Netgate Discussion Forum

    Pfsense reading wrong ip address in system logs

    • casoah

      https://forum.pfsense.org/index.php?topic=74669.msg408078#msg408078
      I made a thread there but the issue isn't explicitly related to OpenVPN.

      Here's the setup:
      OpenWRT(10.10.10.1) -> (10.10.10.196)pfsense(192.168.1.1) -> OpenWRT(192.168.1.150)

      Basically, I have OpenWRT connected to pfsense, pfsense connects to a vpn server and encrypts the connections. On a lan port from pfsense, an ethernet cable connects back to a new port on OpenWRT. Connections are routed through this new connection which has an ip of 192.168.1.150.

      I am trying to make it so one of the computers does not go through the vpn, this computer is connected through OpenWRT with an ip of 10.10.10.212

      According to the arp tables, pfsense correctly sees the computer as 10.10.10.212
      The problem is, this firewall rule does not work, this computer still goes through the vpn.

      When I log in to pfsense from that computer (10.10.10.212) and check the pfsense system log, it reads it as 192.168.1.150
      192.168.1.150 is the ip address OpenWRT is assigned by pfsense. It should be reading 10.10.10.212

      Here's a crude drawing if the setup doesn't make sense.

      • viragomann

        If pfSense sees the computer as 192.168.1.150 whereas it really has 10.10.10.212, then your OpenWRT makes NAT for it.

        Why do you try to bypass this computer from VPN on pfSense? Just set a static route on OpenWRT to direct its traffic to WAN.

        • casoah

          Yea I know, but I'm curious as to why pfsense is doing this.

          What I'm confused about is, if openwrt is making a nat, how can pfsense see it in the first place with arp?
          I can ping 10.10.10.212 from pfsense

          • doktornotor Banned

            It's not pfSense doing anything like this. You are double-NATing.

            • johnpoz LAYER 8 Global Moderator

              Dude your drawing shows both wan and lan of pfsense plugged into ports on the router running openwrt switch ports?  WTF???

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • doktornotor Banned

                Nice loop… the whole setup makes a lot of "sense"... Keep getting amazed every day what kind of complete BS are people able to invent.

                • johnpoz LAYER 8 Global Moderator

                  Look at the lan rules, wan network as your source in your lan rules?

                  Sometimes I'm just at a complete lack of words as to how people think this through…  When would that rule come into play???

                  • casoah

                    @johnpoz:

                    Dude your drawing shows both wan and lan of pfsense plugged into ports on the router running openwrt switch ports?  WTF???

                    The ports are vlan'd on openwrt.

                    The lan port of pfsense plugs back into openwrt, and I have openwrt set that the computers go through that interface.

                    • casoah

                      @johnpoz:

                      Look at the lan rules, wan network as your source in your lan rules?

                      Sometimes I'm just at a complete lack of words as to how people think this through…  When would that rule come into play???

                      The first firewall lan rule?
                      wan isn't the source, it's the gateway the connection should go through.

                      • casoah

                        @doktornotor:

                        Nice loop… the whole setup makes a lot of "sense"... Keep getting amazed every day what kind of complete BS are people able to invent.

                        You realize I can just toss the setup away at any time right?
                        I just want to know why pfsense reads the ip in the system logs as 192.168.1.150 when I can ping 10.10.10.212 from pfsense and the other way around.

                        The whole reason the setup is like this is because the wndr3700 supports vlan tagging. It also supports multiple gateways with mwan3. The problem is if I had openwrt connect to the vpn server I can only get around 20megabits even with the cpu overclocked to 800mhz. So I just hooked up pfsense behind it and used that for the vpn processing.

                        I could just get rid of the wndr3700, but the ipv6 implementation works a lot better than pfsense by default for Comcast users. There's a large thread on dslreports about that.

                        EDIT: I got it, I just had to disable ip masquerading on openwrt.
                        You guys could have mentioned that instead of bashing btw

                        • doktornotor Banned

                          @casoah:

                          You realize I can just toss the setup away at any time right?

                          Yes, so do it… yesterday was too late.

                          @casoah:

                          EDIT: I got it, I just had to disable ip masquerading on openwrt.
                          You guys could have mentioned that instead of bashing btw

                          You have been told at least twice that you are double-NATing.

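The double NAT discussed in this thread, modelled as an added example that is not part of any post: it shows which source address pfSense sees and which LAN rule matches with OpenWrt masquerading on and off, and lists rules that can never match the sources pfSense actually logs. The addresses are from the thread; the two-rule LAN rule set, the gateway names and the destination address are assumptions made for illustration.

```python
"""Added illustration: OpenWrt source NAT vs. a source-matched pfSense LAN rule.
Addresses come from the thread; rule set, gateway names and DST are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OPENWRT_UPLINK_IP = "192.168.1.150"   # OpenWrt's address on the pfSense LAN
BYPASS_HOST = "10.10.10.212"          # computer that should skip the VPN
DST = "203.0.113.10"                  # constructed destination (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Assumed pfSense LAN rules, evaluated top-down, first match wins.
LAN_RULES = [
    {"source": ip_network(BYPASS_HOST + "/32"), "gateway": "WAN"},  # bypass rule
    {"source": ip_network("0.0.0.0/0"), "gateway": "VPN"},          # everything else
]

def openwrt_forward(pkt: Packet, masquerade: bool) -> Packet:
    """Forward towards the pfSense LAN; masquerading rewrites the source address."""
    return Packet(OPENWRT_UPLINK_IP, pkt.dst) if masquerade else pkt

def pfsense_lan_decision(pkt: Packet) -> dict:
    """Return the source pfSense sees (and logs) plus the first matching rule."""
    src = ip_address(pkt.src)
    for index, rule in enumerate(LAN_RULES, start=1):
        if src in rule["source"]:
            return {"seen_source": pkt.src, "rule": index, "gateway": rule["gateway"]}
    return {"seen_source": pkt.src, "rule": None, "gateway": None}  # default deny

def trace(masquerade: bool) -> dict:
    """Follow one packet from the bypass host through OpenWrt to pfSense."""
    return pfsense_lan_decision(openwrt_forward(Packet(BYPASS_HOST, DST), masquerade))

def dead_rules(seen_sources) -> list:
    """Rule numbers that no logged source address ever reaches as first match."""
    hit = {pfsense_lan_decision(Packet(s, DST))["rule"] for s in seen_sources}
    return [i for i in range(1, len(LAN_RULES) + 1) if i not in hit]

if __name__ == "__main__":
    for masq in (True, False):
        print(f"masquerade={masq}: {trace(masq)}")
    print("dead rules when every LAN source is the NAT address:",
          dead_rules([OPENWRT_UPLINK_IP]))
```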