Routing from LAN to WAN Upstream Gateway not working
-
I have installed the Firewall software into ESX and configured a very simple two subnet setup. I have connected one interface to each subnet. the Firewall is disabled (in Advanced-Firewall&NAT) because I need a router with no firewall capability.
The WAN interface is connected to a virtual switch that is bound to the ESX Host's NIC. IP on this interface is 192.168.101.254. I get a ping response from the upstream Gateway (192.168.101.1) using this interface as the source.
The LAN Interface is on a second virtual switch not connected to the Host's NIC. IP on this interface is 192.168.80.1. I do NOT get a ping response from the upstream gateway when using this interface as the source.
Any advice on what I'm not getting right, or what I've missed would be gratefully received.
-
You need a route on your upstream gateway for the network behind pfSense which directs traffic to it.
Have add it? -
While sure you can use pfsense as just a router be it on hardware or a vm. Keep in mind if all you need is a low resource "router" for your vm there are other options to be sure.
VyOS or even dd-wrt can run on esxi. Or any small linux vm could be used for routing. All comes down to how big your esxi box and how much resources you can spare for your "routers" and how comfortable you might be without a gui, and or learning a new cmd structure at the cli, etc.
I would be the first to say pfsense is a great choice for such needs - just throwing out there that it is not the "only" choice and depending on the use case something else might fit the bill better depending on your resources available and skill set.
Now if you want full blown firewall/router feature set with a simple to use and understand web gui then pfsense for sure.
-
I've not added any routes to my upstream gateway - I'm trying to get traffic from the network behind pfSense (192.168.80.x) to the network where the upstream gateway resides (192.168.101.x).
Put simply: I have one device on each subnet: device 1 (192.168.101.2) gets a ping response from device 2 (192.168.80.2) but not the other way around.
It surprises me that you'd need to add a route to tell it which interface to use when the destination is on networks to which it's attached.
-
Each device sends network packet (also response packets) which are destined to an IP outside its own network segment to its default gateway, aside it has a specific route for the destination IP.
So your devices in 192.168.101.x will send packets destined to 192.168.80.x to your upstream gateway as long as they have no route defined for it.
So if you also want to enable communication between devices behind pfSense with other devices 192.168.101.x you will need a static route on these devices.
On devices behind pfSense there are no routes necessary, because pfSense is the derfault gateway on them, so the traffic is routed to pfSense anyway. -
Keep in mind that traffic is always bi-directional, with that said:
- Your pfSense "router" instance has two IPs, A1 on subnet S1 and A2 on subnet S2.
- Any host on subnet S1 must either have a default gateway of A1 OR a route for subnet S2 via A1.
- AND any host on subnet S2 must either have a default gateway of A2 OR a route for subnet S1 via A2.
-
@cottroad said in Routing from LAN to WAN Upstream Gateway not working:
tell it which interface to use when the destination is on networks to which it's attached.
You wouldn't - you do not need to add a route on a device to tell it how to talk to a network its directly attached too.
-
@awebster said in Routing from LAN to WAN Upstream Gateway not working:
A1
Now my brain has melted. However, on johnPOZ's suggestion I've now got VyOS running, relaying DHCP correctly and allowing bi-directional comms between my two test subnets, and from both subnets to the downstream gateway and on to the web.
I thank you for your help. Even if the result was to point me at another product to try :-)