No routing between subnets even with firewall disabled
-
@viragomann I forgot to include my NAT table. I'm using manual outbound NAT because I was NATing specific IPs to specific outbound gateways (the VPN thing).
But here's what it looks like now.
Theoretically, I should be able to ping out using the PIAVPN gateway with this NAT rule. After screenshotting this, though, I added a 192.168.2.0/24 > WAN address rule on the WAN interface (bottom of the list), and it didn't change anything. I was pinging IPs, not hostnames, as you suggested.
As for pinging the LAN subnet, I grabbed a half-dozen other IPs, including a printer, and am unable to ping them from the OPT2 subnet (using the pfSense ping utility). I AM able to ping them from the LAN interface (as I would expect).
-
Don't use manual outbound NAT, use Hybrid Outbound NAT instead.
-
@tendonut said in No routing between subnets even with firewall disabled:
Theoretically, I should be able to ping out using the PIAVPN gateway with this NAT rule.
From the point of outbound NAT, yes you should. However, outbound NAT does no more than NAT, it does not route the traffic. The routing to a non-default gateway has to be done by policy routing rule.
@tendonut said in No routing between subnets even with firewall disabled:
After screenshotting this, though, I added a 192.168.2.0/24 > WAN address on the WAN interface to (bottom of the list)
That's the one I was missing. However, is it correct??
Your upper two rules are totally useless. They won't match any traffic, since the destination of the packets will never be the subnet connected to the interface the rule is added to.
-
@bob-dig I just flipped it. It just added two additional rules, allowing all subnets to NAT with the WAN address. No change with my issue though.
I don't think I'd be able to keep this setting permanently though, because the way it reads, the automatic rules are read first, and I explicitly want to block the OPT2 subnet from being able to use the WAN interface at all, but for troubleshooting purposes, I'm OK with it.
-
@tendonut said in No routing between subnets even with firewall disabled:
I don't think I'd be able to keep this setting permanently though, because the way it reads, the automatic rules are read first, and I explicitly want to block the OPT2 subnet from being able to use the WAN interface at all
You are wrong.
Especially take note of this.
This can be generalized by making an alias for any RFC1918 traffic which would cover all private networks, and then using that in a rule. The alias contains 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.
-
From the point of outbound NAT, yes you should. However, outbound NAT does no more than NAT, it does not route the traffic. The routing to a non-default gateway has to be done by policy routing rule.
That I understand. I stripped those rules out as I was troubleshooting. Previously, I'd both tag the packets with a "no_wan_egress" tag, and block that as a WAN rule, and also set up rules to block traffic from using the WAN gateway and explicitly allow the VPN one as rules on the respective interfaces. But like I said, those have been stripped out for the time being.
The rule I added is this:
I removed those top two rules. I agree, they didn't make any sense, just my multi-hour brain frying.
@Bob-Dig Then I will keep it at Hybrid :)
-
@tendonut said in No routing between subnets even with firewall disabled:
The rule I added is this:
This is for the source of LAN subnet, not OPT1.
-
I think you need something like this for your vpn-only interface.
Later create a VPN Killswitch.
-
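To make the three points above concrete (outbound NAT only rewrites addresses and does not pick the exit interface; the RFC1918 alias covers local traffic; the VPN-only interface needs a policy-routing rule plus a kill switch), here is a hand-written pf.conf equivalent of the rule set the thread converges on. This is an added editorial example, not pfSense's generated /tmp/rules.debug and not a file either poster shared. The interface names (em0, em2, ovpnc1), the VPN gateway address 10.8.0.1 and the tag name NO_WAN_EGRESS are assumptions chosen for illustration; only the 192.168.2.0/24 subnet and the RFC1918 ranges come from the thread.

```pf
# Hand-written pf.conf sketch of the OPT2 "VPN only" setup (added example,
# not pfSense's own generated ruleset). Names below are assumptions.
wan_if   = "em0"        # WAN interface (assumed)
opt2_if  = "em2"        # OPT2, the VPN-only segment (assumed)
vpn_if   = "ovpnc1"     # OpenVPN client interface to PIA (assumed)
vpn_gw   = "10.8.0.1"   # far-end VPN gateway address (assumed)
opt2_net = "192.168.2.0/24"

# The RFC1918 alias from the thread, expressed as a pf table.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Translation (what the Outbound NAT page produces) ---
# These only rewrite the source address of packets that have ALREADY been
# routed out of the named interface. They never choose that interface.
nat on $vpn_if inet from $opt2_net to any -> ($vpn_if)
nat on $wan_if inet from $opt2_net to any -> ($wan_if)

# --- Filtering on OPT2, evaluated top to bottom, first "quick" match wins ---
# 1. Traffic to other local segments (LAN, printers) follows the normal
#    routing table, so no route-to here. Without this rule a catch-all
#    route-to rule would drag LAN-bound pings into the tunnel.
pass in quick on $opt2_if inet from $opt2_net to <rfc1918> keep state

# 2. Everything else is policy-routed into the VPN. This is the step that
#    outbound NAT alone cannot perform. The tag travels with the state so
#    the kill switch below can recognise the packet after NAT.
pass in quick on $opt2_if route-to ($vpn_if $vpn_gw) inet \
    from $opt2_net to ! <rfc1918> tag NO_WAN_EGRESS keep state

# --- Kill switch ---
# pf applies outbound translation before outbound filtering, so a rule that
# says "block out on WAN from 192.168.2.0/24" would never match: by then the
# source is already the WAN address. Matching on the tag sidesteps that.
block out quick on $wan_if tagged NO_WAN_EGRESS
```

After loading such a set, `pfctl -vvsr` lists the rules in evaluation order with their hit counters, and `pfctl -ss` shows the states; an OPT2-sourced state whose route-to interface is ovpnc1 confirms the policy route is doing the work that the NAT rule alone could not.
-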
@viragomann
Whoops! Like I said, brain fried. Same issue, though.
-
@bob-dig The RFC1918 alias is a good idea. I just created it. Didn't fix the issue, unfortunately, but I am gonna keep that in my back pocket when I start adding more elaborate rules.
-
I dropped off to go watch a movie, but am back now. One thing I noticed is that when I am doing an endless ping of www.google.com and go back to the dashboard traffic graph, I see a pretty constant 50 B/s load on the VPN interface. So that tells me traffic IS going to the VPN interface from OPT2. You can see exactly when I stopped the ping too.