Netgate Discussion Forum
    Problems setting up correct routing for different internal networks

    Category: Routing and Multi WAN
    2 posts, 2 posters, 432 views
    • th

      Hi, I'm having trouble setting up routing in pfSense (as part of bigger problems...).

      My pfSense has WAN (igb0) connected to my ISP, and LAN (igb1) (10.0.0.0/24) is connected to a switch. I also have a wireless card, OPT2 (ath0_wlan0) (10.1.0.0/24), and LAN and OPT2 are bridged. DHCP is running on LAN and OPT2.

      I want to stop using the wireless card in the pfSense router, and instead use a Ubiquiti AP running OpenWrt which is connected to the switch. The Ubiquiti has two wireless networks configured on it, one for me (MYNET, also 10.0.0.0/24 by using the pfSense DHCP server) and one for guests (GUESTS, 192.168.3.0/24, using a DHCP server on the Ubiquiti).

      I know it might seem weird, but I want to have separate private networks for MYNET and GUESTS. And since laptops connected to MYNET should have access to machines on my home network I figure it's best to use the pfSense DHCP server. But since devices connected to GUESTS should not have anything to do with my home network, I figured a DHCP server on the Ubiquiti putting them on a completely different network was a good idea.

      When I wirelessly connect a laptop to MYNET everything works as expected. I can surf, and I can connect to machines on my home network.

      But when I wirelessly connect a laptop to GUESTS nothing works. I can't surf and I can't connect to anything on my home network.

      Here's a (simplified and slightly anonymized) tcpdump output from pfSense's igb0, when the laptop is connecting to a www server when using MYNET:

      17:40:21.598915 IP AA.BB.CC.137.30945 > XX.YY.ZZ.35.80: Flags [S], seq 1761383132
      17:40:21.600829 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.30945: Flags [S.], seq 1236209384, ack 1761383133
      17:40:21.604541 IP AA.BB.CC.137.30945 > XX.YY.ZZ.35.80: Flags [.], ack 1
      17:40:21.604591 IP AA.BB.CC.137.30945 > XX.YY.ZZ.35.80: Flags [P.], seq 1:19, ack 1
      17:40:21.606431 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.30945: Flags [.], ack 19
      17:40:21.635453 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.30945: Flags [P.], seq 1:568, ack 19
      17:40:21.635501 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.30945: Flags [F.], seq 568, ack 19
      17:40:21.639749 IP AA.BB.CC.137.30945 > XX.YY.ZZ.35.80: Flags [.], ack 568
      17:40:21.640069 IP AA.BB.CC.137.30945 > XX.YY.ZZ.35.80: Flags [F.], seq 19, ack 569
      17:40:21.642043 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.30945: Flags [.], ack 20
      

      And then trying the same thing when the laptop is connected to GUESTS:

      17:41:13.668985 IP AA.BB.CC.137.23445 > XX.YY.ZZ.35.80: Flags [S], seq 2171037162
      17:41:13.670965 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:13.671012 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      17:41:13.973662 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:13.973707 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      17:41:14.693800 IP AA.BB.CC.137.23445 > XX.YY.ZZ.35.80: Flags [S], seq 2171037162
      17:41:14.695898 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:14.695942 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      17:41:16.733771 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:16.733822 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      17:41:16.773788 IP AA.BB.CC.137.23445 > XX.YY.ZZ.35.80: Flags [S], seq 2171037162
      17:41:16.775771 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:16.775813 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      17:41:20.829694 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
      17:41:20.829748 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
      

      So pfSense tries sending packets addressed to 192.168.3.208 (my laptop) out on igb0 (WAN) instead of sending them on igb1 (LAN) where they would have a chance of reaching my Ubiquiti.

      Running tcpdump on igb1 verifies that when the laptop is connected to MYNET, packets to 10.0.0.217 (my laptop) are sent on igb1 (and reach my laptop), but when connected to GUESTS all I see are the SYN packets sent by the laptop, and nothing else.

      As far as I can tell I need to set up policy based routing to make pfSense send the 192.168.3.208 packets out on igb1 (to the switch), but all search hits so far have been about policy based routing when the pfSense is connected to two WANs, and my problem is the opposite; one WAN, but two different internal networks, and I can't get it to work.

      Now I know I'm doing weird stuff, but I still think it should be possible. Or is there a tutorial somewhere with a better setup, achieving the network separation I'm aiming for? Do I have to use a physical port on the pfSense machine and put the Ubiquiti there, instead of having it connected to the switch?

      There might be other things I need to fix as well, but right now I just want to learn how to set up policy based routing to get this particular part of my problems solved. If possible...

      Thanks,

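Reading the second capture above: each SYN-ACK arrives on igb0 for the NAT address (AA.BB.CC.137:23445), pf reverses the translation to 192.168.3.208:44424, and the kernel then has to route that packet. pfSense only knows 10.0.0.0/24 (igb1) and 10.1.0.0/24 (the bridge) as connected networks, so longest-prefix match finds nothing for 192.168.3.0/24 and falls through to the default route, which is why the un-NATed SYN-ACK goes straight back out igb0 as the second line of every pair. The check below is an added example written for this page, not code from the thread: on a single-WAN firewall no packet leaving the WAN interface should carry an RFC 1918 destination, so flagging such lines in a WAN-side `tcpdump -n` capture pinpoints a missing internal route. The sample input is four lines copied from the poster's igb0 capture plus one constructed control line with a public destination.

```shell
#!/bin/sh
# Added example, not from the thread. Flags packets in a tcpdump text capture
# taken on the WAN interface whose destination is an RFC 1918 address.
# On a single-WAN pfSense such a packet can only mean the kernel found no
# route for the inner host and used the default route (the WAN gateway).

# Sample input: four lines from the poster's igb0 capture plus one constructed
# control line (public destination) that must not be flagged.
SAMPLE='17:41:13.670965 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
17:41:13.671012 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
17:41:13.973662 IP XX.YY.ZZ.35.80 > AA.BB.CC.137.23445: Flags [S.], seq 3417218341, ack 2171037163
17:41:13.973707 IP XX.YY.ZZ.35.80 > 192.168.3.208.44424: Flags [S.], seq 3417218341, ack 2171037163
17:41:14.000000 IP AA.BB.CC.137.23445 > XX.YY.ZZ.35.80: Flags [S], seq 2171037162'

# Print one line per offending packet: timestamp, private destination, and
# the source it came from. Expects the "tcpdump -n" line format:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags ...
private_dst_on_wan() {
    awk '
    $2 == "IP" && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)          # "192.168.3.208.44424:" -> "192.168.3.208.44424"
        sub(/\.[0-9]+$/, "", dst)   # drop the port               -> "192.168.3.208"
        if (dst ~ /^10\./ ||
            dst ~ /^192\.168\./ ||
            dst ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            print $1, "private dst", dst, "seen on WAN (no internal route; default gateway used), from", $3
    }'
}

# Number of offending packets as a bare integer, for scripts and tests.
count_private_dst_on_wan() {
    private_dst_on_wan | wc -l | tr -d ' '
}

# Stand-alone use: analyse a saved capture given as $1, otherwise the sample.
if [ "$#" -gt 0 ]; then
    private_dst_on_wan < "$1"
else
    printf '%s\n' "$SAMPLE" | private_dst_on_wan
fi
```

Against a live box, save a capture with `tcpdump -ni igb0 -l > wan.txt` and feed it to `private_dst_on_wan < wan.txt`; two hits per SYN-ACK pair, all for 192.168.3.208, is the signature of this problem. A static route for 192.168.3.0/24 pointing at the AP's LAN address would make the reply leave igb1 instead, but it also turns the AP into a router between the guest and home networks with nothing filtering in between, the opposite of the isolation the poster wants; the VLAN design suggested in the reply is the proper fix.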
      • bingo600

        @th

        OpenWrt on a UBI AP, I didn't know you could do that.

        Well, to me it seems like you should use multiple VLANs between the pfSense and the AP.

        If your AP doesn't support that, you really don't want to try two different IP ranges on the AP.

        /Bingo


        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, RAM : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

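The VLAN design the reply recommends, as an added example that is not from the thread or from either poster: one 802.1Q trunk from pfSense igb1 through the managed switch to the AP, MYNET left untagged on the existing LAN, and GUESTS carried as a tagged VLAN that pfSense terminates itself (VLAN 30 on igb1 under Interfaces > Assignments > VLANs, assigned as a new interface with 192.168.3.1/24, DHCP enabled on it, and firewall rules on that interface that allow DHCP/DNS to the interface address, block destinations in LAN net, then allow the rest). The AP then needs no IP in the guest VLAN and no DHCP server, so a guest cannot reach the AP's management interface at all. The shell function below stages OpenWrt UCI fragments for that AP side into a directory for review before they are appended to the AP's `/etc/config` files; it assumes netifd's 8021q device syntax (OpenWrt 21.02 or later), an uplink named eth0, radio name radio0, VLAN ID 30 and a placeholder PSK, none of which the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Stages OpenWrt UCI fragments for a
# guest SSID carried on a tagged VLAN, so pfSense (not the AP) owns the
# guest subnet. Assumptions: the AP's wired uplink is eth0, the guest VLAN
# ID is 30, the radio is radio0, and the PSK is a placeholder to replace.
#
# Usage: stage_openwrt_guest_vlan <staging-dir> [vlan-id]
# Then on the AP:  cat network.append >> /etc/config/network   (likewise
# wireless.append and dhcp.append), then /etc/init.d/network restart && wifi
stage_openwrt_guest_vlan() {
    root="$1"
    vid="${2:-30}"
    mkdir -p "$root"

    # 802.1Q sub-interface on the uplink, bridged into a guest network that
    # deliberately has no IP address (proto none): guest clients get no path
    # to the AP's own management interface, which stays on the untagged LAN.
    cat > "$root/network.append" <<EOF

config device
    option name 'eth0.$vid'
    option type '8021q'
    option ifname 'eth0'
    option vid '$vid'

config device
    option name 'br-guest'
    option type 'bridge'
    list ports 'eth0.$vid'

config interface 'guest'
    option device 'br-guest'
    option proto 'none'
EOF

    # Guest SSID bound to the guest network; isolate=1 stops guest clients
    # from talking to each other through the AP.
    cat > "$root/wireless.append" <<EOF

config wifi-iface 'guest_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'GUESTS'
    option network 'guest'
    option encryption 'psk2'
    option key 'CHANGE-ME-guest-passphrase'
    option isolate '1'
EOF

    # No DHCP from the AP on the guest network: pfSense serves it on VLAN $vid.
    cat > "$root/dhcp.append" <<EOF

config dhcp 'guest'
    option interface 'guest'
    option ignore '1'
EOF
}

# Stand-alone use: stage into the directory given as $1, VLAN ID as $2.
if [ "$#" -gt 0 ]; then
    stage_openwrt_guest_vlan "$1" "${2:-30}"
    ls -1 "$1"
fi
```

The switch ports facing pfSense and the AP must carry VLAN 30 tagged alongside the untagged LAN VLAN; if the switch cannot do that, the AP has to hang off a spare pfSense port instead, as the poster already suspected. Once guests are on their own L3 interface, the return-path problem disappears, because 192.168.3.0/24 is then a connected network on pfSense and the firewall rules, not the AP, decide what guests may reach.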
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.