Changing LAN IP/Gateway breaks 2.1
-
Hi,
Long time lurker, first time poster here. I've been trying to get v2.1 in production and keep running up against this wall. Here's my setup:
Internet
|
WAN gateway xxx.yyy.32.1
|
pfSense WAN IP xxx.yyy.32.11
|
pfSense LAN IP 10.0.0.10
|
LAN gateway 10.0.0.1 with static route 10.0.0.0/8 to 10.0.0.1
|
Cisco Layer 3 switch with various subnets (10.0.0.0 through 10.0.17.0)

So my workstation is at 10.0.1.50. I set up pfSense with a LAN IP of 10.0.1.100 so that I can reach it. I leave the WAN interface disconnected and get it all configured. But when I move it to the rack and change its IP, gateway and static route, all traffic running through the pfSense box stops working. I can reach the configurator from my workstation. From the configurator I can ping internet addresses and all LAN addresses in different subnets, but I cannot ping or use any other protocol from a LAN machine to any WAN address. I can also ping the pfSense box from an internet address. If I set "allow all" rules on both LAN and WAN, it makes no difference.
I should also mention that this behavior does not happen in 2.0.3 on the same two sets of hardware that I have tried this on. I've read about not using any LAN gateways, but that isn't an option for me, as it won't be able to find the other LAN subnets configured on the switch.
Any help sorting this out would be greatly appreciated.
-
You only need to setup the "LAN" gateway in System->Routing, then use it in the static route. Do not set any gateway in Interfaces->LAN.
That should work fine - I do this to reach test subnets that are behind L3 devices sitting on LAN.
-
Thanks Phil,
I did do exactly that per Jim's advice in this thread: https://forum.pfsense.org/index.php?topic=74109.0 and it worked!
Methinks there should probably be a warning on the interface configurator page about this. I configured it exactly as I had my 2.0.3 box and it failed spectacularly on 2.1. I think a warning on the LAN config page would save people a lot of grief as I've run across a few threads discussing this issue. It certainly made me pull some hair out for a few days!
(It looks right but why TF doesn't it work?!!?!?)
-
I think a warning on the LAN config page
This is what's in 2.1.1
On local LANs the upstream gateway should be "none".
-
(It looks right but why TF doesn't it work?!!?!?)
Because the pfSense LAN IP is not a gateway from pfSense to anywhere. A "gateway" in network terms is an IP address on another box, that gets you closer to other destination subnets.
If you set it to yourself, then packets can go into a bit of an infinite spin and exhaust their TTL.
When you have other private subnets behind LAN, you could, in principle, have pfSense LAN gateway set to the other router on LAN that gets you to those "back-end" subnets. But pfSense does not need that to be done.
I think the real problem that blows it all up is selecting LAN gateway as "default gateway" (or when pfSense kindly does that for you without you realising).
In any case, on pfSense never set a gateway on a LAN-style interface.
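To make the two answers above concrete (the "System->Routing gateway plus static route, nothing in Interfaces->LAN" recipe, and the explanation of why a gateway pointing at yourself or a default gateway on the LAN side breaks forwarding), here is a small longest-prefix routing model with a checker for those settings. It is an added example, not code from the thread or from pfSense itself. The LAN side uses the addresses in the original post (pfSense LAN 10.0.0.10, L3 switch 10.0.0.1, static route 10.0.0.0/8); the WAN addresses in the post are masked, so the RFC 5737 documentation block 203.0.113.0/24 stands in for them. The "spin until TTL runs out" behaviour is a deliberately simplified model of what the last post describes, not a reproduction of the FreeBSD kernel.

```python
"""Added example: routing lookup model + pfSense-style gateway misconfiguration
checker. Addresses on the WAN side (203.0.113.0/24) are placeholders for the
masked xxx.yyy.32.0 network in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Iface:
    name: str
    addr: ipaddress.IPv4Interface        # own address with mask
    upstream_gw: Optional[IPv4] = None   # the Interfaces->LAN "gateway" field;
                                         # only inspected by check_config()


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[IPv4]              # None = directly connected
    iface: str


class Router:
    def __init__(self, ifaces):
        self.ifaces = {i.name: i for i in ifaces}
        # every interface contributes a connected route
        self.routes = [Route(i.addr.network, None, i.name) for i in ifaces]

    def iface_for(self, gw):
        """Interface whose connected subnet contains the gateway address."""
        gw = IPv4(gw)
        for i in self.ifaces.values():
            if gw in i.addr.network:
                return i.name
        raise ValueError(f"gateway {gw} is not on any connected subnet")

    def add_route(self, prefix, gateway):
        gw = IPv4(gateway)
        self.routes.append(Route(ipaddress.ip_network(prefix), gw, self.iface_for(gw)))

    def local_addrs(self):
        return {i.addr.ip for i in self.ifaces.values()}

    def lookup(self, dst):
        """Longest-prefix match over the table; None if nothing matches."""
        dst = IPv4(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, dst, ttl=64):
        """Return (iface, next_hop) for dst. Simplified model of the 'infinite
        spin': a gateway that is one of our own addresses hands the packet back
        to us, costing one TTL per pass until it expires."""
        dst = IPv4(dst)
        while ttl > 0:
            r = self.lookup(dst)
            if r is None:
                raise LookupError(f"no route to {dst}")
            nh = r.gateway if r.gateway is not None else dst
            if nh not in self.local_addrs():
                return r.iface, str(nh)
            ttl -= 1
        raise RuntimeError(f"TTL exhausted: gateway for {dst} is this router's own address")


def check_config(router, lan_names, default_gw):
    """Flag the settings the thread identifies as breaking 2.1."""
    warnings = []
    default_gw = IPv4(default_gw)
    for name in lan_names:
        i = router.ifaces[name]
        if i.upstream_gw is not None:
            warnings.append(f"{name}: upstream gateway should be 'none' on a local LAN")
            if i.upstream_gw == i.addr.ip:
                warnings.append(f"{name}: gateway is the interface's own address")
        if default_gw in i.addr.network:
            warnings.append(f"default gateway {default_gw} lies on LAN-side interface {name}")
    return warnings


def thread_router(default_gw="203.0.113.1", lan_gw_field=None):
    """Build the poster's topology. default_gw / lan_gw_field are the knobs
    the thread says must be WAN-side and 'none' respectively."""
    wan = Iface("WAN", ipaddress.ip_interface("203.0.113.11/24"))   # placeholder for xxx.yyy.32.11
    lan = Iface("LAN", ipaddress.ip_interface("10.0.0.10/24"),
                None if lan_gw_field is None else IPv4(lan_gw_field))
    r = Router([wan, lan])
    r.add_route("10.0.0.0/8", "10.0.0.1")      # System->Routing "LAN" gateway + static route
    r.add_route("0.0.0.0/0", default_gw)       # default route
    return r


if __name__ == "__main__":
    good = thread_router()
    print(good.forward("10.0.1.50"), good.forward("8.8.8.8"), check_config(good, ["LAN"], "203.0.113.1"))
    bad = thread_router(default_gw="10.0.0.1")
    print(bad.forward("8.8.8.8"), check_config(bad, ["LAN"], "10.0.0.1"))
```

With the working configuration, 10.0.1.50 is reached via 10.0.0.1 on LAN and Internet destinations via the WAN gateway, and the checker is silent. Point the default route at the LAN-side gateway instead and every Internet-bound packet is handed to the L3 switch, which is the "LAN gateway selected as default gateway" failure from the last post; point it at pfSense's own LAN address and the packet never leaves the box.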