Netgate Discussion Forum
    [Solved] - MultiWAN - Gateway Issue (Update: Bridge passing traffic issue)

    Category: Routing and Multi WAN
    calibanorg wrote:

      Hi there

      I have this annoying problem and I don't get a clue what to do:

      • All devices from LAN 1 have access to the Internet. But it is not possible to access devices in the local network (for example a network printer or other network devices). If I do a tracert to a local IP address, it goes directly over the gateway that the WAN gets from the ISP (public IP).

      • If I take out the gateway in the LAN1 firewall rules, then I have access to the local devices but no Internet access.

      I assume I have a gateway problem, but I'm not able to resolve it so that I have access to the local network and also to the Internet. Can anyone give me a hint what I'm doing wrong?

      FYI: The VPN connection through the LAN2 port works as expected. No issue there.

      Findings:

      I figured that I'm not able to pass through from WIFI to the LAN interface (and vice versa). So if a client is in LAN, I can ping LAN devices and have access to the Internet. Same thing with WIFI. I'm investigating my firewall rules - any hints are welcome :)

      Here is my configuration so far:

      WIFI_LAN -> WAN -> Router -> Internet
      LAN2 -> VPN -> WAN -> Router -> Internet

      WAN Configuration:

      Interface: vr0 > WAN > DHCP (public IP)
      Firewall Rules:  Block Private Network > Yes / Block network yes

      LAN 1 Configuration:

      vr1 > LAN  > Bridge0 > noip
      ath0 > WIFI > Bridge0 > noip
      bridge0 > LAN1 > static (10.10.2.x)

      For LAN1 (bridge0) I activated the DHCP server with a specific range (10.10.2.1 - 20), DNS1: 8.8.8.8, DNS2: 8.8.4.4.

      Firewall Rules:
      LAN: IPV4* Source* Port* Destination* Port* Gateway* Queue*
      WIFI: IPV4* Source* Port* Destination* Port* Gateway* Queue*
      LAN1: IPV4* Source* Port* Destination* Port* Gateway "WAN" Queue*

      Bridge Configuration -> System -> Advanced -> System Tunables
      net.link.bridge.pfil_member = 0
      net.link.bridge.pfil_bridge = 1

      WIFI Config:
      Mode: Access Point
      Allow Intra-BSS communication: Yes

      LAN2 Configuration

      I configured the OpenVPN client (used the StrongVPN setup) and used the WAN as the interface in the configuration.

      opnvpn01 > VPN > noip

      Firewall Rules:
      OpenVPN: IPV4* Source* Port* Destination* Port* Gateway "VPN" Queue*
      VPN: IPV4* Source* Port* Destination* Port* Gateway* Queue*

      Gateways:
      VPN > Interface "VPN" Gateway "VPN IP" Monitor IP "None"
      WAN > Interface "WAN" Gateway "PublicIP" Monitor IP "PublicIP"

      NAT Outbound (Manual):

      Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
      Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
      Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
      Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
      Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
      Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No

      phil.davis wrote:

        Without trying to work out all the detail posted above, I will give you the principle. If you specify a gateway on a rule then that is called policy-routing and it overrides any normal routing that would happen, so if you have LAN1 and LAN2, then on LAN2 put a pass all to WAN gateway rule, then everything is forced out WAN gateway, even traffic destined for LAN1.
        To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.
        The traffic from LAN2 to LAN1 will match that first rule and will be handed to the ordinary routing table to be delivered locally to LAN1.

        Principle: put ordinary pass rules for local traffic before policy-routing rules that force general traffic out a gateway.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        calibanorg wrote:

          To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.

          Yes, that was the missing piece. I added rule 1) on the LAN1 (bridge) and now I can ping from WiFi to LAN and vice versa without issue. :D

          New Complete Firewall Rules:

          LAN (vr01)

          1. IPv4+6 * * * * * * none

          WIFI (ath0)

          1. IPv4+6 * * * * * * none

          LAN1 (Bridge)

          1. IPv4 * LAN1 net * LAN1 net * * none
          2. IPv4 * LAN1 net * * * Gateway "WAN" none

          Thanks for the help.
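The ordering principle from phil.davis's reply and the corrected LAN1 rule set above, as an added example that is not part of the thread: a small Python model of pfSense's first-match pass rules (every GUI rule is applied "quick"), evaluating the original single policy-routing rule beside the fixed pair. The LAN1 subnet 10.10.2.0/24 is taken from the outbound NAT entries; the host addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# LAN1 (bridge0) subnet, taken from the outbound NAT entries in the thread.
LAN1_NET = ipaddress.ip_network("10.10.2.0/24")


@dataclass(frozen=True)
class Rule:
    """One pass rule. src/dst None means 'any'; gateway None means 'default',
    i.e. hand the packet to the normal routing table instead of policy-routing."""
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    gateway: Optional[str]


def route(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Top-to-bottom, first match wins (pfSense adds 'quick' to every GUI rule).
    Returns the gateway the matching rule policy-routes to, 'routing-table' when
    that rule has no gateway, or 'blocked' if nothing matches (default deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.gateway or "routing-table"
    return "blocked"


# Original LAN1 rule set from the first post: one pass-any rule with gateway WAN.
ORIGINAL = [Rule(LAN1_NET, None, "WAN")]

# Corrected LAN1 rule set from the last post: local pass rule first, then the
# policy-routing rule for everything else.
FIXED = [
    Rule(LAN1_NET, LAN1_NET, None),  # 1. LAN1 net -> LAN1 net, gateway default
    Rule(LAN1_NET, None, "WAN"),     # 2. LAN1 net -> any, gateway WAN
]


def compare(src_ip: str, dst_ip: str) -> dict:
    """Where each rule set sends a packet; 'fixed-reversed' swaps the two fixed
    rules to show that the local pass rule must come first."""
    return {
        "original": route(ORIGINAL, src_ip, dst_ip),
        "fixed": route(FIXED, src_ip, dst_ip),
        "fixed-reversed": route(list(reversed(FIXED)), src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Constructed sample addresses: a WiFi client, the LAN printer, an Internet host.
    print(compare("10.10.2.5", "10.10.2.9"))     # only 'fixed' keeps this local
    print(compare("10.10.2.5", "198.51.100.7"))  # every set sends this out WAN
```

The reversed case is why the pass-to-LAN1-net rule has to sit above the gateway rule: with the order swapped, the pass-any rule matches the printer traffic first and it is forced out the WAN gateway again.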
