Multi wan/dsl/wifi
-
WAN_DSL => => LAN, vlan10 => wan ip clients / wifi router => clients
WAN_WIFI(vlan20) =>

Now, on vlan 20 with IP 172.16.2.2, I've got a wifi WAN setup which has an IP 172.16.2.1. If I set the gateway monitor to 8.8.8.8 it pings fine.
If I create vlan20 on my clients and set the default gateway to 172.16.2.1, I can go on the internet just fine.
However, if I ping from the router through IP 172.16.2.2 to 8.8.4.4 then it doesn't work; if I change the monitor IP to 8.8.4.4 I can again ping it. Why is this? After changing the IP to 8.8.4.4 I can't ping 8.8.8.8 anymore.
So basically from IP 172.16.2.2, which is a member of vlan 20, I can only reach the gateway monitor; aside from that I can't reach anything from that IP. However, if I go to any client and set the default gateway to 172.16.2.1 I can just use the internet. And yes, I've set the gateway for 172.16.2.2 to 172.16.2.1.
-
WAN_DSL => => LAN, vlan10 => wan ip clients / wifi router => clients
WAN_WIFI(vlan20) =>

Am I the only one to whom the above "network diagram" makes no sense whatsoever?
-
Not sure what is really going on from your diagram. A logical diagram would be useful, because on the physical diagram I have to try and guess where the broadcast domain of each VLAN actually might be…
Clients are in 192.168.1.0/24 on the diagram. So I don't see how you can "set the default gateway to 172.16.2.1".
Anyway, it sounds like vlan20 is a path to the internet (WAN-style interface). When you specify an alternate monitor IP, pfSense explicitly makes a route to that IP out through the corresponding gateway. So anything behind pfSense, and pfSense itself, should reach that IP address by using the specified (vlan20) interface/gateway. That is the behavior you seem to be describing with 8.8.8.8 and 8.8.4.4.
If you want any other traffic to go over that "vlan20 WAN", then you have to put policy-routing rules on LAN/s - i.e. Pass rules that specify the gateway in the advanced section.
But maybe you have "clients" sitting in the vlan20 also and want them to go back to pfSense (as if they were a "LAN-style" subnet) and then be routed out either WAN ("real" WAN or vlan20) according to your failover/load-balancing needs. I posted about that quite a while ago. If you need that, then say so and I can find the post.
-
pfsense: static wan / static/28 from isp >> delivers static/28 (routable) and 172.16.1.1/24 (nat) static
wanbridge: gets IP from wireless >> delivers 172.16.2.0/24 (nat)
accesspoint: gets routable from pfsense static/28 >> delivers 192.168.1.0/24 (nat)

So to me it's really strange that pfSense can't use 172.16.2.2 to connect to the internet while all my other clients in vlan20 can, and yes, I added firewall rules to allow all.
I hope this makes sense. So basically on vlan20 pfSense is kind of a client, not sure if I can call it that, but if I set a client to IP 172.16.2.100 and I add a route to 172.16.2.1 it works just fine, so I don't really understand why this isn't the case for pfSense.
-
#client linux box
$ ifconfig eth0.20
eth0.20   Link encap:Ethernet  HWaddr 94:de:80:ab:49:bf
          inet addr:172.16.2.100  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::96de:80ff:feab:49bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26971 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12384361 (12.3 MB)  TX bytes:3447072 (3.4 MB)
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0.10
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.20
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
$ ping -n google.be
PING google.be (173.194.65.94) 56(84) bytes of data.
64 bytes from 173.194.65.94: icmp_req=1 ttl=48 time=16.1 ms
64 bytes from 173.194.65.94: icmp_req=2 ttl=48 time=15.2 ms
$ ping -n yahoo.com
PING yahoo.com (98.138.253.109) 56(84) bytes of data.
64 bytes from 98.138.253.109: icmp_req=1 ttl=41 time=155 ms
64 bytes from 98.138.253.109: icmp_req=2 ttl=41 time=156 ms
$ sudo route del -net default
$ sudo route add -net default gw 172.16.2.1
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.2.1      0.0.0.0         UG    0      0        0 eth0.20
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0.10
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.20
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
$ ping -n google.be
PING google.be (173.194.65.94) 56(84) bytes of data.
64 bytes from 173.194.65.94: icmp_req=1 ttl=44 time=50.5 ms
64 bytes from 173.194.65.94: icmp_req=2 ttl=44 time=46.9 ms
$ ping -n yahoo.com
PING yahoo.com (98.139.183.24) 56(84) bytes of data.
64 bytes from 98.139.183.24: icmp_req=1 ttl=48 time=132 ms
64 bytes from 98.139.183.24: icmp_req=2 ttl=48 time=123 ms

#pfsense
$ ifconfig vr2_vlan20
vr2_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:2b:7f:76
        inet6 fe80::20d:b9ff:fe2b:7f74%vr2_vlan20 prefixlen 64 scopeid 0x8
        inet 172.16.2.2 netmask 0xffffff00 broadcast 172.16.2.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 20 vlanpcp: 0 parent interface: vr2
$ ping -n -S 172.16.2.2 172.16.2.1
PING 172.16.2.1 (172.16.2.1) from 172.16.2.2: 56 data bytes
64 bytes from 172.16.2.1: icmp_seq=0 ttl=64 time=7.980 ms
64 bytes from 172.16.2.1: icmp_seq=1 ttl=64 time=3.489 ms
$ ping -n -S 172.16.2.2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 172.16.2.2: 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
$ ping -n -S 172.16.2.2 8.8.4.4
PING 8.8.4.4 (8.8.4.4) from 172.16.2.2: 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=47 time=53.467 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=47 time=51.842 ms
^C
--- 8.8.4.4 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.842/52.654/53.467/0.812 ms
netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            213.219.132.x      UGS         0  2977611 pppoe0
8.8.4.4            172.16.2.1         UGHS        0      124 vr2_vl
127.0.0.1          link#7             UH          0        2    lo0
172.16.1.0/24      link#11            U           0     6461 vr2_vl
172.16.1.1         link#11            UHS         0        2    lo0
172.16.2.0/24      link#8             U           0        2 vr2_vl
172.16.2.2         link#8             UHS         0        0    lo0
212.71.19.x/28     link#3             U           0  4167521    vr2
212.71.19.x        link#3             UHS         0      424    lo0
213.219.132.x      link#10            UH          0    56727 pppoe0
213.219.170.x      link#10            UHS         0        0    lo0
I understand now why 8.8.4.4 can be pinged: because of the gateway monitor it adds a route for the IP.
However, it still doesn't make any sense to me why I can't connect to anything from that IP; it should act as any other regular interface.
-
I think the ping -S just sets the source IP on the ping packet. It does not affect how it is routed, so pfSense is going to route it out the default gateway (which is your other WAN link), and probably there is no effective NAT rule on the way out that WAN that would NAT source IP 172.16.2.n. So the packet will travel out main WAN without being NAT'd, and the Google server will not be able to reply.
You should be able to put policy-routing rules on LAN and then traceroute from a LAN client to see which pfSense WAN the traffic takes.
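To make the two explanations in this thread concrete (the host route pfSense adds for a monitor IP, and why a ping -S from pfSense itself leaves via the default WAN without NAT while a policy-routed LAN client succeeds), here is an added Python model of the egress decision. It is not pfSense code or anything posted by the participants; it assumes the routing table quoted above, .1 placeholders for the masked 213.219.132.x / 213.219.170.x addresses, an assumed name vr2_vlan10 for the truncated vr2_vl entry, and an outbound NAT coverage that the thread only infers.

```python
import ipaddress

# Constructed tables modelled on the netstat -rn output quoted in this thread.
# The .1 host parts stand in for the masked 213.219.132.x / 213.219.170.x
# values; "vr2_vlan10" is an assumed name for the truncated "vr2_vl" entry.
ROUTES = [  # (prefix, gateway, interface); longest prefix wins
    ("0.0.0.0/0", "213.219.132.1", "pppoe0"),     # default via the DSL WAN
    ("8.8.4.4/32", "172.16.2.1", "vr2_vlan20"),   # host route pfSense adds for the monitor IP
    ("172.16.1.0/24", None, "vr2_vlan10"),
    ("172.16.2.0/24", None, "vr2_vlan20"),
]
IFACE_ADDR = {"pppoe0": "213.219.170.1", "vr2_vlan10": "172.16.1.1", "vr2_vlan20": "172.16.2.2"}
# Assumed outbound NAT coverage per interface: the thread only infers that
# 172.16.2.0/24 is not translated when it leaves via the main WAN.
OUTBOUND_NAT = {
    "pppoe0": ["192.168.1.0/24", "172.16.1.0/24"],
    "vr2_vlan20": ["192.168.1.0/24", "172.16.1.0/24"],
}


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, interface)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]


def route_packet(src, dst, policy=()):
    """Egress decision for one packet: (interface, gateway, reply_possible).

    policy holds (source_prefix, gateway, interface) tuples, i.e. pass rules
    with a gateway set; the first matching rule overrides the routing table.
    Locally generated traffic (ping -S on pfSense) is routed with policy=().
    """
    src_ip = ipaddress.ip_address(src)
    gw, iface = lookup(dst)
    for prefix, pgw, piface in policy:
        if src_ip in ipaddress.ip_network(prefix):
            gw, iface = pgw, piface
            break
    own = src_ip == ipaddress.ip_address(IFACE_ADDR[iface])
    natted = any(src_ip in ipaddress.ip_network(n) for n in OUTBOUND_NAT.get(iface, []))
    # A source that is neither the egress interface's own address nor covered
    # by outbound NAT leaves untranslated, so the remote host cannot answer.
    return iface, gw, own or natted
```

Running route_packet("172.16.2.2", "8.8.4.4") picks the host route and succeeds, route_packet("172.16.2.2", "8.8.8.8") falls through to pppoe0 with no NAT and cannot be answered, and a LAN client with a policy rule for 192.168.1.0/24 pointing at 172.16.2.1 goes out vr2_vlan20 translated.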
-
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0.10
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.20
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
$ ping -n -S 172.16.2.100 google.be
PING google.be (74.125.136.94) 56(84) bytes of data.
64 bytes from 74.125.136.94: icmp_req=1 ttl=48 time=15.7 ms
64 bytes from 74.125.136.94: icmp_req=2 ttl=48 time=15.1 ms
$ ping -n -S 172.16.2.100 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=44.5 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=15.4 ms

Of course it can.
edit: maybe you have a point, the gateway of 172.16.2.0 is default; going to do some tests. However, I tried setting the default gateway on the router to 172.16.2.1 and it didn't work.
edit: I get the same weird result. However,
when I open my browser and go to myip.nl on my clients the IP changes, while when I go to any site when I change the router to use 172.16.2.1 as default, all internet traffic stops. Except IPv6, but that's normal because I've got native IPv6 which has its own gateway.
-
Ok so I added a new firewall rule to use the 172.16.2.2 gateway first and then the default gateway second; however, it still keeps on using that very same IP, the IP doesn't change.