Static Routing between Lan Vlan OpenVPN

    darwood
    last edited by Jan 14, 2024, 4:46 AM

    I'm struggling to figure out how to fix this routing issue.

    The part that I'm having trouble with is the LINK_SER gateway.

    LINK_SER is another router; it's owned and managed by a software company that provides certain services to us. I cannot change any aspect of it. It sits on the LAN using IP 10.0.0.13. It's in fact a gateway to remote servers. The only one I'm interested in is 10.20.1.100.

    It works for (default) lan clients, lan clients can ping the server 10.20.1.100.

    Lan clients traffic for 10.20.1.100 follows the route to 10.0.0.13 gateway.

    Lan clients can connect and ping as expected.

    I have identical rules in vlan30, basically allow all. Vlan30 clients can ping lan clients. But Vlan30 clients cannot ping 10.20.1.100, and traffic does not reach the LINK_SER gateway. Using ping on pfsense with source address as Vlan30, 100% packet loss; the same ping with source address lan is successful. All other Vlans cannot ping 10.20.1.100.

    Here's a brief overview of the network:

    Internet
    |
    pfsense 23.09.1 (WAN)
    | | | |
    LAN 10.0.0.0/24 VLAN20 VLAN30 OpenVPN
    10.0.20.0 10.0.30.0 10.0.90.0
    /system/routing/gateways
    WAN_GW Default IPV4 WAN (PUBLIC IP)
    LINK_SER LAN (10.0.0.13) (Link Gateway to servers) (I can not make changes to this config)

    /system/routing/static routes
    10.20.1.0/24 Gateway LINK_SER Interface LAN (Link Gateway to servers)

    /firewall/rules/lan
    IPv4 Source 10.20.1.0/24 Port * Destination 10.0.0.13 (allow from Gateway Servers)

    I am clearly missing something.

    So the short is:

    I need to ping server 10.20.1.101 which is reachable via LINK_SER gateway on LAN @ 10.0.0.13 from VLAN30.

    pfsense does not seem to be following the static routing for vlans.

      JonathanLee
      last edited by JonathanLee Jan 14, 2024, 5:54 AM Jan 14, 2024, 5:46 AM

      That is on a different subnet. Are you sure it is CIDR notation /24?

      10.20.1.100/24?? This is 10.20.1.x, as 10.20.1 is the network and x is the host.

      And 10.0.0.13/24??? This is 10.0.0.x, so 10.0.0 is the network and x is the host.

      Both networks are different private address schemes they need to know how to talk to each other as they both have different broadcast addresses. You have one broadcast address at 10.0.0.255 and the other is 10.20.1.255.

      • 10.0.0.1 - 10.0.0.254 usable host range

      • 10.20.1.1 - 10.20.1.254 usable host range

      That can't work, as it only gives you a subnet of 255.255.255.0 for use with the last octet only, so you need a static route set up.

      System---->Routing---->Static Routes

      Set this to anything that wants that server point it to that gateway to get it.

      Set each subnet to have a static route for what you need. I think the others are already on that subnet so they know how to get to it in the routing table.

      I would look at each network that is trying to access that server and if it is needed and or no pings that is the subnet that needs a static route also.

      Also does the VLAN have rules for approving traffic to that host?

      Make sure to upvote

        JonathanLee @darwood
        last edited by Jan 14, 2024, 5:57 AM

        @darwood said in Static Routing between Lan Vlan OpenVPN:

        Lan clients traffic for 10.20.1.100 follows the route to 10.0.0.13 gateway.

        If this is the gateway, what is the CIDR notation being used here?

        Make sure to upvote

          darwood @JonathanLee
          last edited by darwood Jan 14, 2024, 7:06 AM Jan 14, 2024, 7:04 AM

          @JonathanLee

          I wasn't as clear as I could have been.

          10.0.0.13 is the IP assigned to the other router by pfsense. The other router has its own fiber connection. This router is acting as a gateway to 10.20.1.101. The IP range on the note is 10.20.1.0/24, but as far as I can tell only three IPs have ever been in use: 10.20.1.101~103.

          The Lan clients can ping 10.20.1.101~3 correctly.

          Lan is defined as 10.0.0.0/24 GW is 10.0.0.254

          Lan and Vlan30 have the same rules in the same order.

          For testing:
          I set a rule on Vlan30, top of the list : Action Pass, Interface Vlan30, IPV4, Protocol Any, source Any, Destination Address 10.20.1.102, and under advanced, GW is LINK_SER which is defined as 10.0.0.13 under /system/routing/gateways.

          Using pfsense ping, and host 10.20.1.102, source set to Lan, Ping is successful
          Using pfsense ping and host 10.20.1.102, source set to Vlan30, Ping fails.

          Using pfsense ping and host set to another lan client 10.0.0.14 (random machine), source set to Vlan30, Ping is successful.

          BUT
          Using pfsense ping and host set to 10.0.0.13. source set to Lan, Ping is successful
          however
          Using pfsense ping and host set to 10.0.0.13 source set to Vlan30, Ping fails.

          Vlan30 won't follow the static route setup in /system/routing/static routes. So it doesn't know, when I want to ping 10.20.1.102, to use the LINK_SER gateway (which is the router at 10.0.0.13).

          It also seems that Vlan30 can't ping that device, even though it can ping other lan clients on the same subnet.

            JonathanLee @darwood
            last edited by JonathanLee Jan 14, 2024, 8:49 AM Jan 14, 2024, 8:45 AM

            @darwood what about a floating rule, as it’s essentially on the same interface??
            Better yet, just create a NAT rule for that traffic with destinations out that other interface…

            Make sure to upvote

              darwood @JonathanLee
              last edited by darwood Jan 14, 2024, 4:07 PM Jan 14, 2024, 3:52 PM

              @JonathanLee

              I have tried adding a NAT rule under outbound. Tried with VLAN30 and LAN as the NAT Address.

              But this did not work. Ping to other machines on LAN from VLAN30 works, but Ping to 10.20.1.102 fails from VLAN30. Also ping to 10.0.0.13 also fails from VLAN30, but from LAN works.

              I should be able to ping 10.0.0.13 from Vlan30 as I can ping other clients on LAN, but this is not the case.

              What would allow a ping to clients on LAN from VLAN30, but block a ping from VLAN30 to that client, while a ping from LAN works?

              firewall/NAT/Portforward
              Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination 10.20.1.0/24, Destination Port *, Nat Address VLAN30 address, Nat Port *
              Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination Lan subnets, Destination Port *, Nat Address VLAN30 address, Nat Port *

              (not at the same time)

              firewall/NAT/Portforward
              Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination 10.20.1.0/24, Destination Port *, Nat Address LAN address, Nat Port *
              Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination Lan subnets, Destination Port *, Nat Address LAN address, Nat Port *

              firewall/Rules/Floating
              Interface VLAN30, Protocol IPv4* Source VLAN30 subnets, Port *, Destination 10.20.1.0/24, Port 0, Gateway LINK_SER, Queue none

              And tested using pfsense ping from Lan/VLAN30. Same results: ping successful from LAN, fails from VLAN30 (it fails from anything other than LAN). Pings from Vlan30 to other LAN machines are successful.

                viragomann @darwood
                last edited by Jan 14, 2024, 5:25 PM

                @darwood said in Static Routing between Lan Vlan OpenVPN:

                I have identical rules in vlan30, basically allow all. Vlan30 clients can ping lan clients. But Vlan30 clients can not ping 10.20.1.100, and traffic does not reach the LINK_SER gateway.

                Sure? Have you sniffed the traffic to prove this?

                I have tried adding a NAT rule under outbound. Tried with VLAN30 and LAN as the NAT Address.

                Can you post a screenshot?

                firewall/NAT/Portforward
                Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination 10.20.1.0/24, Destination Port *, Nat Address VLAN30 address, Nat Port *
                Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination Lan subnets, Destination Port *, Nat Address VLAN30 address, Nat Port *

                (not at the same time)

                firewall/NAT/Portforward
                Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination 10.20.1.0/24, Destination Port *, Nat Address LAN address, Nat Port *
                Interface VLAN30, Source VLAN30 subnets, Source Port *, Destination Lan subnets, Destination Port *, Nat Address LAN address, Nat Port *

                These rules make no sense at all.

                  darwood @viragomann
                  last edited by Jan 14, 2024, 6:35 PM

                  @viragomann

                  I am remote to this pfsense router atm. But I can ssh in to the pfsense.

                  From Vlan30 to 10.0.0.13
                  ping -S 10.0.30.254 10.0.0.13
                  PING 10.0.0.13 (10.0.0.13) from 10.0.30.254: 56 data bytes
                  ^C
                  --- 10.0.0.13 ping statistics ---
                  3 packets transmitted, 0 packets received, 100.0% packet loss

                  From Vlan30 to 10.0.0.15 - same vlan to a different LAN IP
                  ping -S 10.0.30.254 10.0.0.15
                  PING 10.0.0.15 (10.0.0.15) from 10.0.30.254: 56 data bytes
                  64 bytes from 10.0.0.15: icmp_seq=0 ttl=64 time=0.531 ms
                  64 bytes from 10.0.0.15: icmp_seq=1 ttl=64 time=0.911 ms
                  64 bytes from 10.0.0.15: icmp_seq=2 ttl=64 time=0.361 ms

                  From LAN to 10.0.0.13
                  ping -S 10.0.0.254 10.0.0.13
                  PING 10.0.0.13 (10.0.0.13) from 10.0.0.254: 56 data bytes
                  64 bytes from 10.0.0.13: icmp_seq=0 ttl=255 time=0.749 ms
                  64 bytes from 10.0.0.13: icmp_seq=1 ttl=255 time=0.461 ms
                  64 bytes from 10.0.0.13: icmp_seq=2 ttl=255 time=0.510 ms
                  ^C
                  --- 10.0.0.13 ping statistics ---
                  3 packets transmitted, 3 packets received, 0.0% packet loss
                  round-trip min/avg/max/stddev = 0.461/0.573/0.749/0.126 ms

                  Rules currently loaded.
                  pfctl -s rules
                  scrub from any to <vpn_networks> fragment no reassemble
                  scrub from <vpn_networks> to any fragment no reassemble
                  scrub on mvneta0.4090 inet all fragment reassemble
                  scrub on mvneta0.4090 inet6 all fragment reassemble
                  scrub on mvneta0.4091 inet all fragment reassemble
                  scrub on mvneta0.4091 inet6 all fragment reassemble
                  scrub on mvneta0.20 inet all fragment reassemble
                  scrub on mvneta0.20 inet6 all fragment reassemble
                  scrub on mvneta0.30 inet all fragment reassemble
                  scrub on mvneta0.30 inet6 all fragment reassemble
                  anchor "openvpn/" all
                  anchor "ipsec/*" all
                  pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000000001
                  pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000000002
                  block drop in log quick inet6 all label "Block all IPv6" ridentifier 1000000003
                  block drop out log quick inet6 all label "Block all IPv6" ridentifier 1000000004
                  block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101
                  block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102
                  block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
                  block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104
                  block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105
                  block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106
                  block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000107
                  block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000107
                  block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000108
                  block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000108
                  block drop log quick from <snort2c> to any label "Block snort2c hosts" ridentifier 1000000109
                  block drop log quick from any to <snort2c> label "Block snort2c hosts" ridentifier 1000000110
                  block drop in log quick proto tcp from <sshguard> to (self) port = 2424 label "sshguard" ridentifier 1000000301
                  block drop in log quick proto tcp from <sshguard> to (self) port = http label "GUI Lockout" ridentifier 1000000351
                  block drop in log quick from <virusprot> to any label "virusprot overload table" ridentifier 1000000400
                  block drop in log quick on mvneta0.4090 from <bogons> to any label "block bogon IPv4 networks from WAN" ridentifier 11001
                  block drop in log on ! mvneta0.4090 inet from <REDACTEDWANIP>/29 to any ridentifier 1000001470
                  block drop in log inet from <REDACTEDWANIP> to any ridentifier 1000001470
                  block drop in log on mvneta0.4090 inet6 from <REDACTEDWANIPIPV6> to any ridentifier 1000001470
                  block drop in log quick on mvneta0.4090 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" ridentifier 12001
                  block drop in log quick on mvneta0.4090 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" ridentifier 12002
                  block drop in log quick on mvneta0.4090 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" ridentifier 12003
                  block drop in log quick on mvneta0.4090 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" ridentifier 12004
                  block drop in log quick on mvneta0.4090 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" ridentifier 12005
                  block drop in log on ! mvneta0.4091 inet from 10.0.0.0/24 to any ridentifier 1000002520
                  block drop in log inet from 10.0.0.254 to any ridentifier 1000002520
                  block drop in log on mvneta0.4091 inet6 from <REDACTEDWANIPIPV6> to any ridentifier 1000002520
                  pass in quick on mvneta0.4091 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002541
                  pass in quick on mvneta0.4091 inet proto udp from any port = bootpc to 10.0.0.254 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002542
                  pass out quick on mvneta0.4091 inet proto udp from 10.0.0.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002543
                  block drop in log on ! mvneta0.20 inet from 10.0.20.0/24 to any ridentifier 1000003570
                  block drop in log inet from 10.0.20.254 to any ridentifier 1000003570
                  block drop in log on mvneta0.20 inet6 from <REDACTEDWANIPIPV6> to any ridentifier 1000003570
                  pass in quick on mvneta0.20 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000003591
                  pass in quick on mvneta0.20 inet proto udp from any port = bootpc to 10.0.20.254 port = bootps keep state label "allow access to DHCP server" ridentifier 1000003592
                  pass out quick on mvneta0.20 inet proto udp from 10.0.20.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000003593
                  block drop in log on ! mvneta0.30 inet from 10.0.30.0/24 to any ridentifier 1000004620
                  block drop in log inet from 10.0.30.254 to any ridentifier 1000004620
                  block drop in log on mvneta0.30 inet6 from <REDACTEDWANIPIPV6> to any ridentifier 1000004620
                  pass in quick on mvneta0.30 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000004641
                  pass in quick on mvneta0.30 inet proto udp from any port = bootpc to 10.0.30.254 port = bootps keep state label "allow access to DHCP server" ridentifier 1000004642
                  pass out quick on mvneta0.30 inet proto udp from 10.0.30.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000004643
                  pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000005711
                  pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000005712
                  pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000005713
                  pass out route-to (mvneta0.4090 <REDACTEDWANIP>) inet from <REDACTEDWANIP> to ! <REDACTEDWANIP>/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000005811
                  pass in quick on mvneta0.4091 proto tcp from any to (mvneta0.4091) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001
                  pass in quick on mvneta0.4091 proto tcp from any to (mvneta0.4091) port = 2424 flags S/SA keep state label "anti-lockout rule" ridentifier 10001
                  anchor "userrules/" all
                  pass out on mvneta0.30 route-to (mvneta0.4091 10.0.0.13) inet from <OPT3__NETWORK> to 10.20.1.0/24 flags S/SA keep state label "USER_RULE" label "id:1705199260" label "gw:LINK_SER" ridentifier 1705199260
                  pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN OpenVPN Corp Network wizard" label "id:1656005485" ridentifier 1656005485
                  pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN OpenVPN Secuirty wizard" label "id:1656006325" ridentifier 1656006325
                  pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN OpenVPN Secuirty wizard" label "id:1656006394" ridentifier 1656006394
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to (self) port 21 >< 2425 flags S/SA keep state label "USER_RULE" label "id:1705251456" ridentifier 1705251456
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto udp from any to <REDACTEDWANIP> port = openvpn keep state label "USER_RULE: OpenVPN OpenVPN Corp Network wizard" label "id:1656005484" ridentifier 1656005484
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto udp from any to <REDACTEDWANIP> port = rsf-1 keep state label "USER_RULE: OpenVPN OpenVPN Secuirty wizard" label "id:1656006324" ridentifier 1656006324
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto udp from any to <REDACTEDWANIP> port = 1196 keep state label "USER_RULE: OpenVPN OpenVPN Secuirty wizard" label "id:1656006393" ridentifier 1656006393
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to 10.0.0.15 port = submission flags S/SA keep state label "USER_RULE: NAT SMTP to KACKT STARTTLS" label "id:1689123396" ridentifier 1689123396
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to 10.0.0.15 port = smtp flags S/SA keep state label "USER_RULE: NAT " label "id:1689127029" ridentifier 1689127029
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to 10.0.0.15 port = imaps flags S/SA keep state label "USER_RULE: NAT " label "id:1689127190" ridentifier 1689127190
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to 10.0.0.15 port = imap flags S/SA keep state label "USER_RULE: NAT " label "id:1689129076" ridentifier 1689129076
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from any to 10.0.0.15 port = https flags S/SA keep state label "USER_RULE: NAT 443 to KACKT for MailPlus app" label "id:1700154071" ridentifier 1700154071
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from REDACTEDEXTERNALIP to <REDACTEDWANIP> port = 6690 flags S/SA keep state label "USER_RULE: Passed via EasyRule" label "id:1700862156" ridentifier 1700862156
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from REDACTEDEXTERNALIP to <REDACTEDWANIP> port = microsoft-ds flags S/SA keep state label "USER_RULE: Passed via EasyRule" label "id:1700865372" ridentifier 1700865372
                  pass in quick on mvneta0.4090 reply-to (mvneta0.4090 <REDACTEDWANIP>) inet proto tcp from REDACTEDEXTERNALIP to 10.0.0.10 port = http-alt flags S/SA keep state label "USER_RULE: NAT " label "id:1704146078" ridentifier 1704146078
                  pass in quick on mvneta0.4091 inet from 10.20.1.0/24 to 10.0.0.13 flags S/SA keep state label "USER_RULE: Allow from LINK_SER" label "id:1656006751" ridentifier 1656006751
                  pass in quick on mvneta0.4091 inet from 10.0.30.0/24 to 10.0.0.13 flags S/SA keep state label "USER_RULE: Allow from LINK_SER" label "id:1705216069" ridentifier 1705216069
                  pass in quick on mvneta0.4091 inet from 10.20.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow from LINK_SER" label "id:1656006686" ridentifier 1656006686
                  pass in quick on mvneta0.4091 inet from <LAN__NETWORK> to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101
                  pass in quick on mvneta0.20 inet proto tcp from any to 10.0.0.15 port = smtp flags S/SA keep state label "USER_RULE" label "id:1697941554" ridentifier 1697941554
                  pass in quick on mvneta0.20 inet proto tcp from any to 10.0.0.10 port = http-alt flags S/SA keep state label "USER_RULE" label "id:1704221032" ridentifier 1704221032
                  pass in quick on mvneta0.20 inet proto udp from any to 10.0.0.15 port = submission keep state label "USER_RULE" label "id:1697941439" ridentifier 1697941439
                  pass in quick on mvneta0.20 inet proto udp from any to 10.0.0.254 port = ntp keep state label "USER_RULE" label "id:1689820479" ridentifier 1689820479
                  block drop in quick on mvneta0.20 inet from any to <OPT3__NETWORK> label "USER_RULE: Block Lan" label "id:1656006984" ridentifier 1656006984
                  block drop in quick on mvneta0.20 inet from any to <LAN__NETWORK> label "USER_RULE: Block Lan" label "id:1656006920" ridentifier 1656006920
                  block drop in quick on mvneta0.20 inet proto tcp from any to (self) port = 10433 flags S/SA label "USER_RULE: Block Web Interface" label "id:1656006863" ridentifier 1656006863
                  pass in quick on mvneta0.20 inet from <OPT2__NETWORK> to any flags S/SA keep state label "USER_RULE" label "id:1656003821" ridentifier 1656003821
                  pass in quick on mvneta0.30 inet proto tcp from any to 10.20.1.0/24 flags S/SA keep state (sloppy) label "USER_RULE" label "id:1705250684" ridentifier 1705250684
                  pass in quick on mvneta0.30 inet all flags S/SA keep state label "USER_RULE: Allow Lan" label "id:1656007148" ridentifier 1656007148
                  block drop in quick on mvneta0.30 inet from any to <OPT2__NETWORK> label "USER_RULE: Block Lan" label "id:1656007200" ridentifier 1656007200
                  block drop in quick on mvneta0.30 inet proto tcp from any to (self) port = 10433 flags S/SA label "USER_RULE: Block Web Interface" label "id:1656007110" ridentifier 1656007110
                  pass quick on mvneta0.4091 inet proto tcp from 10.0.0.0/24 to 10.20.1.0/24 flags any keep state (sloppy) label "pass traffic between statically routed subnets" ridentifier 1000006241
                  pass quick on mvneta0.4091 inet from 10.0.0.0/24 to 10.20.1.0/24 flags S/SA keep state (sloppy) label "pass traffic between statically routed subnets" ridentifier 1000006242
                  pass quick on mvneta0.4091 inet proto tcp from 10.20.1.0/24 to 10.0.0.0/24 flags any keep state (sloppy) label "pass traffic between statically routed subnets" ridentifier 1000006243
                  pass quick on mvneta0.4091 inet from 10.20.1.0/24 to 10.0.0.0/24 flags S/SA keep state (sloppy) label "pass traffic between statically routed subnets" ridentifier 1000006244
                  anchor "tftp-proxy/*" all

                    viragomann @darwood
                    last edited by Jan 14, 2024, 7:17 PM

                    @darwood
                    This is not helpful. We already know what is working and what doesn't.

                    Run

                    pfctl -sn

                    to check out the NAT rules.

                      darwood @viragomann
                      last edited by darwood Jan 14, 2024, 7:43 PM Jan 14, 2024, 7:40 PM

                      @viragomann said in Static Routing between Lan Vlan OpenVPN:

                      pfctl -sn

                      My bad, I had as well but failed to attach it.

                      root: pfctl -sn
                      no nat proto carp all
                      nat-anchor "natearly/" all
                      nat-anchor "natrules/*" all
                      nat on mvneta0.30 inet from any to 10.20.1.0/24 -> 10.0.30.254 port 1024:65535
                      nat on mvneta0.30 inet from any to <LAN__NETWORK> -> 10.0.30.254 port 1024:65535
                      nat on mvneta0.4091 inet from 10.0.0.0/24 to 10.20.1.0/24 -> 10.0.0.254 port 1024:65535
                      nat on openvpn inet from 10.0.70.0/24 to 10.20.1.0/24 -> (openvpn) port 1024:65535 round-robin
                      nat on openvpn inet from 10.0.80.0/24 to 10.20.1.0/24 -> (openvpn) port 1024:65535 round-robin
                      nat on openvpn inet from 10.0.90.0/24 to 10.20.1.0/24 -> (openvpn) port 1024:65535 round-robin
                      nat on mvneta0.4090 inet from <tonatsubnets> to any port = isakmp -> <REDACTEDWANIP> static-port
                      nat on mvneta0.4090 inet6 from <tonatsubnets> to any port = isakmp -> (mvneta0.4090) round-robin static-port
                      nat on mvneta0.4090 inet from <tonatsubnets> to any -> <REDACTEDWANIP> port 1024:65535
                      nat on mvneta0.4090 inet6 from <tonatsubnets> to any -> (mvneta0.4090) port 1024:65535 round-robin
                      no rdr proto carp all
                      rdr-anchor "tftp-proxy/*" all
                      rdr on mvneta0.4090 inet proto tcp from any to <REDACTEDWANIP> port = imap -> 10.0.0.15
                      rdr on mvneta0.4090 inet proto tcp from <REDACTEDEXTERNALIP> to <REDACTEDWANIP> port = http-alt -> 10.0.0.10
                      rdr on mvneta0.4090 inet proto tcp from any to <REDACTEDWANIP> port = imaps -> 10.0.0.15
                      rdr on mvneta0.4090 inet proto tcp from any to <REDACTEDWANIP> port = smtp -> 10.0.0.15
                      rdr on mvneta0.4090 inet proto tcp from any to <REDACTEDWANIP> port = submission -> 10.0.0.15
                      rdr on mvneta0.4090 inet proto tcp from any to <REDACTEDWANIP> port = https -> 10.0.0.15

                        viragomann @darwood
                        last edited by Jan 14, 2024, 7:53 PM

                        @darwood
                        So I cannot find a proper outbound NAT rule.

                        My assumption is that the gateway only allows access from your LAN subnet. If that's the case, you need a rule for masquerading the traffic from VLAN 30 with the LAN address.
                        It should look like this:
                        interface: LAN
                        source: VLAN 30 subnet
                        destination: 10.20.1.0/24
                        translation: interface address (=LAN address)

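As an added illustration (not code from any poster or from pfSense itself), the following Python model shows why the outbound NAT rule bound to VLAN30 in the `pfctl -sn` output above could never match, while the rule viragomann describes does. pf evaluates `nat on IF` only against packets leaving IF, and the static route sends 10.20.1.0/24 traffic out the LAN interface (mvneta0.4091), not out mvneta0.30. Interface names and addresses follow the quoted pfctl output; the routing table and the assumption that LINK_SER only answers LAN-subnet sources are constructed for the example.

```python
import ipaddress

# Constructed approximation of the forwarding table pfSense would hold for the
# topology in this thread (static route for 10.20.1.0/24 via LINK_SER on LAN).
ROUTES = [
    # (prefix, egress interface, next hop; None = directly connected)
    ("10.20.1.0/24", "mvneta0.4091", "10.0.0.13"),  # static route via LINK_SER
    ("10.0.0.0/24", "mvneta0.4091", None),          # LAN
    ("10.0.30.0/24", "mvneta0.30", None),           # VLAN30
    ("0.0.0.0/0", "mvneta0.4090", "198.51.100.1"),  # WAN default; placeholder next hop
]


def lookup_route(dst):
    """Longest-prefix match, as the kernel forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, nexthop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def nat_rule(on, src, dst, translate):
    """One 'nat on <on> from <src> to <dst> -> <translate>' rule."""
    return {
        "on": on,
        "from": ipaddress.ip_network(src),
        "to": ipaddress.ip_network(dst),
        "translate": translate,
    }


def apply_outbound_nat(rules, egress_if, src, dst):
    """pf matches 'nat on IF' only for packets leaving IF; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["on"] == egress_if and s in r["from"] and d in r["to"]:
            return r["translate"]
    return src  # no rule matched: source address leaves untranslated


def forward(rules, src, dst):
    """Return (egress interface, source address as seen by the next hop)."""
    egress_if, _nexthop = lookup_route(dst)
    return egress_if, apply_outbound_nat(rules, egress_if, src, dst)


# The rule as it appeared in the thread's 'pfctl -sn' output: bound to the
# VLAN30 interface, so it never sees a packet the static route sends out LAN.
WRONG_RULES = [nat_rule("mvneta0.30", "0.0.0.0/0", "10.20.1.0/24", "10.0.30.254")]

# The corrected rule from the accepted answer: interface LAN, source VLAN30
# subnet, destination 10.20.1.0/24, translate to the LAN interface address.
FIXED_RULES = [nat_rule("mvneta0.4091", "10.0.30.0/24", "10.20.1.0/24", "10.0.0.254")]


def link_ser_accepts(src):
    """Assumption from the thread: LINK_SER only answers LAN-subnet sources."""
    return ipaddress.ip_address(src) in ipaddress.ip_network("10.0.0.0/24")


def vlan30_can_reach_server(rules, client="10.0.30.10", server="10.20.1.102"):
    """True if a VLAN30 client's packet leaves via LAN with a source LINK_SER accepts."""
    egress_if, translated = forward(rules, client, server)
    return egress_if == "mvneta0.4091" and link_ser_accepts(translated)


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_RULES), ("fixed", FIXED_RULES)):
        print(name, forward(rules, "10.0.30.10", "10.20.1.102"),
              "reachable" if vlan30_can_reach_server(rules) else "unreachable")
```

Running it shows the VLAN30-bound rule leaving the 10.0.30.x source untranslated on the LAN egress, while the LAN-bound rule rewrites it to 10.0.0.254, which is what made the pings succeed.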
                          JonathanLee @viragomann
                          last edited by Jan 14, 2024, 7:55 PM

                          @viragomann would it need to be floating? It’s on the same interface, or no??

                          Make sure to upvote

                            viragomann @JonathanLee
                            last edited by Jan 14, 2024, 8:00 PM

                            @JonathanLee
                            As I understood, the gateway is connected to LAN. LAN subnet can access the remote devices, but VLAN 30 cannot.

                            So if he masquerades VLAN 30 traffic destined to the remote network with the LAN address, it should work.
                            This is done with an outbound NAT rule.

                              darwood @viragomann
                              last edited by Jan 14, 2024, 9:18 PM

                              @viragomann

                              You are correct, the solution was to create an outbound NAT. I had tried this before, but I made a mistake: for the interface I selected VLAN30, but this was not the correct interface. The interface should have been LAN. Your solution pointed out that mistake.

                              Thank you.
