Other interfaces not using LAN gateway
-
We have several different locations connected via a WAN with PFSense boxes at each office. The subnet shared with the LAN interfaces at all locations can all communicate fine across the WAN (i.e. 10.0.0.0/24 can talk to/from 10.1.0.0/24). We have a default gateway going out to our ISP, and a second gateway pointing to our WAN with the appropriate static routes set for each location.
However, when we have a device on an interface different from our main LAN (i.e. Wifi 10.0.20.0/24) it can talk to local subnets (10.0.0.0/24) but cannot talk to remote subnets (10.1.0.0/24). Additionally it can ping every device locally with the exception of the gateway for the WAN (10.0.0.1).
I've been fighting this for weeks and am at a loss. My current plan of shooting fish in a barrel is bearing no fruit. Please help!
EDIT: Fixed a typo (/20 to /24 for WLAN)
-
Produce a network diagram. Afraid that the description fails.
-
/20 for your wifi segment.. that is a shitton of wifi devices - why such a large segment? You sure you're not overlapping networks?
So your "wan" is just a large transit network.. With specific gateways setup for each other location and what networks that are there? I take it you're not natting these connections? And only natting to your public gateway? Or at your public gateway?
So see attached, this is how I see your network. Adding an opt or another network segment off 1 of your pfsense is no different than the lan segments on your pfsense.
My guess would be you're overlapping or have a config error for your routes or firewall rules.
So what is your transit network in use as your "wan" So are you natting or not natting at pfsense? Is this drawing close to your setup?
-
Sorry my WLAN is /24. That was a typo after a long frustrating evening.
I've attached my network map. The PFSense (Firewall) is the default gateway for the LAN and for the WLAN.
10.0.0.0/24 and 10.1.1.0/24 can all talk to each other just fine. 10.0.0.0/24 and 10.0.20.0/24 can communicate, except 10.0.20.0/24 cannot ping 10.0.0.1, but it can ping 10.0.0.5,6,7,8,9 etc. Without being able to ping 10.0.0.1 it can't talk to 10.1.1.0/24 which is my main problem. This problem also exists on my OpenVPN network set up on the PFSense (10.0.254.0/24).

-
The way I see your drawing your mpls routers are on your lan networks? So those become downstream routers to pfsense, and not wan gateways.. Yeah that is going to have all kinds of issues.
You have hosts on these 10.0.0/24 and 10.1.1/24 networks? What are their gateways? You have an asymmetrical setup from the way I read your drawing.
So a host on 10.0.0/24 wants to talk to your remote network, he goes to pfsense who then sends it to 10.0.0.1 (mpls router) But when the traffic comes back why would mpls router send back to pfsense? He is directly connected to 10.0.0/24
Your mpls routers should be on a transit network that is connected to pfsense.. Not what looks like your normal lan networks.
Your vpn would come in off the internet to any of your pfsense boxes or both, etc. And they would be able to access your whole network as long as you allow it, etc.
Once you set that up correctly, your sites could leverage the internet connections at hq or remote sites as backup/failover internet as well.. Unless you drew it wrong, your setup is messed up!!
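The asymmetric path johnpoz describes, and the WLAN symptom from the original post, as an added Python simulation that is not part of this thread. It runs a tiny longest-prefix-match forwarder over a model of the HQ site: the 10.0.0.0/24 LAN, 10.0.20.0/24 WLAN, 10.0.0.1 MPLS router and 10.1.1.0/24 remote network come from the posts; the pfSense addresses (10.0.0.254, 10.0.20.1), the host addresses, the 10.0.255.0/30 transit link and the 192.0.2.0/30 MPLS uplink are assumptions.

```python
import ipaddress

# Constructed model of the HQ site. Addresses from the thread: 10.0.0.0/24 LAN,
# 10.0.20.0/24 WLAN, 10.0.0.1 MPLS router, 10.1.1.0/24 remote LAN. Assumed for
# illustration: pfSense 10.0.0.254/10.0.20.1, hosts .50, transit 10.0.255.0/30,
# MPLS uplink 192.0.2.0/30. A node is {"ifaces": [ip/len], "routes": [(prefix, nh)]}.

def site(transit: bool) -> dict:
    pf_ifaces = ["10.0.0.254/24", "10.0.20.1/24"]
    if transit:  # MPLS router moved off the LAN onto a dedicated transit link
        pf_ifaces.append("10.0.255.1/30")
        mpls = {"ifaces": ["10.0.255.2/30", "192.0.2.1/30"],
                "routes": [("10.0.0.0/16", "10.0.255.1"), ("0.0.0.0/0", "192.0.2.2")]}
        pf_routes = [("10.1.1.0/24", "10.0.255.2")]
    else:  # as drawn in the thread: MPLS router sits directly on the LAN
        mpls = {"ifaces": ["10.0.0.1/24", "192.0.2.1/30"],
                "routes": [("0.0.0.0/0", "192.0.2.2")]}  # no route to 10.0.20.0/24
        pf_routes = [("10.1.1.0/24", "10.0.0.1")]
    return {
        "lan_host": {"ifaces": ["10.0.0.50/24"], "routes": [("0.0.0.0/0", "10.0.0.254")]},
        "wlan_host": {"ifaces": ["10.0.20.50/24"], "routes": [("0.0.0.0/0", "10.0.20.1")]},
        "pfsense": {"ifaces": pf_ifaces, "routes": pf_routes},
        "mpls": mpls,
        # remote site collapsed into one node: its MPLS router plus a host 10.1.1.50
        "remote": {"ifaces": ["192.0.2.2/30", "10.1.1.50/24"],
                   "routes": [("10.0.0.0/16", "192.0.2.1")]},
    }

def trace(nodes: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Forward a packet hop by hop from node `src` to IP `dst`; path ends DELIVERED/NO_ROUTE/LOOP."""
    owner = {ipaddress.ip_interface(i).ip: n for n, d in nodes.items() for i in d["ifaces"]}
    dst_ip, path, node = ipaddress.ip_address(dst), [], src
    while node not in path and len(path) < max_hops:
        path.append(node)
        ifaces = [ipaddress.ip_interface(i) for i in nodes[node]["ifaces"]]
        if any(i.ip == dst_ip for i in ifaces):
            return path + ["DELIVERED"]
        if any(dst_ip in i.network for i in ifaces):  # directly connected beats any route
            nh = dst_ip
        else:  # longest-prefix match over the node's static routes
            cands = [(ipaddress.ip_network(p), h) for p, h in nodes[node]["routes"]
                     if dst_ip in ipaddress.ip_network(p)]
            if not cands:
                return path + ["NO_ROUTE"]
            nh = ipaddress.ip_address(max(cands, key=lambda c: c[0].prefixlen)[1])
        if nh not in owner:
            return path + ["NO_ROUTE"]
        node = owner[nh]
    return path + ["LOOP"]
```

With `site(False)` the reply from the remote network to 10.0.0.50 goes remote, mpls, lan_host without ever touching pfSense, and replies to 10.0.20.50 (including the MPLS router's own ping replies) bounce back into the MPLS cloud; with `site(True)` every return path passes through pfSense.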
-
You're absolutely right. I am not the one who set it up this way, and it certainly isn't the way it should have been done. I do not have the ability to change it right now though. These problems arose because we changed our WAN provider, but the WAN router was also providing some internal routing as well. Is there anything I can do to get this to work, or am I hosed until these changes are made?
-
hmmmm.. Why can you not just move the mpls routers to transit networks.. Can you not get the networks on the lan side of the mpls routers changed to a transit network that does not conflict with your lan networks?
The current setup as I see it drawn is completely borked!! I would have to assume you're having issues with clients talking to the other networks because your setup would be asymmetrical.
To get your opt wifi segment to talk.. Do your mpls routers have routes to this 10.0.20/24 ?? If not you could snat them at pfsense so looks like coming from pfsense 10.0.0/24 IP.. But you would have issues if remote network needed to initiate a conversation to something in the opt network in hq.
To be honest the best course of action would be to correct the overall flaw in the design asap!!
As to work arounds - I would suggest you reach out to paid support from pfsense.
-
Thanks for the advice Johnpoz. I at the very least have a pretty clear understanding why it's broken. Hopefully I can convince some people to make a change.