Everything working, except the ability for the router itself to reach the outside



  • Hello,

    This issue got me stuck for a while.
    From pfSense itself, I just can't ping anything.
    This is a problem because I can't install additional packages, thru the package manager, or the command line. Nor update pfsense

    The DNS resolution occurs, but nothing after that.

    Apart from that, I have a perfectly working setup, in production.
    WAN 0 : SDSL
    WAN 1 : VDSL
    WAN 2 : 4G
    LAN 0 : normal LAN, with your usual clients and servers.

    I have NAT forwarding from the SDSL to servers on the LAN working well.
    I have multiple computers on the LAN, all reaching internet, thru pre-defined groups of routers (SDSL,VDSL,4G), with failover/loadbalancing working well.
    I have traffic shaping working well.
    I have DNS Forwarding working well.

    I have tried multiple things

    • forcing an update in ipv4 only thru the command line
    • activating "prefer ipv4 over ipv6"
    • creating a specific rule for the IP of the router on the LAN, to allow anything
    • creating a specific rule for "self" to allow anything
    • resetting the datetime (not kidding, someone suggested that)

    I posted in Firewalling, because that's what it looks like, sorry if it's not.

    Thank you very much for your help



  • Finally found what was wrong !

    WAN0 is on 10.10.10.0 router is 10.10.10.1 distinct ethernet interface
    WAN1 is on 10.10.10.0 router is 10.10.10.10 distinct ethernet interface
    WAN2 is on 192.168.1.0 router is 192.168.1.1 distinct ethernet interface
    LAN is on 10.10.10.0 router is 10.10.10.10 distinct ethernet interface

    I tried to ping each router and could only ping the WAN2 !
    The default gateway was WAN1, so I switched to WAN2 and now it works properly.

    I guess I should change the subnet of WAN0 and WAN1, to avoid such issues.
    (Idea behind keeping the same subnets was to allow an easy recovery in case of massive pfsense crash. As putting the WAN1 router directly on the LAN would ensure the client could use internet as usual).


  • Rebel Alliance Global Moderator

    How did you get the same network on so many multiple interfaces? Pfsense should have prevented you from doing that. You can not for sure have same network on wan as you do on lan..



  • The address range is the same. But physically, they are 4 distinct interfaces, that can never contact each other directly.

    Behind the WAN0 interface of pfsense, there's only a router (SDSL) connected
    Behind the WAN1 interface of pfsense, there's only a router (VDSL) connected
    Behind the WAN2 interface of pfsense, there's only a router (4G) connected
    Behind the LAN0 interface of pfsense, there is the local network, and none of the routers are connected to it in any way.

    I think it has been possible because of DHCP mode on those interfaces.
    WAN2 is configured in DHCP (the 4G router providing IP and routing info)
    WAN1 is configured in DHCP (the VDSL router is providing IP and routing info)
    WAN0 is configured as static IPv4, as it has public IP directly exposed.



  • @jlfr said in Everything working, except the ability for the router itself to reach the outside:

    The address range is the same. But physically, they are 4 distinct interfaces, that can never contact each other directly.

    ...and which will never pass traffic from/to each other because they are (seem to be) on the same subnet.
    Very basic networking: every interface needs to be on its own subnet.


  • Rebel Alliance Global Moderator

    Nor will pfsense let you do it even.. Are your wan all dhcp?



  • It doesn't appear to be much of an issue.
    I've got about 80 users and about 10 servers that have been running without a glitch for a week. Loadbalancing occurs, rules for specific users/services using specific gateway occurs too.
    I mean, conceptually there might be something very wrong (and now that I'm aware of it, I'll see to fix that).
    But in practice it does work very well.

    @johnpoz said in Everything working, except the ability for the router itself to reach the outside:

    Nor will pfsense let you do it even.. Are your wan all dhcp?

    Please see above,
    two wan are DHCP, one is static IPv4.


  • Rebel Alliance Global Moderator

    @jlfr

    So your two overlap are dhcp.. Pfsense will not let you set same network on multiple interfaces static...

    Your setup is borked - I would suggest you correct the networks on your wan connections so they do not overlap any other networks.



  • Yes I got that in the previous post.
    As literally everything is working now, I'll wait for a possible downtime this weekend to fix that.

    I'm sorry if the lack of basic networking knowledge offended you. I'm not in charge of that here, but the person responsible for it does much worse, let's put it this way.
    Thank you for your patience.



  • @jlfr said in Everything working, except the ability for the router itself to reach the outside:

    I'm sorry if the lack of basic networking knowledge offended you.

    Nah, no offense taken.
    It's just very unlikely that something might actually work (or seem to do) in that setup.


  • Rebel Alliance Global Moderator

    I clearly did not mean to offend anyone.. Borked is my term of endearment for something that is clearly wrong ;) It's a bit nicer than saying your setup is F'd dude ;) hehehe

    While you think it might be working.. It sure as the F shouldn't be.. You can not have overlapping networks on multiple interfaces in a router and expect it to work correctly.
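
The overlap discussed in this thread can be checked mechanically before an interface plan goes into production. The following is an added example, not part of any post above and not pfSense code: it takes the addressing listed in the thread, assumes a /24 prefix everywhere (the thread gives no masks), and reports which interface pairs overlap and which gateways fall inside more than one connected network. The `RENUMBERED` plan uses constructed subnets purely for illustration.

```python
import ipaddress
from itertools import combinations

# Interface -> (network, upstream router) as listed in the thread.
# The /24 prefix length is an assumption; the posts give no netmask.
INTERFACES = {
    "WAN0": ("10.10.10.0/24", "10.10.10.1"),
    "WAN1": ("10.10.10.0/24", "10.10.10.10"),
    "WAN2": ("192.168.1.0/24", "192.168.1.1"),
    "LAN":  ("10.10.10.0/24", "10.10.10.10"),
}

# Constructed replacement plan (hypothetical subnets, one per interface).
RENUMBERED = {
    "WAN0": ("10.10.20.0/24", "10.10.20.1"),
    "WAN1": ("10.10.30.0/24", "10.10.30.1"),
    "WAN2": ("192.168.1.0/24", "192.168.1.1"),
    "LAN":  ("10.10.10.0/24", "10.10.10.10"),
}

def parse(interfaces):
    """Turn the string plan into ip_network / ip_address objects."""
    return {name: (ipaddress.ip_network(net), ipaddress.ip_address(gw))
            for name, (net, gw) in interfaces.items()}

def overlapping_pairs(interfaces):
    """Interface pairs whose connected networks share addresses."""
    parsed = parse(interfaces)
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a][0].overlaps(parsed[b][0])]

def ambiguous_gateways(interfaces):
    """Gateways whose address sits inside more than one connected network,
    so a route lookup cannot tie them to a single interface."""
    parsed = parse(interfaces)
    result = {}
    for name, (_, gw) in parsed.items():
        candidates = [n for n, (net, _) in parsed.items() if gw in net]
        if len(candidates) > 1:
            result[name] = candidates
    return result

if __name__ == "__main__":
    for label, plan in (("thread", INTERFACES), ("renumbered", RENUMBERED)):
        print(label, "overlaps:", overlapping_pairs(plan))
        print(label, "ambiguous gateways:", ambiguous_gateways(plan))
```

With the thread's addressing, WAN2 is the only interface whose gateway belongs to exactly one connected network, which matches the report that only the WAN2 router answered pings from the firewall itself.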


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy