Netgate Discussion Forum

[Solved] - MultiWAN - Gateway Issue (Update: Bridge passing traffic issue)

Routing and Multi WAN
3 Posts 2 Posters 781 Views
    calibanorg (posted Apr 21, 2015, 9:26 PM; last edited Apr 24, 2015, 1:46 PM)

    Hi there

    I have this annoying problem and I have no clue what to do:

    • All devices from LAN 1 have access to the Internet. But it is not possible to access devices in the local network (for example a network printer or other network devices). If I do a tracert to a local IP address, it goes directly over the gateway that the WAN gets from the ISP (public IP).

    • If I take out the Gateway in the LAN1 firewall rules, then I have access to the local devices but no Internet access.

    I assume I have a gateway problem, but I'm not able to resolve it so that I have access to the local devices and also to the Internet. Can anyone give me a hint what I'm doing wrong?

    FYI: The VPN connection through the LAN2 port works as expected. No issue there.

    Findings:

    I figured out that I'm not able to pass through from WIFI to the LAN interface (and vice versa). So if a client is in LAN I can ping LAN devices and have access to the Internet. Same thing with WIFI. I'm investigating my firewall rules - any hints are welcome :)

    Here is my configuration so far:

    WIFI_LAN -> WAN -> Router -> Internet
    LAN2 -> VPN -> WAN -> Router -> Internet

    WAN Configuration:

    Interface: vr0 > WAN > DHCP (public IP)
    Firewall Rules:  Block Private Network > Yes / Block network yes

    LAN 1 Configuration:

    vr1 > LAN  > Bridge0 > noip
    ath0 > WIFI > Bridge0 > noip
    bridge0 > LAN1 > static (10.10.2.x)

    For LAN1 (bridge0) I activated the DHCP server with a specific range (10.10.2.1 - 20), DNS1: 8.8.8.8, DNS2: 8.8.4.4

    Firewall Rules:
    LAN: IPV4* Source* Port* Destination* Port* Gateway* Queue*
    WIFI: IPV4* Source* Port* Destination* Port* Gateway* Queue*
    LAN1: IPV4* Source* Port* Destination* Port* Gateway "WAN" Queue*

    Bridge Configuration -> System -> Advanced -> System Tunables
    net.link.bridge.pfil_member = 0
    net.link.bridge.pfil_bridge = 1

    WIFI Config:
    Mode: Access Point
    Allow Intra-BSS communication: Yes

    LAN2 Configuration

    I configured the OpenVPN client (used the strongvpn setup) and used the WAN as interface in the configuration

    opnvpn01 > VPN > noip

    Firewall Rules:
    OpenVPN: IPV4* Source* Port* Destination* Port* Gateway "VPN" Queue*
    VPN: IPV4* Source* Port* Destination* Port* Gateway* Queue*

    Gateways:
    VPN > Interface "VPN" Gateway "VPN IP" Monitor IP "None"
    WAN > Interface "WAN" Gateway "PublicIP" Monitor IP "PublicIP"

    NAT Outbound (Manual):

    Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
    Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
    Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No

      phil.davis (posted Apr 24, 2015, 10:16 AM; last edited Apr 24, 2015, 10:39 AM)

      Without trying to work out all the detail posted above, I will give you the principle. If you specify a gateway on a rule, that is called policy routing, and it overrides any normal routing that would happen. So if you have LAN1 and LAN2, and on LAN2 you put a "pass all to WAN gateway" rule, then everything is forced out the WAN gateway, even traffic destined for LAN1.
      To fix that, on the LAN2 rules first put a rule to pass source LAN2net, destination LAN1net, gateway none.
      The traffic from LAN2 to LAN1 will match that first rule and will be handed to the ordinary routing table to be delivered locally to LAN1.

      Principle: put ordinary pass rules for local traffic before policy-routing rules that force general traffic out a gateway.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        calibanorg (last edited Apr 24, 2015, 1:44 PM)

        > To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.

        Yes, that was the missing piece. I added rule 1) on the LAN1 (Bridge) interface and now I can ping from WIFI to LAN and vice versa without issue. :D

        New Complete Firewall Rules:

        LAN (vr01)

        1. IPv4+6 * * * * * * none

        WIFI (ath0)

        1. IPv4+6 * * * * * * none

        LAN1 (Bridge)

        1. IPv4 * LAN1 net * LAN1 net * * none
        2. IPv4 * LAN1 net * * * Gateway "WAN" none

        Thanks for the help.
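The following is an added example, not code from the thread or from pfSense. It models the principle phil.davis states (first-match rule evaluation, with a gateway on a rule overriding the routing table) against the two LAN1 rule sets posted above: the original single "pass all, gateway WAN" rule, and the corrected set with the local-traffic rule placed first. Matching is simplified to source and destination address only (no protocol, port, direction or state tracking), the 10.10.2.0/24 subnet comes from the thread, and the individual host addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# LAN1 (bridge0) subnet as given in the thread.
LAN1_NET = ip_network("10.10.2.0/24")


@dataclass(frozen=True)
class Rule:
    """One firewall rule on an interface tab. pfSense evaluates rules top-down and
    the first match wins (pf 'quick'); a gateway on the rule means policy routing."""
    src: Optional[IPv4Network]   # None = any
    dst: Optional[IPv4Network]   # None = any
    gateway: Optional[str]       # None = gateway '*' (ordinary routing table)
    label: str


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule whose source and destination match, or None (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.src is None or s in rule.src) and (rule.dst is None or d in rule.dst):
            return rule
    return None


def next_hop(rules: List[Rule], src: str, dst: str) -> str:
    """Describe where the packet is sent after rule evaluation."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"                               # no rule matched: default deny
    if rule.gateway is not None:
        return f"policy-routed via {rule.gateway}"     # route-to overrides the routing table
    if ip_address(dst) in LAN1_NET:
        return "routing table: directly connected"     # delivered locally on bridge0
    return "routing table: default route"


# Original LAN1 rule set (first post): one pass-all rule with Gateway "WAN".
BEFORE = [Rule(None, None, "WAN", "pass * -> *, gateway WAN")]

# Corrected LAN1 rule set (last post): local traffic first with no gateway, then policy routing.
AFTER = [
    Rule(LAN1_NET, LAN1_NET, None, "1. pass LAN1 net -> LAN1 net, gateway none"),
    Rule(LAN1_NET, None, "WAN", "2. pass LAN1 net -> *, gateway WAN"),
]

# Constructed sample flows: a LAN1 host reaching a LAN1 printer, and the same host reaching the Internet.
FLOWS = [("10.10.2.5", "10.10.2.20"), ("10.10.2.5", "8.8.8.8")]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for src, dst in FLOWS:
            print(f"{name:6} {src} -> {dst}: {next_hop(rules, src, dst)}")
```

With the original rule set the printer traffic is policy-routed to the WAN gateway, which is exactly what the tracert in the first post showed; with the corrected set it matches rule 1 and is delivered locally, while Internet-bound traffic still falls through to rule 2. Because rule 2 now also restricts the source to LAN1 net, a packet with a foreign source address no longer matches anything and is dropped.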

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.