pfSense RIPv2 configuration
-
I've got an updated 2.4.4 pfSense install that is inside my network. I've got several networks attached. The layout is as follows:
Internet -> Firewall/Router -> Network A L3 Switch -> pfSense -> Network B/C/D.
Internally we have been using RIP v2 successfully. pfSense is also intended to be a router for networks B/C. D is also routed on "Firewall/Router" and uses a different switch path to the pfSense install. Network A is connected to the WAN port on pfSense.
I've checked the box for RIP v2 and I'm seeing pfSense show that it's the route, via RIP broadcasts received by Linux clients running ripd in listen mode.
However, pfSense is also broadcasting it's the route for networks it doesn't route, such as A and D. I can't figure out why this is happening, but it causes network chaos. Is there a way to tell pfSense it's NOT the router for ALL networks it's connected to, and tell it which ones it IS the router for?
-
I'm trying to picture this but I'm having issues.
Only one pfSense box? I'm thinking you need to turn off NAT for network D and simply not include your WAN as an active RIP interface on network A.
But without a clear picture I myself am just guessing.
-
So, only one pfSense box for now. I don't think NAT is enabled at all? Or I didn't turn it on anyway. If I turn off RIP on the network A interface, then no one on network A can access networks B and C, because they don't get the route via what should be the default router, "Firewall/Router".
Part of the problem is the network is very complex. I could try and draw a diagram somewhere if I had digital tools that could handle it, though I'm not sure we want to put that much detail on the wide open net either.
-
NAT is on by default unless you specifically turned it off.
Sounds like you want a device that does nothing but internal routing? But B and C still need to access the outside world via network A?
You really do need to be as descriptive as possible. Just leave out anything that would identify you if you're worried. I can guarantee you there are far more complex networks behind some of the guys and gals here.
-
Yes, we want an internal router and firewall in this instance. Network A is how you get to the Internet, and it is also used by most desktops and servers. It is routed via "Router/Firewall", and that device is the default gateway for the servers and desktops. Also connected to Network A are a bunch of other Layer 3 switches doing routing for multiple other networks; these devices are the gateway for those networks. "Router/Firewall" is also the gateway for Network D, a management network (out of band, if you will).
pfSense is connected to the 4 networks, and has IPs on all of them. Network D should be strictly used to access the web UI of pfSense. It doesn't need to be routed by pfSense at all. Network A is the upstream network for B and C. So we want B and C to be accessible from Network A, and be able to access Network A and the internet in terms of routing. We want to use pfSense Firewall to control access in either direction, but we need the routing base working first.
What we don't want, and is currently happening, is to have pfSense broadcast to Network A that it is the gateway for Network A and D. This breaks a lot of things when the servers try and send traffic to pfSense rather than to "Network/Firewall".
I just disabled "Outbound" NAT, though there were no rules enabled.
-
It's worth pointing out that every other device I've used that does RIP has a UI for specifying which networks it advertises, as well as whether RIP is enabled or disabled globally. It seems like pfSense doesn't have a way to specify which networks it advertises? I think that's all I need: a way to turn advertisements on and off on a per-network basis.
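Whatever knob ends up suppressing the extra advertisements (pfSense's RIP support is the "routed" package, a front end for FreeBSD's routed(8) daemon), the way to confirm the problem and later the fix is to capture what the box actually sends to 224.0.0.9:520 on Network A and decode it. The following RIPv2 Response decoder and audit is an added example, not code from the thread or from pfSense. It works on the raw UDP payload (the bytes you would pull out of a tcpdump or scapy capture); the packet it runs on here is constructed in the script, and the 10.1.0.0/24 to 10.4.0.0/24 prefixes are made-up stand-ins for networks A to D, not the poster's real addressing.

```python
"""Decode RIPv2 Response packets (RFC 2453) and flag prefixes a router should
not be advertising. Added example with constructed packets, not a capture from
the thread's network. Feed parse_ripv2_response() the UDP payload of a packet
sent to 224.0.0.9:520 to see exactly which networks a router claims."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

RIP_RESPONSE = 2      # command byte: 1 = Request, 2 = Response
RIP_VERSION = 2
AF_INET = 2
AF_AUTH = 0xFFFF      # address family value that marks an authentication entry
RIP_INFINITY = 16     # metric 16 means "unreachable"
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # family, tag, addr, mask, next hop, metric


@dataclass(frozen=True)
class RipRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address   # 0.0.0.0 means "via the sender"
    metric: int
    tag: int


def parse_ripv2_response(payload: bytes) -> List[RipRoute]:
    """Return the routes carried in one RIPv2 Response; raise on malformed input."""
    body_len = len(payload) - HEADER.size
    if body_len < 0 or body_len % ENTRY.size:
        raise ValueError("RIP packet length is not 4 + 20*n bytes")
    command, version, _zero = HEADER.unpack_from(payload, 0)
    if command != RIP_RESPONSE:
        raise ValueError(f"not a RIP Response (command={command})")
    if version != RIP_VERSION:
        raise ValueError(f"RIP version {version}, expected 2")
    routes: List[RipRoute] = []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        family, tag, addr, mask, next_hop, metric = ENTRY.unpack_from(payload, off)
        if family == AF_AUTH:
            continue  # authentication entry (e.g. simple password), not a route
        if family != AF_INET:
            raise ValueError(f"unsupported address family {family} at offset {off}")
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} out of range at offset {off}")
        # strict=False keeps an entry whose address has host bits set, so the
        # audit sees what was really on the wire instead of dropping it.
        prefix = ipaddress.IPv4Network(
            (addr, str(ipaddress.IPv4Address(mask))), strict=False)
        routes.append(RipRoute(prefix, ipaddress.IPv4Address(next_hop), metric, tag))
    return routes


def unexpected_advertisements(routes: Iterable[RipRoute],
                              allowed: Set[ipaddress.IPv4Network]) -> List[RipRoute]:
    """Routes whose prefix is not inside any network this router is meant to
    originate. A default route (0.0.0.0/0) is never inside an allowed prefix,
    so a router that claims it is flagged as well."""
    return [r for r in routes if not any(r.prefix.subnet_of(a) for a in allowed)]


def build_ripv2_response(entries: Iterable[Tuple[str, int]]) -> bytes:
    """Encode (prefix, metric) pairs as a RIPv2 Response with next hop 0.0.0.0.
    Used here to construct sample traffic; also handy for replaying test routes."""
    out = bytearray(HEADER.pack(RIP_RESPONSE, RIP_VERSION, 0))
    for prefix, metric in entries:
        net = ipaddress.IPv4Network(prefix)
        out += ENTRY.pack(AF_INET, 0, net.network_address.packed,
                          net.netmask.packed, b"\0\0\0\0", metric)
    return bytes(out)


# Constructed stand-ins for networks A to D (not the poster's real addressing).
NET_A, NET_B, NET_C, NET_D = "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"
# What a box that is the gateway only for B and C should be originating.
ALLOWED = {ipaddress.IPv4Network(NET_B), ipaddress.IPv4Network(NET_C)}
# What the thread describes: every attached network advertised at metric 1.
SAMPLE_PACKET = build_ripv2_response([(NET_A, 1), (NET_B, 1), (NET_C, 1), (NET_D, 1)])


def audit(payload: bytes = SAMPLE_PACKET,
          allowed: Set[ipaddress.IPv4Network] = ALLOWED) -> List[str]:
    """Prefixes in `payload` that the router should not be advertising."""
    routes = parse_ripv2_response(payload)
    return [str(r.prefix) for r in unexpected_advertisements(routes, allowed)]


if __name__ == "__main__":
    for route in parse_ripv2_response(SAMPLE_PACKET):
        print(f"{str(route.prefix):18} metric {route.metric} via {route.next_hop}")
    print("should not be advertised:", audit())
```

With a real capture, replace `SAMPLE_PACKET` with the UDP payload of a packet from the pfSense box and `ALLOWED` with the networks it is supposed to route; an empty result from `audit()` after the configuration change is the evidence that the chaos-causing advertisements for A and D have stopped.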