How to use the opt gateway?



  • Hi all!!
    I have a big problem here at my company.
    I need to use a second gateway for the site-to-site OpenVPN connection (on the client side).

    I tried to put a static route on the client pfSense, but this does not work.

    Does somebody have an idea?

    Thanks, and sorry for my bad English…



  • Take 2: diagrams, IP addresses, lights, action!



  • Maybe my configuration is similar:

    VPN-Router (connects to 10.x.x.x, configured to give
    clients DHCP leases 10.204.4.x/subnet?)                     WAN PPPoE, dynamic
            OPT1                                                       |
              |________________________________________________________|
                                          |
                                       pfSense
                                          |
                                         LAN
                                    192.68.1.x/24

    Worked wonderfully until yesterday. Since then I have totally fubar'd my pfSense configuration.
    Any suggestions?



  • Worked wonderfully until yesterday. Since then I have totally fubar'd my pfSense configuration.
    Any suggestions?

    Since you're not telling us what you changed or what the problem is, we cannot help you.



  • I changed nearly everything and tried an additional NAT rule for SSH into the LAN.
    Now I'm considering starting completely over and resetting the pfSense box to factory defaults.
    Is this right:
    Setting OPT1 to DHCP, WAN to PPPoE, using the provider's account. (WAN always works. I just can't figure out how to route LAN clients to the OPT1 net. Pinging the OPT1 router works, though, from within the LAN.)
    Following the excellent Multi-WAN document, it should work then. I don't need any load balancing, though.



  • If you want to route your LAN subnet, the router in front of OPTx has to know the route back.
    But I assume you don't want to route that, but to NAT LAN to OPTx.

    1: Enable Advanced Outbound NAT.
    2: Create a rule that NATs from LAN to OPTx.

    From now on, connections going out OPTx appear as if they come from the OPTx interface itself.



  • Well, it's slowly clicking in my head… click...

    What would that rule look like?

    OPT1 (10.204.4.x DHCP) -> pfSense -> LAN clients (192.68.1.x, fixed IP)
    LAN --------------------> pfSense -> OPT1



  • I would not have started to use this thread if I did not think the thread starter might profit from the solutions given here.
    Thanks, Froeschli, for your efforts so far.
    So, on with my problem:

    If you want to route your LAN subnet, the router in front of OPTx has to know the route back.
    But I assume you don't want to route that, but to NAT LAN to OPTx.

    I'm totally unused to subnetting. I have set the subnet mask to /24 and to /32 in my efforts to configure OPT1. I can't figure out what you mean by OPTx, since I only have one optional interface, OPT1 that is.
    You're probably right in saying the router in front of OPT1 doesn't need to know the route back, since the LAN clients open the connection.

    1: Enable Advanced Outbound NAT.

    I did that.

    2: Create a rule that NATs from LAN to OPTx.

    On the same page that says "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))"?
    I tried that.
    How, exactly, should this rule look, in my special case, to work?
    Pinging the router behind OPT1 from LAN only works when I set "Automatic outbound NAT rule generation (IPsec passthrough)".
    I verify that by turning off the WAN interface.

    I will provide any diagnostic output, as long as it is useful for the problem solving. But I consider myself too noobish to find the corresponding functions on my own.



  • @rcc:

    I'm totally unused to subnetting. I have set the subnet mask to /24 and to /32 in my efforts to configure OPT1. I can't figure out what you mean by OPTx, since I only have one optional interface, OPT1 that is.
    You're probably right in saying the router in front of OPT1 doesn't need to know the route back, since the LAN clients open the connection.

    Subnetting is the basis of routing.
    You should read up on it. Just ask Google. There is more than enough info around.
    If you have specific questions: ask.
    You wrote that you get your OPT1 IP via DHCP.
    You should not have to set anything if you get the IP via DHCP.

    OPTx because it also applies if you have more than one OPT.

    The router in front of pfSense DOES need to know the route back to the client if you route.
    That's how routing works.
    It only does not have to know the route back if you NAT from LAN to OPT1
    –> connections appear to come from the OPT1 interface and not from your LAN.

    @rcc:

    1: Enable Advanced Outbound NAT.

    I did that.

    2: Create a rule that NATs from LAN to OPTx.

    On the same page that says "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))"?
    I tried that.
    How, exactly, should this rule look, in my special case, to work?
    Pinging the router behind OPT1 from LAN only works when I set "Automatic outbound NAT rule generation (IPsec passthrough)".
    I verify that by turning off the WAN interface.

    I will provide any diagnostic output, as long as it is useful for the problem solving. But I consider myself too noobish to find the corresponding functions on my own.

    Hmmm.
    I kind of remember that hoba or cmb once wrote that LAN by default gets NATed to all interfaces.
    Or not? I'm not sure about that.
    A rule would look like the one in the attachment.
    (I NAT from LAN (10.0.0.0/24) to OPT2.)




  • Subnetting is the basis of routing.
    You should read up on it.

    I will, I will… need ... time. (Tries not to fall asleep right now because of three different jobs...)

    It only does not have to know the route back if you NAT from LAN to OPT1
    –> connections appear to come from the OPT1 interface and not from your LAN.

    Well, yes, that's what I thought. Something's probably going wrong here. Have to check the switches and cables. (And RTFM the switch's documentation. Perhaps there are some Ethernet loops around; I didn't set up the network.)
    I need input in the form of "open shell, type " rm -f /boot/*" and enjoy."



  • O.K. I changed the whole setup:

    VPN-Router  --dhcp 10.x.x.x----------WAN--|
                                              |-pfSense-LAN 192.68.1.x
    Cable-Router--dhcp 192.168.1.x----OPT1--|

    What works:
    - Booting pfSense with OPT1 disconnected: all traffic is routed over WAN.
    - Booting pfSense with WAN disconnected: all traffic is routed over OPT1.

    What does not work:
    Routing with both WAN and OPT1 connected.

    I am using an advanced outbound NAT rule, in the way GruensFroeschli suggested. When I start the firewall with only OPT1 connected and then connect the WAN interface, after getting its DHCP address the WAN's gateway is set to the OPT1 gateway. But it should be the VPN router.



  • Do you have a rule in place that NATs from LAN to WAN too?

    If you go with AON enabled you need 2 rules.
    One that NATs from LAN to WAN,
    and one that NATs from LAN to OPT1.

    I hope it is a typo that you seem to have the same subnet on LAN and on OPT1.

    Somehow I think you're going about the whole thing the wrong way.
    What do you have to access in front of WAN?
    What do you have to access in front of OPT1?



  • Do you have a rule in place that NATs from LAN to WAN too?

    If you go with AON enabled you need 2 rules.
    One that NATs from LAN to WAN,
    and one that NATs from LAN to OPT1.

    Yes, the rule for WAN was automagically added.

    I hope it is a typo that you seem to have the same subnet on LAN and on OPT1.

    Oops. The OPT1 router is now in 10.0.0.x, subnet mask 255.255.255.224.

    Somehow I think you're going about the whole thing the wrong way.
    What do you have to access in front of WAN?
    What do you have to access in front of OPT1?

    In front of OPT1 the clients should access the Internet for general purposes.
    In front of WAN they should have access to a VPN that a large company provides for accessing special web pages that are only reachable via their black-box DHCP router. It also provides general web access, but only at 2 Mbit.



  • Search the forum for policy routing.

    I wouldn't use OPT1 for general Internet.
    pfSense always uses WAN for services that run on pfSense itself (i.e. DNS lookups).

    Change your Internet back to WAN and VPN to OPT1.

    You have to set up rules on the LAN tab which push the traffic to the right interface.

    Rules at the top:
    Rule #1: Source: LAN,    destination: "special IPs only accessible via VPN",            gateway: OPT1
    Rule #2: Source: LAN,    destination: (NOT) "special IPs only accessible via VPN",    gateway: default

    What confuses me:

    What works:
    - Booting pfSense with OPT1 disconnected: all traffic is routed over WAN.
    - Booting pfSense with WAN disconnected: all traffic is routed over OPT1.

    You should not be able to access the Internet if you disconnect WAN (or in your current case OPT1).
    As I wrote, pfSense always uses WAN to look up IPs.
    If WAN is down you shouldn't be able to resolve IPs.

    Also, if WAN is down and your LAN rule still has the default gateway (*), traffic will just not be able to leave the pfSense,
    since you don't have a default gateway to the Internet.
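Added example, not from any poster in this thread and not the ruleset pfSense itself generates: a hand-written pf.conf fragment showing what the two Advanced Outbound NAT rules (LAN to WAN and LAN to OPT1) from the earlier replies and the two policy-routing LAN rules described just above correspond to in plain pf syntax. Interface names (em0 WAN, em1 OPT1, em2 LAN), the LAN network 192.168.1.0/24, the OPT1 gateway 10.0.0.1 and the addresses in the vpn_only table are assumptions for illustration; the thread does not give these values.

```pf
# Added example. Interface names, addresses and table contents are assumed,
# they are not values taken from the thread.
wan     = "em0"            # Internet, DHCP or PPPoE; stays the system default gateway
opt1    = "em1"            # black-box VPN router on 10.0.0.0/27 (assumed)
lan     = "em2"
lan_net = "192.168.1.0/24" # assumed LAN network
opt1_gw = "10.0.0.1"       # assumed address of the router in front of OPT1

# Destinations that are only reachable through the VPN router (assumed).
table <vpn_only> { 172.16.50.0/24, 172.16.60.10 }

# Advanced Outbound NAT: one rule per egress interface. Without the OPT1 rule,
# LAN traffic pushed out OPT1 keeps its 192.168.1.x source address and the
# OPT1 router has no route back, which is the symptom discussed above.
nat on $wan  inet from $lan_net to any -> ($wan)
nat on $opt1 inet from $lan_net to any -> ($opt1)

# Policy routing on the LAN tab; first matching rule wins (quick).
# Rule #1: LAN -> VPN-only hosts, gateway OPT1
pass in quick on $lan route-to ($opt1 $opt1_gw) \
    inet from $lan_net to <vpn_only> keep state

# Rule #2: LAN -> everything else, gateway "default". No route-to means the
# system default route, which pfSense keeps on WAN (its own DNS lookups use
# WAN as well, as noted above).
pass in quick on $lan inet from $lan_net to ! <vpn_only> keep state
```

Two checks a practitioner would run after changing this: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` / `pfctl -sr` show the NAT and filter rules actually in effect, so you can confirm a `route-to` rule is present and that the OPT1 NAT rule was not silently dropped. The `! <vpn_only>` in rule #2 is redundant once rule #1 is `quick`, but it is kept here so the rule matches the "(NOT)" destination in the GUI rule described above. Also note the earlier observation in this thread that the WAN gateway became the OPT1 gateway after a DHCP lease: `netstat -rn` tells you which interface currently holds the default route.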



  • Thank you very much, Froeschli.
    Everything works now. And best of all: I know why!
    I've switched cables, applied the LAN rules, and now it's twinkling wonderfully on every interface.

    If WAN is down you shouldn't be able to resolve IPs.

    Maybe this is not the case when pfSense is booted without the WAN interface connected.
    I won't test that now, because everything works as expected.

    Cheers!



  • @rcc:

    Maybe this is not the case when pfSense is booted without the WAN interface connected.
    I won't test that now, because everything works as expected.

    Yeah, probably.
    If it comes up with only OPT1 connected and it is set as DHCP client, it should receive a default gateway.

    But you should be able to reproduce that.
    After all, it won't help you if you have a working system now and sometimes it just won't work ;)



  • Just for the fun of it:
    I could reproduce this behavior.
    However, when rebooted with all interfaces connected, the box behaves as stated by you, Froeschli.
    It's just another feature: Automatic NAT Override for idiot admins (aNATofia ™).

    Edit: additional pun, made by the manufacturers of the VPN router:

    The router's type name is: VIGOR 2800i ("Is a masterpiece.")



  • :D :D :D

    But you just got me wondering what happens if you set the WAN to static and not as DHCP client, unplug the WAN and reboot.
    It might be that then the default gateway stays on WAN.
    I have to try when I get home.

