Issue with routing



  • UPDATE:

    OK, after I put some thought into it I need to rephrase what's going on.

    1. I want the Comtrend DSL router to handle DHCP in the range 192.168.1.0/24
    2. LAN interface of pfSense set to static 192.168.1.51 (connected to the Comtrend)
    3. WAN interface on pfSense set to one of the public IP addresses, xxx.xxx.xxx.66 (through the Comtrend)
    4. IPsec configured, can connect through the xxx.66 public address, can ping 192.168.1.51
    5. All remote clients in the IPsec range 192.168.2.0/24 can see the LAN interface of pfSense (192.168.1.51)
    6. pfSense itself can see both LAN clients in the 192.168.1.0/24 range and the IPsec 192.168.2.0/24 clients, and also has access to the internet
    7. LAN clients connected to the Comtrend (192.168.1.0/24) can't see IPsec clients (192.168.2.0/24) and vice versa

    My Phase 2 is set to the 192.168.1.0/24 network, and I can see pfSense, so that's working OK. What's strange is that pfSense itself sees all users; just the end users can't see each other.

    I've tried setting the gateway on the pfSense LAN interface to 192.168.1.1 (which is the Comtrend), but after that I can no longer connect via IPsec. It's all black magic to me why pfSense sees both networks OK but those networks can't see each other. I don't think this is a routing issue on the DSL router but on pfSense itself (probably both, since I would assume the DSL router will need to know the gateway to the IPsec subnet).

    It would probably be easier to use pfSense for DHCP and disable that completely on the DSL router, but I want to use pfSense as a VPN-only appliance.


    Original message:

    Hello,
    I'm very new to pfSense, so I apologise for any wrong terminology. This is very new to me.

    Goal: Provide mobile access to the office LAN network.

    I have a small host running ESXi 6 with a couple of VMs. I would like to provide an IPsec tunnel from outside the office so I can access those VMs.
    The VM is configured properly with 2 NICs (one for LAN, one for WAN).

    The office network is 192.168.1.0/24; this is where all VMs operate. pfSense was assigned the LAN IP 192.168.1.51.
    I'm using a DSL service with 6 static IPs through a Comtrend VI-3223u router.

    • The router has a static public address of, let's say, xxx.xxx.xxx.65
    • pfSense connects to the router and has the IP address xxx.xxx.xxx.66 assigned on WAN
    • pfSense connects to the router and has the LAN IP address 192.168.1.51 assigned

    I've managed to set up pfSense IPsec and can establish a tunnel. However, I can't access anything except pfSense itself.
    Remote clients get the 192.168.2.0/24 IP range. So just assume it's 192.168.2.1.

    When the connection is established I can see pfSense from the remote client (I can ping / access 192.168.1.51).
    I can SSH into pfSense and from the shell I can ping other servers on the LAN and access them (let's say 192.168.1.60). I can also see the remote client from the pfSense end (can ping 192.168.2.1).

    However, the remote client doesn't see any LAN servers, and vice versa the LAN servers do not see the 192.168.2.0 network (can't ping etc.).

    The Comtrend router, where I have both LAN and WAN plugged in, sets the local network as 192.168.1.0/24. I thought this could be an internal routing problem, but I'm not sure, since I can clearly see all devices from the pfSense VM.

    Firewall rules are set to allow all traffic on IPsec. I have not set up any static routes; however, I tried a couple of configurations and nothing worked. For NAT I have the automatic settings.

    This is a bit of a weird setup, as I want to use the Comtrend as the router, and pfSense is used to provide IPsec and properly lock down traffic there. I'm also considering using it as a firewall for the VMs if I ever decide to put them on the public IP range.

    I'm using pfSense 2.2.8.

    I'm usually stubborn enough to play with it as long as it takes to get it working by just trying different settings, but I'm out of options; apparently I need to refresh my networking knowledge a bit more.

    I would greatly appreciate any tips regarding this setup. Did anyone run into similar issues before?



  • Your clients in 192.168.1.x/24 have the default gateway 192.168.1.1, so they send all traffic outside the LAN directly to the Comtrend DSL router.

    It can't work this way…
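Added example, not part of either post: a small routing model that reproduces the symptom from the thread and shows why the reply above is the whole story. The addresses follow the posts (Comtrend at 192.168.1.1, pfSense LAN at 192.168.1.51, a LAN server at 192.168.1.60, a mobile client at 192.168.2.1); the routing tables, the `isp` sentinel for the Comtrend's upstream, and the `build`/`trace`/`round_trip` helpers are my assumptions for illustration. A request from the VPN client does reach the LAN server through pfSense, but the server's reply follows its default route to the Comtrend, which has no route for 192.168.2.0/24 and forwards it upstream, so every ping looks like "no answer" even though nothing is blocked. Adding one static route on the Comtrend (192.168.2.0/24 via 192.168.1.51) closes the loop.

```python
"""Model of asymmetric routing between an IPsec subnet and a LAN whose default
gateway is not the VPN box.  Constructed example; addresses as in the thread."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

ISP = "isp"  # sentinel next hop: the Comtrend's upstream; private traffic sent there is lost


class Node:
    """A host or router with a routing table of (prefix, next_hop).
    next_hop None means the prefix is directly attached (on-link, or through the
    IPsec tunnel in pfSense's case); the string ISP means 'hand to the provider'."""

    def __init__(self, name: str, address: str, routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.address = IPAddr(address)
        self.routes = [
            (IPNet(prefix), nh if nh in (None, ISP) else IPAddr(nh)) for prefix, nh in routes
        ]

    def lookup(self, dst: IPAddr):
        """Longest-prefix match. Returns ('direct', None), ('via', next_hop) or ('none', None)."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        if best is None:
            return "none", None
        return ("direct", None) if best[1] is None else ("via", best[1])


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8):
    """Forward one packet hop by hop. Returns (list of hop names, outcome string)."""
    by_addr = {n.address: n for n in nodes.values()}
    dst_ip = IPAddr(str(dst))
    cur = nodes[src]
    hops = [cur.name]
    for _ in range(max_hops):
        if cur.address == dst_ip:
            return hops, "delivered"
        kind, nh = cur.lookup(dst_ip)
        if kind == "none":
            return hops, "dropped: no route"
        if kind == "direct":
            target = by_addr.get(dst_ip)
            if target is None:
                return hops, "dropped: no such host on link"
            hops.append(target.name)
            return hops, "delivered"
        if nh == ISP:
            hops.append(ISP)
            return hops, "lost: forwarded to the ISP"
        nxt = by_addr.get(nh)
        if nxt is None:
            return hops, "dropped: next hop unreachable"
        cur = nxt
        hops.append(cur.name)
    return hops, "dropped: hop limit"


def round_trip(nodes: Dict[str, Node], a: str, b: str) -> bool:
    """A ping only 'works' if the request AND the reply are delivered."""
    _, fwd = trace(nodes, a, nodes[b].address)
    _, rev = trace(nodes, b, nodes[a].address)
    return fwd == "delivered" and rev == "delivered"


def build(comtrend_knows_vpn_subnet: bool) -> Dict[str, Node]:
    """Topology from the thread; the flag adds the missing static route on the Comtrend."""
    comtrend_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", ISP)]
    if comtrend_knows_vpn_subnet:
        # the fix: VPN subnet reachable via pfSense's LAN address (assumed static route)
        comtrend_routes.insert(0, ("192.168.2.0/24", "192.168.1.51"))
    return {
        "lan_host": Node("lan_host", "192.168.1.60",
                         [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        "comtrend": Node("comtrend", "192.168.1.1", comtrend_routes),
        # pfSense: LAN on-link, VPN clients reachable through the IPsec tunnel
        "pfsense": Node("pfsense", "192.168.1.51",
                        [("192.168.1.0/24", None), ("192.168.2.0/24", None)]),
        # mobile client: Phase 2 selector 192.168.1.0/24 acts as a route into the tunnel
        "vpn_client": Node("vpn_client", "192.168.2.1",
                           [("192.168.2.0/24", None), ("192.168.1.0/24", "192.168.1.51")]),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        nodes = build(fixed)
        print("Comtrend has route for 192.168.2.0/24:", fixed)
        print("  pfsense <-> lan_host  :", round_trip(nodes, "pfsense", "lan_host"))
        print("  pfsense <-> vpn_client:", round_trip(nodes, "pfsense", "vpn_client"))
        print("  vpn_client -> lan_host:", trace(nodes, "vpn_client", "192.168.1.60"))
        print("  lan_host -> vpn_client:", trace(nodes, "lan_host", "192.168.2.1"))
```

In pfSense terms the two workable fixes are the one modelled above (a static route for the mobile-client subnet pointing at 192.168.1.51, on the Comtrend or on each LAN host) or, if the DSL router will not accept static routes, an outbound NAT rule on the pfSense LAN interface so that tunnel traffic leaves towards the LAN with source 192.168.1.51; the NAT variant hides the individual client addresses from the LAN servers' logs, which matters if you later want to lock traffic down per client.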