Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Passing public /29 through one pfSense firewall to another

    Scheduled Pinned Locked Moved General pfSense Questions
    15 Posts 2 Posters 1.4k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F Offline
      FoolishlyWise
      last edited by FoolishlyWise

      In a bit of a strange situation where I'm having to use two pfSense firewalls - one 'main' one that does everything you'd expect it to, and then another which has a L2TP tunnel as an interface and acts as a gateway for it. I'm unable to use L2TP on my main firewall as it instantly takes the WAN down and webconfig just hangs. Tried differnet hardware etc, to no avail. Interestingly, no such behaviour on a virtual machine. No matter -

      The 2nd firewall (L2TP firewall) has a /32 assigned to the L2TP interface, with a /30 and /29 routed to it. The /30 is assigned to the LAN interface and outbound NAT is disabled so I can connect it to my main pfSense router. Main pfSense router has an OPT interface with DHCP giving it an IP from the /30 as its public IP.

      However, I have no idea how to get the /29 to pass through from the L2TP firewall to my main firewall.

      I believe it's a static route setting but having looked around, don't actually know how to configure it. I can assign /29 IPs on the L2TP firewall, but they aren't passed through to the main one...

      What static routes do I need to set, and where to get the /29 to route to my main pfSense firewall?!

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        You would need to assign the /29 on the main firewall.

        And add a static route to the other pfSense device for the /29 subnet via the main firewall.

        I would not use DHCP there for the transport subnet. Just assign each ens statically from the /30.
        That doesn't need to be a public IP either. Since you are using it only to route the /29 it could be any private IP.

        Steve

        1 Reply Last reply Reply Quote 0
        • F Offline
          FoolishlyWise
          last edited by

          @stephenw10 Thanks Steve - I may be being completely thick/stupid here - so based off your instructions, I've
          a) Assigned the /29 as VIPs on the main firewall as they'll be used as 1:1 NAT;
          b) Set a static route from the main firewall that goes to the gateway of the L2TP-only firewall.

          However this hasn't worked. I might've worded my setup in a confusing way, so I've attached a diagram to show what's going on which might help explain things better and what I'm trying to achieve. The L2TP duty pfSense instance connects to the L2TP service and has the IPs routed to it. I am trying to pass these to my main firewall.

          Screenshot 2020-12-19 at 18.24.10.png

          Note your point re the /30 - however, I have it for use so might as well use it for something - but will likely change it to a private IP once I can get things working and return it back to the L2TP provider!

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            How are you testing? Do you see anything blocked in the firewall logs?

            Can connect from somewhere external to either end of the /30?

            You will need an interface with a gateway on it in order to get reply-to tags on states opened through it. DHCP will do that automatically though.
            Ping should work anyway even with an asymmetric route.

            Steve

            F 1 Reply Last reply Reply Quote 0
            • F Offline
              FoolishlyWise @stephenw10
              last edited by

              For testing, I've got a VM (172.16.11.126) that I try to 1:1 NAT to 81.x.x.27 (one of the IPs from the /29) to replicate what I'd be doing with it in lab 'production'

              Setting the gateway for 172.16.11.126 to the auto-DHCP-created gateway via a rule allows me to access the internet with the IP assigned to the interface (81.x.x.226) just fine. When I set 1:1 NAT from an address out the /29, I get nothing on the test VM. No connection incoming or outgoing, plus nothing in the firewall logs...

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                If you ping into something in the /29 from an external IP do you see those pings actually arriving anywhere? Maybe that /29 is not being routed to you correctly?

                Steve

                F 1 Reply Last reply Reply Quote 0
                • F Offline
                  FoolishlyWise @stephenw10
                  last edited by

                  I thought it wasn't being routed correctly too, however if I try assign it to a device (eg if I connect a test VM onto an OPT interface) to the L2TP pfSense instance, I can assign any /29 IP there just fine via just 1:1 mapping it... leads me to believe I'm missing something in the way its being routed from the L2TP pfSense to my main one.

                  Really really appreciate your help so far. I'm also trying to see if there's something obvious that's been missed or if it's some sort of issue elsewhere but can't think of what it could be.

                  stephenw10S 1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator @FoolishlyWise
                    last edited by

                    What does your static route look like for that?

