms
                                  8  108.170.245.113 (108.170.245.113)  20.336 ms  20.854 ms  20.953 ms
                                  9  209.85.250.19 (209.85.250.19)  20.182 ms  20.219 ms  21.039 ms
                                  10  google-public-dns-a.google.com (8.8.8.8)  19.162 ms  20.637 ms  20.258 ms

                                  Let me run one when I turn NAT/Firewall off

                                  traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 72 byte packets
                                  1  192.168.5.1 (192.168.5.1)  1.249 ms  3.578 ms  1.490 ms
                                  2  * * *
                                  3  * * *
                                  4  * * *
                                  5  * * *
                                  6  * * *
                                  7  * * *
                                  8  * * *
                                  9  * * *
                                  10  * * *
                                  11  * * *
                                  12  * * *
                                  13  * * *

                                    marvosa, Feb 2, 2017, 6:53 PM (last edited 6:59 PM)

                                    So, that traceroute shows you hitting the LAN 2 internal interface, then routed to LAN 1 and out to the internet.

                                    So, what do you mean when you say "traceroute while I have internet access"?

                                    Ahh... I think I know what you mean now: once you turn off the firewall and NATing, you can't get past the local adapter, which tells me there's an internal routing issue.

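Reading the two traces the way marvosa does in the post above, as an added example that is not part of the thread: a small parser for the traceroute output format Live4soccer7 pasted, plus a classifier that reports the last hop that answered and what that means for this two-router layout. The two sample inputs are trimmed copies of the traces posted above (hops 6 to 9 of the first run dropped, the redacted "WANISP" hop kept as posted); the gateway addresses 192.168.5.1 and 192.168.1.1 come from the thread. The third branch of `diagnose` (a break beyond 192.168.1.1, pointing at the LAN 1 router's route back to LAN 2) is my generalization, not something the thread states.

```python
"""Parse the traceroute output format posted above and say where the path stops
answering (added example, not code from the thread). Sample inputs are trimmed
copies of the two traces in the post; the gateway addresses are the thread's."""
import re

WITH_INTERNET = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 72 byte packets
 1  192.168.5.1 (192.168.5.1)  2.032 ms  1.566 ms  3.057 ms
 2  192.168.1.1 (192.168.1.1)  4.491 ms  2.755 ms  3.445 ms
 3  * * *
 4  WANISP.ptr.us.xo.net (WANISP)  13.697 ms  11.825 ms  15.092 ms
 5  ge-0-0-2-spk-cr1.cet.com (198.202.27.65)  14.796 ms  12.241 ms  12.642 ms
10  google-public-dns-a.google.com (8.8.8.8)  19.162 ms  20.637 ms  20.258 ms
"""
FILTER_OFF = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 72 byte packets
 1  192.168.5.1 (192.168.5.1)  1.249 ms  3.578 ms  1.490 ms
 2  * * *
 3  * * *
"""

HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]*)\)")   # "n  name (addr) ..."


def parse_traceroute(text):
    """{hop_number: address} with None for a hop that printed only '* * *'."""
    hops = {}
    for line in text.splitlines():
        parts = line.split()
        m = HOP.match(line)
        if m:
            hops[int(m.group(1))] = m.group(3)
        elif parts and parts[0].isdigit():       # "n  * * *": numbered, no reply
            hops[int(parts[0])] = None
    return hops


def last_responding(hops):
    """Highest hop that replied. A silent hop with replies after it (hop 3 in the
    first run) is a router that does not send ICMP time-exceeded, not a dead path."""
    answered = [(n, a) for n, a in sorted(hops.items()) if a is not None]
    return answered[-1] if answered else (0, None)


def diagnose(hops, lan_gw="192.168.5.1", upstream_gw="192.168.1.1"):
    """Locate the break the way marvosa reads the second trace: a path that dies
    at the LAN 2 box's own LAN interface is a routing problem on that box."""
    n, addr = last_responding(hops)
    if n == 0:
        return "no reply at all: the PC cannot reach its default gateway"
    if addr == lan_gw:
        return f"dies at {lan_gw}: the LAN 2 router is not forwarding past its LAN interface"
    if addr == upstream_gw:
        return f"reaches {upstream_gw} but nothing beyond it: check the LAN 1 router's route back to LAN 2"
    return f"path goes past both routers (last reply from hop {n}, {addr})"
```

Run `diagnose(parse_traceroute(FILTER_OFF))` to get the "dies at 192.168.5.1" verdict for the second trace; the same call on the first trace reports a path that reaches Google. The distinction `last_responding` draws matters when reading traces like the first one: a single `* * *` at hop 3 followed by replies is an upstream router that does not answer, not a break.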
                                      Live4soccer7, Feb 2, 2017, 6:58 PM

                                      Yes, that is correct. It hits the LAN interface on LAN2 and then dies on the spot.

                                        Live4soccer7, Feb 2, 2017, 7:28 PM

                                        Do I need a static route between the LAN interface and the WAN?

                                          Live4soccer7, Feb 2, 2017, 10:16 PM

                                          I can ping everything on LAN1 (192.168.1.0), however when I try to ping something on LAN2 I get something like this:

                                          92 bytes from dd-wrt (192.168.1.1): Destination Host Unreachable
                                          Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
                                          4  5  00 5400 4fc9  0 0000  3f  01 a41b 192.168.1.115  192.168.5.1

                                          92 bytes from dd-wrt (192.168.1.1): Redirect Host(New addr: 192.168.1.254)
                                          Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
                                          4  5  00 0054 f9f5  0 0000  3f  01 f9ee 192.168.1.115  192.168.5.1

                                          I'm not sure what the .254 address is.

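To show why the three pieces marvosa asks for in this thread are each needed (a default route on the LAN 2 box back to 192.168.1.1, a static route on the LAN 1 box for 192.168.5.0/24 via the LAN 2 WAN address, and transit interfaces that share one subnet), and why a LAN 1 PC whose default gateway is the DD-WRT gets the "Redirect Host (New addr: 192.168.1.254)" shown in the post above, here is a small route-table walker. It is an added example, not code from the thread, from pfSense or from DD-WRT. The addresses 192.168.1.1, 192.168.1.254, 192.168.5.1, 192.168.1.115 and 192.168.1.112 are the thread's; the 203.0.113.0/30 uplink, the "isp" router, 8.8.8.0/24 standing in for the internet, the 192.168.5.10 PC, the mismatched 172.16.x.x transit pair and all node names are constructed. NAT is not modelled, matching the routing-only configuration the thread is working toward.

```python
"""Route-table walk over the two-router topology in this thread (added example,
not the thread's or pfSense's code). Addresses are the thread's; the 203.0.113.0/30
uplink, the "isp" router, 8.8.8.0/24 as "the internet" and all names are constructed.
NAT is not modelled, matching the routing-only setup discussed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Host:
    name: str
    address: str                                 # "a.b.c.d/len"
    gateway: str

    def addresses(self):
        return {ip_address(self.address.split("/")[0])}


@dataclass
class Router:
    name: str
    interfaces: dict                             # ifname -> "a.b.c.d/len"
    routes: list = field(default_factory=list)   # [(prefix, gateway)]

    def addresses(self):
        return {ip_address(a.split("/")[0]) for a in self.interfaces.values()}

    def connected(self):
        return [(ip_network(a, strict=False), i) for i, a in self.interfaces.items()]

    def lookup(self, dst):
        """Longest-prefix match: (gateway, ifname), gateway None if connected; None if no route."""
        dst, best = ip_address(dst), None        # best = (prefixlen, gateway, ifname)
        for net, ifn in self.connected():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, None, ifn)
        for prefix, gw in self.routes:
            net, gw = ip_network(prefix), ip_address(gw)
            ifn = next((i for n, i in self.connected() if gw in n), None)
            # A gateway outside every connected subnet makes the route unusable
            if ifn is not None and dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, gw, ifn)
        return None if best is None else (best[1], best[2])


def check_next_hops(router):
    """Routes whose gateway sits on no connected subnet: the transit-link mistake
    marvosa points out (both ends of the link must share the /30)."""
    return [f"{router.name}: {p} via {g} is not on a connected network"
            for p, g in router.routes
            if not any(ip_address(g) in n for n, _ in router.connected())]


class Network:
    def __init__(self, nodes):
        self.by_addr = {a: n for n in nodes for a in n.addresses()}

    def owner(self, addr):
        return self.by_addr.get(ip_address(addr))

    def trace(self, host, dst, max_hops=16):
        """Forward one packet from host to dst; returns (path, events)."""
        dst, path, events = ip_address(dst), [host.name], []
        src = ip_address(host.address.split("/")[0])
        link = ip_network(host.address, strict=False)   # link the packet arrives on
        if dst in link:
            return path + [str(dst)], events
        node = self.owner(host.gateway)
        for _ in range(max_hops):
            path.append(node.name)
            if dst in node.addresses():
                return path, events + [f"delivered to {node.name}"]
            hit = node.lookup(dst)
            if hit is None:
                return path, events + [f"{node.name}: no route to {dst}"]
            gw, ifn = hit
            egress = ip_network(node.interfaces[ifn], strict=False)
            if gw is None:                               # connected: hand to the host
                target = self.owner(dst)
                if target is None:
                    return path, events + [f"{node.name}: {dst} does not answer on {egress}"]
                return path + [target.name], events + [f"delivered to {target.name}"]
            # Back out the ingress link to a gateway on the sender's own subnet: the
            # case that produces "Redirect Host (New addr: ...)" at the sender
            if egress == link and src in egress:
                events.append(f"{node.name}: ICMP redirect to {gw} sent to {src}")
            node, link, prev = self.owner(gw), egress, node.name
            if node is None:
                return path, events + [f"{prev}: next hop {gw} does not answer"]
        return path, events + ["hop limit exceeded"]


ISP = Router("isp", {"down": "203.0.113.1/30", "up": "8.8.8.1/24"})
DDWRT = Router("dd-wrt", {"lan": "192.168.1.1/24", "wan": "203.0.113.2/30"},
               [("0.0.0.0/0", "203.0.113.1"), ("192.168.5.0/24", "192.168.1.254")])
PFSENSE = Router("pfSense", {"wan": "192.168.1.254/24", "lan": "192.168.5.1/24"},
                 [("0.0.0.0/0", "192.168.1.1")])    # the default route marvosa asks for
PC_LAN1 = Host("pc-lan1", "192.168.1.115/24", "192.168.1.1")
PC_LAN2 = Host("pc-lan2", "192.168.5.10/24", "192.168.5.1")
DNS = Host("google-dns", "8.8.8.8/24", "8.8.8.1")
NET = Network([ISP, DDWRT, PFSENSE, PC_LAN1, PC_LAN2, DNS])


def scenarios():
    """Working path; pfSense without its default route; the redirect a LAN 1 PC gets;
    a LAN 1 route aimed at an address nobody holds; a transit /30 mismatch (constructed)."""
    no_default = Network([ISP, DDWRT, Router("pfSense", PFSENSE.interfaces), PC_LAN1, PC_LAN2, DNS])
    stale = Network([Router("dd-wrt", DDWRT.interfaces, [("192.168.5.0/24", "192.168.1.112")]),
                     PFSENSE, PC_LAN1])
    bad_transit = Router("site-a", {"opt1": "172.16.0.1/30"}, [("192.168.5.0/24", "172.16.1.2")])
    return {
        "lan2_to_internet": NET.trace(PC_LAN2, "8.8.8.8"),
        "lan2_no_default": no_default.trace(PC_LAN2, "8.8.8.8"),
        "lan1_to_lan2_gw": NET.trace(PC_LAN1, "192.168.5.1"),
        "lan1_stale_route": stale.trace(PC_LAN1, "192.168.5.1"),
        "bad_transit": check_next_hops(bad_transit),
    }
```

`scenarios()` returns one entry per case: with both routes in place a LAN 2 PC reaches 8.8.8.8 through pfSense, the DD-WRT and the uplink; remove pfSense's default route and the walk stops at pfSense with "no route", which is the symptom of the first all-star traceroute; a LAN 1 PC pinging 192.168.5.1 is forwarded by the DD-WRT back out the same LAN it came from, so the DD-WRT tells the PC to use 192.168.1.254 directly (the "Redirect Host" line); and a static route pointing at an address nothing holds ends with "next hop does not answer", the router-side view of a host-unreachable. `check_next_hops` flags the /30 mismatch marvosa corrected for jamesonp. Replies in the real network additionally depend on NAT and on the LAN 1 router's route back, which the return-path trace `NET.trace(PC_LAN2, "192.168.1.115")` shows being delivered directly because pfSense's WAN sits in 192.168.1.0/24.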
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.