2 Networks, 2 Gateways, same Router. Routing Question



  • This is complicated...
    I have two Lans 172.27.2.x and 172.27.3.x all on a pfSense Router with multiple Lan adapters. No Vlans.
    Nothing special about 2.x
    3.x has its own Gateway on 3.3 which is a VPN client. But I have server exceptions using dnsmasq.d so that I can access devices on 2.x from 3.x by bypassing the gateway:

    server=/local/172.27.2.1
    server=/mydomain/172.27.2.1
    

    I also have a route set in the OpenVPN client config :

    route 172.27.2.0 255.255.255.0 172.27.3.1
    

    But I need to go the other way too: I need to be able to access devices on 3.x from 2.x, but I don't know how to do that.
    At the moment, I just get "This site can't be reached" when I try to go that direction - probably because the response is being sent out the 3.3 gateway instead of back to 2.x

    Can this be done? Pointers? Docs to read?
    Thanks!


  • LAYER 8 Rebel Alliance

    On your 172.27.3.3 Gateway you set a route to 172.17.2.x/x with Gateway IP of pfSense in your 172.17.3.x/x net.

    -Rico



  • @Rico : Oh so that should have been:

    route 172.27.2.0 255.255.255.0 172.27.2.1
    

    ?


  • LAYER 8 Rebel Alliance

    No, as Gateway you specify the pfSense IP in the 172.17.3.x/x network.

    -Rico



  • @Rico : Like this?
    Like this?

    route 172.27.2.0 255.255.255.0 172.27.3.0/24
    


  • @Rico : 172.27.3.1 is the Gateway IP of the pfSense network.


  • LAYER 8 Rebel Alliance

    Ah I've overlooked "3.x has its own Gateway on 3.3 which is a VPN client".
    What do you mean with that? 172.27.3.3 is some kind of virtual IP sitting on pfSense? Some extra device like a cheap router?
    Are Clients in 172.27.3.x using 172.27.3.3 as Gateway?

    -Rico



  • 172.27.3.3 is a raspberry pi running OpenVPN client.
    All clients on 172.27.3.x use 172.27.3.3 as their gateway.
    I have the exceptions (above) set in the openvpn client config and dnsmasq.d to route requests to devices on 172.27.2.x from 172.27.3.x when named with my local domain name.



  • I tried this in my dnsmasq.d config file on the 172.27.3.3 gateway, but it doesn't seem to help:

    rev-server=172.27.2.0/24,172.27.2.1
    

  • LAYER 8 Rebel Alliance

    In Linux it should be someting like
    ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
    Maybe you need to enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    But I'm no Raspi guy, maybe those commands need some adjustment.

    -Rico



  • @Rico : ip forwarding is turned on.
    When I entered your 'ip route' command, I got this:

    root@wormhole:/home/pi# ip route add 172.27.2.0/24 via 172.27.3.1 dev eth0
    RTNETLINK answers: File exists
    
    

    So, it looks like that's already in there. But still no joy.


  • LAYER 8 Rebel Alliance

    What is the output of ip route?

    -Rico



  • @Rico : Lots of stuff!

    root@wormhole:/etc/dnsmasq.d# ip route
    0.0.0.0/1 via 10.8.0.5 dev tun0
    default via 172.27.3.1 dev eth0  metric 202
    10.8.0.0/24 via 10.8.0.5 dev tun0
    10.8.0.1 via 10.8.0.5 dev tun0
    10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
    10.10.0.0/24 via 10.10.0.5 dev tun2
    10.10.0.1 via 10.10.0.5 dev tun2
    10.10.0.5 dev tun2  proto kernel  scope link  src 10.10.0.6
    47.149.29.80 via 172.27.3.1 dev eth0
    127.0.0.1 via 172.27.3.1 dev eth0
    128.0.0.0/1 via 10.8.0.5 dev tun0
    136.32.128.65 via 172.27.3.1 dev eth0
    136.61.208.161 via 172.27.3.1 dev eth0
    139.178.68.38 via 172.27.3.1 dev eth0
    139.178.82.59 via 172.27.3.1 dev eth0
    172.27.2.0/24 via 172.27.3.1 dev eth0
    172.27.3.0/24 dev eth0  proto kernel  scope link  src 172.27.3.3  metric 202
    
    

  • LAYER 8 Rebel Alliance

    That looks Okay to me, but routing is still asynchronous.
    You can either add routes to your endpoints in the 172.27.3.0/24 network or tell pfSense to use 172.27.3.3 as Gateway for 172.27.3.0/24. Check https://docs.netgate.com/pfsense/en/latest/book/routing/static-routes.html

    -Rico


  • LAYER 8 Rebel Alliance

    Probably the best and clean solution would be to get rid of the Raspi and use pfSense as your VPN Client.
    Check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

    -Rico



  • @Rico
    Ok, so I already had 172.27.3.3 set up as a gateway for the 172.27.3.x Interface.

    Not sure how to add a route to an endpoint in the 172.27.3.0/24 network, but I'll dig around for how to do that on those devices I need to access from 172.27.2.x

    Thanks!



  • I'm still dead.
    Can't figure out how to set a static route on hassio or a tasmota device.
    And I know my

    172.27.2.0/24 via 172.27.3.1 dev eth0
    

    works, because if I remove that route, then I can't get to anything on the 2.x network from the 3.x network. But I'm still unable to access anything on the 3.x network from the 2.x network.

    I'll jump over the the OpenVPN forum and see if they can help. But if anyone has any further ideas, please let me know.

    Thanks @Rico !!



  • Here's a tracert from the 172.27.2.x network (my PC) to a device on the 172.27.3.x network (my Home Assistant Server):

    C:\Users\DaHai>tracert hassio.asgard
    
    Tracing route to hassio.asgard [172.27.3.4]
    over a maximum of 30 hops:
    
      1     1 ms     1 ms     1 ms  bifrost.asgard [172.27.2.1]
      2     2 ms     2 ms     1 ms  hassio.asgard [172.27.3.4]
    
    Trace complete.
    

    It routes and complete pretty much instantly, but I can't bring its web page up in my browser.
    I get "The site can't be reached"

    This is the same with any other device on the 3.x network when I try to access it via its web page from the 2.x network.



  • Maybe the iptables.up.rules is set up wrong on the OpenVPN RPI3B+ device?

    # Generated by iptables-save v1.4.21 on Tue Nov 29 15:32:04 2016
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [25:1612]
    :POSTROUTING ACCEPT [25:1612]
    -A POSTROUTING -o tun0 -j MASQUERADE
    -A POSTROUTING -o tun1 -j MASQUERADE
    -A POSTROUTING -o tun2 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Tue Nov 29 15:32:04 2016
    


  • @LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question:

    -A POSTROUTING -o eth0 -j MASQUERADE

    Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!

    I'll have to look through my notes to see why it was put in there to begin with...

    Cheers!


Log in to reply