LAN2 Subnet Internet access from different router on LAN1 subnet



  • Hello,
    I have one WAN port and 2 LAN Ports on PFSense.

    Both LAN ports are independent network subnet.

    LAN1: 192.168.0.1
    LAN2: 10.5.20.1

    All LAN1 clients are getting internet from PFsense WAN port.

    Apart from this, I have one other separate router which connects to internet.
    That Mikrotik Router's IP address is 192.168.0.5 (Same subnet as LAN1)

    For internet access to LAN2 subnet Clients (10.5.20.x), i want them to connect to Mikrotik router 192.168.0.5 (Available on LAN1 subnet).
    How can I program this in PFSense. LAN2 Subnet clients are on PFSense DHCP, and they get IP from PFSense in 10.5.20.X series.
    But they should connect internet via Mikrotik Router 192.168.0.5

    Please help.

    Thanks



  • What is the sense of that? If you want to use the Mikrotik as router for LAN2 put it into LAN2.



  • @viragomann said in LAN2 Subnet Internet access from different router on LAN1 subnet:

    What is the sense of that? If you want to use the Mikrotik as router for LAN2 put it into LAN2.

    My mistake, it is not Mikrotik, but it is Untangle.
    I cannot move Untangle to LAN2 subnet for couple of internal reason.


  • LAYER 8 Global Moderator

    So you have a downstream router and you want clients in a specific vlan to use this as their internet connection.

    Then connect this downstream router via a transit network, setup a gateway to this downstream router transit IP, and policy route traffic.. I can draw that up if you want..

    edit: here does this help;
    thishelp.png



  • So basically I need to put one router in between pfsense and Untangle.

    It will NAT traffic between untangle internal IP(LAN1 subnet) and pfsense internal IP (LAN2 subnet).

    Correct me if I misunderstood you.

    Thanks



  • I just read your edited post with diagram


  • LAYER 8 Global Moderator

    Yeah you don't need any other router, but if you don't use a transit network you will run into asymmetrical issues, unless you do host routing on every client you want to use that gateway.

    You don't need any extra ports even on pfsense - you just need a smart/switch to do vlans if you don't have port open on pfsense to use as the transit.. Transit can be over a vlan just fine.

    Keep in mind if you want this vlan you want to route out the other router to get to your other vlans, then you would need rules above the policy route to allow that.



  • @johnpoz said in LAN2 Subnet Internet access from different router on LAN1 subnet:

    You don't need any extra ports even on pfsense - you just need a smart/switch to do vlans if you don't have port open on pfsense to use as the transit.. Transit can be over a vlan just fine.

    I had to install extra LAN port on PFSense. Because I am running PFSense on VMware workstation.
    I tried lot to setup proper VLAN on VMWare workstation but it did not work.
    So I guess I only had an option to install separate LAN port for Guest VLAN. (10.5.20.x subnet).

    I have cisco SG350, I set port#14 to VLAN 300 on this switch and run cable from Port14 to PFSense LAN2.

    LAN2 Guest client was getting DHCP IP in 10.5.20.X series with traffic going out from PFSense WAN. But then LAN2 clients' internet needs to route thru Untangle which is on LAN1 subnet.

    Just few mins back, I tried something else and it seems working.
    I added Virtual VLAN port on Internal interface of Untangle and assigned LAN2 subnet IP. (10.5.20.2 with VLAN300), then on PFSense LAN2 interface DHCP, i mentioned specific gateway to Untangle. It seems working as all traffic coming on LAN2 of PFSense now going to Untangle.

    I hope this is correct method.

    I will also try what you have advised. I am little confused with Transit network as I have never tried it.


  • LAYER 8 Global Moderator

    A transit network is any network that connects 2 or more routers together.. It just doesn't have hosts on it.. Hosts on a transit lead to asymmetrical routing problems.



  • Thanks for your great support.
    Will google and try to study how to setup Transit network.


  • LAYER 8 Global Moderator

    Showed via the drawing how to set it up ;) Is just a common network between 2 routers without any hosts on it.. With the routers knowing what networks they can access via the other routers IP.

    example -- your wan IP, that network is a transit network from the ISP.. It connects all their customers routers to their router(s) to get to the internet.

    edit.. Here is why when you put hosts on a network that connects 2 routers you have problems.

    synack.png

    That box on 192.168.1/24 wants to get to host on 172.16.0 network.. Sure his gateway knows how to get there, yup I know exactly where that network is - Im attached to it.. Let me send your syn on, and create a state for the return traffic in my state table.

    This host on 172.16 doesn't know how to get to 192.168.1 - so he sends his syn,ack to his gateway the 172.16.0.2 router.. That firewall/router say hey wait a minute.. I never saw any syn for that traffic, I have no state for this.. Your syn,ack - garbage - drop that shit like a hot potato..

    Even if that firewall/router knows how to get to 192.168.1 via his routing table - there was no state for that traffic so it does not pass.

    For you to talk to that 172.16 box, it would have to have a route on it to know to send his syn,ack back to router you sent the traffic through..

    Even if just routers and not firewalls - your traffic flow would be asymmetrical and can cause problems with different times for packets to get there, vs back, or back vs get there.. Its not good scenario.. If your going to connect 1 router to another router in your network - they really need to be connected via a transit (no hosts on it) or your going to have problems.. Even if said routers are not stateful firewall.. When they are its even more problematic..

    Even without states and flows not getting out of sync because of flow paths.. A client could say hey wait a minute, I sent that traffic to my gateway via mac aa:bb:cc, why did the return traffic come from mac xx:yy:zz - that not right.. Not going to accept that..

    TLDR; asymmetrical traffic flow bad! ;)



  • Here is what I am trying to do.

    97b530ca-4ce4-40a3-9e36-e2dd9e8932b3-image.png



  • Now I understand what problem it can have with asymmetrical issue.

    @johnpoz said in LAN2 Subnet Internet access from different router on LAN1 subnet:

    If your going to connect 1 router to another router in your network - they really need to be connected via a transit (no hosts on it) or your going to have problems..

    Okay, so where do I set Transit, do i need extra device or I set on PFSense or Cisco SG350 Switch? Or Untangle.


  • LAYER 8 Global Moderator

    Where? You create a connection on pfsense and your other router on some network you come up with as your "transit" 172.16.0/30 as example...

    What are you not getting about this.. You create your vlan right.. Create another.. Connect 2nd router to this vlan..

    How you connect them physically is up to you - be it via interfaces on each device via vlan, etc. doesn't really matter.

    I drew it up for you - Not getting what is difficult to understand from the drawing? Replace whatever networks you have the samples I put in, add more if you want, etc..

    But your drawing your trying to use this 192.168.2 as your transit.. Which you have hosts on - so yeah that not going to work!!

    If you want to use 192.168.2 like you have drawn.. "EVERY" device on this 192.168.2 vlan would need default route that you want it to use .2 or .1, and then a route to this 10.5.20 network pointing to the pfsense 2.2 IP if you want these devices to talk to back and forth with 10.5 network..


Log in to reply