Netgate Discussion Forum
2 Networks, 2 Gateways, same Router. Routing Question

Routing and Multi WAN | 20 Posts, 2 Posters, 1.3k Views
    LeiShen, Apr 11, 2019, 12:09 PM

    This is complicated...
    I have two Lans 172.27.2.x and 172.27.3.x all on a pfSense Router with multiple Lan adapters. No Vlans.
    Nothing special about 2.x
    3.x has its own Gateway on 3.3 which is a VPN client. But I have server exceptions using dnsmasq.d so that I can access devices on 2.x from 3.x by bypassing the gateway:

    server=/local/172.27.2.1
    server=/mydomain/172.27.2.1
    

    I also have a route set in the OpenVPN client config :

    route 172.27.2.0 255.255.255.0 172.27.3.1
    

    But I need to go the other way too: I need to be able to access devices on 3.x from 2.x, but I don't know how to do that.
    At the moment, I just get "This site can't be reached" when I try to go that direction - probably because the response is being sent out the 3.3 gateway instead of back to 2.x

    Can this be done? Pointers? Docs to read?
    Thanks!

      Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 12:14 PM

      On your 172.27.3.3 Gateway you set a route to 172.17.2.x/x with Gateway IP of pfSense in your 172.17.3.x/x net.

      -Rico

        LeiShen @Rico, Apr 11, 2019, 12:16 PM

        @Rico : Oh so that should have been:

        route 172.27.2.0 255.255.255.0 172.27.2.1
        

        ?

          Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 12:18 PM

          No, as Gateway you specify the pfSense IP in the 172.17.3.x/x network.

          -Rico

            LeiShen @Rico, Apr 11, 2019, 12:23 PM

            @Rico : Like this?

            route 172.27.2.0 255.255.255.0 172.27.3.0/24
            
              LeiShen @Rico, Apr 11, 2019, 12:27 PM

              @Rico : 172.27.3.1 is the Gateway IP of the pfSense network.

                Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 12:34 PM (edited 12:35 PM)

                Ah I've overlooked "3.x has its own Gateway on 3.3 which is a VPN client".
                What do you mean with that? 172.27.3.3 is some kind of virtual IP sitting on pfSense? Some extra device like a cheap router?
                Are Clients in 172.27.3.x using 172.27.3.3 as Gateway?

                -Rico

                  LeiShen, Apr 11, 2019, 12:50 PM

                  172.27.3.3 is a raspberry pi running OpenVPN client.
                  All clients on 172.27.3.x use 172.27.3.3 as their gateway.
                  I have the exceptions (above) set in the openvpn client config and dnsmasq.d to route requests to devices on 172.27.2.x from 172.27.3.x when named with my local domain name.

                    LeiShen, Apr 11, 2019, 12:55 PM

                    I tried this in my dnsmasq.d config file on the 172.27.3.3 gateway, but it doesn't seem to help:

                    rev-server=172.27.2.0/24,172.27.2.1
                    
                      Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 12:57 PM (edited 1:03 PM)

                      In Linux it should be something like
                      ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
                      Maybe you need to enable IP forwarding
                      echo 1 > /proc/sys/net/ipv4/ip_forward
                      But I'm no Raspi guy, maybe those commands need some adjustment.

                      -Rico

                        LeiShen @Rico, Apr 11, 2019, 1:08 PM

                        @Rico : ip forwarding is turned on.
                        When I entered your 'ip route' command, I got this:

                        root@wormhole:/home/pi# ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
                        RTNETLINK answers: File exists
                        
                        

                        So, it looks like that's already in there. But still no joy.

                          Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 1:11 PM

                          What is the output of ip route?

                          -Rico

                            LeiShen @Rico, Apr 11, 2019, 1:18 PM

                            @Rico : Lots of stuff!

                            root@wormhole:/etc/dnsmasq.d# ip route
                            0.0.0.0/1 via 10.8.0.5 dev tun0
                            default via 172.27.3.1 dev eth0  metric 202
                            10.8.0.0/24 via 10.8.0.5 dev tun0
                            10.8.0.1 via 10.8.0.5 dev tun0
                            10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
                            10.10.0.0/24 via 10.10.0.5 dev tun2
                            10.10.0.1 via 10.10.0.5 dev tun2
                            10.10.0.5 dev tun2  proto kernel  scope link  src 10.10.0.6
                            47.149.29.80 via 172.27.3.1 dev eth0
                            127.0.0.1 via 172.27.3.1 dev eth0
                            128.0.0.0/1 via 10.8.0.5 dev tun0
                            136.32.128.65 via 172.27.3.1 dev eth0
                            136.61.208.161 via 172.27.3.1 dev eth0
                            139.178.68.38 via 172.27.3.1 dev eth0
                            139.178.82.59 via 172.27.3.1 dev eth0
                            172.27.2.0/24 via 172.27.3.1 dev eth0
                            172.27.3.0/24 dev eth0  proto kernel  scope link  src 172.27.3.3  metric 202
                            
                            
                              Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 2:10 PM
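The route table above decides, per destination, whether the Pi sends a packet into the tunnel or back out eth0, and the kernel picks the most specific matching prefix, not the first line. The two /1 routes (0.0.0.0/1 and 128.0.0.0/1) together cover all of IPv4 and are more specific than the default route, which is how an OpenVPN "redirect-gateway def1" setup takes over outbound traffic; the /24 for 172.27.2.0 is more specific still, so LAN-to-LAN traffic stays off the tunnel. The following Python is an added example, not code from the thread, from pfSense or from iproute2: it parses the posted `ip route` listing (embedded here as constructed sample input) and performs a longest-prefix-match lookup so you can see which next hop wins for any address.

```python
import ipaddress

# Constructed sample input: the `ip route` output posted above (a few
# single-host routes omitted for brevity; they do not change the lookups below).
ROUTE_TABLE = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 172.27.3.1 dev eth0  metric 202
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.10.0.0/24 via 10.10.0.5 dev tun2
10.10.0.1 via 10.10.0.5 dev tun2
10.10.0.5 dev tun2  proto kernel  scope link  src 10.10.0.6
47.149.29.80 via 172.27.3.1 dev eth0
128.0.0.0/1 via 10.8.0.5 dev tun0
172.27.2.0/24 via 172.27.3.1 dev eth0
172.27.3.0/24 dev eth0  proto kernel  scope link  src 172.27.3.3  metric 202
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # "default" is just 0.0.0.0/0; a bare host address means a /32.
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, via, dev, metric))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, lowest metric on ties; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev, metric in routes:
        if addr not in net:
            continue
        if (best is None
                or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and metric < best[3])):
            best = (net, via, dev, metric)
    if best is None:
        return None
    return {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def bypasses_vpn(routes, dst):
    """True when the chosen route leaves via a non-tunnel interface."""
    hop = next_hop(routes, dst)
    return hop is not None and not hop["dev"].startswith("tun")


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for dst in ("172.27.2.10", "172.27.3.4", "8.8.8.8", "200.1.1.1"):
        print(dst, "->", next_hop(ROUTES, dst), "bypasses VPN:", bypasses_vpn(ROUTES, dst))
```

Run it and the 172.27.2.x address resolves to the eth0 route via 172.27.3.1 while an arbitrary Internet address lands on one of the /1 tunnel routes; note that this only describes the Pi's outbound choice, and says nothing about the path the reply takes back, which is the asymmetry Rico points at.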

                              That looks Okay to me, but routing is still asynchronous.
                              You can either add routes to your endpoints in the 172.27.3.0/24 network or tell pfSense to use 172.27.3.3 as Gateway for 172.27.3.0/24. Check https://docs.netgate.com/pfsense/en/latest/book/routing/static-routes.html

                              -Rico

                                Rico (LAYER 8, Rebel Alliance), Apr 11, 2019, 2:20 PM

                                Probably the best and clean solution would be to get rid of the Raspi and use pfSense as your VPN Client.
                                Check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

                                -Rico

                                  LeiShen @Rico, Apr 12, 2019, 2:11 AM

                                  @Rico
                                  Ok, so I already had 172.27.3.3 set up as a gateway for the 172.27.3.x Interface.

                                  Not sure how to add a route to an endpoint in the 172.27.3.0/24 network, but I'll dig around for how to do that on those devices I need to access from 172.27.2.x

                                  Thanks!

                                    LeiShen, Apr 12, 2019, 6:08 AM (edited 6:09 AM)

                                    I'm still dead.
                                    Can't figure out how to set a static route on hassio or a tasmota device.
                                    And I know my

                                    172.27.2.0/24 via 172.27.3.1 dev eth0
                                    

                                    works, because if I remove that route, then I can't get to anything on the 2.x network from the 3.x network. But I'm still unable to access anything on the 3.x network from the 2.x network.

                                    I'll jump over to the OpenVPN forum and see if they can help. But if anyone has any further ideas, please let me know.

                                    Thanks @Rico !!

                                      LeiShen, Apr 12, 2019, 12:44 PM

                                      Here's a tracert from the 172.27.2.x network (my PC) to a device on the 172.27.3.x network (my Home Assistant Server):

                                      C:\Users\DaHai>tracert hassio.asgard
                                      
                                      Tracing route to hassio.asgard [172.27.3.4]
                                      over a maximum of 30 hops:
                                      
                                        1     1 ms     1 ms     1 ms  bifrost.asgard [172.27.2.1]
                                        2     2 ms     2 ms     1 ms  hassio.asgard [172.27.3.4]
                                      
                                      Trace complete.
                                      

                                      It routes and completes pretty much instantly, but I can't bring its web page up in my browser.
                                      I get "The site can't be reached"

                                      This is the same with any other device on the 3.x network when I try to access it via its web page from the 2.x network.

                                        LeiShen, Apr 12, 2019, 12:51 PM

                                        Maybe the iptables.up.rules is set up wrong on the OpenVPN RPI3B+ device?

                                        # Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016
                                        *nat
                                        :PREROUTING ACCEPT [0:0]
                                        :INPUT ACCEPT [0:0]
                                        :OUTPUT ACCEPT [25:1612]
                                        :POSTROUTING ACCEPT [25:1612]
                                        -A POSTROUTING -o tun0 -j MASQUERADE
                                        -A POSTROUTING -o tun1 -j MASQUERADE
                                        -A POSTROUTING -o tun2 -j MASQUERADE
                                        -A POSTROUTING -o eth0 -j MASQUERADE
                                        COMMIT
                                        # Completed on Tue Nov 29 15:32:04 2016
                                        
                                          LeiShen, Apr 13, 2019, 2:41 PM

                                          @LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question:

                                          -A POSTROUTING -o eth0 -j MASQUERADE

                                          Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!

                                          I'll have to look through my notes to see why it was put in there to begin with...

                                          Cheers!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
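The rule that turned out to be the problem is worth a concrete check. `-A POSTROUTING -o eth0 -j MASQUERADE` rewrites the source address of every packet the Pi forwards out eth0 to the Pi's own eth0 address, 172.27.3.3. The tun* rules are the normal ones for a VPN client (they hide the LAN behind the tunnel address), but eth0 is the LAN side: a reply from 172.27.3.4 that the Pi forwards toward 172.27.3.1 on its way back to the 2.x network gets rewritten to look as if it came from 172.27.3.3, which the 2.x host never connected to, so the browser session never completes even though ICMP traceroute looks fine. The Python below is an added example, not code from the thread or from the iptables project: it parses an iptables-save dump (the posted file, embedded as constructed sample input), flags MASQUERADE rules whose out-interface is a LAN-facing interface, and produces the corrected file with only those lines removed. Which interfaces count as "LAN" is an assumption you pass in; here it is eth0, as on the Pi.

```python
import shlex

# Constructed sample input: the /etc/iptables.up.rules posted earlier in this thread.
SAVED_RULES = """\
# Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [25:1612]
:POSTROUTING ACCEPT [25:1612]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE
-A POSTROUTING -o tun2 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 29 15:32:04 2016
"""


def parse_rule(line):
    """Parse one '-A CHAIN opt val ...' line into (chain, {opt: val}); None otherwise."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key = toks[i]
        if key == "!" and i + 2 < len(toks):      # negated match, e.g. "! -o eth0"
            opts[toks[i + 1]] = "!" + toks[i + 2]
            i += 3
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[key] = toks[i + 1]               # option with an argument
            i += 2
        else:
            opts[key] = True                      # bare flag
            i += 1
    return toks[1], opts


def parse_save(text):
    """Return [(table, chain, opts)] for every rule in an iptables-save dump."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]                      # "*nat" -> "nat"
        elif line.startswith("-A"):
            chain, opts = parse_rule(line)
            rules.append((table, chain, opts))
    return rules


def is_lan_masquerade(table, chain, opts, lan_ifaces):
    """True for a nat/POSTROUTING MASQUERADE whose out-interface faces the LAN."""
    return (table == "nat" and chain == "POSTROUTING"
            and opts.get("-j") == "MASQUERADE" and opts.get("-o") in lan_ifaces)


def lan_masquerade(rules, lan_ifaces):
    """List the LAN-facing interfaces that are being masqueraded (the finding)."""
    return [o["-o"] for t, c, o in rules if is_lan_masquerade(t, c, o, lan_ifaces)]


def strip_lan_masquerade(text, lan_ifaces):
    """Return the dump with LAN-side MASQUERADE rules dropped and everything else verbatim."""
    kept, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        parsed = parse_rule(line) if line.startswith("-A") else None
        if parsed and is_lan_masquerade(table, parsed[0], parsed[1], lan_ifaces):
            continue                               # this is the offending rule
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    LAN = {"eth0"}                                 # assumption: eth0 is the LAN side on this Pi
    print("masqueraded LAN interfaces:", lan_masquerade(parse_save(SAVED_RULES), LAN))
    print(strip_lan_masquerade(SAVED_RULES, LAN))
```

The corrected dump keeps the three tun* MASQUERADE rules, which are what let LAN hosts share the tunnel, and loads with the usual `iptables-restore < file`; the same check is a reasonable thing to run whenever a Linux box doubles as a LAN gateway, because a LAN-side MASQUERADE silently breaks any host that is reached through it from another subnet.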