Netgate Discussion Forum

    Default gateway residing on different subnet

    Routing and Multi WAN
    Smokeshow

      I have two sites connected together via a layer 3 gateway provided by my ISP. Site 2 has no internet access, but is reachable via a private IP address. What I am trying to do is get internet access to site 2 via site 1. Both sites are running pfSense 2.1.3.

      Here is a quick breakdown of my setup:

      Site 2 ------- ISP Router ------- ISP Router ------- Site 1 ------- Internet
      10.0.4.3 ---- 10.0.4.1 ----------- 10.0.2.1 -------- 10.0.2.3

      I have tried the following:

      route del default
      route add -net 10.0.2.3 -iface igb0
      route add default 10.0.2.3

      But my traceroute still shows traffic trying to go out 10.0.4.1.

      I do have a route set up for 172.0.2.0/24 via 172.0.4.1

      I have two other sites that are directly connected to site 1 via wireless links, and they work just fine (they are on the 10.0.2.0/24 subnet as well, though). I'm fairly sure my NAT & firewall rules are set up correctly at site 1.

      Any ideas on what I can do here?

      jimp (Rebel Alliance Developer, Netgate)

        What you're attempting with the gateway is not possible. You have to use a gateway in the same subnet as the device.

        You have a couple choices:

        Scenario #1:
        1. Site 2 uses its ISP router as its default gateway
        2. The ISP router is configured to send all traffic from Site 2 over to Site 1
        3. Site 1 has a static route for site 2 back via the ISP router at 10.0.2.1
        4. Firewall rules on Site 1 pass in the traffic from Site 2
        5. Site 1 does outbound NAT to ensure Site 2 can reach the Internet

        Scenario #2 (if the ISP won't set up that routing)
        1. Set up an OpenVPN tunnel between site 2 and site 1, shared/static key peer to peer
        2. Site 2, assign the OpenVPN interface, enable it with an IP type of 'none'
        3. Site 2, use the OpenVPN gateway on the LAN firewall rules to direct traffic over OpenVPN
        4. Site 1, allow the traffic in over the VPN
        5. Site 1 needs outbound NAT set up

        The reason #2 works is that the VPN gives them a "direct" connection which can be used as a gateway. The first choice is better, with less overhead, but the ISP may not cooperate on the routing.

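To make jimp's point concrete, here is an added example (not code from the thread, and not pfSense's own) that models a routing table with the on-link next-hop check a kernel applies, using the thread's addresses. The /24 masks, the igb0 interface name on Site 1 and the 198.51.100.10 test destination are assumptions; the posts do not state them.

```python
# Added example, not the thread's code; the /24 masks on both sites are assumed.
from ipaddress import ip_address, ip_network


class RoutingTable:
    def __init__(self, connected):
        # connected: {ifname: "addr/prefix"} for each directly attached subnet
        self.links = {n: ip_network(c, strict=False) for n, c in connected.items()}
        # connected routes carry no gateway: those destinations are reached directly
        self.routes = [(net, None, n) for n, net in self.links.items()]

    def onlink_iface(self, gw):
        # the interface whose subnet contains gw, or None if gw is not on-link
        for n, net in self.links.items():
            if gw in net:
                return n
        return None

    def add(self, prefix, gateway):
        gw = ip_address(gateway)
        ifn = self.onlink_iface(gw)
        if ifn is None:  # a next hop the host could never ARP for is refused
            raise ValueError(f"gateway {gw} is not on a directly connected subnet")
        self.routes.append((ip_network(prefix), gw, ifn))

    def lookup(self, dst):
        # longest-prefix match; returns (next_hop or None, iface), or None if no route
        dst, best = ip_address(dst), None
        for net, gw, ifn in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifn)
        return None if best is None else (None if best[1] is None else str(best[1]), best[2])


def site2_original_attempt():
    # Smokeshow's 'route add default 10.0.2.3' from Site 2 (10.0.4.3/24 on igb0)
    site2 = RoutingTable({"igb0": "10.0.4.3/24"})
    try:
        site2.add("0.0.0.0/0", "10.0.2.3")
        return "accepted"
    except ValueError as err:
        return str(err)


def scenario1():
    # jimp's Scenario #1: each pfSense box points at the ISP router on its own subnet
    site2 = RoutingTable({"igb0": "10.0.4.3/24"})
    site2.add("0.0.0.0/0", "10.0.4.1")       # step 1: ISP router is Site 2's default gateway
    site1 = RoutingTable({"igb0": "10.0.2.3/24"})
    site1.add("10.0.4.0/24", "10.0.2.1")     # step 3: Site 1's return route to Site 2
    return site2.lookup("198.51.100.10"), site1.lookup("10.0.4.3")
```

The model stops at the next hop; the forwarding between the two ISP routers (step 2) and the NAT and firewall rules on Site 1 (steps 4 and 5) are outside it.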
      Smokeshow

          That is basically what I came up with. My biggest issue is that I require the pfSense unit to have internet, not the clients. I already have an OpenVPN tunnel between the two sites (tap bridged to the LAN) for internet access to the clients; however, I needed pfSense to have internet access to install packages. I will have to talk to our ISP to find out if they will make changes to accommodate us.

      makbet

            Hey

            Follow this article: http://forum.ovh.co.uk/showthread.php?6507-ESXi-pfSense-and-failover-IP
            Tested by me, works perfectly, and if you want to block internet for LAN users, just add the necessary rule on your firewall.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.