Default gateway residing on different subnet

  • I have two sites connected together via a layer 3 gateway provided by my ISP. Site 2 has no internet access, but is reachable via a private IP address. What I am trying to do is get internet access to site 2 via site 1. Both sites are running pfsense 2.1.3.

    Here is a quick breakdown of my setup:

    Site 2 ------- ISP Router ------- ISP Router ------- Site 1 ------- Internet

    I have tried the following:

    route del default
    route add -net -iface igb0
    route add default

    But my traceroute still shows traffic trying to go out

    I do have a route setup for via

    I have two other sites that are directly connected to site 1 via wireless links, and they work just fine (they are on the subnet as well though). I'm fairly sure my NAT & firewall rules are setup correctly at site 1.

    Any ideas on what I can do here?

  • Rebel Alliance Developer Netgate

    What you're attempting with the gateway is not possible. You have to use a gateway in the same subnet as the device.

    You have a couple choices:

    Scenario #1:
    1. Site 2 uses its ISP router as its default gateway
    2. The ISP router is configured to send all traffic from Site 2 over to Site 1
    3. Site 1 has a static route for site 2 back via the ISP router at
    4. Firewall rules on Site 1 pass in the traffic from Site 2
    5. Site 1 does outbound NAT to ensure Site 2 can reach the Internet

    Scenario #2 (if the ISP won't set up that routing)
    1. Set up an OpenVPN tunnel between site 2 and site 1, shared/static key peer to peer
    2. Site 2, assign the OpenVPN interface, enable it with an IP type of 'none'
    3. Site 2, use the OpenVPN gateway on the LAN firewall rules to direct traffic over OpenVPN
    4. Site 1, allow the traffic in over the VPN
    5. Site 1 needs outbound NAT setup

    The reason #2 works is that the VPN gives them a "direct" connection which can be used as a gateway. The first choice is better, with less overhead, but the ISP may not cooperate on the routing.
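
The point in the answer above is that a next hop has to be on-link: the kernel must be able to ARP for the gateway on one of its own interfaces, so an address in a remote subnet can never be installed as a usable default route, while a point-to-point VPN interface makes the remote end on-link and therefore a valid gateway. The following Python script is an added illustration of that check, not code from pfSense or from anyone in this thread; every interface name and address in it is constructed (RFC 5737 / RFC 1918 documentation-style values) and stands in for the poster's real addressing.

```python
import ipaddress

# Constructed interface table for "Site 2" (assumed values, not the poster's real setup).
# igb0 faces the ISP router, igb1 is the LAN.
INTERFACES = {
    "igb0": ipaddress.ip_interface("192.0.2.10/24"),
    "igb1": ipaddress.ip_interface("198.51.100.1/24"),
}


def on_link_interface(gateway, interfaces=INTERFACES):
    """Return the name of the interface whose subnet contains `gateway`, or None.

    A gateway is usable only if it is directly reachable on some interface;
    otherwise the host has no way to resolve its link-layer address.
    """
    gw = ipaddress.ip_address(gateway)
    for name, iface in interfaces.items():
        if gw in iface.network:
            return name
    return None


def validate_default_gateway(gateway, interfaces=INTERFACES):
    """Mimic the sanity check a router applies before installing a default route.

    Returns (ok, message). Rejects any gateway that is not on-link, which is
    exactly why 'route add default <remote-site-address>' cannot work here.
    """
    name = on_link_interface(gateway, interfaces)
    if name is None:
        return (False,
                f"{gateway} is not within any interface subnet; "
                "use the ISP router on that link or a VPN interface gateway")
    return (True, f"{gateway} is on-link via {name}")


def add_vpn_interface(interfaces, name, local_cidr):
    """Return a copy of the interface table with a point-to-point VPN interface added.

    This models scenario #2: once a tunnel interface exists, the peer's tunnel
    address falls inside a local subnet and becomes a legitimate gateway.
    """
    updated = dict(interfaces)
    updated[name] = ipaddress.ip_interface(local_cidr)
    return updated


if __name__ == "__main__":
    # 203.0.113.1 stands in for the Site 1 LAN address (constructed): off-link, rejected.
    print(validate_default_gateway("203.0.113.1"))
    # 192.0.2.1 stands in for the ISP router on the igb0 link (constructed): accepted.
    print(validate_default_gateway("192.0.2.1"))
    # Scenario #2: a constructed OpenVPN p2p interface makes the remote peer on-link.
    with_vpn = add_vpn_interface(INTERFACES, "ovpnc1", "10.8.0.2/30")
    print(validate_default_gateway("10.8.0.1", with_vpn))
```

Run it as-is to see the off-link Site 1 address rejected, the ISP router accepted (scenario #1), and the tunnel peer accepted once the VPN interface exists (scenario #2); swap in your own interface table to check a proposed gateway before touching the routing table.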

  • That is basically what I came up with. My biggest issue is that I require the pfsense unit to have internet, not the clients. I already have an openvpn tunnel between the two sites (tap bridged to the lan) for internet access to the clients, however I needed pfsense to have internet access to install packages. I will have to talk to our ISP to find out if they will make changes to accommodate us.

  • Hey

    Follow this article
    Tested by me, works perfectly, and if you want to block internet for LAN users, just add necessary rule on your firewall.