                    Even if that was missing entirely you should still traffic arriving for those IPs at the L2TP pfSense if it's routed to you.

                    Steve

                    F 1 Reply Last reply Reply Quote 0
                    • F Offline
                      FoolishlyWise @stephenw10
                      last edited by

                      This is the static route on the main pfSense instance. Gateway created automatically by DHCP.

                      Screenshot 2020-12-20 at 10.46.11.png

                      Can't ping (and I've made sure there's an IMCP rule present to pass) - so still confused.

                      I think another option would be to assign the /29 to the LAN interface of the L2TP pfSense, then address the main one with an IP from that /29. I'd burn 3 addresses instead of 1, which is a lot considering it's only a /29 but it would at least get me somewhere.

                      The aim has been to get the L2TP pfSense to route the /29 as-is, without having to waste any addresses, using the /30 as the transport network. Fast appreciating that my day job isn't in IT/network admin based on the frustration this is causing!

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        That static route appears to be on the wrong firewall, it needs to be on the L2TP pfSense to route traffic to main firewall.

                        Steve

                        F 1 Reply Last reply Reply Quote 0
                        • F Offline
                          FoolishlyWise @stephenw10
                          last edited by

                          Added a static route from the /29 to 81.x.x.225 (created the gateway on the L2TP instance for the interface address) and still nothing. Even tried creating a gateway for 81.x.x.226 (the IP given to the main firewall) to go via that and still nothing.

                          Have also attempted various combos of having/not having a static route on the main firewall routing traffic via the receiving interface to no avail. Nothing in the firewall logs that's showing issues either. The /29 works fine if allocated to an interface so know it's being routed down the tunnel fine.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S Offline
                            stephenw10 Netgate Administrator
                            last edited by

                            The static route needs to be on the L2TP firewall and it needs to be for the /29 subnet via the .226 address on the main firewall.

                            Any static route on the main firewall needs to be removed of you will have a routing loop.

                            The hosts inside that /29 do not need a static route. The only outbound routing should be policy based on the firewall rules passing traffic from that interface.

                            Steve

                            F 1 Reply Last reply Reply Quote 0
                            • F Offline
                              FoolishlyWise @stephenw10
                              last edited by

                              I'm losing the plot here I think. Right - static route has been added to the L2TP instance which looks like the below:

                              Screenshot 2020-12-20 at 20.13.17.png

                              No static routes or anything are added to the main firewall. Still no luck in getting it to route - adding a 1:1 NAT to the test machine or even standing up a test interface with the /29 assigned on the main firewall results in... nothing.

                              Its configured like the following:
                              a) L2TP instance takes L2TP tunnel, auths, establishes connection
                              b) /30 is assigned to LAN on L2TP instance
                              c) Main firewall picks up .226 of that /30
                              d) Static route is configured like the above cap
                              e) /29 is assigned to an interface on the main firewall.
                              f) Client connected picks up a public IPv4 but uses

                              An allow-all rule is present on the interface which has got the /29 assigned with the gateway being the one provided on the L2TP instance.

                              Where do you think on the above steps I could be screwing up?

                              PS: I owe you a drink or three. Thank you so much for helping.

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S Offline
                                stephenw10 Netgate Administrator
                                last edited by

                                Send some pings to some IP in the /29 from an external address.

                                Check the state table in each pfSense, you should see states for that ping traffic coming in over the L2TP interface and out towards the main firewall. And states allowing it into the main firewall and out to wherever the target is, on the assigned interface for example.
                                If any state is missing check the firewall log for blocked traffic.

                                Ultimately run packet captures to determine if those packets are actually arriving at all.

                                Steve

                                F 1 Reply Last reply Reply Quote 0
                                • F Offline
                                  FoolishlyWise @stephenw10
                                  last edited by

                                  Assigning an IP from the /29 to an interface means I can ping that IP from an external address. That shows, at least, the block is being routed to the main firewall. Couldn't get any internet access, 1:1 NAT etc working though. Have now run out of time trying to diagnose, but ISP has swapped my /29 for a /28, which is more than enough for what I need for now even considering the 4 lost addresses (3+1 interface) - so have just put it on an interface on the L2TP instance and gone the easy way.

                                  Thanks so much for your help though - absolute legend!

                                  1 Reply Last reply Reply Quote 1
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.