2 Networks, 2 Gateways, same Router. Routing Question
This is complicated...
I have two Lans 172.27.2.x and 172.27.3.x all on a pfSense Router with multiple Lan adapters. No Vlans.
Nothing special about 2.x
3.x has its own Gateway on 3.3 which is a VPN client. But I have server exceptions using dnsmasq.d so that I can access devices on 2.x from 3.x by bypassing the gateway:
I also have a route set in the OpenVPN client config :
route 172.27.2.0 255.255.255.0 172.27.3.1
But I need to go the other way too: I need to be able to access devices on 3.x from 2.x, but I don't know how to do that.
At the moment, I just get "This site can't be reached" when I try to go that direction - probably because the response is being sent out the 3.3 gateway instead of back to 2.x
Can this be done? Pointers? Docs to read?
On your 172.27.3.3 Gateway you set a route to 172.17.2.x/x with Gateway IP of pfSense in your 172.17.3.x/x net.
@Rico : Oh so that should have been:
route 172.27.2.0 255.255.255.0 172.27.2.1
No, as Gateway you specify the pfSense IP in the 172.17.3.x/x network.
@Rico : Like this?
route 172.27.2.0 255.255.255.0 172.27.3.0/24
@Rico : 172.27.3.1 is the Gateway IP of the pfSense network.
Ah I've overlooked "3.x has its own Gateway on 3.3 which is a VPN client".
What do you mean with that? 172.27.3.3 is some kind of virtual IP sitting on pfSense? Some extra device like a cheap router?
Are Clients in 172.27.3.x using 172.27.3.3 as Gateway?
172.27.3.3 is a raspberry pi running OpenVPN client.
All clients on 172.27.3.x use 172.27.3.3 as their gateway.
I have the exceptions (above) set in the openvpn client config and dnsmasq.d to route requests to devices on 172.27.2.x from 172.27.3.x when named with my local domain name.
I tried this in my dnsmasq.d config file on the 172.27.3.3 gateway, but it doesn't seem to help:
In Linux it should be someting like
ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
Maybe you need to enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
But I'm no Raspi guy, maybe those commands need some adjustment.
@Rico : ip forwarding is turned on.
When I entered your 'ip route' command, I got this:
root@wormhole:/home/pi# ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0 RTNETLINK answers: File exists
So, it looks like that's already in there. But still no joy.
What is the output of
@Rico : Lots of stuff!
root@wormhole:/etc/dnsmasq.d# ip route 0.0.0.0/1 via 10.8.0.5 dev tun0 default via 172.27.3.1 dev eth0 metric 202 10.8.0.0/24 via 10.8.0.5 dev tun0 10.8.0.1 via 10.8.0.5 dev tun0 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 10.10.0.0/24 via 10.10.0.5 dev tun2 10.10.0.1 via 10.10.0.5 dev tun2 10.10.0.5 dev tun2 proto kernel scope link src 10.10.0.6 22.214.171.124 via 172.27.3.1 dev eth0 127.0.0.1 via 172.27.3.1 dev eth0 126.96.36.199/1 via 10.8.0.5 dev tun0 188.8.131.52 via 172.27.3.1 dev eth0 184.108.40.206 via 172.27.3.1 dev eth0 220.127.116.11 via 172.27.3.1 dev eth0 18.104.22.168 via 172.27.3.1 dev eth0 172.27.2.0/24 via 172.27.3.1 dev eth0 172.27.3.0/24 dev eth0 proto kernel scope link src 172.27.3.3 metric 202
That looks Okay to me, but routing is still asynchronous.
You can either add routes to your endpoints in the 172.27.3.0/24 network or tell pfSense to use 172.27.3.3 as Gateway for 172.27.3.0/24. Check https://docs.netgate.com/pfsense/en/latest/book/routing/static-routes.html
Probably the best and clean solution would be to get rid of the Raspi and use pfSense as your VPN Client.
Check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html
Ok, so I already had 172.27.3.3 set up as a gateway for the 172.27.3.x Interface.
Not sure how to add a route to an endpoint in the 172.27.3.0/24 network, but I'll dig around for how to do that on those devices I need to access from 172.27.2.x
I'm still dead.
Can't figure out how to set a static route on hassio or a tasmota device.
And I know my
172.27.2.0/24 via 172.27.3.1 dev eth0
works, because if I remove that route, then I can't get to anything on the 2.x network from the 3.x network. But I'm still unable to access anything on the 3.x network from the 2.x network.
I'll jump over the the OpenVPN forum and see if they can help. But if anyone has any further ideas, please let me know.
Thanks @Rico !!
Here's a tracert from the 172.27.2.x network (my PC) to a device on the 172.27.3.x network (my Home Assistant Server):
C:\Users\DaHai>tracert hassio.asgard Tracing route to hassio.asgard [172.27.3.4] over a maximum of 30 hops: 1 1 ms 1 ms 1 ms bifrost.asgard [172.27.2.1] 2 2 ms 2 ms 1 ms hassio.asgard [172.27.3.4] Trace complete.
It routes and complete pretty much instantly, but I can't bring its web page up in my browser.
I get "The site can't be reached"
This is the same with any other device on the 3.x network when I try to access it via its web page from the 2.x network.
Maybe the iptables.up.rules is set up wrong on the OpenVPN RPI3B+ device?
# Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [25:1612] :POSTROUTING ACCEPT [25:1612] -A POSTROUTING -o tun0 -j MASQUERADE -A POSTROUTING -o tun1 -j MASQUERADE -A POSTROUTING -o tun2 -j MASQUERADE -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Tue Nov 29 15:32:04 2016
-A POSTROUTING -o eth0 -j MASQUERADE
Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!
I'll have to look through my notes to see why it was put in there to begin with...