Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Allow LAN to LAN, not routing

    Scheduled Pinned Locked Moved General pfSense Questions
    37 Posts 6 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lewis
      last edited by

      I'm struggling on this so thought I should ask at this point before breaking something.
      I have one LAN on the firewall of 10.0.0.1/24 and this is also the gateway.
      I need to reach devices on another LAN 10.100.100.x that has its own gateway.

      I added a virtual IP to one of the devices, 10.100.100.12 on the LAN and I can now ping that device but most everything else fails. The device is an NFS server but while I can ping it, I cannot see or mount or do much else with the device.

      I've been looking to see if I also need to add some rules or something but this is now beyond my skill level and no idea what I'm missing.

      Can anyone help.

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        The devices in LAN 2 will send responses to their default gateway, since they don't have a route to LAN 1.
        So either add a route to each device (properly per DHCP) or set up a transit network between the two routers (gateways) and set up static route on both for the networks behind them as @johnpoz has illustrated here: https://forum.netgate.com/topic/145513/firewall-routing-problem/7

        A dirty workaround here is to add an outbound NAT rule to the LAN 2 interface which translates source addresses in outgoing packets into the interface address. If this is practicable for you depends on your needs.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          @lewis said in Allow LAN to LAN, not routing:

          that has its own gateway.

          Yeah that is going to be problem.. When you say you added another IP to a device... This sounds like your running 2 different L3 networks on the same L2 network... This is not optimal..

          Could you draw up how you have everything connected and we can work out how to do what you want to do.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • KOMK
            KOM
            last edited by KOM

            That won't work. Virtual IPs are used so that pfSense can pretend to be another host. What you ended up with was pfSense spoofing that IP address, so it wouldn't work like your real NFS server other then pinging it. Also, I'm not sure how you're expecting to get traffic from one network to another without routing it, regardless of whether they're LANs, WANs or whatever.

            Add a static route via System - Routing - Static Routes by specifying the destination network and its gateway.

            (Bah, I didn't notice John and viragomann slipping in first...)

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              Sure could do a source nat if required - but I want to make sure he is just not running both L3 on the same L2... That is never a good way to do anything.

              But sure if his other network is actually different L2 then we could source nat if need be.

              Prob better to put this other gateway on a transit connected to pfsense and route/firewall everything that way.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • L
                lewis
                last edited by lewis

                lan-to-neighbor-lan.png

                Very simplistic image but we have our own LAN, 10.0.0.1.
                We have a neighbor in the data center that is going to share some data with us.
                They have their own LAN at 10.0.1.1 for example and they have their our gateway on that LAN of course.
                I don't want to route or be the gateway for that LAN, I just need to reach the NFS storage device on their LAN.

                Of course, I have no control over their LAN or what they use or how they use it. I only have the possibility of using this storage if I can reach it. The two servers I show would want to mount that NFS share.

                1 Reply Last reply Reply Quote 0
                • KOMK
                  KOM
                  last edited by

                  I don't want to route...

                  WHY NOT?

                  1 Reply Last reply Reply Quote 0
                  • V
                    viragomann
                    last edited by viragomann

                    @lewis said in Allow LAN to LAN, not routing:

                    I don't want to route

                    You have a routing issue...

                    So you have only to add a static route for your LAN 10.0.0.0/24 pointing to the pfSense IP in 10.0.1.0/?? on the NFS storage. That's all you need.

                    1 Reply Last reply Reply Quote 0
                    • L
                      lewis
                      last edited by

                      I don't want to route meant I cannot route their network, we aren't their gateway. Sorry that wasn't clear.
                      I basically just need LAN to LAN access from our own 10.0.0.1 LAN to devices on their 10.0.1.1 LAN network.

                      1 Reply Last reply Reply Quote 0
                      • KOMK
                        KOM
                        last edited by

                        You can most certainly route to their network, and if they're onboard with sharing data with you then surely they can add a static route on their end for the 5 second it would take?

                        1 Reply Last reply Reply Quote 0
                        • L
                          lewis
                          last edited by

                          Yes, our traffic is allowed, it's me that is not sure what to do on our end as I don't want to break something.

                          DerelictD 1 Reply Last reply Reply Quote 0
                          • V
                            viragomann
                            last edited by

                            You need a working communication between the NFS storage and your LAN devices as you stated above. So you need a static route for your LAN on the device in the other LAN. The default route can still stay as it is and upstream traffic from the NFS may go out the neighbours gateway.

                            As I mentioned above, you may also do a workaround with NAT.
                            To do so go to Firewall > NAT > outbound. Switch into the hybrid mode, save and add a new rule:
                            interface: LAN2
                            Source: your LAN network or an alias with the two considered servers in your LAN
                            Translation address: interface address

                            If you want you may also restrict protocol and port.

                            1 Reply Last reply Reply Quote 0
                            • KOMK
                              KOM
                              last edited by

                              Adding a static route to them won't break anything unless you're really, really good.

                              1 Reply Last reply Reply Quote 0
                              • L
                                lewis
                                last edited by

                                So, not doubting anything since I'm already at a point where I'm not knowledgeable enough and had to ask but, I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN. I just can't mount it and get RPC errors.

                                V 1 Reply Last reply Reply Quote 0
                                • KOMK
                                  KOM
                                  last edited by

                                  But you're not really pinging that NFS server, are you? You're pinging pfSense which is pretending to be that IP address. That's what a Virtual IP - IP Alias is. I explained all this in my first post.

                                  1 Reply Last reply Reply Quote 0
                                  • V
                                    viragomann @lewis
                                    last edited by viragomann

                                    @lewis said in Allow LAN to LAN, not routing:

                                    I had added a virtual (alias) IP with the IP of the storage device. I wanted to point out that I can already ping the storage device on their LAN.

                                    The ping will not reach the device in the other network if the destination IP is on your own router!

                                    Edit: Okay, KOM has the same idea and was faster. ☺

                                    1 Reply Last reply Reply Quote 0
                                    • L
                                      lewis
                                      last edited by

                                      Please guys, I appreciate the help, don't get impatient with me. I know you explained but this is not my network to break so am counting on you guys to help me do the right thing.

                                      It makes sense that I can ping the IP if I added it on the local router. I had not thought about that.

                                      Changing to hybrid won't break anything that is running now? I mean, will it require a reboot or something? Pfsense is always highly reliable and never need to reboot it but I'm asking since we are changing a 'mode'.

                                      1 Reply Last reply Reply Quote 0
                                      • V
                                        viragomann
                                        last edited by

                                        Changing the outbound NAT mode from automatic to hybrid does nothing. The automatically added rules are still in place and you're able to add manual rules.

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          lewis
                                          last edited by

                                          NAT > outbound. Switch into the hybrid mode

                                          Done.

                                          save and add a new rule:
                                          interface: LAN2

                                          The above is not clear to me. I've not create d a new interface and don't see one. I only see the usual WAN and LAN in Interface so I'm missing something before I can add rules next.

                                          1 Reply Last reply Reply Quote 0
                                          • V
                                            viragomann
                                            last edited by

                                            So the neighbours LAN is really not on an separate interface? It's connected directly to your LAN as John assumed?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.