Allow LAN to LAN, not routing
-
Very simplistic image but we have our own LAN, 10.0.0.1.
We have a neighbor in the data center that is going to share some data with us.
They have their own LAN at 10.0.1.1 for example and they have their own gateway on that LAN of course.
I don't want to route or be the gateway for that LAN, I just need to reach the NFS storage device on their LAN. Of course, I have no control over their LAN or what they use or how they use it. I only have the possibility of using this storage if I can reach it. The two servers I show would want to mount that NFS share.
-
-
@lewis said in Allow LAN to LAN, not routing:
I don't want to route
You have a routing issue...
So you have only to add a static route for your LAN 10.0.0.0/24 pointing to the pfSense IP in 10.0.1.0/?? on the NFS storage. That's all you need.
-
I don't want to route meant I cannot route their network, we aren't their gateway. Sorry that wasn't clear.
I basically just need LAN to LAN access from our own 10.0.0.1 LAN to devices on their 10.0.1.1 LAN network.
-
You can most certainly route to their network, and if they're onboard with sharing data with you then surely they can add a static route on their end for the 5 seconds it would take?
-
Yes, our traffic is allowed, it's me that is not sure what to do on our end as I don't want to break something.
-
You need a working communication between the NFS storage and your LAN devices as you stated above. So you need a static route for your LAN on the device in the other LAN. The default route can still stay as it is and upstream traffic from the NFS may go out the neighbour's gateway.
As I mentioned above, you may also do a workaround with NAT.
To do so go to Firewall > NAT > outbound. Switch into the hybrid mode, save and add a new rule:
interface: LAN2
Source: your LAN network or an alias with the two considered servers in your LAN
Translation address: interface address
If you want you may also restrict protocol and port.
-
Adding a static route to them won't break anything unless you're really, really good.
-
So, not doubting anything since I'm already at a point where I'm not knowledgeable enough and had to ask but, I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN. I just can't mount it and get RPC errors.
-
But you're not really pinging that NFS server, are you? You're pinging pfSense which is pretending to be that IP address. That's what a Virtual IP - IP Alias is. I explained all this in my first post.
-
@lewis said in Allow LAN to LAN, not routing:
I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN.
The ping will not reach the device in the other network if the destination IP is on your own router!
Edit: Okay, KOM has the same idea and was faster.
-
Please guys, I appreciate the help, don't get impatient with me. I know you explained but this is not my network to break so am counting on you guys to help me do the right thing.
It makes sense that I can ping the IP if I added it on the local router. I had not thought about that.
Changing to hybrid won't break anything that is running now? I mean, will it require a reboot or something? pfSense is always highly reliable and I never need to reboot it, but I'm asking since we are changing a 'mode'.
-
Changing the outbound NAT mode from automatic to hybrid does nothing. The automatically added rules are still in place and you're able to add manual rules.
-
NAT > outbound. Switch into the hybrid mode
Done.
save and add a new rule:
interface: LAN2
The above is not clear to me. I've not created a new interface and don't see one. I only see the usual WAN and LAN in Interfaces so I'm missing something before I can add rules next.
-
So the neighbour's LAN is really not on a separate interface? It's connected directly to your LAN as John assumed?
-
The pfsense box has two interfaces only, WAN and LAN.
Our LAN subnet is 10.0.0.1/24.
On the LAN side, there are many other segments and I need to connect to a neighbor's LAN and a storage device at 10.100.100.12.
They too route their own 10.100.100.1/24 subnet, have their own DHCP service, etc. so I don't want to break anything on either subnet.
-
As John mentioned above: That is never a good way to do anything.
However, you can give it a try.
At first your pfSense needs an IP in the neighbour's subnet (IP Alias). Ensure to set the correct mask.
After you have added this you can select it at translation address in the outbound NAT rule.
At network, select the one the NFS storage is connected to, I guess LAN.
-
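An added illustration of the routing argument made in this post and in the outbound NAT post above (it is not code from the thread or from pfSense): a small model of the topology that shows why a ping to an IP alias proves nothing about reachability, and why the storage device needs either a static route back to our LAN or an outbound NAT rule. It assumes pfSense's IP alias in the neighbour's subnet is 10.100.100.250 and that the neighbour's gateway has no route back to 10.0.0.0/24; the other addresses are the ones quoted in the thread.

```python
# Toy model of the thread's topology (constructed example, not pfSense code).
from ipaddress import ip_address, ip_network

OUR_LAN = ip_network("10.0.0.0/24")            # from the thread
NEIGHBOR_LAN = ip_network("10.100.100.0/24")   # from the thread
NFS = ip_address("10.100.100.12")              # from the thread
NEIGHBOR_GW = ip_address("10.100.100.1")       # neighbour's gateway (thread)
PFSENSE_LAN_IP = ip_address("10.0.0.1")        # from the thread
PFSENSE_ALIAS = ip_address("10.100.100.250")   # ASSUMED IP alias on pfSense's LAN
DEFAULT = ip_network("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix match. routes: [(network, gateway-or-None)]; None = on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return "no route"
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else gw

def nfs_routing_table(static_route):
    """The storage device's table: its connected subnet, a default route via the
    neighbour's gateway, and optionally the static route suggested in the thread
    (our LAN reachable via pfSense's alias address)."""
    table = [(NEIGHBOR_LAN, None), (DEFAULT, NEIGHBOR_GW)]
    if static_route:
        table.append((OUR_LAN, PFSENSE_ALIAS))
    return table

def reply_reaches_client(client, static_route=False, outbound_nat=False):
    """Does the NFS reply to a request from `client` (in our LAN) get back to it?
    With outbound NAT the NFS sees pfSense's alias as the source, so its reply is
    on-link and pfSense un-NATs it; otherwise the reply follows the NFS routing table."""
    src_seen_by_nfs = PFSENSE_ALIAS if outbound_nat else client
    hop = next_hop(nfs_routing_table(static_route), src_seen_by_nfs)
    if hop == "on-link":
        return outbound_nat  # on-link only helps when that address really is pfSense's alias
    # Assumption: only pfSense knows the way back into 10.0.0.0/24; a reply handed
    # to the neighbour's gateway is lost, which is what the thread's RPC errors look like.
    return hop == PFSENSE_ALIAS

def ping_answered_by(dst, pfsense_addresses):
    """An IP alias equal to the storage IP makes pfSense itself answer the ping."""
    return "pfSense (local IP alias)" if dst in pfsense_addresses else "remote host"
```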
Well, it's why I asked in the forums, because I don't want to do this in the wrong way :). So, what way should I do it or should I explain a bit more about what I am trying to accomplish?
-
As we already mentioned 15 posts ago, the correct way is to set up a separate transit network where you connect pfSense and the NFS to. This may also be a VLAN, so that there is no further hardware needed.
However, even with that you will need either a static route on the NFS storage or the Outbound NAT rule.
-
15 posts ago was different than what I just added about there being only two interfaces. I already explained this is beyond my level of knowledge with pfSense and you keep telling me it's simple, do this, do that, but I've never done it before so cannot follow such advice.