Netgate Discussion Forum

    Configuration advice

Routing and Multi WAN
    27 Posts 2 Posters 6.6k Views
Mike_swe:

After some time I've managed to get the provider of the dedicated line to change the configuration in their equipment, so now I have some new possibilities.

The device "192.168.10.2" now routes traffic for 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24 and 192.168.14.0/24 towards 192.168.10.1, which is my pfSense box. I have added a static route in pfSense for the 192.168.100.0/22 net, and from my primary LAN (192.168.10.0/24) I have no trouble at all reaching hosts on the 100/22 net.

Unfortunately I have encountered some trouble. I cannot seem to get my other LANs to communicate with the 100/22 net. First I thought that it was my IPsec setup, but my second VLAN, 11/24, is also unable to communicate with hosts on the 100/22 net. I have added the appropriate rule for the VLAN2 interface and at my IPsec interface, but I can't get anything through.

Another strange behaviour is that when a host on the 192.168.100.0 net pings a host on the 192.168.10.0 net, the host responds like it should. But when I try to ping the pfSense box interface, nothing. I have checked the rules twice and I am certain that I am permitting protocol "any" from network 192.168.100.0/22.

I have posted here before asking for help regarding other issues, and it has always been a configuration error on my side ::) , which has been easily resolved with your advice, so does anyone have any ideas what to check next regarding this one :)

podilarius:

If you have access to any of the computers behind those remote subnets, try setting up a static route on it to point to 192.168.10.1. This should have routes set up for the 11-14 subnets on it already. Then try to ping. You used to be able to set up routes to different subnets on pfSense, but with 2.1 and I think 2.0, you can no longer do that. This is why I use OpenVPN to push those "special" routes.

Mike_swe:

I've added a manual route on the remote computer, but the result is still the same. Could this be related to the fact that I can't ping my pfSense box at all from my remote sites? It's the same interface that lies in the 192.168.10.0/24 net. I can reach the hosts in this net but not the firewall interface. So I guess when traffic is routed to this interface, it gets blocked like my ICMP packets.

When you say you can't do static routes to different subnets in v2.1, why can't you use this function?

/Mike

podilarius:

Sorry, I don't want to confuse. You cannot route to a different subnet while pfSense does not have an interface in that subnet.
I used to route to my lab network from the data center by setting up a route/gateway combo, but since the gateway was behind a FW, when I moved to 2.0 this became invalid. I switched to OpenVPN so that I could push the route. You can route to different subnets so long as the gateway is in the same subnet as an interface of pfSense.

Mike_swe:

I think I understand =).

In the gateway section I have only created one gateway, which is bound to the 192.168.10.0 interface. It points to 192.168.10.2. Should I also create a second gateway with the same IP address as my first but bound to the 192.168.11.0 interface?

In the gateway section I also have my default WAN connection, just for your information.

Mike_swe:

Now I have also found another problem. From the net that actually works towards my remote site, I've tried accessing a terminal server. It connects all fine, but I get disconnected every 10 seconds. I've tested setting my client to the second gateway directly and the problem disappears. So something happens when the traffic passes my pfSense box. The ping packets work alright, but the RDP packets get broken. Can I somehow find a log or something showing me what's happening?

/Mike

Mike_swe:

An update again =)

I've managed to solve the above error with the following change after some googling =). Under the rules for my static route I've changed Advanced - State - No state.

I feel lost here. What exactly does this mean?

/Mike

Mike_swe:

I've done some more reading up on this issue and now I understand the no state option and why it works now. Since traffic goes directly from hosts on the 192.168.100.0 net towards hosts on the 192.168.10.0 net, the routing is asymmetric.

But the main issue still remains.

I am unable to ping 192.168.10.1 from 192.168.100.0. I can ping every host but not the pfSense interface. The right rules are in place at the interface. When I try a ping from the 192.168.100.0 net towards 192.168.11.0 I get TTL Expired.

When I try a tracert from the 192.168.100.0 net towards the 192.168.11.0 net I get a routing loop that keeps on looping at my second gateway, which is 192.168.10.2.

When I remove the rules at my interface for 192.168.100.0, the pings just time out instead and the tracert stops looping.

Is this a non-resolvable issue which I can't solve with pfSense and my setup? I don't know what to try next.

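The asymmetric-routing effect Mike describes above (replies from the 100/22 hosts reach the LAN hosts directly through 192.168.10.2, while the LAN hosts send their packets out through pfSense), as an added illustration that is not code from the thread or from pfSense: a deliberately simplified model of a stateful filter that only ever sees the client side of a TCP session, compared with the same rule evaluated without state. The addresses, the 10-second half-open timeout and the packet sequence are constructed for the model and are not pf's real timers or state machine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Networks from the thread; the hosts and the timeout are constructed for this model.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
MPLS_NET = ipaddress.ip_network("192.168.100.0/22")
HALF_OPEN_TIMEOUT = 10.0  # seconds a never-completed handshake is tolerated (model value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA"
    t: float            # arrival time in seconds
    via_firewall: bool  # False: delivered directly on the LAN segment, never seen by pfSense


def rule_allows(p: Packet) -> bool:
    """The thread's rule: any protocol from the LAN towards 192.168.100.0/22."""
    return (ipaddress.ip_address(p.src) in LAN_NET
            and ipaddress.ip_address(p.dst) in MPLS_NET)


class Firewall:
    """Tracks one state per address pair; 'established' means a SYN-ACK was seen."""

    def __init__(self, keep_state: bool):
        self.keep_state = keep_state
        self.states = {}  # (ip_a, ip_b) sorted -> {"established": bool, "created": float}

    def process(self, p: Packet) -> str:
        if not p.via_firewall:
            return "bypassed"
        if not self.keep_state:
            # "No state": every packet is judged by the rule alone, in isolation.
            return "pass" if rule_allows(p) else "block"
        key = tuple(sorted((p.src, p.dst)))
        state = self.states.get(key)
        if state and not state["established"] and p.t - state["created"] > HALF_OPEN_TIMEOUT:
            del self.states[key]  # handshake never completed from the firewall's point of view
            state = None
        if state:
            if p.flags == "SA":
                state["established"] = True
            return "pass"
        if p.flags == "S" and rule_allows(p):
            self.states[key] = {"established": False, "created": p.t}
            return "pass"
        return "block"  # no matching state and not a permitted connection opener


def session(keep_state: bool, symmetric: bool = False) -> List[str]:
    """An RDP-like session. With symmetric=False the SYN-ACK bypasses the firewall."""
    fw = Firewall(keep_state)
    client, server = "192.168.10.50", "192.168.100.23"  # constructed hosts
    pkts = [
        Packet(client, server, "S", 0.0, True),        # SYN leaves via the default gateway (pfSense)
        Packet(server, client, "SA", 0.1, symmetric),  # SYN-ACK comes back from 192.168.10.2 directly
        Packet(client, server, "A", 0.2, True),
        Packet(client, server, "PA", 5.0, True),       # data while the half-open state still lives
        Packet(client, server, "PA", 15.0, True),      # data after the half-open state expired
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    print("keep state, asymmetric:", session(True))
    print("no state,   asymmetric:", session(False))
    print("keep state, symmetric: ", session(True, symmetric=True))
```

In the asymmetric case with state tracking the session works for a while and then the firewall starts dropping the client's packets, which is the "connects fine, then disconnects" pattern from the earlier post; disabling state tracking for that rule makes every packet pass on the rule alone, at the cost of losing the protection a state table gives against unsolicited packets. The symmetric run shows the same rule behaving normally when both directions traverse the firewall.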
podilarius:

Okay, on the pfSense box there should be a route set up for 192.168.100.0/22 that has 192.168.10.2 as a gateway.
The default LAN rule should allow hosts in 192.168.10.0/24 to get to 192.168.100.0/22. If 192.168.100.0/22 is also relying on pfSense to handle its internet, then you are going to have to create an allow rule inbound on the LAN to accept traffic and also a NAT rule to transform the source. If not, then you must have a rule at the remote location's default gateway that states that if you are going to 192.168.10,11,12,13,14,15.0/24, you must go to 192.168.100.2/32 or the gateway's IP on the other side of the MPLS. It sounds like you might have that already. There is also a setting in advanced config that disables firewall rule checking if the source and destination are on the same interface.
You will have to have a route on the remote site's IPsec for the return traffic to 192.168.100.0/22 back to 192.168.10.2/32.

On the site-to-site connection, is there a firewall rule in place? Is the default gateway on the 192.168.100.0/22 network set up to allow traffic to the 192.168.10,11,12,13,14,15.0/24 networks?

Mike_swe:

Thanks for the help :)

Route setup for 192.168.100.0/22 with gateway 192.168.10.2 = it's in place
Default LAN rule to allow hosts towards 192.168.100.0/22 = check
pfSense should not handle internet for 192.168.100.0/22, but I want to be able to ping my pfSense box, so I've also created an inbound rule towards my LAN interface for 192.168.100.0/22
The MPLS from 192.168.100.0/22 has a route for 192.168.11-12-13-14-15.0/24 towards 192.168.10.1
I have tried the setting in advanced regarding static route filtering, but it makes no difference.
The site-to-site connection has no firewalls in place.

Could this be related to my outbound NAT rules? I use manual outbound NAT and here I haven't made any configuration for this. Since it is a static route I thought that the packets didn't pass that way.

The return route for my IPsec towards 192.168.100.0/22 is a second phase 2 entry for that subnet towards my pfSense box. I then thought my existing static route in pfSense towards 192.168.10.2 would do the trick?

podilarius:

"The MPLS from 192.168.100.0/22 has a route for 192.168.11-12-13-14-15.0/24 towards 192.168.10.1"

Does the MPLS have an IP address in both subnets, one for each side? If so, then the firewall or default gateway at the remote site needs to use the corresponding 192.168.100.<whatever IP is at the remote side> as the route to 192.168.10-15.0/24. The MPLS can then route 192.168.11-15.0/24 to 192.168.10.1/24.
pfSense would then have a route for 192.168.100.0/22 to the 192.168.10.2/24 gateway.
You probably want to enable the "Bypass firewall rules for traffic on the same interface" option in the advanced config.
This should take care of your main network and any VLAN on pfSense.
The remote sites are a little more tricky, but they have no chance of working if the pfSense VLAN is not working. Once you have the 10,11/24 networks working properly, then move on to remote sites 12-15/24. I would think they would only need a route for 100/22 to 10.1/24, just like you would have set up for the 11.0/24 network.

Mike_swe:

Thanks again.

The MPLS has an IP on each side. The remote site has 192.168.100.1. From what I can tell here the routing seems OK, since I am able to ping a host on the 192.168.10.0/24 net from my remote site, and from my local site I can ping a host on the remote side of the MPLS.

When I am running a tracert towards my VLAN 192.168.11.0/24 from 192.168.100.0, I can see that the routing is in place in the MPLS gateways, but when it reaches my pfSense box it gets looped back towards 192.168.10.2 instead of going to my VLAN host.

When I try to ping a host on the 192.168.100.0/22 net from my pfSense box I also get a timeout. It feels like this could also be the reason for not being able to ping the pfSense interface IP from my 192.168.100.0/22 net. Something must be wrong with my routing setup in my pfSense box.

It seems like the checkbox in advanced for the static route filtering doesn't do the trick.

podilarius:

Could you paste your routing table from pfSense?

Mike_swe:

default 87.96.188.1 UGS 0 408828554 1500 bce1
127.0.0.1 link#5 UH 0 1745058 16384 lo0
192.168.10.0/24 link#7 U 0 4131193 1500 bce0_vlan40
192.168.10.254 link#7 UHS 0 0 16384 lo0
192.168.11.0/24 link#8 U 0 370222006 1500 bce0_vlan30
192.168.11.254 link#8 UHS 0 0 16384 lo0
192.168.100.0/22 192.168.10.2 UGS 0 6 1500 bce0_vlan40

For the moment I have removed the IPsec connections towards my remote offices just for test purposes, so now I only have my 2 VLANs and my static route towards my MPLS.

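A way to check what a routing table like the one posted above actually decides for a given destination, as an added example that is not code from the thread or from pfSense: it parses the netstat-style lines, performs a longest-prefix match, and then follows next-hops across several devices' tables to flag a forwarding loop. The pfSense table is the one Mike posted; the table for the MPLS device at 192.168.10.2 and the deliberately broken "misconfigured" table are constructed here purely to exercise the loop check, and say nothing about what that device really holds.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routing table exactly as posted in the thread (netstat -rn columns: dest gw flags refs use mtu iface).
PFSENSE_TABLE = """
default 87.96.188.1 UGS 0 408828554 1500 bce1
127.0.0.1 link#5 UH 0 1745058 16384 lo0
192.168.10.0/24 link#7 U 0 4131193 1500 bce0_vlan40
192.168.10.254 link#7 UHS 0 0 16384 lo0
192.168.11.0/24 link#8 U 0 370222006 1500 bce0_vlan30
192.168.11.254 link#8 UHS 0 0 16384 lo0
192.168.100.0/22 192.168.10.2 UGS 0 6 1500 bce0_vlan40
"""

# Constructed (hypothetical) table for the MPLS device at 192.168.10.2, following the thread's
# description that it routes the 11/24 VLAN towards 192.168.10.1 and is connected to 100/22.
MPLS_TABLE = """
192.168.10.0/24 link#1 U 0 0 1500 em0
192.168.100.0/22 link#2 U 0 0 1500 em1
192.168.11.0/24 192.168.10.1 UGS 0 0 1500 em0
"""

# Constructed, intentionally wrong table: the VLAN prefix is sent back to the MPLS device.
MISCONFIGURED_TABLE = """
192.168.10.0/24 link#7 U 0 0 1500 bce0_vlan40
192.168.11.0/24 192.168.10.2 UGS 0 0 1500 bce0_vlan40
192.168.100.0/22 192.168.10.2 UGS 0 0 1500 bce0_vlan40
"""

Route = Tuple[ipaddress.IPv4Network, Optional[str], str]  # (prefix, next-hop or None if connected, iface)


def parse_table(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.strip().splitlines():
        dest, gw, flags, *_counters, iface = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        nexthop = gw if "G" in flags else None  # 'G' = via gateway; 'link#N' entries are connected
        routes.append((prefix, nexthop, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(tables: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 16):
    """Follow next-hops device by device; a next-hop without a table is the final segment."""
    path, device = [start], start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return "no-route", path
        if route[1] is None:
            return "delivered", path  # destination network is directly connected here
        device = route[1]
        path.append(device)
        if path.count(device) > 1:
            return "loop", path       # we have forwarded to this device before
        if device not in tables:
            return "delivered", path
    return "ttl-expired", path


def example_traces():
    pf, mpls, bad = parse_table(PFSENSE_TABLE), parse_table(MPLS_TABLE), parse_table(MISCONFIGURED_TABLE)
    good = {"192.168.10.1": pf, "192.168.10.2": mpls}
    broken = {"192.168.10.1": bad, "192.168.10.2": mpls}
    return {
        "to_mpls_host": trace(good, "192.168.10.1", "192.168.100.23"),
        "to_vlan_host": trace(good, "192.168.10.2", "192.168.11.5"),
        "misconfigured": trace(broken, "192.168.10.2", "192.168.11.5"),
    }


if __name__ == "__main__":
    pf = parse_table(PFSENSE_TABLE)
    for dst in ("192.168.100.23", "192.168.11.5", "192.168.10.254", "8.8.8.8"):
        print(dst, "->", lookup(pf, dst))
    for name, result in example_traces().items():
        print(name, result)
```

Against the posted table, 192.168.100.23 is forwarded to 192.168.10.2 on bce0_vlan40, 192.168.11.5 is directly connected on bce0_vlan30, and anything else falls to the default route on bce1; the constructed "misconfigured" pair is what a loop looks like to the tracer, which is the same thing a TTL-expired traceroute reveals from the outside.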
podilarius:

What I find interesting is that you have this:
192.168.10.254  link#7  UHS  0  0  16384  lo0

I wonder if that is a function of VLAN, but it seems quite odd.

When you traceroute from an 11.0/24 computer to 100.0/22, what does the route look like?

Mike_swe:

Sorry for the delay.

When I traceroute from 192.168.11.5 towards 192.168.100.23 it looks like this:

traceroute to 192.168.100.23 (192.168.100.23), 30 hops max, 60 byte packets
1  192.168.10.2 (192.168.10.2)  8.746 ms  8.737 ms  8.731 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

podilarius:

Do you have the routing on 11.5 pointing directly to 10.2? If so, please remove that route and try again.

Mike_swe:

No, I do not have that route.

I only have a default route on that machine, which points to 192.168.11.1, which is the default gateway of that VLAN.

podilarius:

What are the rules on that VLAN interface?

Mike_swe:

On the 192.168.11.0 VLAN I've got:

Proto any From 192.168.11.0/24 Destination 192.168.100.0/22 Gateway 192.168.10.2
Proto any From * Destination * Gateway *
