Allow LAN to LAN, not routing
-
You need a working communication between the NFS storage and your LAN devices as you stated above. So you need a static route for your LAN on the device in the other LAN. The default route can still stay as it is and upstream traffic from the NFS may go out the neighbours gateway.
As I mentioned above, you may also do a workaround with NAT.
To do so go to Firewall > NAT > outbound. Switch into the hybrid mode, save and add a new rule:
interface: LAN2
Source: your LAN network or an alias with the two considered servers in your LAN
Translation address: interface addressIf you want you may also restrict protocol and port.
-
Adding a static route to them won't break anything unless you're really, really good.
-
So, not doubting anything since I'm already at a point where I'm not knowledgeable enough and had to ask but, I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN. I just can't mount it and get RPC errors.
-
But you're not really pinging that NFS server, are you? You're pinging pfSense which is pretending to be that IP address. That's what a Virtual IP - IP Alias is. I explained all this in my first post.
-
@lewis said in Allow LAN to LAN, not routing:
I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN.
The ping will not reach the device in the other network if the destination IP is on your own router!
Edit: Okay, KOM has the same idea and was faster.
-
Please guys, I appreciate the help, don't get impatient with me. I know you explained but this is not my network to break so am counting on you guys to help me do the right thing.
It makes sense that I can ping the IP if I added it on the local router. I had not thought about that.
Changing to hybrid won't break anything that is running now? I mean, will it require a reboot or something? Pfsense is always highly reliable and never need to reboot it but I'm asking since we are changing a 'mode'.
-
Changing the outbound NAT mode from automatic to hybrid does nothing. The automatically added rules are still in place and you're able to add manual rules.
-
NAT > outbound. Switch into the hybrid mode
Done.
save and add a new rule:
interface: LAN2The above is not clear to me. I've not create d a new interface and don't see one. I only see the usual WAN and LAN in Interface so I'm missing something before I can add rules next.
-
So the neighbours LAN is really not on an separate interface? It's connected directly to your LAN as John assumed?
-
The pfsense box has two interfaces only, WAN and LAN.
Our LAN subnet is 10.0.0.1/24.
On the LAN side, there are many other segments and I need to connect to a neighbors LAN and a storage device at 10.100.100.12.
They too route their own 10.100.100.1/24 subnet, have their own DHCP service, etc so I don't want to break anything on either subnet. -
As John mentioned above: That is never a good way to do anything.
However, you can give it a try.
At first your pfSense need an IP in the neighbours subnet. (IP Alias). Ensure to set the correct mask.
After you have added this you can select it at translation address in the outbound NAT rule.
At network select this one the NFS storage is connected to, guess LAN. -
Well, it's why I asked in the forums, because I don't want to do this in the wrong way :). So, what way should I do it or should I explain a bit more about what I am trying to accomplish?
-
As we already mentioned 15 posts ago, the correct way is to set up an separate transit network where you connect pfSense and the NFS to. This may also be a VLAN, so that there is no further hardware needed.
However, even with that you will need either a static route on the NFS storage or the Outbound NAT rule.
-
15 posts ago was different than what I just added about there being only two interfaces. I already explained this is beyond my level of knowledge with pfsense and you keep telling me it's simple, do this, do that but I've never done it before so cannot follow such advise.
-
It sounds like it's easy but it's not something I've ever had to deal with. At most, I've had to set up multiple WAN interfaces and route those which wasn't very hard but this is something different since I don't own that network yet it's on the same LAN as many other private subnets are so I don't want to break anything on our or anyone else's subnet.
Could someone please explain the steps, one by one. Once I see how this works, it will be another thing I've learned and will not have to ask about. Right now, there were a lot of replies and clarification so I really don't know what do do next.
-
So, can someone please give me the steps?
-
@lewis said in Allow LAN to LAN, not routing:
Yes, our traffic is allowed, it's me that is not sure what to do on our end as I don't want to break something.
I already explained this is beyond my level of knowledge with pfsense and you keep telling me it's simple, do this, do that but I've never done it before so cannot follow such advise.
Could someone please explain the steps, one by one.
So, can someone please give me the steps?
Please don't be offended, but it really sounds like you need to hire someone who knows what they're doing.
-
That's not very nice. I already explained that this kind of setup is new to me. I've been using pfsense for many years but I simply cannot mess this up since it's not my network to practice or learn on.
What's the point of a 'community' helping each other when they only help those who already know how.
-
Thing is, you have been told several times what steps are necessary. You are asking someone to spend at least a good part of an hour outlining the steps one by one for you.
Why should someone do that and not be compensated?
There is a difference between asking a question and demanding someone be your personal, uncompensated, consultant.
That is why you do not yet have a list of exact steps to take.
-
Demanding??????
There is no 'thing is'. I've never done this before and I added something that had not been mentioned/asked about in my original post so now I'm not sure what is what.
You help each other all the time, don't give me this nonsense about not being paid, you replied. I'm not asking for the world here, I'm asking for a little help from kind human beings which is what forums are all about.
What kind of stupid world are we building anyhow? I help people all the time and now I ask for a little help and you come back with this garbage that is said all the time in forums.
Just don't respond then and let someone help find the kindness to instead of motivating others not to. I've been struggling with this all day, I sure don't need your high and mighty hate friend.
Very nice community friend, very nice.
