Netgate Discussion Forum
    How to use the opt gateway?

Routing and Multi WAN
18 Posts 4 Posters 8.1k Views
baumhak

Hi all!!
I have a big problem here at my company.
I need to use a second gateway for the site-to-site OpenVPN connection (on the client side).

I tried to put a static route on the client pfSense, but this does not work.

Does somebody have an idea?

Thanks, and sorry for my bad English.

sai

Take 2: diagrams, IP addresses, lights, action!

rcc

Maybe my configuration is similar:

VPN-Router
connects to 10.x.x.x
configured to give clients
DHCP-Leases 10.204.4.x/subnet?                            WAN PPPoE, dynamic
    OPT1                                                              |
        |_________________________________________|
                                      |
                                pfsense
                                      |
                                    LAN
                            192.68.1.x/24

Worked wonderfully until yesterday. Since then I have totally fubared my pfSense configuration.
Any suggestions?

GruensFroeschli

> Worked wonderfully until yesterday. Since then I have totally fubared my pfSense configuration.
> Any suggestions?

Since you're not telling us what you changed or what the problem is, we cannot help you.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

rcc

I changed nearly everything and tried an additional NAT rule for SSH into the LAN.
Now I'm considering starting completely over and resetting the pfSense box to factory defaults.
Is this right:
Setting OPT1 to DHCP, WAN to PPPoE, using the provider's account (WAN always works. I just can't figure out how to route LAN clients to the OPT1 net. Pinging the OPT1 router works, though, from within the LAN.)
Following the excellent Multi-WAN document, it should work then. I don't need any load balancing, though.

GruensFroeschli

If you want to route your LAN subnet, the router in front of OPTx has to know the route back.
But I assume you don't want to route that, but to NAT LAN to OPTx.

1: Enable Advanced outbound NAT.
2: Create a rule that NATs from LAN to OPTx.

From now on, connections going out OPTx seem as if they come from the OPTx interface itself.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

rcc

Well, it's slowly making click in my head... click...

How would that rule look?

OPT1 (10.204.4.x DHCP) -> pfSense -> LAN clients (192.68.1.x, fixed IP)
LAN --------------------> pfSense -> OPT1

rcc

I would not have started to use this thread if I did not think the thread starter might profit from the solutions given here.
Thanks, Froeschli, for your efforts so far.
So, on with my problem:

> If you want to route your LAN subnet, the router in front of OPTx has to know the route back.
> But I assume you don't want to route that, but to NAT LAN to OPTx.

I'm totally unused to subnetting. I have set the subnet mask to /24 and to /32 in my efforts to configure OPT1. I can't figure out what you mean by OPTx since I only have one optional interface, OPT1 by that means.
You're probably right by saying the router in front of OPT1 doesn't need to know the route back, since the LAN clients open the connection.

> 1: Enable Advanced outbound NAT.

I did that.

> 2: Create a rule that NATs from LAN to OPTx.

On the same page that says "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))"?
I tried that.
How, exactly, should this rule look, in my special case, to work?
Pinging the router behind OPT1 from LAN only works when I set "Automatic outbound NAT rule generation (IPsec passthrough)".
I verify that by turning off the WAN interface.

I will provide any diagnostic output, as long as it is useful for the problem solving. But I consider myself too noobish to find out the corresponding functions on my own.

GruensFroeschli

@rcc:

> I'm totally unused to subnetting. I have set the subnet mask to /24 and to /32 in my efforts to configure OPT1. I can't figure out what you mean by OPTx since I only have one optional interface, OPT1 by that means.
> You're probably right by saying the router in front of OPT1 doesn't need to know the route back, since the LAN clients open the connection.

Subnetting is the basis behind routing.
You should read up on it. Just ask Google. There is more than enough info around.
If you have specific questions: ask.
You wrote that you get your OPT1 IP via DHCP.
You should not have to set anything if you get the IP via DHCP.

OPTx because it applies also if you have more than one OPT.

The router in front of pfSense DOES need to know the route back to the client if you route.
That's how routing works.
It only does not have to know the route back if you NAT from LAN to OPT1
--> Connections appear to come from the OPT1 interface and not from your LAN.

@rcc:

> 1: Enable Advanced outbound NAT.
>
> I did that.
>
> 2: Create a rule that NATs from LAN to OPTx.
>
> On the same page that says "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))"?
> I tried that.
> How, exactly, should this rule look, in my special case, to work?
> Pinging the router behind OPT1 from LAN only works when I set "Automatic outbound NAT rule generation (IPsec passthrough)".
> I verify that by turning off the WAN interface.
>
> I will provide any diagnostic output, as long as it is useful for the problem solving. But I consider myself too noobish to find out the corresponding functions on my own.

Hmmm.
I kind of remember that hoba or cmb once wrote that LAN per default gets NATed to all interfaces.
Or not? I'm not sure about that.
A rule would look like the attachment.
(I NAT from LAN (10.0.0.0/24) to OPT2)

[Attachment: AoN.PNG]

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

rcc

> Subnetting is the basis behind routing.
> You should read up on it.

I will, I will... need ... time. (Tries not to fall asleep right now because of three different jobs...)

> It only does not have to know the route back if you NAT from LAN to OPT1
> --> Connections appear to come from the OPT1 interface and not from your LAN.

Well, yes, that's what I thought. Something's probably going wrong here. Have to check the switches and cables. (And RTFM the switch's documentation. Perhaps there are some Ethernet loops around; I didn't set up the network.)
I need input in the form of "open shell, type 'rm -f /boot/*' and enjoy".

rcc

O.K. I changed the whole setup:

VPN-Router --dhcp 10.x.x.x --------WAN--
                                        |-pfSense-LAN 192.68.1.x
Cable-Router--dhcp 192.168.1.x----OPT1--

What works:
- Booting pfSense with OPT1 disconnected: all traffic is routed over WAN.
- Booting pfSense with WAN disconnected: all traffic is routed over OPT1.

What does not work:
Routing with both WAN and OPT1 connected.

I am using an advanced outbound NAT rule, in the way GruensFroeschli suggested. When I start the firewall only with OPT1 connected and then connect the WAN interface, after getting its DHCP address the WAN's gateway is set to the OPT1 gateway. But it should be the VPN router.

GruensFroeschli

Do you have a rule in place that NATs from LAN to WAN too?

If you go with AoN enabled you need 2 rules.
One that NATs from LAN to WAN,
and one that NATs from LAN to OPT1.

I hope this is a typo, that you seem to have the same subnet on LAN and on OPT1.

Somehow I think you're going at the whole thing the wrong way.
What do you have to access in front of WAN?
What do you have to access in front of OPT1?

                            We do what we must, because we can.

                            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

rcc

> Do you have a rule in place that NATs from LAN to WAN too?
>
> If you go with AoN enabled you need 2 rules.
> One that NATs from LAN to WAN,
> and one that NATs from LAN to OPT1.

Yes, the rule for WAN was automagically added.

> I hope this is a typo, that you seem to have the same subnet on LAN and on OPT1.

Oops. The OPT1 router is now in 10.0.0.x, subnet mask 255.255.255.224.

> Somehow I think you're going at the whole thing the wrong way.
> What do you have to access in front of WAN?
> What do you have to access in front of OPT1?

In front of OPT1 the clients should access the internet for general purposes.
In front of WAN they should have access to a VPN that a large company provides for accessing special web pages that are only reachable via their black-box DHCP router. It also provides general web access, but only at 2 Mbit.

GruensFroeschli

Search the forum for policy routing.

I wouldn't use OPT1 for general Internet.
pfSense always uses WAN for services that run on pfSense itself (i.e. DNS lookups).

Change your Internet back to WAN and VPN to OPT1.

You have to set up rules on the LAN tab which push the traffic to the right interface.

A rule at the top:
Rule #1: Source: LAN, destination: "special IPs only accessible via VPN", gateway: OPT1
Rule #2: Source: LAN, destination: (NOT) "special IPs only accessible via VPN", gateway: default

What confuses me:

> What works:
> - Booting pfSense with OPT1 disconnected: all traffic is routed over WAN.
> - Booting pfSense with WAN disconnected: all traffic is routed over OPT1.

You should not be able to access the internet if you disconnect WAN (or in your current case OPT1).
As I wrote, pfSense always uses WAN to look up IPs.
If WAN is down you shouldn't be able to resolve IPs.

Also, if WAN is down and your LAN rule still has the default (*) gateway, traffic will just not be able to leave the pfSense,
since you don't have a default gateway to the internet.

                                We do what we must, because we can.

                                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

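As an added illustration (not code from this thread or from pfSense) of the two points GruensFroeschli makes above, that with AoN enabled LAN needs an outbound NAT rule for each egress interface, and that LAN-tab policy-routing rules are evaluated top-down so the VPN-only rule must sit above the catch-all, here is a small Python model of that evaluation. LAN_NET, VPN_ONLY, IF_ADDR and the rule names are constructed placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed values (not from the thread): LAN subnet, a placeholder prefix for
# the "special IPs only accessible via VPN", and interface addresses used for NAT.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_ONLY = ipaddress.ip_network("10.50.0.0/16")
IF_ADDR = {"WAN": "203.0.113.10", "OPT1": "10.0.0.20"}
DEFAULT_GW_IF = "WAN"   # pfSense's default gateway (the "*" gateway) sits on WAN


@dataclass
class LanRule:
    """One LAN-tab pass rule: optional destination net, NOT checkbox, policy gateway."""
    dst: Optional[ipaddress.IPv4Network] = None   # None means "any"
    negate_dst: bool = False                      # the "not" checkbox on destination
    gateway: Optional[str] = None                 # None means "default" (*)

    def matches(self, src, dst) -> bool:
        if src not in LAN_NET:                    # source must be the LAN subnet
            return False
        hit = self.dst is None or dst in self.dst
        return (not hit) if self.negate_dst else hit


def choose_egress(rules, src: str, dst: str) -> Optional[str]:
    """First matching rule wins (pfSense rules are 'quick'); None means blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.gateway or DEFAULT_GW_IF
    return None


def outbound_source(nat_ifaces: Set[str], egress_if: str, src: str) -> str:
    """Manual outbound NAT (AoN): only interfaces with a LAN rule translate.
    Anything else leaves with the LAN address, so the next-hop router would
    need a route back to the LAN (the situation the thread runs into)."""
    return IF_ADDR[egress_if] if egress_if in nat_ifaces else src


# The two LAN rules from the thread, in the recommended order.
THREAD_RULES = [
    LanRule(dst=VPN_ONLY, gateway="OPT1"),
    LanRule(dst=VPN_ONLY, negate_dst=True),       # everything else: default gateway
]
# A catch-all "any" rule placed first swallows the VPN traffic: order matters.
WRONG_ORDER = [LanRule(), LanRule(dst=VPN_ONLY, gateway="OPT1")]

if __name__ == "__main__":
    for dst in ("10.50.3.7", "198.51.100.5"):
        egress = choose_egress(THREAD_RULES, "192.168.1.10", dst)
        seen_as = outbound_source({"WAN", "OPT1"}, egress, "192.168.1.10")
        print(dst, "->", egress, "source seen as", seen_as)
```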
rcc

Thank you very much, Froeschli.
Everything works now. And best of all, I know why!
I've switched cables, applied the LAN rules, and now it's twinkling wonderfully on every interface.

> If WAN is down you shouldn't be able to resolve IPs.

Maybe this is not the case where pfSense is booted without the WAN interface connected.
I won't test that now, because everything works as expected.

Cheers!

GruensFroeschli

@rcc:

> Maybe this is not the case where pfSense is booted without the WAN interface connected.
> I won't test that now, because everything works as expected.

Yeah, probably.
If it comes up only with OPT1 connected and it is set as DHCP client it should receive a default gateway.

But you should be able to reproduce that.
After all, it won't help you if you have a working system now and sometimes it just won't work ;)

                                    We do what we must, because we can.

                                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

rcc

Just for the fun of it:
I could reproduce this behavior.
However, when rebooted with all interfaces connected, the box behaves as stated by you, Froeschli.
It's just another feature: Automatic NAT Override for idiot admins (aNATofia ™)

Edit: additional pun, made by the manufacturers of the VPN router:

The router's type name is: VIGOR 2800i ("Is a masterpiece.")

GruensFroeschli

:D :D :D

But you just got me wondering what happens if you set the WAN to static and not as DHCP client, unplug the WAN and reboot.
It might be that then the default gateway stays on WAN.
I have to try when I get home.

                                        We do what we must, because we can.

                                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
