Adding Netgate 3100 to existing network

phreed · Sep 13, 2023, 8:09 PM

I have an EERO mesh network to which I am adding a Netgate 3100.

I believe the outbound NAT on the Netgate is incorrectly configured.
For example, ping google.com from the Raspberry Pi loses all packets.

How would you recommend testing the NAT?
I am using the "Firewall / NAT / Outbound : Automatic outbound NAT rule generation"

Phizix · Sep 13, 2023, 7:24 PM

@phreed

Is there a reason you are wanting the EERO above the Netgate 3100. I would have expected a mesh node to be a client of the Netgate and on the same network as the Pi, or are you wanting all your wireless clients isolated from the LAN. Maybe using VLANs instead?

This loolks like a double NAT situation.

Phizix

phreed · Sep 13, 2023, 8:27 PM

@Phizix
There are other people currently using the EERO mesh.
Eventually, I may want the following but I need to get there in a way that does not inconvenience the other people.
Also, I want to be able to take this setup to be portable (Everything from the Netgate down goes in a travel case.)

Internet

phreed · Sep 13, 2023, 8:11 PM

@Phizix said in Adding Netgate 3100 to existing network:

This looks like a double NAT situation.

Yes, it seems like it should be pretty common.

Phizix · Sep 13, 2023, 8:16 PM

@phreed,

OK, I see you just updated the original post image. This is clearer.

I assume your "misc" is able to access the internet fine. What are the rules on the LAN side of the 3100?
Phizix

P.S. forgot to ask, what gateway is the LAN pointed to and what gateway is the WAN pointed to?

stephenw10 · Sep 13, 2023, 8:27 PM

I don't see the RasPi on your diagram but I assume it's behind your 3100.

Your outbound NAT rules show that you have a subnet conflict. You have set the 3100 LAN to 172.16.0.0/12 (1048574 hosts) and that conflict with the WAN subnet being passed via DHCP.

You should almost certainly have your LAN subnet set to /24. 172.16.0.0/12 as the entire available private IP range from 172.16 and you only need a small part of that.
It still have to be a different subnet to the eero LAN so for example setting the 3100 LAN to 172.16.100.1/24 will work.

Steve

stephenw10 · Sep 13, 2023, 8:34 PM

Mmm, just noticed your diagram shows an IP that doesn't conflict but no subnet so it just correcting that to /24 may be enough. So the LAN should be 172.17.1.1/24

phreed · Sep 13, 2023, 8:45 PM

Here is a more complete picture.

Yes, misc is able to reach the internet without issue.

From 172.17.1.111

ip route
default via 172.17.1.1 dev enx9cbf0d001279 proto dhcp src 172.17.1.111 metric 20100 
blackhole 10.1.100.0/26 proto 80 
10.1.100.17 dev calieb72027faf7 scope link 
10.1.100.18 dev cali3867c773915 scope link 
169.254.0.0/16 dev enx9cbf0d001279 scope link metric 1000 
172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

stephenw10 · Sep 13, 2023, 8:44 PM

@phreed said in Adding Netgate 3100 to existing network:

172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

Fix that. The subnet should be /24 to avoid a conflict.

phreed · Sep 13, 2023, 9:05 PM

@stephenw10 said in Adding Netgate 3100 to existing network:

@phreed said in Adding Netgate 3100 to existing network:

172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

Fix that. The subnet should be /24 to avoid a conflict.

I deleted the route and pinged; then restored it as 172.16.0.0/24 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100 and pinged again.
That did not seem to help

stephenw10 · Sep 13, 2023, 9:08 PM

That subnet is defined in the 3100 in the LAN config. You need to set it there.

phreed · Sep 13, 2023, 9:25 PM

@stephenw10
Do you mean in Interfaces / LAN (mvneta1)?

If I make that change when I save I get...

The following input errors were detected:
IPv4 address 172.17.1.1/24 is being used by or overlaps with: WAN (172.16.0.22/12)

stephenw10 · Sep 13, 2023, 9:45 PM

Ah, Ok, then both segments are incorrect you definitly don't need a /12 subnet anywhere.

Ok, use a different private subnet on the 3100 LAN like: 192.168.100.1/24

phreed · Sep 13, 2023, 10:06 PM

@stephenw10
That seems to correct the problem.

There can be no overlap between the subnet and its parent?
I guess that makes sense.

stephenw10 · Sep 13, 2023, 10:18 PM

Yes you cannot have the same subnet on more than one interface it breaks routing.

But you shouldn't have a /12 subnet on any interface. That's >1M hosts! If you're using the 172.16.0.0/12 private range you should choose a smaller subnet from inside that.

So I recommend you change the subnet the eero is using on it's LAN at some point.

Steve

phreed · Sep 13, 2023, 10:20 PM

@stephenw10
That makes sense.
Thanks