Routing, can pfsense be used as a router?



  • Hi,

    I'm having trouble setting up pfSense as a router.

    PFSENSE version: 1.2 RELEASE

    Here's my setup:

    ISP1 ==> WAN1 == FIREWALL1 == CARPvIP1 ==> LAN 1 ==> ROUTER1 ==> LAN2
    ISP2 ==> WAN2 == FIREWALL1                                                      ==> LAN3

    ISP1 ==> WAN2 == FIREWALL2 == CARPvIP1 ==> LAN 1 ==> ROUTER1 ==> LAN2
    ISP2 ==> WAN1 == FIREWALL2                                                      ==> LAN3

    CONFIGURATION:

    FIREWALL1: WAN LOADBALANCING using MultiWan how to, CARP, VPN site to site
    FIREWALL1 STATUS: WORKING, load balancing works fine, VPN site to site does as well, no apparent routing problems.

    ROUTER1: I disabled PACKET FILTERING, NAT TO AON removed all auto generated rules (as NAT is disabled when in router mode this is probably not necessary), removed all firewall rules (useless as well), enabled RIP v2 with the FIREWALL1.
    ROUTER1 STATUS: Internet hardly working (works 2 minutes, goes down, etc.), unable to reach the VPN (shouldn't the two pfSenses exchange complete routing tables and help ROUTER1 route the traffic to FIREWALL1?), etc…

    I'm going back to an IPTABLES script to have the routing feature working. Does anyone have a "Configure pfSense as a multihomed LAN router" how-to? I've tried all the options that may help to have a stable router, but nothing works. I have already tried 2 different PCs with 2 different brands of NIC, exact same behaviour.

    TROUBLESHOOTING:

    TESTS FROM LAN1:

    Everything works as it should, I can reach both my ADSL routers behind the WAN interfaces, I can work on the remote location using VPN. And of course the Internet works as a charm using the CARP.

    TEST FROM LAN2:

    Nothing works, even though the router got all the info from its mate (I didn't add any static route to the VPN as RIP should exchange the routing table with the previous hop). I can ping some other networks but it's all erratic, same for the Internet or any protocol going through.

    I'm starting to be strongly pis..d off as I've tried 3 different kinds of configuration for the router, even turning it back into a firewall, but the behaviour is quite the same: erratic Internet (losing routes live?). As I may be short-sighted because I'm angry, any help would be appreciated of course; it is probably some kid problem but now I may have trouble staying focused.

    I just have a question: can CARP be the cause of this trouble? And if yes, why? I'm using the VIRTUAL IP of the CARP on the FIREWALL1 as a gateway for the ROUTER.

    Thanks



  • I found the solution:

    For those who want to solve the same problem in the future, here's a summary of the problem:

    pfSense used as firewall and site-to-site VPN on 2 remote locations. Directly attached networks have no problem using the VPN. Subnets behind a third pfSense acting as a router are unable to reach the remote network. Moreover, the subnets behind the pfSense router are having trouble with the Internet.

    Solution:

    Goodbye pfsense router, welcome IPtables routing script on Gentoo. This solved the instability of the routing, now the Internet never times out. Now to solve the routing problem between the subnets behind the router and the remote location, you will first need to make sure you added correct static routes for those networks that are not directly attached to the pfsenses establishing the vpn tunnel.

    Once this is done, you will need to create a new VPN tunnel the same way as you would do for a normal site-to-site VPN. Best is to simply create a new tunnel based on an existing one, if any; the only thing that needs to be changed is the remote network you want to reach. All the rest remains exactly the same. Don't bother inventing something, just use an existing/working VPN tunnel as a template, change the source network or remote network depending on which pfSense you're working on, that's all.



  • You can use pfSense strictly as a router, with IPsec or anything else. You have to make sure all your subnets are specified in your IPsec configuration; you can't use routes to pass traffic over VPN, the SPD of your IPsec controls routing.
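To make the last answer concrete, here is an added example (not code from the thread or from pfSense) that models how IPsec's SPD selects traffic: a packet only enters the tunnel when a Phase 2 selector matches both source and destination, so subnets behind a downstream router stay uncovered until they get their own Phase 2 entry, regardless of static routes. Subnet addresses are constructed assumptions.

```python
"""Model of how IPsec selects traffic for a site-to-site tunnel.

Constructed example, not the thread author's configuration: LAN1 is
directly attached to the pfSense, LAN2/LAN3 sit behind a separate router.
Traffic enters the tunnel only when a Phase 2 (SPD) entry matches both
source and destination; a kernel route alone does nothing.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry, i.e. one SPD selector pair (local <-> remote)."""
    local_subnet: str
    remote_subnet: str

    def matches(self, src: str, dst: str) -> bool:
        local = ipaddress.ip_network(self.local_subnet)
        remote = ipaddress.ip_network(self.remote_subnet)
        return (ipaddress.ip_address(src) in local
                and ipaddress.ip_address(dst) in remote)

def spd_lookup(policies, src, dst):
    """First matching Phase 2, or None: the packet is sent in the clear."""
    for p in policies:
        if p.matches(src, dst):
            return p
    return None

def uncovered_subnets(policies, local_subnets, remote_subnet):
    """Local subnets with no Phase 2 entry toward remote_subnet. Their traffic
    never enters the tunnel, whatever static routes the router holds."""
    remote = ipaddress.ip_network(remote_subnet)
    missing = []
    for s in local_subnets:
        net = ipaddress.ip_network(s)
        covered = any(net.subnet_of(ipaddress.ip_network(p.local_subnet))
                      and remote.subnet_of(ipaddress.ip_network(p.remote_subnet))
                      for p in policies)
        if not covered:
            missing.append(s)
    return missing

# Constructed sample addressing (assumption, not from the thread).
LAN1, LAN2, LAN3 = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
REMOTE = "10.10.0.0/16"
ORIGINAL = [Phase2(LAN1, REMOTE)]             # only the directly attached LAN
FIXED = ORIGINAL + [Phase2(LAN2, REMOTE), Phase2(LAN3, REMOTE)]
```

Running `uncovered_subnets(ORIGINAL, [LAN1, LAN2, LAN3], REMOTE)` reports LAN2 and LAN3 as missing; with `FIXED`, which adds one Phase 2 per routed subnet as the thread's solution describes, the list is empty.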
