Netgate Discussion Forum

Weirdness with non-local gateway…

Routing and Multi WAN
6 Posts 3 Posters 3.1k Views
    ipodgorny
    last edited by May 26, 2016, 12:33 AM

    Long story short…

    Remote device (tried another pfSense, Cisco router, computer...) is reachable (ping, ssh, https...) until I configure a gateway for that device with:

    Use non-local gateway through interface specific route.

    Then it becomes unreachable... example:

    Laptop (192.168.0.2 DG:192.168.0.1)
            |
            |
    (LAN:192.168.0.1)
    pfSense 1
    (WAN: 172.16.0.2 DG:172.16.0.1)
            |
            |
    (172.16.0.1)
    Cisco router
            |
            |
    MPLS Cloud
            |
            |
    Cisco router
    (172.16.2.1)
            |
            |
    (WAN: 172.16.2.2 DG:172.16.2.1)
    pfSense 2
    (LAN:192.168.2.1)
            |
            |
    Another host (192.168.2.1)

    Everything OK until I create a gateway for example on pfSense 1 with IP 172.16.2.2 using "non-local gateway through interface specific route" option.

    pfSense box shows the gateway as online and pingable, but Laptop can no longer ping 172.16.2.2, but can ping all the other addresses including the ones behind that gateway...

    Firewall rules are "Pass" everything in all directions on all interfaces, no NAT whatsoever is configured.

    You may ask what I am trying to accomplish: it is to set up separate gateway groups from the primary site to the remote sites (there are 5 of them).
    If that gateway goes down, meaning MPLS is down (main site or the other end), then the VPN gateway is used.

    Any ideas on another way to accomplish this kind of thing are welcome:)

      cmb
      last edited by May 26, 2016, 3:39 AM

      You can't do that. "Non-local" means non-local at layer 3, it must be local at layer 2. That's not for the circumstance you show there. You have to route to your next hop router, which has a local IP, use it.

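To make cmb's rule concrete, here is a small routing-table model (added example; it is not code from the thread, from pfSense or from Netgate). It assumes the topology in ipodgorny's diagram and it assumes that the "non-local gateway through interface specific route" option amounts to a host route for the gateway that points at the interface with no next hop, so the kernel treats the gateway as on-link and tries to ARP for it. The model ignores proxy ARP, so it only shows why a next hop outside any connected subnet cannot be resolved, not every detail of what the real box did.

```python
import ipaddress

# Constructed data modelled on the thread's diagram: "pfSense 1" has a LAN and a
# WAN; the only router on its WAN segment is the Cisco at 172.16.0.1.
CONNECTED = {  # interface -> directly connected (layer-2 adjacent) subnet
    "LAN": ipaddress.ip_network("192.168.0.0/24"),
    "WAN": ipaddress.ip_network("172.16.0.0/24"),
}

# Routing table entries: (prefix, next_hop, interface). A next_hop of None means
# the destination is on-link and the kernel resolves it with ARP on the interface.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None, "LAN"),
    (ipaddress.ip_network("172.16.0.0/24"), None, "WAN"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("172.16.0.1"), "WAN"),
]


def connected_interface(addr, connected=CONNECTED):
    """Interface whose subnet contains addr, or None if addr is not layer-2 adjacent."""
    for iface, net in connected.items():
        if addr in net:
            return iface
    return None


def gateway_is_usable(gw, connected=CONNECTED):
    """A next hop is only usable if some directly connected interface can ARP for it.
    This is the check behind cmb's remark: non-local at layer 3 is fine, non-local
    at layer 2 is not."""
    return connected_interface(ipaddress.ip_address(gw), connected) is not None


def lookup(dest, routes=ROUTES):
    """Longest-prefix match. Returns (on_link_target, iface): the address the kernel
    will ARP for on iface (the next hop, or dest itself when the route is on-link)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, nh, iface in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    _, nh, iface = best
    return (nh if nh is not None else dest, iface)


def with_nonlocal_gateway_route(routes, gw, iface):
    """Assumption: the 'non-local gateway through interface specific route' option
    adds a /32 route for gw via iface with no next hop, i.e. it declares gw on-link.
    Returns a new table; the original list is left untouched."""
    host = ipaddress.ip_network(f"{gw}/32")
    return routes + [(host, None, iface)]


def arp_will_resolve(target, iface, connected=CONNECTED):
    """ARP only succeeds if target really sits on iface's segment (proxy ARP ignored)."""
    return target in connected[iface]


def path_works(dest, routes=ROUTES):
    """True if the packet leaves the box with a resolvable layer-2 next hop."""
    target, iface = lookup(dest, routes)
    return arp_will_resolve(target, iface)


if __name__ == "__main__":
    print("172.16.0.1 usable as gateway:", gateway_is_usable("172.16.0.1"))
    print("172.16.2.2 usable as gateway:", gateway_is_usable("172.16.2.2"))
    altered = with_nonlocal_gateway_route(ROUTES, "172.16.2.2", "WAN")
    print("reach 172.16.2.2 before:", path_works("172.16.2.2"))
    print("reach 172.16.2.2 after: ", path_works("172.16.2.2", altered))
    print("reach 192.168.2.1 after:", path_works("192.168.2.1", altered))
```

Before the extra route, 172.16.2.2 is reached through the default route and the Cisco at 172.16.0.1 answers the ARP; after it, the kernel asks for 172.16.2.2 on the WAN wire, where nothing with that address exists, while hosts behind it still follow the default route. That split matches the symptom in the first post.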
        johnpoz LAYER 8 Global Moderator
        last edited by May 27, 2016, 12:59 PM

        "If that gateway goes down meaning MPLS is down (main site or the other end) than VPN gateway is used."

        So your pfSense box has internet access other than the MPLS?  If so, then sure, you could use that to get to the other pfSense box.  Where is that path in your drawing: is it before the Cisco router, or after?

        Take a look here on how you work with multiwan connections, see the failover section.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          ipodgorny
          last edited by May 28, 2016, 1:16 AM

          @johnpoz:

          "If that gateway goes down meaning MPLS is down (main site or the other end) than VPN gateway is used."

          So your pfsense box has internet access other than the mpls?  If so then sure you could use that to get to the other pfsense box.  Where is that path in your drawing, it before the cisco router, after?

          Take a look here on how you work with multiwan connections, see the failover section.

          Thank you for your answer.

          Yes, there is another interface with Internet access on the pfSense box. I don't really care at all about the Internet access though.
          My primary concern is site-to-site connectivity. Let me paraphrase my question a bit.

          Is there a way to track "something" through a gateway, whether that "something" is UP or DOWN, and if it's down use another gateway / route / interface?
          There are 5 "somethings" that I need to track through one gateway, and make a routing decision for each one depending on its status.
          Using a different IP in gateway tracking is not going to work, as it can only do one. That is why I hoped to set up a separate gateway for each location I need to track.

          Somewhat like tracking in Cisco, which bumps route metric, swaps route, or does many different actions when "false" is returned.

            ipodgorny
            last edited by May 28, 2016, 2:50 AM

            @cmb:

            You can't do that. "Non-local" means non-local at layer 3, it must be local at layer 2. That's not for the circumstance you show there. You have to route to your next hop router, which has a local IP, use it.

            Thanks, that clears it up. I thought that Non-Local was both layer 2 and 3, now it all makes sense.

              cmb
              last edited by May 28, 2016, 4:54 AM

              The gateways' monitor IPs are basically the equivalent of IOS's tracking. If your backup path is going to be a VPN, you can use OpenVPN for that, which will give you an additional gateway.

              @ipodgorny:

              Thanks, that clears it up. I thought that Non-Local was both layer 2 and 3, now it all makes sense.

              That's just the nature of IP routing, you can't tell a system to use a gateway that isn't on the same layer 2 network (or otherwise directly-connected, like a VPN).

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
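cmb's last two replies point at the mechanism pfSense actually offers: each gateway has a monitor IP that is probed, and a gateway group fails over between tiers based on the monitor results. The following is an added example that models that selection logic in plain Python; it is not pfSense's code and it does not read real dpinger output. The thresholds, the gateway names and the probe figures are constructed for the example, and using the remote site's WAN address 172.16.2.2 as the MPLS gateway's monitor IP (so that the far end of the MPLS path is what gets tracked, while the next hop stays the local Cisco at 172.16.0.1) is an assumption about how one would apply cmb's remark, not something the thread states.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    """Constructed monitor result for one gateway (what a dpinger-style probe yields)."""
    loss_pct: float   # packet loss against the monitor IP, in percent
    rtt_ms: float     # average round-trip time to the monitor IP
    reachable: bool   # False when the monitor IP answers nothing at all


@dataclass
class Gateway:
    name: str
    next_hop: str     # must be layer-2 adjacent (see cmb's first reply)
    monitor_ip: str   # may be far away; it is what the gateway's health is judged on


# Constructed gateways for "pfSense 1" from the diagram. The MPLS gateway's next hop
# is the local Cisco, but its health is judged on the remote site's WAN address.
GATEWAYS = {
    "MPLS": Gateway("MPLS", next_hop="172.16.0.1", monitor_ip="172.16.2.2"),
    "VPN": Gateway("VPN", next_hop="10.8.0.1", monitor_ip="10.8.0.1"),  # assumed VPN peer
}

# Assumed thresholds for this example, not pfSense's shipped defaults.
LOSS_THRESHOLD = 20.0
LATENCY_THRESHOLD = 500.0


def gateway_state(probe, loss_threshold=LOSS_THRESHOLD, latency_threshold=LATENCY_THRESHOLD):
    """Classify a gateway from its monitor results."""
    if not probe.reachable:
        return "down"
    lossy = probe.loss_pct >= loss_threshold
    slow = probe.rtt_ms >= latency_threshold
    if lossy and slow:
        return "loss+latency"
    if lossy:
        return "loss"
    if slow:
        return "latency"
    return "online"


# Which states count as failed for each trigger level a group can be configured with.
TRIGGER_FAILS = {
    "member_down": {"down"},
    "packet_loss": {"down", "loss", "loss+latency"},
    "high_latency": {"down", "latency", "loss+latency"},
    "loss_or_latency": {"down", "loss", "latency", "loss+latency"},
}


def select_gateways(members, probes, trigger="member_down"):
    """members: list of (gateway_name, tier), lower tier preferred.
    probes: gateway_name -> Probe.
    Returns the usable gateways in the lowest tier that still has one; several
    names in the result means that tier load-balances, an empty list means the
    group has no usable member."""
    failed = TRIGGER_FAILS[trigger]
    for tier in sorted({t for _, t in members}):
        alive = [g for g, t in members
                 if t == tier and gateway_state(probes[g]) not in failed]
        if alive:
            return alive
    return []


# A per-site failover group: MPLS preferred, VPN as backup.
SITE2_GROUP = [("MPLS", 1), ("VPN", 2)]


if __name__ == "__main__":
    healthy = {"MPLS": Probe(0.0, 30.0, True), "VPN": Probe(0.0, 80.0, True)}
    mpls_dead = {"MPLS": Probe(100.0, 0.0, False), "VPN": Probe(0.0, 80.0, True)}
    mpls_lossy = {"MPLS": Probe(35.0, 40.0, True), "VPN": Probe(0.0, 80.0, True)}
    print("healthy:", select_gateways(SITE2_GROUP, healthy))
    print("MPLS far end down:", select_gateways(SITE2_GROUP, mpls_dead))
    print("MPLS lossy, member_down trigger:", select_gateways(SITE2_GROUP, mpls_lossy))
    print("MPLS lossy, packet_loss trigger:",
          select_gateways(SITE2_GROUP, mpls_lossy, trigger="packet_loss"))
```

The point of the trigger table is that "Member Down" alone keeps traffic on a degraded MPLS path until the monitor IP stops answering entirely; if the remote site should fail over on loss, the group has to be configured with a loss-based trigger. Whether one next hop can back several gateway entries with different monitor IPs, which is what the five-site question turns on, is not settled anywhere in this thread.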