    Interface Route to local IP

    Routing and Multi WAN
    24 Posts 5 Posters 2.6k Views
    • DaHai8

      Sorry if I'm not describing this correctly, or using the proper terminology.
      I want to route all traffic from Interface A to a Node on Interface B (B-node).
      B-node already works properly and connects to the Internet.
      I just want all traffic coming in from Interface A to go through B-node on its way out to the internet.
      I'm new at pfSense and can't figure out how to do this.
      Thank you for any help, pointers, suggestions and references to pages where I can find information on how to do this.

      P.S.: I'm thinking it would be something like: route 192.168.3.0/24 192.168.4.4
      But I have no idea if that's right or where to enter it…

      • johnpoz (LAYER 8 Global Moderator)

        So you have a downstream router and you want to use that as the internet connection?

        So you have the attached first pic?

        So you want PC-A to go through pfsense and use this downstream router?  Do you have any devices on this other network like pc-b?  Do they also point to pfsense?  Do these devices need to talk to each other?

        So why can this other router not just be another wan?  What you're trying to do has possible asymmetrical routing concerns.  This downstream router needs to know how to NAT your node A network where pc-a sits.

        If you have multiple internet connections they really should all be just wan connections on pfsense, you can then policy route to determine which internet connection you use, or could use in load balance/failover setup.  These pfsense wan connections can be double natted if need be, etc.

        What exactly are you trying to accomplish - why do you have a downstream connection to the internet?  Why do you want to route your node A through this connection and not pfsense normal connection?

        See picture 2 is how you would normally do it.

        [Attachments: downstreamrouter.png (first pic), multipleinternet.png (picture 2)]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • DaHai8

          I have a pfSense on a server with 4 ethernet ports. 1 WAN and 3 LAN
          I have a WiFi AP on LAN3
          I have computer on LAN1
          Instead of LAN3 going to the Gateway, I want it to be routed to the computer on LAN1, and then go to the Gateway.
          I'm not sure how else to explain this.
          Sorry

          • johnpoz (LAYER 8 Global Moderator)

            "Instead of LAN3 going to the Gateway, I want it to be routed to the computer on LAN1, and then go to the Gateway."

            When you say gateway.. You mean pfsense??  Or your wifi AP?  What are you calling the gateway.  AP is not a gateway.. A gateway would be something that gets a client off the network it's on to other networks, like internet.  Or pfsense: client on lan 3 wanting to go to lan 1 or lan 2 or internet, etc.. pfsense would be its gateway.  An "Access Point" is never a gateway.  Now if you have it double natting and you just have some wifi router you're "calling" an AP then sure it could be the gateway to your wifi devices..

            Why would you want to go to a computer on lan 1 just to go back out pfsense to get to the internet.. Makes ZERO sense to do that.. ZERO!!

            Do you have some vpn connection or something on the computer on lan 1??  And you want your traffic to go through the vpn??  Why would you not just create the vpn connection on pfsense and then policy route the stuff you want to use the vpn.

            • DaHai8

              Ok, normally Lan3 would go out the WAN to get to the internet, right?
              Instead, it would work something like this:
              Lan3 -> Lan1 (computer) -> WAN

              I'm Sorry I'm not being very clear.

              • johnpoz (LAYER 8 Global Moderator)

                You're being clear – but there is ZERO point to do this... WHY would you want/need to do this - it's freaking pointless!!!  Are you wanting to run some sort of proxy on this box on lan 1?

                What is the point of sending traffic to the lan 1 computer to just get to the same internet connection??

                • DaHai8

                  There is a point, but that's not the issue. Can this be done? How? Where can I find out how to do this?
                  Thanks.

                  • johnpoz (LAYER 8 Global Moderator)

                    Find out how to do what.. Are you running a proxy, are you running a vpn on this box?  You have to run something on this box, or even if you send it traffic it's not going to do anything with it.

                    Without some understanding of what you're trying to accomplish, no, it's not possible…

                    • BluBoy

                      Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host.
                      LAN1 host would then need to be able to forward those packets on to the internet after you have done whatever you are trying to do.

                      If you are looking at an IDS type solution, I'd highly recommend looking into a switch that can mirror ports (SPAN PORTS) instead.

                      • DaHai8

                        Thanks!
                        I will give that a try.
                        I was thinking it was a custom Route, but your suggestion sounds logical.

                        • Derelict (LAYER 8 Netgate)

                          Instead of being evasive, how about telling us what you are trying to do? Routing to the LAN1 host is easy. What it does with the traffic might not be.

                          Create a gateway on LAN called LAN1_HOST with the IP address of LAN1 Host.

                          Policy route LAN3 traffic to LAN1 host.

                          "I want it to be routed to the computer on LAN1, and then go to the Gateway."

                          The "and then go to the gateway" part is up to that host. What it does with the traffic is outside the scope of the firewall.

                          "Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host."

                          No because the LAN1 host is not on the same subnet as the LAN3 hosts. They will have no idea where to send the traffic to get to LAN3 even if they do accept that as the gateway.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)
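Added example, written for this thread rather than taken from it or from Netgate: the pf rules that the two steps above (a gateway named LAN1_HOST, then the LOKI rule with that gateway set under Advanced) amount to, plus the checks that confirm they are in place. The interface names em3 for LOKI and em1 for SIF, the addresses 192.168.3.0/24 and 192.168.1.4, and the 192.168.0.0/16 summary of local subnets are assumptions; the thread never names the interfaces. Two things worth confirming in the GUI against what this script expects: the gateway belongs on the rule of the interface the clients are on (LOKI), because a route-to rule on the VPN host's own interface would send that host's outbound VPN packets straight back at it; and a pass rule for local destinations with no gateway has to sit above the policy-route rule, since the policy-route rule matches "to any".

```shell
#!/bin/sh
# Added example, not pfSense's own code or the thread's. Assumed names: LOKI = em3,
# SIF = em1, VPN host 192.168.1.4 (the LAN1_HOST gateway), LOKI net 192.168.3.0/24.
LOKI_IF="${LOKI_IF:-em3}"
SIF_IF="${SIF_IF:-em1}"
VPN_HOST="${VPN_HOST:-192.168.1.4}"
LOKI_NET="${LOKI_NET:-192.168.3.0/24}"
LOCAL_NETS="${LOCAL_NETS:-192.168.0.0/16}"   # assumed: every local subnet fits in here

# The pf form of "LOKI pass rule, Advanced > Gateway = LAN1_HOST": route-to hands matching
# packets to 192.168.1.4 on em1 regardless of the routing table. The first rule carries no
# gateway and is deliberately listed first: a rule with a gateway set matches "to any", so
# without it LOKI clients' traffic to pfSense's own resolver at 192.168.3.1 or to hosts on
# SIF would also be pushed at the VPN host.
policy_rules() {
    cat <<EOF
pass in quick on $LOKI_IF inet from $LOKI_NET to $LOCAL_NETS keep state
pass in quick on $LOKI_IF route-to ( $SIF_IF $VPN_HOST ) inet from $LOKI_NET to any keep state
EOF
}

# Ordering check on the fragment itself: the local-destination rule must precede the
# policy-route rule, and exactly one rule may carry route-to. Returns 0 when sane.
rules_sane() {
    first="$(policy_rules | sed -n 1p)"
    case "$first" in *route-to*) return 1 ;; esac
    [ "$(policy_rules | grep -c 'route-to')" -eq 1 ]
}

# On the firewall: parse the fragment without loading it, then confirm the GUI-built
# ruleset contains the route-to rule and show whether it is actually matching packets.
# Returns 2 when run somewhere without pfctl (a workstation, for instance).
check_policy_route() {
    command -v pfctl >/dev/null 2>&1 || return 2
    policy_rules | pfctl -nf - || return 1            # syntax check only, nothing loaded
    pfctl -sr | grep -q -- "route-to ( $SIF_IF $VPN_HOST )" || {
        echo "no rule routes $LOKI_NET to $VPN_HOST; check Advanced > Gateway on the LOKI rule" >&2
        return 1
    }
    # Counters for the installed rule: "Packets: 0" after client traffic means the rule
    # never matches (wrong interface, wrong order, or gateway marked down with
    # "Skip rules when gateway is down" set), as opposed to the host dropping what it gets.
    pfctl -vsr | grep -A1 -- "route-to ( $SIF_IF $VPN_HOST )"
}

rc=0
check_policy_route || rc=$?
if [ "$rc" -eq 2 ]; then
    echo "pfctl not found here; fragment to compare against the firewall's ruleset:"
    policy_rules
fi
```

Run it from the pfSense shell (Diagnostics > Command Prompt or SSH) after saving the rules; anywhere else it only prints the fragment. The pfctl -vsr counters are the quickest way to separate a rule that is never matched from a host that receives the traffic and does nothing useful with it, which is the part Derelict points out is outside the firewall's scope.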

                          • DaHai8

                            Under System / Routing / Gateways:
                            Enabled: LAN1_Host / LAN1 / 192.168.1.4

                            In Firewall / Rules / LAN2, there is no option to specify the Gateway.
                            :(

                            • KOM

                              It's under the Advanced options for the rule, I believe.

                              • Derelict (LAYER 8 Netgate)

                                Where did LAN2 come from?

                                Match the traffic coming into LAN1 and set the gateway under advanced on that rule.

                                • DaHai8

                                  Sorry about that - meant to say LAN3

                                  I thought using numbers instead of my assigned names would make it easier for everyone, but instead it's just got me confused.
                                  From now on in all my posts (hopefully not many more :)…) I will refer to them by the assigned names so I don't get confused and muck up everything...again.
                                  LAN1 = SIF
                                  LAN2 = THOR
                                  LAN3 = LOKI

                                  I seem to be having lots of problems with SIF since I changed it from 192.168.1.x to 192.168.4.x as I was double-NAT'd. I've since removed that other NAT device and am now single-NAT'd with pfSense. Therefore, I've set SIF back to 192.168.1.x, but it still seems to be messed up.

                                  The DHCP service on SIF is not talking to anyone. I've posted a message in the DHCP/DNS forum asking for help as I cannot seem to get it working now
                                  https://forum.pfsense.org/index.php?topic=121772.0

                                  Maybe once I get that sorted out, my route from LOKI to 192.168.1.4 (Wormhole) will work.

                                  I'm also building a new Wormhole to test with because I can't even PING the old Wormhole no matter what Interface I put it on (if different than the Ping Sender's)
                                  https://forum.pfsense.org/index.php?topic=121748.0

                                  Ugh, what a mess I've made…I really do very much appreciate everyone's help!

                                  • johnpoz (LAYER 8 Global Moderator)

                                    What are you doing dude.. Completely agree with you here

                                    "Ugh, what I mess I've made.."

                                    Do you understand the hairpinning that would be going on in this network??  So in going to the internet. Follow your path..

                                    lanPC
                                    To
                                    langw
                                    outlan3gw
                                    Inwormhole
                                    Outwormhole
                                    inlan3gw

                                    How does your traffic expect to get back now??  Because if you don't go through your wormhole it's asymmetrical and your firewall will kill any states it sees no traffic on once it hits its timeout, etc..

                                    So yeah what a mess..

                                    Let's try this again - if you actually explain what you want to accomplish we can go over the options for doing it, whatever it is you're wanting to do..  Without a borked up pile of crap!!

                                    • DaHai8

                                      So, two steps forward, one step backwards

                                      My Pi VPN/SSL Client is working on 192.168.1.4 and connects to the VPN/SSL Server just fine.
                                      But…you knew there'd be a 'but'...

                                      When I enable the Policy Route and Upstream Gateway, it (the Pi) cannot connect to the VPN/SSL Server anymore.
                                      It just initiates, and then gets a soft reset, and tries again - infinitely...

                                      So here's how I implemented Derelict's instructions (the Route was Enabled before when I did the test, as was the upstream gateway):

                                      What did I screw up this time??

                                      • DaHai8

                                        johnpoz,

                                        I have a WiFi AP (192.168.3.2) on Loki Interface (192.168.3.1)
                                        Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
                                        That data is sent to the OpenVPN/SSL Server somewhere 'out there'

                                        My issue is getting Loki WiFi AP connections to the OpenVPN/SSL Client.

                                        That's it in a nutshell

                                        • DaHai8

                                          Ok, I googled around and found this web site that talks about pretty much what I'm trying to do. They set up the VPN Gateway on the same subnet as all the clients (I didn't think you could do that!)
                                          http://ozcan.com/blog/en/setting-up-vpn-gateway-with-raspberry-pi

                                          So I put my Pi on Loki (192.168.3.x) and set it as follows:
                                          IP Address: 192.168.3.3/24
                                          Gateway: 192.168.3.1

                                          I set this up in iptables:

                                          # NAT forwarded client traffic out of the VPN tunnel
                                          iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
                                          # NAT out of the LAN side as well (see the note below)
                                          iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


                                          While the above web site does not mention the second iptables setting, if I don't include it, the PI randomly aborts the SSH connection.

                                          I then SSH'd into my Pi while on the Loki Interface and verified that the VPN Client was connecting to the VPN Server and working properly (it was)

                                          So then I tried to set up the Pi as the new Gateway for Loki using the following setting in pfSense:


                                          However, now with all that in place, when I'm connected on the Loki Interface, I cannot get to the VPN Server - regular Web Sites don't work either. The Web Browser just reports "No Internet Connection".

                                          I feel like I'm really close. It's probably some setting not right in pfSense.

                                          Thank you all for sticking with me on this - I really do appreciate it!!

                                          Any ideas/suggestions on what I've mis-configured is greatly welcome!!!
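Added example, not from the thread or from the ozcan.com post linked above: the Pi side as a reviewable script. The two MASQUERADE lines above, as posted, leave a hole: the eth0 rule means that whenever tun0 is down, the clients' forwarded traffic is NATed out eth0 to pfSense and on to the WAN unencrypted, and nothing signals that it happened. The script NATs only on tun0, sets a FORWARD policy of DROP with a single explicit eth0-to-tun0 allow (a kill switch: client traffic leaves through the tunnel or not at all), and adds the route back to the client subnet via pfSense that an OpenVPN redirect-gateway push otherwise breaks by moving the Pi's default route into the tunnel. It assumes the separate-subnet layout Derelict's policy route targets, not the same-subnet one in this post: Pi on eth0 at 192.168.1.4 on SIF, pfSense at 192.168.1.1, clients on 192.168.3.0/24 (LOKI), OpenVPN on tun0; all of those names and addresses are assumptions. With the Pi on the clients' own subnet the route line must be dropped (it would replace the connected route), and replies from the Pi reach the clients without passing pfSense, which is the asymmetric path johnpoz warns about. The has_clear_leak check works on both the generated command list and live iptables -S output, and in the test below is run against a constructed copy of the posted rules.

```shell
#!/bin/sh
# Added example (not from the thread): a Raspberry Pi acting as the VPN gateway that
# pfSense policy-routes a client subnet to. Assumed names and addresses: Pi on eth0 at
# 192.168.1.4, pfSense on that segment at 192.168.1.1, OpenVPN client interface tun0,
# client subnet 192.168.3.0/24 (LOKI). Run as root on the Pi with DO_APPLY=1 to install.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
PFSENSE="${PFSENSE:-192.168.1.1}"
CLIENT_NET="${CLIENT_NET:-192.168.3.0/24}"

# Build the gateway configuration as a command list so it can be reviewed before it is
# applied. Differences from "MASQUERADE on both interfaces":
#  - a route back to the client subnet via pfSense: a redirect-gateway push moves the
#    Pi's default route into the tunnel, and replies to 192.168.3.x would otherwise be
#    sent into the VPN instead of back towards the clients;
#  - FORWARD policy DROP with one explicit eth0 -> tun0 allow: forwarded client traffic
#    can only leave through the tunnel; eth0 -> eth0 forwards (tunnel down, or client
#    traffic to other local subnets) are rejected so the client fails fast;
#  - NAT on tun0 only. A MASQUERADE rule on eth0 would carry client traffic out through
#    pfSense's WAN in the clear whenever the tunnel is down.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace $CLIENT_NET via $PFSENSE dev $LAN_IF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $CLIENT_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -j REJECT --reject-with icmp-admin-prohibited
iptables -t nat -A POSTROUTING -o $VPN_IF -s $CLIENT_NET -j MASQUERADE
EOF
}

# Leak check: exit 0 if a rule listing masquerades traffic out of the LAN interface,
# i.e. client packets could bypass the tunnel. Accepts the command list above or the
# output of "iptables -t nat -S POSTROUTING".
has_clear_leak() {
    printf '%s\n' "$1" | grep -q -- "-o $LAN_IF .*-j MASQUERADE"
}

apply_gateway_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    gateway_rules | sh -e
    # Post-apply check against the live NAT table, not the script's own intent.
    if has_clear_leak "$(iptables -t nat -S POSTROUTING)"; then
        echo "WARNING: MASQUERADE on $LAN_IF present, tunnel bypass possible" >&2
        return 1
    fi
}

if [ "${DO_APPLY:-0}" = "1" ]; then
    apply_gateway_rules
else
    gateway_rules     # dry run: print what would be applied
fi
```

Saved as, say, vpn-gw.sh, a plain run prints the command list for review and DO_APPLY=1 ./vpn-gw.sh installs it as root. Afterwards iptables -t nat -S POSTROUTING must show a single MASQUERADE, on tun0, and a client on LOKI should lose connectivity outright, rather than quietly falling back to the clear, when the OpenVPN client on the Pi is stopped.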

                                          • johnpoz (LAYER 8 Global Moderator)

                                            "Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
                                            That data is sent to the OpenVPN/SSL Server somewhere 'out there'"

                                            So you want your traffic to go to a vpn??  Why would you not just set up this vpn connection in pfsense???  Openvpn client, Policy route = done!!  2 freaking minutes.  No asymmetrical routing, no hairpinning, no other boxes/devices needed..

                                            Then you could route any of your segments to this vpn, you could route just specific hosts, you could route just specific dest traffic…

                                            You keep saying openvpn/ssl - and you brought up stunnel in your other thread??  So is this vpn connection an openvpn one or stunnel based?  Stunnel will run on pfsense.. You're going down the WRONG PATH trying to set up devices to route to a host on their own network or a different local network..  The proper way to do this sort of stuff is at the edge of your network, not internally.  If done on some internal box you either end up with messy hairpins best case or hairpins and asymmetrical routing at best.  Even when you do this on a transit network to remove the asymmetrical routing issues you end up hairpinning..

                                            Why can you not just do this the simple easy less complex way by running the vpn connection on pfsense and then policy routing the devices on your network you want to use this vpn connection??

                                            If you have more than 1 public IP you could run it on some other box via a transit network connection to pfsense without hairpin..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.