Traffic between two different routers and LANs
-
I have two routers behind an ISP gateway: a pfSense and a commercial router.
Each one has its own public IP and its own local network. I want to allow traffic between the two LANs.
I set up a static route between the LANs and opened firewall ports, but it doesn't work.

LAN 1: 192.168.0.1 /24
LAN 2: 172.16.0.0 /16 (pfSense)
LAN IP pfSense: 172.16.1.1
LAN IP router: 192.168.0.1

Static route on pfSense
network : 192.168.0.0/24
gateway : 192.168.0.1
interface : LAN

Firewall rules LAN
Proto Source Port Destination Port Gateway
* LAN net * 192.168.0.0/24 * 192.168.106.1
* 192.168.0.0/24 * LAN net * *

Is there anything wrong on the pfSense side?
-
Create a VPN between the two routers.
Each WAN has a public IP; if you try to open up traffic between the two you are opening it up to the whole world.
-
Are the routers physically co-located or not? If they are co-located, is there some reason you can't switch all of it over to just pfSense? This would solve your LAN-talking-to-LAN issues and many other possible issues.
-
Maybe I don't understand your network topology? There is a WAN with the ISP gateway (the ISP access device and/or at the ISP on the other end of a cable somewhere), pfSense WAN IP, commercial router WAN IP. These form a little subnet. Let's say they have the following addresses:
ISP gateway: 11.22.33.1/29
pfSense WAN: 11.22.33.2/29
commercial router: 11.22.33.3/29

Then your static route from pfSense needs to specify that 192.168.0.0/24 is reached through 11.22.33.3.
Similarly, on the commercial router add a route to 172.16.0.0/16 through 11.22.33.2.
pfSense WAN needs to allow incoming from the commercial router 11.22.33.3.
The commercial router WAN needs to allow incoming from pfSense 11.22.33.2.
(Open the appropriate ports that you actually want to use between the 2 networks…)

Will the traffic between those 2 WAN IPs stay entirely in your house? I am not sure; certainly ARP and other broadcasts will go across the cable to your ISP also.
Can external people get in? They would have to use a source IP of one of your WAN IPs to get through the firewall rules, and then the replies would not go back to them. So no-one can connect via this. Maybe there are DoS attacks possible? What are the security implications of using your front-end WAN ISP subnet for some local communications?
Edit addition:
Create a VPN between the two routers.
That is the way to ensure security, keep it all as an internal private network with VPN connection, just as if the networks were in physically separate places.
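The following is an added example and not part of the thread. It models the two pfSense interfaces from this discussion (the 172.16.1.1/16 LAN from the question and the illustrative 11.22.33.0/29 WAN segment used above; interface names "LAN" and "WAN" are assumed) and checks the rule every static route has to satisfy: the gateway must sit on a directly connected subnet of the interface the route is bound to, because the kernel has to ARP for the next hop on that interface. It flags the route as originally posted (next hop 192.168.0.1 is only reachable inside the other LAN, and inside the very prefix the route is for) and accepts the one suggested in this reply (next hop 11.22.33.3 on the shared WAN segment). The longest-prefix lookup at the end shows which interface and gateway a packet for the other LAN would actually use once the route is valid.

```python
"""Sanity-check pfSense-style static routes before installing them (added example).

Models the interfaces and routes from the thread and checks the rule the kernel
enforces for any static route: the next hop must be on a directly connected
subnet of the route's interface, otherwise the kernel has nowhere to ARP for it
(FreeBSD logs this as "arpresolve: can't allocate llinfo for <gateway>").
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # address with prefix length, e.g. "172.16.1.1/16"

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


@dataclass(frozen=True)
class StaticRoute:
    network: str    # destination prefix, e.g. "192.168.0.0/24"
    gateway: str    # next-hop address
    interface: str  # interface the route is bound to


def on_link_interface(ifaces, address):
    """Name of the interface whose subnet contains `address`, or None."""
    addr = ipaddress.ip_address(address)
    for iface in ifaces:
        if addr in iface.network:
            return iface.name
    return None


def check_route(ifaces, route):
    """Return a list of problems; an empty list means the route is installable."""
    problems = []
    dst = ipaddress.ip_network(route.network, strict=False)
    gw = ipaddress.ip_address(route.gateway)
    gw_iface = on_link_interface(ifaces, route.gateway)
    if gw_iface is None:
        problems.append(
            f"gateway {gw} is not on any directly connected subnet, so the kernel "
            f"has no interface to ARP on for it")
    elif gw_iface != route.interface:
        problems.append(
            f"gateway {gw} is on-link via {gw_iface}, but the route is bound to "
            f"{route.interface}")
    if gw in dst:
        problems.append(
            f"gateway {gw} lies inside the destination prefix {dst}; the next hop "
            f"would only be reachable through the very route being installed")
    return problems


def next_hop(ifaces, routes, destination):
    """Longest-prefix lookup: (interface, gateway) for `destination`, or None.
    A directly connected destination is delivered without a gateway; static
    routes that fail check_route() are ignored, as the kernel would reject them."""
    dst = ipaddress.ip_address(destination)
    best = None  # (prefix length, interface, gateway)
    for iface in ifaces:
        if dst in iface.network:
            cand = (iface.network.prefixlen, iface.name, None)
            if best is None or cand[0] > best[0]:
                best = cand
    for r in routes:
        net = ipaddress.ip_network(r.network, strict=False)
        if dst in net and not check_route(ifaces, r):
            cand = (net.prefixlen, r.interface, r.gateway)
            if best is None or cand[0] > best[0]:
                best = cand
    return None if best is None else (best[1], best[2])


# Constructed from the thread: pfSense LAN 172.16.1.1/16 and the illustrative
# public /29 used in the replies for the shared WAN segment (assumed names).
PFSENSE_IFACES = (
    Interface("LAN", "172.16.1.1/16"),
    Interface("WAN", "11.22.33.2/29"),
)

# The route as posted: gateway 192.168.0.1 is only reachable inside the other LAN.
POSTED_ROUTE = StaticRoute("192.168.0.0/24", "192.168.0.1", "LAN")

# The route as suggested in the reply: next hop is the commercial router's WAN
# address, which pfSense can ARP for on its own WAN segment.
SUGGESTED_ROUTE = StaticRoute("192.168.0.0/24", "11.22.33.3", "WAN")

if __name__ == "__main__":
    for label, r in (("posted", POSTED_ROUTE), ("suggested", SUGGESTED_ROUTE)):
        probs = check_route(PFSENSE_IFACES, r)
        print(f"{label}: {r.network} via {r.gateway} on {r.interface}")
        for p in probs:
            print("  -", p)
        if not probs:
            print("  ok; 192.168.0.50 ->", next_hop(PFSENSE_IFACES, [r], "192.168.0.50"))
```

The same check, run against the commercial router's side with its own interfaces, tells you whether the reverse route (172.16.0.0/16 via 11.22.33.2) is valid there; without that reverse route pfSense's traffic arrives but the replies are sent to the ISP gateway instead.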
-
Yes, the routers are physically co-located.
My company uses a commercial router, and I have to establish a VPN between this router and a pfSense partner gateway.
I can't establish it, and support is not very helpful. So I set up a new pfSense in my LAN
to prove that the VPN parameters are right.
-
I assume this is an IPsec VPN issue?
Anyway, I'm not sure I understand where all the equipment is and exactly how it's all attaching. I guess, for me anyway, a picture would be worth 1000 keystrokes.
-
To Phil Davis,
These addresses are public :
ISP gateway: 11.22.33.1/29
pfSense WAN: 11.22.33.2/29
Commercial router: 11.22.33.3/29

and I don't want my traffic to go through the WAN IPs, just, if possible, routed LAN-to-LAN traffic.
-
<-----LAN--------------------------------------><------------------WAN--------------------------------->
---172.16.0.1----[ PFSENSE ]------------------- Public IP 1---
------[ Switch ]----|                |----[ ISP ] - Public IP 2---
---192.168.0.1---[ Commercial Router]------ --- Public IP 3---

In Status: System Logs: System, we can read:
kernel: arpresolve: can't allocate llinfo for 192.168.0.1
-
The diagram using dashes does not render so well :)
The only physical connection between 172.16.0.0/24 and 192.168.0.0/24 networks is the common WAN network, with your 2 WAN IPs. Without touching hardware, you have to either:
a) add a route and firewall rule to each router so that they route each other's subnet across the WAN network to each other, or;
b) setup a VPN across the WAN network between the 2.
I don't use IPsec, so if you are forced to use an IPsec VPN, then someone else will need to help if you need detailed settings advice.
If you can use OpenVPN, then I can help with config questions. That obviously requires OpenVPN support on the commercial router.
If you have a spare NIC on the pfSense router, you could connect a cable from a switch in the commercial router network to your pfSense. To get 2-way things working you would need to add a route on the commercial router so it knows about the pfSense. Even better, if the commercial router also has a spare NIC you can cable from pfSense to the commercial router and make a little subnet between them, firewall what you want on either end of that cable… so many ways to skin a cat.
Let us know what way is possible/you prefer to proceed and what questions you need answered...
-
I was thinking of running from the commercial router LAN side to the pfSense WAN side (2nd NIC) and opening all the ports from the pfSense WAN to the commercial router LAN. Not sure how well it would work, because I avoid insane networks, so I have never done anything like it (on purpose).
You would have to disable the block-LAN-on-WAN feature for the second WAN interface on pfSense.