2 Networks, 2 Gateways, same Router. Routing Question

LeiShen

This is complicated...
I have two Lans 172.27.2.x and 172.27.3.x all on a pfSense Router with multiple Lan adapters. No Vlans.
Nothing special about 2.x
3.x has its own Gateway on 3.3 which is a VPN client. But I have server exceptions using dnsmasq.d so that I can access devices on 2.x from 3.x by bypassing the gateway:

server=/local/172.27.2.1
server=/mydomain/172.27.2.1

I also have a route set in the OpenVPN client config :

route 172.27.2.0 255.255.255.0 172.27.3.1

But I need to go the other way too: I need to be able to access devices on 3.x from 2.x, but I don't know how to do that.
At the moment, I just get "This site can't be reached" when I try to go that direction - probably because the response is being sent out the 3.3 gateway instead of back to 2.x

Can this be done? Pointers? Docs to read?
Thanks!

Rico

On your 172.27.3.3 Gateway you set a route to 172.17.2.x/x with Gateway IP of pfSense in your 172.17.3.x/x net.

-Rico

LeiShen

@Rico : Oh so that should have been:

route 172.27.2.0 255.255.255.0 172.27.2.1

?

Rico

No, as Gateway you specify the pfSense IP in the 172.17.3.x/x network.

-Rico

LeiShen

@Rico : Like this?
Like this?

route 172.27.2.0 255.255.255.0 172.27.3.0/24

LeiShen

@Rico : 172.27.3.1 is the Gateway IP of the pfSense network.

Rico

Ah I've overlooked "3.x has its own Gateway on 3.3 which is a VPN client".
What do you mean with that? 172.27.3.3 is some kind of virtual IP sitting on pfSense? Some extra device like a cheap router?
Are Clients in 172.27.3.x using 172.27.3.3 as Gateway?

-Rico

LeiShen

172.27.3.3 is a raspberry pi running OpenVPN client.
All clients on 172.27.3.x use 172.27.3.3 as their gateway.
I have the exceptions (above) set in the openvpn client config and dnsmasq.d to route requests to devices on 172.27.2.x from 172.27.3.x when named with my local domain name.

LeiShen

I tried this in my dnsmasq.d config file on the 172.27.3.3 gateway, but it doesn't seem to help:

rev-server=172.27.2.0/24,172.27.2.1

Rico

In Linux it should be someting like
ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
Maybe you need to enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
But I'm no Raspi guy, maybe those commands need some adjustment.

-Rico

LeiShen

@Rico : ip forwarding is turned on.
When I entered your 'ip route' command, I got this:

root@wormhole:/home/pi# ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
RTNETLINK answers: File exists

So, it looks like that's already in there. But still no joy.

Rico

What is the output of ip route?

-Rico

LeiShen

@Rico : Lots of stuff!

root@wormhole:/etc/dnsmasq.d# ip route
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 172.27.3.1 dev eth0  metric 202
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.10.0.0/24 via 10.10.0.5 dev tun2
10.10.0.1 via 10.10.0.5 dev tun2
10.10.0.5 dev tun2  proto kernel  scope link  src 10.10.0.6
47.149.29.80 via 172.27.3.1 dev eth0
127.0.0.1 via 172.27.3.1 dev eth0
128.0.0.0/1 via 10.8.0.5 dev tun0
136.32.128.65 via 172.27.3.1 dev eth0
136.61.208.161 via 172.27.3.1 dev eth0
139.178.68.38 via 172.27.3.1 dev eth0
139.178.82.59 via 172.27.3.1 dev eth0
172.27.2.0/24 via 172.27.3.1 dev eth0
172.27.3.0/24 dev eth0  proto kernel  scope link  src 172.27.3.3  metric 202

Rico

That looks Okay to me, but routing is still asynchronous.
You can either add routes to your endpoints in the 172.27.3.0/24 network or tell pfSense to use 172.27.3.3 as Gateway for 172.27.3.0/24. Check https://docs.netgate.com/pfsense/en/latest/book/routing/static-routes.html

-Rico

Rico

Probably the best and clean solution would be to get rid of the Raspi and use pfSense as your VPN Client.
Check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

-Rico

LeiShen

@Rico
Ok, so I already had 172.27.3.3 set up as a gateway for the 172.27.3.x Interface.

Not sure how to add a route to an endpoint in the 172.27.3.0/24 network, but I'll dig around for how to do that on those devices I need to access from 172.27.2.x

Thanks!

LeiShen

I'm still dead.
Can't figure out how to set a static route on hassio or a tasmota device.
And I know my

172.27.2.0/24 via 172.27.3.1 dev eth0

works, because if I remove that route, then I can't get to anything on the 2.x network from the 3.x network. But I'm still unable to access anything on the 3.x network from the 2.x network.

I'll jump over the the OpenVPN forum and see if they can help. But if anyone has any further ideas, please let me know.

Thanks @Rico !!

LeiShen

Here's a tracert from the 172.27.2.x network (my PC) to a device on the 172.27.3.x network (my Home Assistant Server):

C:\Users\DaHai>tracert hassio.asgard

Tracing route to hassio.asgard [172.27.3.4]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  bifrost.asgard [172.27.2.1]
  2     2 ms     2 ms     1 ms  hassio.asgard [172.27.3.4]

Trace complete.

It routes and complete pretty much instantly, but I can't bring its web page up in my browser.
I get "The site can't be reached"

This is the same with any other device on the 3.x network when I try to access it via its web page from the 2.x network.

LeiShen

Maybe the iptables.up.rules is set up wrong on the OpenVPN RPI3B+ device?

# Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [25:1612]
:POSTROUTING ACCEPT [25:1612]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE
-A POSTROUTING -o tun2 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 29 15:32:04 2016

LeiShen

@LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question:

-A POSTROUTING -o eth0 -j MASQUERADE

Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!

I'll have to look through my notes to see why it was put in there to begin with...

Cheers!