pfSense reading wrong IP address in system logs



  • https://forum.pfsense.org/index.php?topic=74669.msg408078#msg408078
    I made a thread there but the issue isn't explicitly related to OpenVPN.

    Here's the setup:
    OpenWRT(10.10.10.1) -> (10.10.10.196)pfsense(192.168.1.1) -> OpenWRT(192.168.1.150)

    Basically, I have OpenWRT connected to pfSense; pfSense connects to a VPN server and encrypts the connections. On a LAN port from pfSense, an Ethernet cable connects back to a new port on OpenWRT. Connections are routed through this new connection, which has an IP of 192.168.1.150.

    I am trying to make it so one of the computers does not go through the VPN. This computer is connected through OpenWRT with an IP of 10.10.10.212.

    According to the ARP tables, pfSense correctly sees the computer as 10.10.10.212.
    The problem is, this firewall rule does not work; this computer still goes through the VPN.

    When I log in to pfSense from that computer (10.10.10.212) and check the pfSense system log, it reads as 192.168.1.150.
    192.168.1.150 is the IP address OpenWRT is assigned by pfSense. It should be reading 10.10.10.212.

    Here's a crude drawing if the setup doesn't make sense.



  • If pfSense sees the computer as 192.168.1.150 whereas it really has 10.10.10.212, then your OpenWRT is doing NAT for it.

    Why do you try to bypass the VPN for this computer on pfSense? Just set a static route on OpenWRT to direct its traffic to WAN.



  • Yeah, I know, but I'm curious as to why pfSense is doing this.

    What I'm confused about is: if OpenWRT is doing NAT, how can pfSense see it in the first place with ARP?
    I can ping 10.10.10.212 from pfSense.


  • Banned

    It's not pfSense doing anything like this. You are double-NATing.


  • LAYER 8 Global Moderator

    Dude, your drawing shows both WAN and LAN of pfSense plugged into switch ports on the router running OpenWRT? WTF???


  • Banned

    Nice loop… the whole setup makes a lot of "sense"... I keep getting amazed every day at what kind of complete BS people are able to invent.


  • LAYER 8 Global Moderator

    Look at the LAN rules: WAN network as your source in your LAN rules?

    Sometimes I'm just at a complete loss for words at how people think this through… When would that rule come into play???



  • @johnpoz:

    Dude, your drawing shows both WAN and LAN of pfSense plugged into switch ports on the router running OpenWRT? WTF???

    The ports are VLAN'd on OpenWRT.

    The LAN port of pfSense plugs back into OpenWRT, and I have OpenWRT set so that the computers go through that interface.



  • @johnpoz:

    Look at the LAN rules: WAN network as your source in your LAN rules?

    Sometimes I'm just at a complete loss for words at how people think this through… When would that rule come into play???

    The first firewall LAN rule?
    WAN isn't the source, it's the gateway the connection should go through.



  • @doktornotor:

    Nice loop… the whole setup makes a lot of "sense"... I keep getting amazed every day at what kind of complete BS people are able to invent.

    You realize I can just toss the setup away at any time, right?
    I just want to know why pfSense reads the IP in the system logs as 192.168.1.150 when I can ping 10.10.10.212 from pfSense and the other way around.

    The whole reason the setup is like this is that the WNDR3700 supports VLAN tagging. It also supports multiple gateways with mwan3. The problem is, if I have OpenWRT connect to the VPN server, I can only get around 20 megabits even with the CPU overclocked to 800 MHz. So I just hooked up pfSense behind it and used that for the VPN processing.

    I could just get rid of the WNDR3700, but its IPv6 implementation works a lot better than pfSense's by default for Comcast users. There's a large thread on DSLReports about that.

    EDIT: I got it, I just had to disable IP masquerading on OpenWRT.
    You guys could have mentioned that instead of bashing, btw.
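What the "double NAT" replies and the final fix amount to on the OpenWRT side, as an added example that is not from any post in this thread: an /etc/config/firewall zone for the VLAN that plugs into pfSense's LAN port, first with masquerading on (the state that makes pfSense log 192.168.1.150) and then with it off. The zone name 'pfsense_lan', the interface name 'vlan3' and the source zone 'lan' are assumptions; the thread does not name them.

```uci
# /etc/config/firewall on OpenWRT (added example; zone and interface names
# 'pfsense_lan', 'vlan3' and 'lan' are assumptions, not from the thread)

# BEFORE: masq '1' on the zone facing pfSense's LAN. Every packet forwarded
# out of this zone has its source rewritten to the interface address,
# 192.168.1.150, so pfSense's firewall and its system log see only that
# address. A pfSense LAN rule matching source 10.10.10.212 can never fire,
# even though ARP and ping still reach 10.10.10.212 directly over the
# 10.10.10.0/24 segment on pfSense's WAN side.
config zone
	option name 'pfsense_lan'
	list network 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# AFTER: masq '0'. Packets from 10.10.10.212 arrive at pfSense's LAN with
# their real source address, so the per-host rule that sends that computer
# via the WAN gateway matches and the log shows 10.10.10.212. pfSense still
# needs a path back to 10.10.10.0/24 for replies; in the setup described,
# that network is directly connected on its WAN interface.
config zone
	option name 'pfsense_lan'
	list network 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'

# Forwarding from the computers' zone into the pfSense-facing zone must
# still be permitted explicitly; disabling masq does not grant it.
config forwarding
	option src 'lan'
	option dest 'pfsense_lan'
```

Only one of the two zone stanzas should exist in the file at a time; they are shown together to contrast the setting. On a running box, the equivalent check is whether the POSTROUTING chain of the nat table carries a MASQUERADE target for that interface.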


  • Banned

    @casoah:

    You realize I can just toss the setup away at any time, right?

    Yes, so do it… yesterday was too late.

    @casoah:

    EDIT: I got it, I just had to disable IP masquerading on OpenWRT.
    You guys could have mentioned that instead of bashing, btw.

    You have been told at least twice that you are double-NATing.

