WAN_DSL => => LAN, vlan10 => wan ip clients / wifi router => clients
Now, on vlan20 with IP 172.16.2.2, I've got a wifi WAN setup which has an IP of 172.16.2.1. If I set the gateway monitor to 18.104.22.168 it pings fine.
If I create vlan20 on my clients and set the default gateway to 172.16.2.1, I can go on the internet just fine.
However, if I ping from the router through IP 172.16.2.2 to 22.214.171.124 then it doesn't work. If I change the monitor IP to 126.96.36.199 I can ping it again. Why is this? After changing the IP to 188.8.131.52 I can't ping 184.108.40.206 anymore.
So basically, from IP 172.16.2.2, which is a member of vlan20, I can only reach the gateway monitor; aside from that I can't reach anything from that IP. However, if I go to any client and set the default gateway to 172.16.2.1, I can just use the internet. And yes, I've set the gateway for 172.16.2.2 to 172.16.2.1.
WAN_DSL => => LAN, vlan10 => wan ip clients / wifi router => clients
Am I the only one to whom the above "network diagram" makes no sense whatsoever?
I hope it makes more sense now. I added an attachment with an image.
wan static/28: wan addresses
lan 192.168.1.0/24: clients
vlan10 172.16.1.0/24: management range/making servers reach certain clients
vlan20 172.16.2.0/24: bridge network
Not sure what is really going on from your diagram. A logical diagram would be useful, because on the physical diagram I have to try and guess where the broadcast domain of each VLAN actually might be…
Clients are in 192.168.1.0/24 on the diagram. So I don't see how you can "set the default gateway to 172.16.2.1".
Anyway, it sounds like vlan20 is a path to the internet (WAN-style interface). When you specify an alternate monitor IP, pfSense explicitly makes a route to that IP out through the corresponding gateway. So anything behind pfSense, and pfSense itself, should reach that IP address by using the specified (vlan20) interface/gateway. That is the behavior you seem to be describing with 220.127.116.11 and 18.104.22.168.
If you want any other traffic to go over that "vlan20 WAN", then you have to put policy-routing rules on the LAN(s), i.e. pass rules that specify the gateway in the advanced section.
But maybe you have "clients" sitting in the vlan20 also and want them to go back to pfSense (as if they were a "LAN-style" subnet) and then be routed out either WAN ("real" WAN or vlan20) according to your failover/load-balancing needs. I posted about that quite a while ago. If you need that, then say so and I can find the post.
Labels from the attached diagram image:
static wan / static/28 from isp >>
172.16.1.1/24 (nat) static wan
gets IP from wireless >>
gets routable from pfsense static/28 and >>
So to me it's really strange that pfSense can't use 172.16.2.2 to connect to the internet while all my other clients in vlan20 can. And yes, I added firewall rules to allow all.
I hope this makes sense. So basically on vlan20 pfSense is kind of a client (not sure if I can call it that), but if I set a client to IP 172.16.2.100 and add a route to 172.16.2.1 it works just fine, so I don't really understand why this isn't the case for pfSense.
#client linux box
$ ifconfig eth0.20
eth0.20   Link encap:Ethernet  HWaddr 94:de:80:ab:49:bf
          inet addr:172.16.2.100  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::96de:80ff:feab:49bf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26971 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12384361 (12.3 MB)  TX bytes:3447072 (3.4 MB)
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0.10
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.20
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
$ ping -n google.be
PING google.be (22.214.171.124) 56(84) bytes of data.
64 bytes from 126.96.36.199: icmp_req=1 ttl=48 time=16.1 ms
64 bytes from 188.8.131.52: icmp_req=2 ttl=48 time=15.2 ms
$ ping -n yahoo.com
PING yahoo.com (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11: icmp_req=1 ttl=41 time=155 ms
64 bytes from 18.104.22.168: icmp_req=2 ttl=41 time=156 ms
$ sudo route del -net default
$ sudo route add -net default gw 172.16.2.1
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.2.1      0.0.0.0         UG    0      0        0 eth0.20
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0.10
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0.20
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
$ ping -n google.be
PING google.be (22.214.171.124) 56(84) bytes of data.
64 bytes from 126.96.36.199: icmp_req=1 ttl=44 time=50.5 ms
64 bytes from 188.8.131.52: icmp_req=2 ttl=44 time=46.9 ms
$ ping -n yahoo.com
PING yahoo.com (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11: icmp_req=1 ttl=48 time=132 ms
64 bytes from 18.104.22.168: icmp_req=2 ttl=48 time=123 ms

#pfsense
$ ifconfig vr2_vlan20
vr2_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:2b:7f:76
        inet6 fe80::20d:b9ff:fe2b:7f74%vr2_vlan20 prefixlen 64 scopeid 0x8
        inet 172.16.2.2 netmask 0xffffff00 broadcast 172.16.2.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 20 vlanpcp: 0 parent interface: vr2
$ ping -n -S 172.16.2.2 172.16.2.1
PING 172.16.2.1 (172.16.2.1) from 172.16.2.2: 56 data bytes
64 bytes from 172.16.2.1: icmp_seq=0 ttl=64 time=7.980 ms
64 bytes from 172.16.2.1: icmp_seq=1 ttl=64 time=3.489 ms
$ ping -n -S 172.16.2.2 22.214.171.124
PING 126.96.36.199 (188.8.131.52) from 172.16.2.2: 56 data bytes
^C
--- 184.108.40.206 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
$ ping -n -S 172.16.2.2 220.127.116.11
PING 18.104.22.168 (22.214.171.124) from 172.16.2.2: 56 data bytes
64 bytes from 126.96.36.199: icmp_seq=0 ttl=47 time=53.467 ms
64 bytes from 188.8.131.52: icmp_seq=1 ttl=47 time=51.842 ms
^C
--- 184.108.40.206 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.842/52.654/53.467/0.812 ms
$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            213.219.132.x      UGS         0  2977611 pppoe0
220.127.116.11     172.16.2.1         UGHS        0      124 vr2_vl
127.0.0.1          link#7             UH          0        2    lo0
172.16.1.0/24      link#11            U           0     6461 vr2_vl
172.16.1.1         link#11            UHS         0        2    lo0
172.16.2.0/24      link#8             U           0        2 vr2_vl
172.16.2.2         link#8             UHS         0        0    lo0
212.71.19.x/28     link#3             U           0  4167521    vr2
212.71.19.x        link#3             UHS         0      424    lo0
213.219.132.x      link#10            UH          0    56727 pppoe0
213.219.170.x      link#10            UHS         0        0    lo0
I understand now why 18.104.22.168 can be pinged: because of the gateway monitor, it adds a route for that IP.
However, it still doesn't make any sense to me why I can't connect to anything from that IP; it should act as any other regular interface.
I think the ping -S just sets the source IP on the ping packet. It does not affect how it is routed, so pfSense is going to route it out the default gateway (which is your other WAN link), and probably there is no effective NAT rule on the way out that WAN that would NAT source IP 172.16.2.n. So the packet will travel out the main WAN without being NAT'd, and the Google server will not be able to reply.
You should be able to put policy-routing rules on LAN and then traceroute from a LAN client to see which pfSense WAN the traffic takes.
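The two mechanisms described in this thread (the /32 host route pfSense installs for a gateway monitor IP, and the fact that a ping source address does not influence route selection or outbound NAT) can be checked against a small model of the router's own routing table. The following is an added illustration written for this page, not pfSense code and not something posted in the thread. It rebuilds the table from the netstat -rn output above; the ISP addresses the thread redacts as 213.219.132.x / 213.219.170.x are replaced by documentation-range stand-ins, and the NAT behaviour (automatic outbound NAT only for the LAN-type subnets, the wifi router on 172.16.2.1 NATing its own subnet) is an assumption stated in the comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the addresses the thread redacts as 213.219.132.x
# and 213.219.170.x (RFC 5737 documentation range, not real addresses).
DSL_GATEWAY = "198.51.100.1"
DSL_PUBLIC_ADDR = "198.51.100.2"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    iface: str


# Routing table as reconstructed from the netstat -rn output in the thread.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), DSL_GATEWAY, "pppoe0"),
    # host route pfSense installs for the gateway monitor IP (the UGHS entry)
    Route(ipaddress.ip_network("220.127.116.11/32"), "172.16.2.1", "vr2_vlan20"),
    Route(ipaddress.ip_network("172.16.1.0/24"), None, "vr2_vlan10"),
    Route(ipaddress.ip_network("172.16.2.0/24"), None, "vr2_vlan20"),
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "lan"),
]

# Assumption: automatic outbound NAT rewrites the LAN-type subnets to the address
# of whichever WAN-type interface the packet leaves on. vlan20's own subnet is a
# WAN-type network here and is therefore NOT a NAT source.
IFACE_ADDR = {"pppoe0": DSL_PUBLIC_ADDR, "vr2_vlan20": "172.16.2.2"}
NAT_SOURCES = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.1.0/24")]


def lookup(dst: str, policy_gateway: Optional[str] = None) -> Route:
    """Longest-prefix match over ROUTES. The source address is deliberately not
    an input: the kernel picks the egress from the destination alone. A pfSense
    policy-routing rule (pass rule with a gateway set) bypasses the table."""
    if policy_gateway is not None:
        gw = ipaddress.ip_address(policy_gateway)
        for r in ROUTES:
            if r.gateway is None and gw in r.prefix:   # gateway must sit on a connected net
                return Route(ipaddress.ip_network("0.0.0.0/0"), policy_gateway, r.iface)
        raise ValueError(f"policy gateway {policy_gateway} is not on a connected network")
    addr = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if addr in r.prefix), key=lambda r: r.prefix.prefixlen)


def source_on_wire(src: str, route: Route) -> str:
    """Source address after outbound NAT on the chosen egress interface."""
    if route.iface in IFACE_ADDR and any(ipaddress.ip_address(src) in n for n in NAT_SOURCES):
        return IFACE_ADDR[route.iface]
    return src   # leaves untranslated


def diagnose(dst: str, src: str, policy_gateway: Optional[str] = None):
    """Return (egress interface, source seen by the next hop, reply possible).
    A reply is possible when the source on the wire is public, or when the packet
    goes to the wifi router on vlan20, which (assumed, as the thread's clients
    with default gateway 172.16.2.1 reach the internet) NATs 172.16.2.0/24."""
    route = lookup(dst, policy_gateway)
    on_wire = source_on_wire(src, route)
    upstream_nat = (route.iface == "vr2_vlan20"
                    and ipaddress.ip_address(on_wire) in ipaddress.ip_network("172.16.2.0/24"))
    is_private = any(ipaddress.ip_address(on_wire) in n for n in RFC1918)
    return route.iface, on_wire, (not is_private) or upstream_nat


if __name__ == "__main__":
    # ping -S 172.16.2.2 to Google: default route out pppoe0, no NAT, no reply possible
    print(diagnose("22.214.171.124", "172.16.2.2"))
    # same source to the monitor IP: the /32 host route wins and goes via 172.16.2.1
    print(diagnose("220.127.116.11", "172.16.2.2"))
    # LAN client with a policy-routing rule pointing at 172.16.2.1
    print(diagnose("22.214.171.124", "192.168.1.50", policy_gateway="172.16.2.1"))
```

The first call reproduces the 100% packet loss seen on pfSense: the destination matches only the default route, so the packet leaves pppoe0 carrying 172.16.2.2 as its source, which nothing on the internet can answer. The second shows why the monitor IP is the one address that works from that source, and the third shows why a LAN client behind a policy-routing rule sees its public address change on a "what is my IP" site.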
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0.10
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.10
172.16.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.20
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
$ ping -n -S 172.16.2.100 google.be
PING google.be (22.214.171.124) 56(84) bytes of data.
64 bytes from 126.96.36.199: icmp_req=1 ttl=48 time=15.7 ms
64 bytes from 188.8.131.52: icmp_req=2 ttl=48 time=15.1 ms
$ ping -n -S 172.16.2.100 184.108.40.206
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
64 bytes from 22.214.171.124: icmp_req=1 ttl=48 time=44.5 ms
64 bytes from 126.96.36.199: icmp_req=2 ttl=48 time=15.4 ms
Of course it can.
Edit: maybe you have a point; the gateway of 172.16.2.0 is the default. Going to do some tests. However, I tried setting the default gateway on the router to 172.16.2.1 and it didn't work.
Edit: I get the same weird result. However,
when I open my browser and go to myip.nl on my clients, the IP changes, while when I change the router to use 172.16.2.1 as default and go to any site, all internet traffic stops. Except IPv6, but that's normal because I've got native IPv6 which has its own gateway.
OK, so I added a new firewall rule to use the 172.16.2.2 gateway first and then the default gateway second; however, it still keeps on using that very same IP. The IP doesn't change.