Static Route Across Subnets?

DaHai8

Due to the shenanigans of my ISP, I am forced to use their router. I also have pfSense installed with multiple Lans (to keep IoT isolated, etc).
So here is what I am dealing with:

192.168.1.3 (SteamLink Pi)
192.168.1.1 (ISP Router)
192.168.1.2 (pfSense WAN)
172.29.3.175 (Windows PC running Steam - Lan Port 3)

While I can Ping and Tracert from 172.29.3.175 (WIndows PC) to 192.168.1.3 (SteamLink Pi) with <5m ping times,
I cannot Ping the Windows PC from the SteamLink Pi. And SteamLink on the Pi reports < 10MB/s connection to the Windows PC.

I tried:

ip route add 172.29.3.175 via 192.168.1.2 dev eth0 proto static

On the SteamLink Pi, but it didn't help.
Should that have worked and I've borked something elsewhere? Or am I missing another piece to this puzzle? Something to set in pfSense?

P.S. Due to the existing wiring in the apartment, all ethernet in the walls are on 192.168.1.0/24. The pfSense box is plugged into one of those outlets and the Pi in another. Due to the Pi's tiny Wifi Antenna, I can only get -75db single, so I need to use Ethernet.

patient0

@DaHai8 said in Static Route Across Subnets?:

172.29.3.175 (Windows PC running Steam - Lan Port 3)

Is the Windows PC on LAN port 3 of pfSense and 172.29.3.175/24 is the pfSense LAN network?
In general all access from pfSense WAN to pfSense LAN is blocked by default.

What are you trying to accomplish?

DaHai8

@patient0 : Thanks for the response.
I'm trying to get SteamLink on the Pi connected back to my PC.
Yes, the Windows PC is on LAN Port 3 of pfSense and 172.29.3.175/24 is the pfSense LAN network.
And because the pfSense WAN is not directly connected to a Public IP (it is local port 192.168.1.2 of the ISP's router IP), I have "Block private networks and loopback addresses" turned off on the WAN port.
P.S. "Block bogon networks" is also diabled on the WAN port

patient0

@DaHai8 said in Static Route Across Subnets?:

I'm trying to get SteamLink on the Pi connected back to my PC.

You can disable NAT and turn pfSense into a router as long as it stays behind the ISP router.

I have "Block private networks and loopback addresses" turned off on the WAN port.
P.S. "Block bogon networks" is also diabled on the WAN port

The default is still block everything just without the explicit block rules for the two. You will need explicit allow rules on the WAN interface (on any interface for that matter, default is always blocking).

If you keep the NAT then you will need to setup port forwarding rules for the ports/protocols you want to be forwarded to the Windows PC.

DaHai8

@patient0 : Thank you! It's better, but I still seem to be missing/screwing up something.

Here is my NAT Port Forwarding:

Apologies for the change in the PC IP Address (from .175 to .100). I switched it to Ethernet to squeeze out a bit more bandwidth.

Still, I'm only getting a 'Far' connection at 75MBs (up from 'Poor' before). But that's not the best I got (85MBs) when I ran a cable across the apartment from the Pi directly into my 172.29.3.x switch (same one the PC is on).

And I still cannot Ping the PC from the Pi, even with ICMP opened

Thoughts?
Thanks!

patient0

@DaHai8 said in Static Route Across Subnets?:

Still, I'm only getting a 'Far' connection at 75MBs (up from 'Poor' before). But that's not the best I got (85MBs) when I ran a cable across the apartment from the Pi directly into my 172.29.3.x switch (same one the PC is on).

NAT will take some resources to process, on what device does pfSense run?

And I still cannot Ping the PC from the Pi, even with ICMP opened

I'm not sure about that, there is an old thread about "Port Forwarding Ping from WAN to LAN–- does not work?" according to it, it is possible.
Maybe someone better informed can help with that.

DaHai8

@patient0 : Thanks for the reply!

pfSense is running on:

8GB Ram DDR4
128GB SSD
4x2.5GB Network Ports (but the home network routers and switches are only 1GB)

Not too worried about Ping, just using it as a sanity check - but I will check out that link, since Tracert also fails.

tinfoilmatt

@DaHai8 Windows Firewall blocks incoming ping from any subnet other than its own by default.

patient0

@DaHai8 said in Static Route Across Subnets?:

pfSense is running on: (N100)

That CPU is certainly more than capable of handling that kind of speed.

I'm really not sure why the speed is reduced. Btw: Are we talking 85/75 Mbit or MByte?

DaHai8

@patient0 :
The SteamLink Network test reports in Mb/s (70Mb/s). Sorry for the confusion. I did read that SteamLink caps the rate at 100Mb/s regardless.

I'm going try to get Ping and Traceroute working so I can see if the packets are taking a detour or not.

Thank you for all your help!!!

DaHai8

@tinfoilmatt :
I enabled File and Print Sharing (Echo Request - ICMPv4-In) for both Domain and Private,Public in Windows Defender.

Still not getting Pings to go through, so perhaps another setting elsewhere.

DaHai8

I finally got Ping working in Windows. Had to accept ANY source for Remote Address in Windows Defender Firewall for Private.Public Profile.
And I am getting sub ms response times from the Pi to Windows (~0.56ms). So the route seems to be direct without any detours.

Traceroute still fails, but that could be the ISP modem/router not allowing it.

So, it appears ~75Mb/s is the best I can expect. 5x faster than before!!!

Thanks Everyone!

P.S. ICMP also needed to be added to the Firewall Rules in pfSense on the WAN interface to allow Pings through