Allow LAN to LAN, not routing



  • I'm struggling on this so thought I should ask at this point before breaking something.
    I have one LAN on the firewall of 10.0.0.1/24 and this is also the gateway.
    I need to reach devices on another LAN 10.100.100.x that has its own gateway.

    I added a virtual IP to one of the devices, 10.100.100.12 on the LAN and I can now ping that device but most everything else fails. The device is an NFS server but while I can ping it, I cannot see or mount or do much else with the device.

    I've been looking to see if I also need to add some rules or something but this is now beyond my skill level and no idea what I'm missing.

    Can anyone help.



  • The devices in LAN 2 will send responses to their default gateway, since they don't have a route to LAN 1.
    So either add a route to each device (properly per DHCP) or set up a transit network between the two routers (gateways) and set up static route on both for the networks behind them as @johnpoz has illustrated here: https://forum.netgate.com/topic/145513/firewall-routing-problem/7

    A dirty workaround here is to add an outbound NAT rule to the LAN 2 interface which translates source addresses in outgoing packets into the interface address. If this is practicable for you depends on your needs.


  • LAYER 8 Global Moderator

    @lewis said in Allow LAN to LAN, not routing:

    that has its own gateway.

    Yeah that is going to be problem.. When you say you added another IP to a device... This sounds like you're running 2 different L3 networks on the same L2 network... This is not optimal..

    Could you draw up how you have everything connected and we can work out how to do what you want to do.



    That won't work. Virtual IPs are used so that pfSense can pretend to be another host. What you ended up with was pfSense spoofing that IP address, so it wouldn't work like your real NFS server other than pinging it. Also, I'm not sure how you're expecting to get traffic from one network to another without routing it, regardless of whether they're LANs, WANs or whatever.

    Add a static route via System - Routing - Static Routes by specifying the destination network and its gateway.

    (Bah, I didn't notice John and viragomann slipping in first...)


  • LAYER 8 Global Moderator

    Sure could do a source nat if required - but I want to make sure he is just not running both L3 on the same L2... That is never a good way to do anything.

    But sure if his other network is actually different L2 then we could source nat if need be.

    Prob better to put this other gateway on a transit connected to pfsense and route/firewall everything that way.



  • [image: lan-to-neighbor-lan.png]

    Very simplistic image but we have our own LAN, 10.0.0.1.
    We have a neighbor in the data center that is going to share some data with us.
    They have their own LAN at 10.0.1.1 for example and they have their own gateway on that LAN of course.
    I don't want to route or be the gateway for that LAN, I just need to reach the NFS storage device on their LAN.

    Of course, I have no control over their LAN or what they use or how they use it. I only have the possibility of using this storage if I can reach it. The two servers I show would want to mount that NFS share.



  • I don't want to route...

    WHY NOT?



  • @lewis said in Allow LAN to LAN, not routing:

    I don't want to route

    You have a routing issue...

    So you have only to add a static route for your LAN 10.0.0.0/24 pointing to the pfSense IP in 10.0.1.0/?? on the NFS storage. That's all you need.



  • I don't want to route meant I cannot route their network, we aren't their gateway. Sorry that wasn't clear.
    I basically just need LAN to LAN access from our own 10.0.0.1 LAN to devices on their 10.0.1.1 LAN network.



  • You can most certainly route to their network, and if they're onboard with sharing data with you then surely they can add a static route on their end for the 5 seconds it would take?



  • Yes, our traffic is allowed, it's me that is not sure what to do on our end as I don't want to break something.



  • You need a working communication between the NFS storage and your LAN devices as you stated above. So you need a static route for your LAN on the device in the other LAN. The default route can still stay as it is and upstream traffic from the NFS may go out the neighbour's gateway.

    As I mentioned above, you may also do a workaround with NAT.
    To do so go to Firewall > NAT > outbound. Switch into the hybrid mode, save and add a new rule:
    interface: LAN2
    Source: your LAN network or an alias with the two considered servers in your LAN
    Translation address: interface address

    If you want you may also restrict protocol and port.
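The return-path problem behind both of these replies (the NFS device answers via its own default gateway, which knows nothing about 10.0.0.0/24) and the two fixes offered, a static route on the device or an outbound NAT rule on pfSense, as an added example that is not from this thread: a small Python model of the routing tables involved, traced hop by hop for the request and the reply. Only 10.0.0.0/24, 10.100.100.0/24 and the storage address 10.100.100.12 come from the thread; the client 10.0.0.50, the neighbour's gateway 10.100.100.1, the IP alias 10.100.100.250 that pfSense would hold in the neighbour's subnet and the two upstream addresses are assumptions for the model.

```python
import ipaddress

# Constructed topology. Subnets and the NFS address are from the thread; everything
# else (client, neighbour gateway, pfSense alias, upstream hops) is assumed.
LAN1 = ipaddress.ip_network("10.0.0.0/24")          # our LAN behind pfSense
LAN2 = ipaddress.ip_network("10.100.100.0/24")      # neighbour's LAN
PFSENSE_LAN1 = "10.0.0.1"
PFSENSE_LAN2_ALIAS = "10.100.100.250"               # assumed IP alias on pfSense in LAN2
NEIGHBOUR_GW = "10.100.100.1"                       # assumed neighbour gateway
NFS = "10.100.100.12"
CLIENT = "10.0.0.50"                                # assumed client in our LAN


class Host:
    """A host with its addresses and a routing table of (network, next_hop);
    next_hop None means the network is directly connected."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]

    def lookup(self, dst):
        # Longest-prefix match, the way every real routing table chooses a route.
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(hosts, src, dst, max_hops=8):
    """Follow one packet from src to dst using each hop's table.
    Returns (delivered, path); hosts maps every modelled IP to its Host."""
    dst_ip = ipaddress.ip_address(dst)
    cur = hosts[ipaddress.ip_address(src)]
    path = [cur.name]
    for _ in range(max_hops):
        if dst_ip in cur.addrs:
            return True, path
        route = cur.lookup(dst_ip)
        if route is None:
            return False, path + ["<no route>"]
        _, next_hop = route
        nxt_ip = dst_ip if next_hop is None else ipaddress.ip_address(next_hop)
        nxt = hosts.get(nxt_ip)
        if nxt is None:  # leaves the modelled networks, e.g. the neighbour's upstream
            return False, path + [f"<{nxt_ip} unknown upstream>"]
        cur = nxt
        path.append(cur.name)
    return False, path + ["<hop limit>"]


def build(nfs_has_route=False):
    """Build the hosts; nfs_has_route adds the static route for our LAN on the NFS box."""
    pfsense = Host("pfSense", [PFSENSE_LAN1, PFSENSE_LAN2_ALIAS],
                   [(str(LAN1), None), (str(LAN2), None), ("0.0.0.0/0", "203.0.113.1")])
    client = Host("client", [CLIENT], [(str(LAN1), None), ("0.0.0.0/0", PFSENSE_LAN1)])
    neighbour_gw = Host("neighbour-gw", [NEIGHBOUR_GW],
                        [(str(LAN2), None), ("0.0.0.0/0", "198.51.100.1")])
    nfs_routes = [(str(LAN2), None), ("0.0.0.0/0", NEIGHBOUR_GW)]
    if nfs_has_route:
        nfs_routes.append((str(LAN1), PFSENSE_LAN2_ALIAS))  # the fix viragomann suggests
    nfs = Host("nfs", [NFS], nfs_routes)
    hosts = {}
    for h in (pfsense, client, neighbour_gw, nfs):
        for a in h.addrs:
            hosts[a] = h
    return hosts


def round_trip(hosts, client=CLIENT, server=NFS, outbound_nat=False):
    """Request client->server, then the reply. With outbound_nat the request leaves
    pfSense with its LAN2 alias as source, so the server replies to that address
    and pfSense translates it back to the client from its state table."""
    ok_req, req_path = trace(hosts, client, server)
    if not ok_req:
        return False, req_path, []
    reply_dst = PFSENSE_LAN2_ALIAS if outbound_nat else client
    ok_rep, rep_path = trace(hosts, server, reply_dst)
    if ok_rep and outbound_nat:
        rep_path.append("client")  # reverse translation on pfSense
    return ok_rep, req_path, rep_path


if __name__ == "__main__":
    for label, hosts, nat in (("no fix", build(), False),
                              ("static route on NFS", build(True), False),
                              ("outbound NAT on LAN2", build(), True)):
        ok, req, rep = round_trip(hosts, outbound_nat=nat)
        print(f"{label}: delivered={ok} request={req} reply={rep}")
```

The "no fix" run shows exactly what the thread describes: the request reaches the NFS device, but its reply follows the default route to the neighbour's gateway and is lost, which is why mounts fail with RPC errors even though a connection attempt arrives. Either fix makes the reply come back through pfSense; the NAT variant works without touching the neighbour's device, at the cost that the NFS server only ever sees pfSense's alias address as the client.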



  • Adding a static route to them won't break anything unless you're really, really good.



  • So, not doubting anything since I'm already at a point where I'm not knowledgeable enough and had to ask but, I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN. I just can't mount it and get RPC errors.



  • But you're not really pinging that NFS server, are you? You're pinging pfSense which is pretending to be that IP address. That's what a Virtual IP - IP Alias is. I explained all this in my first post.



  • @lewis said in Allow LAN to LAN, not routing:

    I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN.

    The ping will not reach the device in the other network if the destination IP is on your own router!

    Edit: Okay, KOM has the same idea and was faster. ☺



  • Please guys, I appreciate the help, don't get impatient with me. I know you explained but this is not my network to break so am counting on you guys to help me do the right thing.

    It makes sense that I can ping the IP if I added it on the local router. I had not thought about that.

    Changing to hybrid won't break anything that is running now? I mean, will it require a reboot or something? Pfsense is always highly reliable and never need to reboot it but I'm asking since we are changing a 'mode'.



  • Changing the outbound NAT mode from automatic to hybrid does nothing. The automatically added rules are still in place and you're able to add manual rules.



  • NAT > outbound. Switch into the hybrid mode

    Done.

    save and add a new rule:
    interface: LAN2

    The above is not clear to me. I've not created a new interface and don't see one. I only see the usual WAN and LAN in Interfaces so I'm missing something before I can add rules next.



  • So the neighbour's LAN is really not on a separate interface? It's connected directly to your LAN as John assumed?



  • The pfsense box has two interfaces only, WAN and LAN.
    Our LAN subnet is 10.0.0.1/24.
    On the LAN side, there are many other segments and I need to connect to a neighbor's LAN and a storage device at 10.100.100.12.
    They too route their own 10.100.100.1/24 subnet, have their own DHCP service, etc so I don't want to break anything on either subnet.



  • As John mentioned above: That is never a good way to do anything.

    However, you can give it a try.
    At first your pfSense needs an IP in the neighbour's subnet (IP Alias). Ensure to set the correct mask.
    After you have added this you can select it as translation address in the outbound NAT rule.
    At interface select the one the NFS storage is connected to, I guess LAN.



  • Well, it's why I asked in the forums, because I don't want to do this in the wrong way :). So, what way should I do it or should I explain a bit more about what I am trying to accomplish?



  • As we already mentioned 15 posts ago, the correct way is to set up a separate transit network which you connect pfSense and the NFS to. This may also be a VLAN, so that there is no further hardware needed.

    However, even with that you will need either a static route on the NFS storage or the Outbound NAT rule.



  • 15 posts ago was different than what I just added about there being only two interfaces. I already explained this is beyond my level of knowledge with pfsense and you keep telling me it's simple, do this, do that but I've never done it before so cannot follow such advice.



  • It sounds like it's easy but it's not something I've ever had to deal with. At most, I've had to set up multiple WAN interfaces and route those which wasn't very hard but this is something different since I don't own that network yet it's on the same LAN as many other private subnets are so I don't want to break anything on our or anyone else's subnet.

    Could someone please explain the steps, one by one. Once I see how this works, it will be another thing I've learned and will not have to ask about. Right now, there were a lot of replies and clarification so I really don't know what to do next.



  • So, can someone please give me the steps?


  • LAYER 8 Netgate

    @lewis said in Allow LAN to LAN, not routing:

    Yes, our traffic is allowed, it's me that is not sure what to do on our end as I don't want to break something.

    I already explained this is beyond my level of knowledge with pfsense and you keep telling me it's simple, do this, do that but I've never done it before so cannot follow such advice.

    Could someone please explain the steps, one by one.

    So, can someone please give me the steps?

    Please don't be offended, but it really sounds like you need to hire someone who knows what they're doing.



  • That's not very nice. I already explained that this kind of setup is new to me. I've been using pfsense for many years but I simply cannot mess this up since it's not my network to practice or learn on.

    What's the point of a 'community' helping each other when they only help those who already know how.


  • LAYER 8 Netgate

    Thing is, you have been told several times what steps are necessary. You are asking someone to spend at least a good part of an hour outlining the steps one by one for you.

    Why should someone do that and not be compensated?

    There is a difference between asking a question and demanding someone be your personal, uncompensated, consultant.

    That is why you do not yet have a list of exact steps to take.



  • Demanding??????

    There is no 'thing is'. I've never done this before and I added something that had not been mentioned/asked about in my original post so now I'm not sure what is what.

    You help each other all the time, don't give me this nonsense about not being paid, you replied. I'm not asking for the world here, I'm asking for a little help from kind human beings which is what forums are all about.

    What kind of stupid world are we building anyhow? I help people all the time and now I ask for a little help and you come back with this garbage that is said all the time in forums.

    Just don't respond then and let someone help find the kindness to instead of motivating others not to. I've been struggling with this all day, I sure don't need your high and mighty hate friend.

    Very nice community friend, very nice.



  • @lewis Please don't overreact. We're empathetic to your issue and you have received lots of replies and guidance. Derelict was being straight-forward even if it wasn't easy to hear.

    If you want to go the static route method, you would need to know the network you want to connect to, possibly 10.0.1.0/24, and the address of their gateway. You can't create a route without it. Also, they would have to modify their firewall rules to allow you to talk to that NFS server or nothing will work.

    I can't seem to find it here, but did you mention what the other network is connected to? Your diagram makes it look like they're connected directly to your pfSense instance and that probably isn't right.



  • You can try to justify your online friend's behavior all you want but it's far from being straightforward. It's just unfriendly, rude and it's mean to the person receiving it.
    There is no excuse for high and mighty behavior and only helping those who are already experts. Don't freaking help if you feel your help is worth too much that you cannot help those who are still learning.

    No one needs to be told these things in forums, it's absolutely insulting when you can clearly tell when someone is trying. I've been in forums long enough to tell when someone just wants the answers and is not willing to learn and this is not the case.

    I said many times, I've never done this before, it's a live network that I cannot mess up.

    I don't need any help at this point. I had to hire someone to do this tomorrow. Thanks so much for the help that was NEVER demanded. Such childish behavior in what I would have thought were professional forums.


  • LAYER 8 Global Moderator

    huh? Just at a loss to how this got to you saying help and advice to you is offensive..

    Your drawing looks like that 10.0.1 network is attached to your pfsense directly.. Which as already mentioned seems highly unlikely if you're in a data center.

    You're saying you have an interface on pfsense, a physical interface or vlan that is actually in the 10.0.1 network? And pfsense has an IP on this interface that is in this network? So all your devices are on the same L2? In a DC, and you just run whatever IP ranges you want? Again highly unlikely... I would not be in such a DC with my stuff that is for damn sure..

    If you want to share data with another customer in the DC, then the DC would have to connect your networks, or provide a transit network between, etc..

    As to your concern about routing? Sorry but it's not possible for 2 different networks to talk to each other without routing.. I have to concur with the other comments, you seem to be over your head.. And it's prob best to hire the DC or someone that works with the DC where your stuff is located on how you and another customer there can share data..



  • Don't twist my words, I never said that.

    I'm done with this thread if you're all going to try to justify shitty behavior. Talk to yourselves, get the last word in if it means that much to you at this point because I'm not going to respond.


  • Netgate Administrator

    It's unclear exactly how these subnets are connected and we need to know that before we can tell you what steps are required.

    I think most will have assumed that you have a subnet behind a pfSense firewall and your neighbour has a different subnet behind some other firewall router. Is that correct?

    The diagram implies it might just be one pfSense instance in front of both subnets which would be very different.

    If it's two firewalls, which seems more likely, the correct way to do this is to link those firewalls using a new connection. That might just be an Ethernet cable directly if you have spare interfaces. Set up a small transit subnet on that link and then route traffic between the LANs across it.

    If you don't have interfaces you might be able to route via the WAN if they share a WAN side subnet. Or use a tunnel of some sort.

    Steve


  • LAYER 8 Netgate

    @lewis said in Allow LAN to LAN, not routing:

    I said many times, I've never done this before, it's a live network that I cannot mess up.

    My point exactly.

