Supernetting (nested routers) experiment



  • Hi, all! I am a newbie and am struggling a bit to get things working in a pfSense-based project (1.2.2-release). I set up a prototype network like this:

    Border Router - border gateway to the whole 10/8 network
    LAN IP - 10.0.0.1/16
    DHCP server

    Router 105 - router delimiting 10.105/16 (sub)network
    WAN IP - 10.0.2.253/16 (on Border Router's LAN, obtained by DHCP)
    LAN IP - 10.105.0.1/16

    Router 106 - router delimiting 10.106/16 (sub)network
    WAN IP - 10.0.2.252/16 (on Border Router's LAN, obtained by DHCP)
    LAN IP - 10.106.0.1/16

    So the Border Router's LAN NIC and Routers 105/106's WAN NICs all belong to a 10.0/16 network. I'll explain in a moment what my requirements and attempted configurations are like, but will state the symptoms right away:

    –- SYMPTONS ---
    . according to the logs, rules "default deny rule" and "block dhcp client out wan" really rule and I can hardly ping anybody. Specifically:
      . Routers 105/106 ping 10.0.0.1;
      . 10.0.0.1 cannot ping either of the ROUTERS (i.e. 10.0.2.252/253) or computers in the subnets. However, if I add a non-router host to net 10.0/16, it can be pinged and ping 10.0.0.1. One is lead to the conclusion that the routers are actually refusing ping requests;
      . sometimes, I can get to ping 10.0.0.1 from say 10.106.0.23 (never the other way around), but that seems to be due to my having once set up Router 106's LAN interface to bridge with WAN, which I actually have undone;
    . by the way, I am using static routes saying that 10.105/16 (10.106/16) should go through gateway 10.0.2.253 (10.0.2.252), to no effect. Probably because they can't even be pinged.

    --- REQUIREMENTS ---
    . I understand (maybe wrongly) that I do not want just a filtering bridge. These nested routers are primarily intended to avoid unnecessary trafic (to/from the subnets) and provide for DHCP, rather than actually do firewalling. So a bridge set-up does not apply, correct?
    . In spite of my desperate use of static routes in this experiment, the real thing will eventually include lots of nested routers. So I hope dynamic routing (with RIP) will play nicely once I get everyone to communicate, will it? Fortunately :o) the RIP tab in the web configurator doesn't leave much to configure, so I simply enabled it for both interfaces for everyone and defined a common password.

    --- ATTEMPTED CONFIGS ---
    For reference, I attach the exported configurations for all three routers (.xml renamed as .txt). Here is a summary of it:

    0 - the three of them are almost identically configured. I just made the minimum adaptations to a commom coniguration to get the experiment going;
    1 - NAT is disabled for everyone (eventually will be turned on for the real border routers only);
    2 - "block private addresses" is disabled;
    3 - there are filtering rules allowing virtually anything to pass (only "block bogon networks" is enabled);
    4 - border Router LAN IP is 10.0.0.1/16 and not 10.0.0.1/8, although it delimits the whole 10/8 network, right?
    5 - all LAN NIC web configuration tabs have "Bridge" set to "None".

    Thanks in advance for any light/pointers.

    Cheers,

    Jorge.

    config-border-router.txt
    config-subrouter-105.txt
    config-subrouter-106.txt



  • It looks like you're allow rule for the LAN on the border router is only allowing traffic originating from that subnet. With a routed network not performing NAT, it will see traffic coming from  those inside addresses (10.106 10.105).

    You might just put a full allow rule on the WAN interfaces of the internal routers until everything is working and then tighten it down afterwards. That will make sure that RIP works and then you wont have to use static routes.


Locked