Default gateway residing on different subnet
-
I have two sites connected together via a layer 3 gateway provided by my ISP. Site 2 has no internet access, but is reachable via a private IP address. What I am trying to do is get internet access to site 2 via site 1. Both sites are running pfsense 2.1.3.
Here is a quick breakdown of my setup:
Site 2 ------- ISP Router ------- ISP Router ------- Site 1 ------- Internet
10.0.4.3 ----- 10.0.4.1 --------- 10.0.2.1 --------- 10.0.2.3
I have tried the following:
route del default
route add -net 10.0.2.3 -iface igb0
route add default 10.0.2.3
But my traceroute still shows traffic trying to go out 10.0.4.1.
I do have a route set up for 172.0.2.0/24 via 172.0.4.1.
I have two other sites that are directly connected to site 1 via wireless links, and they work just fine (they are on the 10.0.2.0/24 subnet as well though). I'm fairly sure my NAT & firewall rules are set up correctly at site 1.
Any ideas on what I can do here?
-
What you're attempting with the gateway is not possible. You have to use a gateway in the same subnet as the device.
You have a couple choices:
Scenario #1:
1. Site 2 uses its ISP router as its default gateway
2. The ISP router is configured to send all traffic from Site 2 over to Site 1
3. Site 1 has a static route for site 2 back via the ISP router at 10.0.2.1
4. Firewall rules on Site 1 pass in the traffic from Site 2
5. Site 1 does outbound NAT to ensure Site 2 can reach the Internet
Scenario #2 (if the ISP won't set up that routing):
1. Set up an OpenVPN tunnel between site 2 and site 1, shared/static key peer to peer
2. Site 2, assign the OpenVPN interface, enable it with an IP type of 'none'
3. Site 2, use the OpenVPN gateway on the LAN firewall rules to direct traffic over OpenVPN
4. Site 1, allow the traffic in over the VPN
5. Site 1 needs outbound NAT set up
The reason #2 works is because the VPN gives them a "direct" connection which can be used as a gateway. The first choice is better, less overhead, but the ISP may not cooperate on the routing.
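The same-subnet gateway rule from the answer above, as an added example that is not part of the original posts: a Python check that rejects static routes whose gateway is not on a directly connected subnet, then resolves the next hop by longest-prefix match. The addresses and `igb0` come from the thread; the /24 masks, the Site 1 interface name `if0` and the documentation address 203.0.113.10 are assumptions.

```python
import ipaddress

def onlink_interface(gateway, interfaces):
    """Return the name of the interface whose subnet contains gateway, else None."""
    gw = ipaddress.ip_address(gateway)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        # A usable gateway is another host inside a directly connected network.
        if gw in iface.network and gw != iface.ip:
            return name
    return None

def check_routes(interfaces, routes):
    """Split static routes into usable ones and ones with an off-link gateway."""
    usable, rejected = [], []
    for dest, gateway in routes:
        net = ipaddress.ip_network(dest)
        name = onlink_interface(gateway, interfaces)
        if name is None:
            rejected.append((str(net), gateway))
        else:
            usable.append((net, gateway, name))
    return usable, rejected

def next_hop(dst, usable):
    """Longest-prefix match over usable routes; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in usable if addr in r[0]]
    if not matches:
        return None
    _, gateway, name = max(matches, key=lambda r: r[0].prefixlen)
    return gateway, name

# Constructed sample data: addresses from the thread, /24 masks assumed,
# "if0" is a hypothetical name for the Site 1 interface.
SITE2_IFACES = {"igb0": "10.0.4.3/24"}
SITE1_IFACES = {"if0": "10.0.2.3/24"}

if __name__ == "__main__":
    # Site 2: a default route via Site 1's address is off-link and is rejected.
    print(check_routes(SITE2_IFACES, [("0.0.0.0/0", "10.0.2.3")]))
    # Site 2: a default route via its own ISP router is on-link (Scenario #1, step 1).
    usable, _ = check_routes(SITE2_IFACES, [("0.0.0.0/0", "10.0.4.1")])
    print(next_hop("203.0.113.10", usable))
    # Scenario #1, step 3: Site 1 routes back to Site 2 via its ISP router.
    usable, _ = check_routes(SITE1_IFACES, [("10.0.4.0/24", "10.0.2.1")])
    print(next_hop("10.0.4.3", usable))
```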
-
That is basically what I came up with. My biggest issue is that I require the pfsense unit to have internet, not the clients. I already have an openvpn tunnel between the two sites (tap bridged to the lan) for internet access to the clients, however I needed pfsense to have internet access to install packages. I will have to talk to our ISP to find out if they will make changes to accommodate us.
-
Hey
Follow this article http://forum.ovh.co.uk/showthread.php?6507-ESXi-pfSense-and-failover-IP
Tested by me, works perfectly, and if you want to block internet for LAN users, just add the necessary rule on your firewall.