pfsense configuration problem
-
@randym said in pfsense configuration problem:
It never made any sense to me, since all networks require a gateway in order to communicate properly.
Not sure where you got that idea.. I only need a gateway to talk to some "other" network.. I don't need a gateway to talk to anything on the network I'm connected to..
The LAN interface will never need to get off the LAN... it is the "gateway" for devices on the LAN. Same goes for any other interface you create on pfSense, be it native or VLAN.. Only the interface that has a gateway it can talk to in order to get to other networks should have that set.. It's now considered by pfSense a WAN connection, or at least a transit network.. used to get to other networks..
Once you create a gateway on the interface, pfSense goes "oh, I can use that gateway via this network to get to other networks", i.e. WAN!!
The documentation is very clear..
-
@johnpoz
Perhaps that is true in pfSense, but not switches and routers. Default gateways have to be configured in order to get traffic to move correctly. Even in pfSense it has a gateway, it just assumes that the IP on the LAN is the gateway IP, so you don't have to set one. However, if you are using a switch or router in conjunction and just using the pfSense as a firewall, then I seem to run into problems getting things to route properly. I have followed the recommendations made above and still can't get the other subnets to communicate with the WAN. I have rules in place that basically make this thing a router, not blocking anything internally, only on the WAN. Outbound NAT is set to allow all ports on all networks to NAT to the WAN interface.
-
@viragomann
Turn on the pfSense appliance without a configuration, assign your interfaces and then set the IP. When you are setting the IP for the LAN it will tell you not to set a gateway for a LAN; they are only used for the WAN.
-
@randym said in pfsense configuration problem:
When you are setting the IP for the LAN it will tell you not to set a gateway for a LAN, they are only used for the WAN.
That's absolutely correct. In this configuration section pfSense is asking for upstream gateways. Since you won't have an upstream gateway (default gateway) connected to the LAN interface, you have to set this to 'none'.
That's the same gateway setting as I mentioned above in the GUI: Interfaces > LAN. It's the same in any other interface's settings and is meant for multi-WAN purposes. I assume you have trouble distinguishing gateway and upstream (default) gateway.
When you define an upstream gateway, pfSense sets the default route, directing any traffic to it which is not destined to a network connected to pfSense directly.
However, a simple gateway may be any IP address (any device) within a subnet configured on an interface. I.e. when your LAN network is 192.168.1.0/24, any IP from 192.168.1.1 to 192.168.1.254 can be defined as a gateway in System > Routing > Gateways. That does nothing for now. But afterwards you can add a special (static) route for a network that is reachable over this gateway in System > Routing > Static Routes, as explained above. So presuming your router or switch in front of your VLANs has the IP 192.168.1.3 (within the LAN subnet), you have to add this IP as a gateway here and then set a (or multiple) static route(s) for the VLANs behind the router using this gateway.
But as already mentioned above, if one of your VLANs behind the switch owns the subnet 192.168.1.0/24, you must not assign the same subnet to the pfSense LAN interface, otherwise the communication with this VLAN won't work.
-
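The post above describes three kinds of routing-table entries: directly connected networks (no gateway needed), static routes via a gateway that lives inside one of the interface subnets, and the default route via the upstream gateway. The model below is an added example, not pfSense code and not from any poster in this thread; it implements longest-prefix-match lookup over such a table with constructed addressing (a dedicated transit LAN 192.168.100.0/24 with the L3 switch at 192.168.100.2, VLANs 192.168.1.0/24 and 192.168.2.0/24 behind it, and WAN on a documentation prefix). It also shows the failure the post warns about: when the LAN interface is given the same /24 as a VLAN behind the switch, the connected route wins and pfSense never hands that traffic to the switch.

```python
# Added example: a small longest-prefix-match model of the routing table that
# the post above describes. Not pfSense code; all addressing is constructed.
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def build_table(interfaces, static_routes=(), upstream_gateway=None):
    """Return route entries (network, next_hop, iface).

    interfaces:       {name: "ip/prefix"} as set under Interfaces > <name>;
                      each yields a directly connected route (next_hop None).
    static_routes:    [(network_cidr, gateway_ip)] as under System > Routing.
    upstream_gateway: the one gateway that becomes the default route (WAN).
    """
    table = []
    connected = {}
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        connected[name] = net
        table.append((net, None, name))

    def resolve(gateway):
        # A gateway is only usable if it sits inside a subnet configured on
        # some interface; otherwise there is no wire on which to reach it.
        gw = ipaddress.ip_address(gateway)
        for name, net in connected.items():
            if gw in net:
                return gw, name
        raise ValueError(f"gateway {gw} is not on any connected subnet")

    for cidr, gateway in static_routes:
        gw, iface = resolve(gateway)
        table.append((ipaddress.ip_network(cidr), gw, iface))
    if upstream_gateway is not None:
        gw, iface = resolve(upstream_gateway)
        table.append((DEFAULT_ROUTE, gw, iface))
    return table


def lookup(table, destination):
    """Longest prefix match. Returns (next_hop or None, iface); a None next hop
    means the destination is on the wire and is delivered directly.
    Connected routes are listed first, so they win a tie on prefix length."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    _, next_hop, iface = best
    return (None if next_hop is None else str(next_hop), iface)


def overlapping_subnets(interfaces, downstream_networks):
    """Subnets behind the switch that collide with a pfSense interface subnet.
    Any such collision is resolved as 'directly connected' by lookup(), so
    traffic for that VLAN never reaches the switch."""
    local = [ipaddress.ip_interface(c).network for c in interfaces.values()]
    return [n for n in downstream_networks
            if any(ipaddress.ip_network(n).overlaps(l) for l in local)]


# Constructed scenario: LAN is a dedicated transit subnet; only pfSense and
# the L3 switch live on it.
INTERFACES = {"wan": "203.0.113.2/24", "lan": "192.168.100.1/24"}
SWITCH = "192.168.100.2"
VLANS = ["192.168.1.0/24", "192.168.2.0/24"]


def transit_table():
    return build_table(INTERFACES,
                       static_routes=[(v, SWITCH) for v in VLANS],
                       upstream_gateway="203.0.113.1")


if __name__ == "__main__":
    table = transit_table()
    for dst in ("192.168.1.50", "192.168.100.2", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
    # Misconfiguration: LAN given the same /24 as VLAN 1 behind the switch.
    bad = {"wan": "203.0.113.2/24", "lan": "192.168.1.1/24"}
    print("overlaps:", overlapping_subnets(bad, VLANS))
    print("192.168.1.50 via bad LAN ->",
          lookup(build_table(bad, upstream_gateway="203.0.113.1"),
                 "192.168.1.50"))
```

Two things the model makes visible: the LAN interface itself carries no gateway (its connected route has a None next hop), and the only entry that needs the upstream gateway is the default route on WAN. Running `overlapping_subnets` against the planned VLAN list before assigning the LAN address is a cheap pre-check for the conflict described above.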
@randym said in pfsense configuration problem:
Perhaps that is true in pfsense, but not switches and routers.
Dude, not sure what you're talking about... I have worked with global networks and DCs for going on 30 some years.. So I know a thing or 2 about routers, switches and networks ;) And no, an interface does not need a gateway unless it's a "wan" connection or a transit connection.. And it's almost never on the actual interface... It's just a ROUTE to get somewhere..
We have multiple layer 3 switches (routers) in one of our DCs in hou that I access all the time.. Tell you right now, pretty much no interfaces have gateways set on them.. There is a default route, and then other routes, etc.. They are not gateways on the actual interface; this is really only done on the default connection.
Why don't you draw up your network and we can discuss what you're doing wrong. I can tell you what is a very common mistake around here: putting a downstream router on a host network vs a transit network, so asymmetrical routing seems to be a common user error.
-
@johnpoz
I have been working on them for over 25 years and I know a thing or two about them too. Any time you create a VLAN in a switch you assign an interface and an IP. That IP is always the gateway for that subnet. No matter how you want to look at it, all subnets have a gateway and a broadcast IP; that is how they are designed in IPv4. You may not call them that, but that is what they are. Routes have to have, especially in pfSense, a gateway in order for them to work correctly.
-
This is starting to smell like a thread that's going south real fast.
-
@viragomann
So what I am hearing you say is that I cannot use a subnet that is on the switch. So right now, 192.168.1.1 is VLAN 1 on my switch. If I want the pfSense to work correctly, I need to choose an IP that does not belong to any VLANs on the switch to configure the pfSense. This becomes my transit network as discussed by @johnpoz. Thus the pfSense LAN interface becomes the transit interface for all of the other VLANs to communicate with the WAN interface. Now the question of routing comes into play. Each subnet actually does have a gateway (upstream gateway); I tend to think of them as the same thing, because their function is the same, it's just that one resides remote to the box communicating. So take the 1.1 subnet. If I want to have this subnet communicate with the internet, I need to create a special static route that points to the LAN interface of the pfSense, is that correct or did I miss something?
-
No, it is just a difference in the usage of terms. John and I have no beef, just a lack of understanding due to a difference in terminology usage.
-
There is a HUGE difference between setting a gateway on an interface, and the gateway for the network.. On the router, yes, the interface on the router will be the gateway of that network to talk to that router and get to other networks... BUT it is NOT set on the router as a gateway.. It would only be set on the hosts in that network.. Which has zero to do with setting a gateway on an interface on any sort of router or L3 switch doing routing.
You're using the term wrong! ;) And to anyone concerned - I don't have any beefs.. Misuse of terms on his part is the problem ;) heheh
PFSense automatically assumes that the interface is the gateway,
pfSense doesn't assume anything as a gateway... Just because you set an IP on an interface. That is just an interface IP on the router - pfSense sees it as nothing more. Now hosts on that network need to use that as their gateway ;)
-
The issue is not in the usage of the term, but in where it is being used. Let's look at the pfSense, for instance. We are talking about the LAN interface and setting the IP for the LAN interface. This is an interface and not a network, yet in this instance it is being used as both. This is what is causing some of the misunderstandings that people are having. If I am understanding what @viragomann is saying correctly, the LAN interface IP cannot be an IP that is managed by a remote VLAN on my switch. Thus the LAN interface becomes the transit network for all traffic that needs to reach the WAN interface from the remote switch. Routing for each subnet that needs to reach the WAN needs to be set on the pfSense. If I understand correctly, that routing needs to take the subnet (example 192.168.1.0/24) and point it to the LAN interface in order for the traffic to traverse the firewall and reach the internet. Is that what you have been trying to say?