Passing public /29 through one pfSense firewall to another
-
If you ping into something in the /29 from an external IP do you see those pings actually arriving anywhere? Maybe that /29 is not being routed to you correctly?
Steve
-
I thought it wasn't being routed correctly too, however if I try to assign it to a device (eg if I connect a test VM onto an OPT interface) to the L2TP pfSense instance, I can assign any /29 IP there just fine via just 1:1 mapping it... leads me to believe I'm missing something in the way it's being routed from the L2TP pfSense to my main one.
Really really appreciate your help so far. I'm also trying to see if there's something obvious that's been missed or if it's some sort of issue elsewhere but can't think of what it could be.
-
What does your static route look like for that?
Even if that was missing entirely you should still see traffic arriving for those IPs at the L2TP pfSense if it's routed to you.
Steve
-
This is the static route on the main pfSense instance. Gateway created automatically by DHCP.
Can't ping (and I've made sure there's an ICMP rule present to pass) - so still confused.
I think another option would be to assign the /29 to the LAN interface of the L2TP pfSense, then address the main one with an IP from that /29. I'd burn 3 addresses instead of 1, which is a lot considering it's only a /29 but it would at least get me somewhere.
The aim has been to get the L2TP pfSense to route the /29 as-is, without having to waste any addresses, using the /30 as the transport network. Fast appreciating that my day job isn't in IT/network admin based on the frustration this is causing!
-
That static route appears to be on the wrong firewall, it needs to be on the L2TP pfSense to route traffic to main firewall.
Steve
-
Added a static route from the /29 to 81.x.x.225 (created the gateway on the L2TP instance for the interface address) and still nothing. Even tried creating a gateway for 81.x.x.226 (the IP given to the main firewall) to go via that and still nothing.
Have also attempted various combos of having/not having a static route on the main firewall routing traffic via the receiving interface to no avail. Nothing in the firewall logs that's showing issues either. The /29 works fine if allocated to an interface so know it's being routed down the tunnel fine.
-
The static route needs to be on the L2TP firewall and it needs to be for the /29 subnet via the .226 address on the main firewall.
Any static route on the main firewall needs to be removed or you will have a routing loop.
The hosts inside that /29 do not need a static route. The only outbound routing should be policy based on the firewall rules passing traffic from that interface.
Steve
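Steve's point about which firewall the /29 route belongs on, and why a second copy on the main firewall loops, as an added two-hop forwarding model that is not from the thread: the 192.0.2.x /30 and 198.51.100.0/29 are constructed stand-ins for the masked 81.x.x.x addresses, and "isp", "l2tp" and "main" are hypothetical node names.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's masked addresses:
# the /30 transport between the firewalls and the ISP-routed /29.
TRANSPORT = ipaddress.ip_network("192.0.2.224/30")   # L2TP box is .225, main firewall is .226
PUBLIC_29 = ipaddress.ip_network("198.51.100.0/29")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A route is (prefix, next hop). Next hop None means the prefix is directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: returns a next-hop name, 'connected', or None (no route)."""
    best: Optional[Route] = None
    for prefix, nh in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return None if best is None else (best[1] or "connected")

def trace(tables: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Forward a packet hop by hop. The path ends in 'delivered', 'dropped', a node we
    hold no table for (the ISP side), or 'LOOP' when a firewall is revisited."""
    addr = ipaddress.ip_address(dst)
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], addr)
        if nh is None:
            return path + ["dropped"]
        if nh == "connected":
            return path + ["delivered"]
        if nh in path:
            return path + [nh, "LOOP"]
        path.append(nh)
        if nh not in tables:      # left our two firewalls, e.g. sent back up the tunnel
            return path
        node = nh
    return path + ["LOOP"]

def scenario(route_on_l2tp: bool, route_on_main: bool, block_on_main_iface: bool) -> List[str]:
    """Build both firewalls' tables and trace an inbound ping to a host in the /29."""
    l2tp: List[Route] = [(TRANSPORT, None), (DEFAULT, "isp")]
    main: List[Route] = [(TRANSPORT, None), (DEFAULT, "l2tp")]
    if route_on_l2tp:
        l2tp.append((PUBLIC_29, "main"))    # Steve's fix: /29 via .226 on the L2TP box
    if route_on_main:
        main.append((PUBLIC_29, "l2tp"))    # the route Steve says must be removed
    if block_on_main_iface:
        main.append((PUBLIC_29, None))      # /29 assigned to an interface on main
    return trace({"l2tp": l2tp, "main": main}, "l2tp", "198.51.100.3")
```

With the route only on the main firewall the L2TP box follows its default route and the ping never reaches main; with routes on both boxes the packet bounces across the /30 until TTL expiry.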
-
I'm losing the plot here I think. Right - static route has been added to the L2TP instance which looks like the below:
No static routes or anything are added to the main firewall. Still no luck in getting it to route - adding a 1:1 NAT to the test machine or even standing up a test interface with the /29 assigned on the main firewall results in... nothing.
It's configured like the following:
a) L2TP instance takes L2TP tunnel, auths, establishes connection
b) /30 is assigned to LAN on L2TP instance
c) Main firewall picks up .226 of that /30
d) Static route is configured like the above cap
e) /29 is assigned to an interface on the main firewall.
f) Client connected picks up a public IPv4 but uses
An allow-all rule is present on the interface which has got the /29 assigned with the gateway being the one provided on the L2TP instance.
Where do you think on the above steps I could be screwing up?
PS: I owe you a drink or three. Thank you so much for helping.
-
Send some pings to some IP in the /29 from an external address.
Check the state table in each pfSense, you should see states for that ping traffic coming in over the L2TP interface and out towards the main firewall. And states allowing it into the main firewall and out to wherever the target is, on the assigned interface for example.
If any state is missing check the firewall log for blocked traffic. Ultimately run packet captures to determine if those packets are actually arriving at all.
Steve
-
Assigning an IP from the /29 to an interface means I can ping that IP from an external address. That shows, at least, the block is being routed to the main firewall. Couldn't get any internet access, 1:1 NAT etc working though. Have now run out of time trying to diagnose, but ISP has swapped my /29 for a /28, which is more than enough for what I need for now even considering the 4 lost addresses (3+1 interface) - so have just put it on an interface on the L2TP instance and gone the easy way.
Thanks so much for your help though - absolute legend!