2 Networks, 2 Gateways, same Router. Routing Question

  • This is complicated...
    I have two LANs 172.27.2.x and 172.27.3.x all on a pfSense Router with multiple LAN adapters. No VLANs.
    Nothing special about 2.x
    3.x has its own Gateway on 3.3 which is a VPN client. But I have server exceptions using dnsmasq.d so that I can access devices on 2.x from 3.x by bypassing the gateway:


    I also have a route set in the OpenVPN client config :


    But I need to go the other way too: I need to be able to access devices on 3.x from 2.x, but I don't know how to do that.
    At the moment, I just get "This site can't be reached" when I try to go that direction - probably because the response is being sent out the 3.3 gateway instead of back to 2.x

    Can this be done? Pointers? Docs to read?

  • LAYER 8 Rebel Alliance

    On your Gateway you set a route to 172.17.2.x/x with Gateway IP of pfSense in your 172.17.3.x/x net.


  • @Rico : Oh so that should have been:



  • LAYER 8 Rebel Alliance

    No, as Gateway you specify the pfSense IP in the 172.17.3.x/x network.


  • @Rico : Like this?


  • @Rico : is the Gateway IP of the pfSense network.

  • LAYER 8 Rebel Alliance

    Ah I've overlooked "3.x has its own Gateway on 3.3 which is a VPN client".
    What do you mean by that? is some kind of virtual IP sitting on pfSense? Some extra device like a cheap router?
    Are Clients in 172.27.3.x using as Gateway?


  • is a Raspberry Pi running OpenVPN client.
    All clients on 172.27.3.x use as their gateway.
    I have the exceptions (above) set in the openvpn client config and dnsmasq.d to route requests to devices on 172.27.2.x from 172.27.3.x when named with my local domain name.

  • I tried this in my dnsmasq.d config file on the gateway, but it doesn't seem to help:


  • LAYER 8 Rebel Alliance

    In Linux it should be something like
    ip route add via dev eth0
    Maybe you need to enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    But I'm no Raspi guy, maybe those commands need some adjustment.


  • @Rico : ip forwarding is turned on.
    When I entered your 'ip route' command, I got this:

    root@wormhole:/home/pi# ip route add via dev eth0
    RTNETLINK answers: File exists

    So, it looks like that's already in there. But still no joy.

  • LAYER 8 Rebel Alliance

    What is the output of ip route?


  • @Rico : Lots of stuff!

    root@wormhole:/etc/dnsmasq.d# ip route via dev tun0
    default via dev eth0  metric 202 via dev tun0 via dev tun0 dev tun0  proto kernel  scope link  src via dev tun2 via dev tun2 dev tun2  proto kernel  scope link  src via dev eth0 via dev eth0 via dev tun0 via dev eth0 via dev eth0 via dev eth0 via dev eth0 via dev eth0 dev eth0  proto kernel  scope link  src  metric 202

  • LAYER 8 Rebel Alliance

    That looks Okay to me, but routing is still asynchronous.
    You can either add routes to your endpoints in the network or tell pfSense to use as Gateway for Check https://docs.netgate.com/pfsense/en/latest/book/routing/static-routes.html
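    The asymmetry Rico describes can be checked offline by replaying the gateway's routing table through a longest-prefix lookup. The block below is an added example, not code from the thread or from pfSense; the routing table is constructed to resemble the Raspberry Pi's (default via tun0, LANs on eth0), and the 10.8.0.x tunnel addresses and 172.27.3.1 / 172.27.3.3 host addresses are placeholders chosen for the example.

```python
import ipaddress

# Constructed routing table modelled on the Pi gateway in the thread: the
# default route goes into the VPN tunnel (tun0), the two LANs sit on eth0.
# All addresses here are example placeholders, not values from the thread.
PI_ROUTES = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.27.2.0/24 via 172.27.3.1 dev eth0
172.27.3.0/24 dev eth0 proto kernel scope link src 172.27.3.3 metric 202
"""


def parse_routes(text):
    """Parse `ip route` style lines into (network, via, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel chooses the egress route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def reply_is_symmetric(routes, client, lan_dev="eth0"):
    """True when a reply to `client` leaves on the LAN side rather than the tunnel.

    A False result reproduces the OP's suspicion: the request arrives on eth0
    but the reply is sent out the VPN. Note that a True result only proves the
    route is right; a host firewall (the iptables rules found later in the
    thread) can still drop the forwarded traffic.
    """
    return lookup(routes, client)[2] == lan_dev


if __name__ == "__main__":
    table = parse_routes(PI_ROUTES)
    print("with static route:   ", reply_is_symmetric(table, "172.27.2.10"))
    without = [r for r in table if str(r[0]) != "172.27.2.0/24"]
    print("without static route:", reply_is_symmetric(without, "172.27.2.10"))
```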


  • LAYER 8 Rebel Alliance

    Probably the best and clean solution would be to get rid of the Raspi and use pfSense as your VPN Client.
    Check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html


  • @Rico
    Ok, so I already had set up as a gateway for the 172.27.3.x Interface.

    Not sure how to add a route to an endpoint in the network, but I'll dig around for how to do that on those devices I need to access from 172.27.2.x


  • I'm still dead.
    Can't figure out how to set a static route on hassio or a tasmota device.
    And I know my via dev eth0

    works, because if I remove that route, then I can't get to anything on the 2.x network from the 3.x network. But I'm still unable to access anything on the 3.x network from the 2.x network.

    I'll jump over to the OpenVPN forum and see if they can help. But if anyone has any further ideas, please let me know.

    Thanks @Rico !!

  • Here's a tracert from the 172.27.2.x network (my PC) to a device on the 172.27.3.x network (my Home Assistant Server):

    C:\Users\DaHai>tracert hassio.asgard
    Tracing route to hassio.asgard []
    over a maximum of 30 hops:
      1     1 ms     1 ms     1 ms  bifrost.asgard []
      2     2 ms     2 ms     1 ms  hassio.asgard []
    Trace complete.

    It routes and completes pretty much instantly, but I can't bring its web page up in my browser.
    I get "The site can't be reached"

    This is the same with any other device on the 3.x network when I try to access it via its web page from the 2.x network.

  • Maybe the iptables.up.rules is set up wrong on the OpenVPN RPI3B+ device?

    # Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [25:1612]
    # Completed on Tue Nov 29 15:32:04 2016

  • @LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question:


    Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!

    I'll have to look through my notes to see why it was put in there to begin with...

