Connecting two networks without sharing internet access
-
Yeah, that drawing is exactly on point.
I'm running pfSense, he's running DD-WRT. I'm not 100% on his router exactly; I do know it's pretty new.
I'm researching site-to-site VPNs currently; all the setups I've seen thus far involve setting the WAN as the interface for the connection, as though it was a remote site-to-site. Guess I need to work on my Google skills a little more, lol.
-
No, you don't need to use your WAN. Just create a new interface in pfSense as transit; it could even be a VLAN on one of your current physical interfaces if your switch supports VLANs.
As to DD-WRT, while it's slick and makes nice use of shitty SOHO hardware, it's still very, very, very limited in features and power compared to anything running pfSense. But if it can isolate one of its switch ports as a different VLAN you should be able to do it no problem.
You don't really even need to set up any sort of VPN or site-to-site for this since you have a private connection. This is just a simple transit network with simple routes. No need for IPsec or OpenVPN even, since your wireless connection would already be encrypted.
So really all you're doing is connecting 2 routers with a transit network. So as long as his DD-WRT supports the ability to create a VLAN and route, you should have no issues.
-
OK, so his router couldn't do a VLAN on a separate NIC, so what we did was set OPT1 to his subnet and allowed all traffic to pass via rules to LAN and vice versa. We blocked DHCP so we didn't have any IP issues. The issue we are having is that I have full access to all his stuff, but he can just see my router on either interface, 192.168.1.1 or 192.168.50.1; he can ping either one and log in to the system on either one. I attached screenshots of all the things; my ARP table shows all of his devices fine enough.
The random routes in his router are just because we have been trying just about everything. If we remove the top one he loses ping to my router on the 1.1, so it's doing something, but the route of 1.5 doesn't allow him to my server.
-
In such a setup you're going to be asymmetrical.
You are going to want to create a transit network. Use a router on his side so you can create an actual transit network.
A device on 192.168.50/24 wanting to go to 192.168.1 is going to hit its gateway 192.168.50.126, which will just send traffic back down the wifi link. But when you answer you are not going to send the traffic back to 192.168.50.126, since pfSense is directly connected to 192.168.50, so it would just send the traffic directly to those devices.
If you want to do it that way, you would need to create host routes on the devices in 192.168.50 telling them to get to 192.168.1/24 by talking to 192.168.50.1, the pfSense OPT1 interface.
Also, if you can ping 192.168.1.1 but cannot get into a server on 192.168.1.1, that device could have a firewall not allowing access from 192.168.50. Keep in mind that even if you allow that on the firewall of the devices in 192.168.1 you're still asymmetrical, which can cause other issues.
If you're going to have devices on a transit network, then you need to do host routing on those devices in the transit network.
-
Yeah, we have static routes on his router telling it to send 192.168.0/24 traffic to OPT1 at 192.168.50.1, which is letting him ping and access my pfSense router on http://192.168.1.1, but he can't access anything else on my network. On OPT1 I have his 192.168.50.126 router set as the gateway, which is what let me communicate with all his devices in every way.
Him being able to ping and log in to my router (192.168.1.1) from his desktop (192.168.50.129) would make me think he should not have an issue getting through to other devices on my end, which is why I'm thinking it has something to do with my config.
I posted screenshots of both our configs in my last post, not sure if I did it right though.
Do you have a link to some good documentation on how a transit network works and how to set one up? I've been googling it but nothing really comes up within the realm of what we are trying to do at all.
I think we might have to get him set up on a pfSense machine at some point and get that set up, but for now his simple Asus router doesn't have what we need to do what I think you are suggesting.
-
A transit or transfer network is networking 101. It would be any network that connects "routers".
Yes, you created a route on his router, but the traffic is asymmetrical in flow, since pfSense will not send the traffic back to his router: its interface is directly connected to that network and can see all the hosts directly via ARP.
On one of his PCs create a route that points 192.168.1/24 to your 192.168.50.1 address; that would remove the asymmetrical routing. If you're still having issues and you can ping 192.168.1.1, then most likely the device in 192.168.1.1 you're trying to talk to has a firewall that doesn't allow whatever you're trying to do from this 192.168.50 network.
-
OK, so for the transit network, I'd have my PC -> LAN on pfSense 192.168.1.1 -> OPT1 192.168.50.1 -> wireless connection -> WAN on router A (192.168.50.2) -> LAN port on router B 192.168.2.1 -> his devices?
-
It wouldn't be WAN on his router, it would just be another interface. He has another interface on that router for WAN that would go to the internet.
See the drawing I first posted; that is a transit network, the 172.16.0/30.
A box in 192.168.1 wants to get to 192.168.50.x, so it hits its gateway 192.168.1.1. The router says, oh, to get to 192.168.50/20 I send the traffic to 172.16.0.2. That router says, oh, this traffic wants to go to 192.168.50.x; I have that network attached, let me send it to him.
On the way back follow the exact same path back. Symmetrical vs. asymmetrical ;)
No concerns with DHCP since you're not on the same layer 2, and you wouldn't run DHCP on the transit interfaces. You may need to run something larger than a /30 if you want to be able to get to your wireless bridge devices to manage them, which would also have IPs on this 172.16 network. Or maybe they have a management VLAN or interface?
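Added example, not part of the thread or of pfSense: a small routing-table simulator that traces the request and reply paths for the two designs discussed above, the flat one where pfSense OPT1 sits directly on 192.168.50.0/24 (with and without the per-host route suggested earlier) and the transit design with the 172.16.0.0/30 link. Node names, the server address 192.168.1.5 and his LAN gateway 192.168.50.1 in the transit case are assumptions made for the example.

```python
import ipaddress

# Hypothetical routing model written for this thread (not pfSense code). Each node
# holds its own addresses and a routing table of (prefix, next_hop); a next_hop of
# None means the prefix is directly connected, so the node delivers straight to
# the destination (ARP) instead of handing the packet to another router.

class Node:
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [(ipaddress.ip_network(p),
                        ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, as a real forwarding table would do it."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def owner(nodes, addr):
    """Return the node that has addr configured on one of its interfaces."""
    for node in nodes.values():
        if addr in node.addrs:
            return node
    raise KeyError(f"no node owns {addr}")


def trace(nodes, src, dst, max_hops=8):
    """Follow each hop's forwarding decision from node src to IP dst."""
    dst = ipaddress.ip_address(dst)
    cur = nodes[src]
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path
        match = cur.lookup(dst)
        if match is None:
            raise RuntimeError(f"{cur.name}: no route to {dst}")
        _prefix, nh = match
        # Directly connected: deliver to dst itself. Otherwise hand off to next hop.
        cur = owner(nodes, dst if nh is None else nh)
        path.append(cur.name)
    raise RuntimeError("hop limit exceeded, probable routing loop")


def is_symmetric(nodes, a, a_ip, b, b_ip):
    """True when the reply path is the exact reverse of the request path."""
    return trace(nodes, a, b_ip) == list(reversed(trace(nodes, b, a_ip)))


def flat_topology(host_route=False):
    """Flat setup from the thread: pfSense OPT1 sits directly on his 192.168.50.0/24,
    his router (.126) has a static route for 192.168.1.0/24 via 192.168.50.1.
    host_route=True adds the per-host route suggested in the thread.
    192.168.1.5 (the server) is a constructed sample address."""
    pc_routes = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.126")]
    if host_route:
        pc_routes.append(("192.168.1.0/24", "192.168.50.1"))
    nodes = [
        Node("his_pc", ["192.168.50.129"], pc_routes),
        Node("his_router", ["192.168.50.126"],
             [("192.168.50.0/24", None), ("192.168.1.0/24", "192.168.50.1")]),
        Node("pfsense", ["192.168.1.1", "192.168.50.1"],
             [("192.168.1.0/24", None), ("192.168.50.0/24", None)]),
        Node("my_server", ["192.168.1.5"],
             [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    ]
    return {n.name: n for n in nodes}


def transit_topology():
    """Transit design from the drawing: the routers share only 172.16.0.0/30 and
    each has a static route for the other's LAN pointing at the far transit IP."""
    nodes = [
        Node("his_pc", ["192.168.50.129"],
             [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]),
        Node("his_router", ["192.168.50.1", "172.16.0.2"],
             [("192.168.50.0/24", None), ("172.16.0.0/30", None),
              ("192.168.1.0/24", "172.16.0.1")]),
        Node("pfsense", ["192.168.1.1", "172.16.0.1"],
             [("192.168.1.0/24", None), ("172.16.0.0/30", None),
              ("192.168.50.0/24", "172.16.0.2")]),
        Node("my_server", ["192.168.1.5"],
             [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    for label, topo in [("flat", flat_topology()),
                        ("flat + host route", flat_topology(host_route=True)),
                        ("transit /30", transit_topology())]:
        print(f"{label}:")
        print("  request:", " -> ".join(trace(topo, "his_pc", "192.168.1.5")))
        print("  reply:  ", " -> ".join(trace(topo, "my_server", "192.168.50.129")))
        print("  symmetric:", is_symmetric(topo, "his_pc", "192.168.50.129",
                                           "my_server", "192.168.1.5"))
```

In the flat design the request goes his_pc -> his_router -> pfsense -> my_server, but the reply skips his router entirely (my_server -> pfsense -> his_pc) because pfSense has 192.168.50.0/24 as a connected route. That is the asymmetry the post describes, and it is exactly what a stateful firewall on his router, or on the server, sees as half a conversation. The host route on the PC or the /30 transit link both make the two traces mirror each other.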
-
Yeah, they have a management interface.
Just wanted to update: the whole issue we were having was that his Asus router did not like my 192.168.1.0/24. As soon as I changed to 192.168.10.0/24 he was getting packets all the way through. Thanks for all the help, guy; I think I know what we need to do in the future to get it symmetrical now! Need to get him on a better router, but I don't think he wants to, lol.
Me, pfSense:
LAN 192.168.10.1/24
OPT1 192.168.30.1 "transit network"
static route 192.168.50.1/24 -> 192.168.30.2

Him, pfSense:
LAN 192.168.50.1/24
OPT2 192.168.30.2 "transit network"
static route 192.168.10.1/24 -> 192.168.30.1
-
One last update: I figured out the main issue we were having. We had the antennas set up with one as a wifi access point and one as a wifi bridge; that was causing the issues we were having. He's now on pfSense as well, but setting both antennas up as a WDS bridge solved all issues 100%, since it makes the connection 100% transparent; it acts just like an ethernet cable bridging the gap. Guess it had something to do with showing the requests coming from a different MAC address than the other or something, idk.
-
As an aside, I would still be tempted to IPsec the traffic even though the wireless might be encrypted.
You could use IPsec transport mode for that.