Gateway is down

lonblu

Hi

I got a new HyperV host, finally!  ::)

–-WHAT IS WORKING-
Without Pfsense and a manual route on my VMs+host, I can reach a private subnet0 in a second host HyperV, where a Pfsense1 VM routes correctly to that subnet.
With a Pfsense2 VM in the new HyperV still I can reach the subnet0, when I put the Wan interface with Pfsense1 as gateway, but cannot reach Internet.

–-THEN-
I put the Pfsense2 Wan interface with gateway to the provider's router, in order to have Internet working.
I added
-the Pfsense1 gateway + static route to the subnet0 on top priority.
-rules allowing traffic outbound from LANs in both Pfsenses (...I not sure about Nat here...) and inbound on the interfaces connected to the router's Lan (pfsense wan gateways).
-tried set the gateway to Pfsense1 as default.

Result?
I see the Pfsense1 gateway to Pfsense2 down. And viceversa.
My clients go directly through the router's of the provider (pathping, tracert).

I would like:
-either pass all traffic to Pfsense1
-route all traffic for the subnet0 through Pfsense1, and al the rest through the router's provider.

I know is difficult to read, I don't read much myself... Thanks for your time.
Andrea

lonblu

I notice that if a client in Subnet0 does not have a gateway in its nic config, tracert from a router's client, physical or virtual, shows the traffic leaving directly through the provider's router, without ever touching Pfsense1.

Wan–-Pfsense1 wan-------------
|                                              ____VM Subnet0
|                                              |
Router----Pfsense1 backup wan---
|  \     
|  \      laptop
|    \ 
|      \Opnsense Wan
|
|
Pfsense2
|
VMs Subnet1

dpinger sendto error: 64
dpinger sendto error: 55

lonblu

Nat, Vlans, no Pfsense2?  8)  :-[ :-\

lonblu

The gateway came up adding a super gentle firewall rule, but I still cannot control the flow to either the VM subnet, or the Internet.

lonblu

It seems I had the 2nd Wan interface set with the gateway, which is quite normal for a Wan interface, but not if another Wan has already set a default gateway.

https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

still there are issues…:(

Sometimes something works for a while, then maybe a states refresh happens, I get inconsistent results.

egas_tt

Is it all on the same single host?

lonblu

I just got a 2nd HyperV and a Dlink Gigabit router with Public Fix Ip.
A second Public Fix Ip Connection is on  Pfsense1.

I have now 2/3 Pfsenses and 1 Opnsense all VMs with an External interface on the Lan of the Dlink.

If I try to check the system logs I see no traffic logged, so I started to presume this is happening at switch level. This document speaks about Unfilterable Traffic
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

This isn't possible if both clients are on the same subnet and switch; In that case, the routing of packets is handled at the switch level, and pfSense has no knowledge of the traffic.

I believe the behavior of HyperV virtual switch is in question. Indeed I had issues with QoS as well.

https://social.technet.microsoft.com/Forums/en-US/451f97e6-6601-4e2b-8377-01b8869b906c/internal-nic-no-more-than-fastethernet-speed?forum=win10itprovirt

lonblu

I think i am trying to do something non logical.

Can somebody give me an advise how to have intercommunication between 2 VM subnets in 2 different Hosts, both connected to the same switch(router)?

CARP, VPN?

I cannot do much modification on the Dlink switch(router).

lonblu

For egas_tt only

It was a design issue. Basically 2 interface DGs cannot be set to point at each other. 1 of the 2 need have no if-dg.

Osfp helps avoiding to create default routes.

Wonderful Pfsense ! :o 8) ::)