Routing multiple gateways
Hello all. Apologies If this is in the wrong category but not sure whether problem here lies with routing or NAT or some other strangeness but would appreciate any pointers.
I'm setting up a network as per image. We have pfsense boxes at two different offices which filter internet traffic. We are now adding the 10.1.100.0/10.2.100.0 link between sites. However I am unable to get traffic flowing between client machines at each site.
-Connectivity from client machines to pfsense boxes is ok.
-Connectivity between pfsense boxes is ok and I am able to ping both ways across the inter-site link.
I am unable to ping from a client machine on one site to a client on the other. This makes me think I have a routing/filtering issue.
-I have added rules on pfsense boxes to allow all traffic from LAN.
-Default GW on pfsense points to the internet feed however I have added a second GW for 10.1.0.0/16 and 10.2.0.0/16 on each side to route traffic between offices.
You need on both sites a static route entry pointing to the other sides pfSense for that subnet.
–> System --> Routing --> Routes
Yes forgot to mention, I have added routes. Still no joy..
A bit more info. I'm still struggling with this and it's starting to drive me a bit mad.
I ran packet capture on each of the pfsense boxes whilst pinging from the other and I can see the request and then response packets. I then ran the ping from the client boxes and ran the capture again. This time I could see the ping request packets but no response. Totally confused. If the ping request is making it to the target interface what would stop the response?
I have added an 'Allow all' rule to prevent the firewall stopping traffic. Even if there's a routing issue I would have thought that I would see the response being issued - even if it didn't make it back to the client.
Any clues gratefully received….
I assumed that was a typo on your diagram since you said you can ping between your two pfSense, but can you really do that?
According to your diagram the interlink interfaces of the pfSenses are
10.1.100.0/24 and 10.2.100.0/24.
These IP-ranges can never communicate with each other.
Yes I am able to ping between the two subnets as the router which links the two has has an interface in each subnet and handles the outing between them. Perhaps the problems stem from the fact a packet from a client would be translated to a new subnet by pfsense, then again by the router and it's getting a bit confused somewhere along the way? Not sure how to troubleshoot this though…
… there is another router between the two pfSense?
This is not clear in your description.
In this case you also need to add the same static routes on this other router.
Yes, sorry was trying to put together diagram quickly and maybe oversimplified it a little. The router is a vyatta which apparently learns the routes itself. This does appear to be working as the pfsense boxes have connectivity to one another. It's getting the client traffic thru pfsense and across the link that is not currently working.
Thanks for the info so far GF. I'm sure I've missed something obvious but I just can't seem to see it.
I dont think that the vyatta can learn routes just like that.
There has to be some learning protocol involved.
And as long as you didn't set up the pfSense to participate with this protocol there is not "learning just like that".
Most probably the reason why the both pfSense can talk to each other is because when they send traffic for the other pfSense to the vyatta, the vyatta "sees" both pfSense on a local interface.
However not the subnet behind these pfSense.
Try adding static routes for the subnets behind the pfSenses pointing to the pfSense on the vyatta.
Thanks GF. You are correct vyatta needed to be told about the routes, so not the fault of pfsense at all. Very happy this is now working and traffic is flowing nicely.