Routing Question - No Public WAN



  • Hi Guys,

    I need your help on this.
    That's my current network:

    I need to accomplish that the green ones can communicate without a problem in both directions.
    Also the green ones use TCP and multicast (but maybe I can solve this with an IGMP proxy).

    There are also other clients in the Cisco VLAN which should NOT communicate with the LAN side.
    So I think I need the firewall enabled.

    On the Cisco side I can't change anything.
    The subnet is 10.3.17.0/24 - and it's a VLAN for me.
    The IP of the Cisco router is 10.3.17.254 and it's my gateway for my WAN side.

    There is also a site-to-site VPN tunnel to a branch office on LAN (10.3.16.0/24).

    LAN1 is a DMZ / guest network.

    How would you build / rebuild this network?
    I tried it with down NATs and virtual IPs but that doesn't work.

    I can't figure it out - maybe I'm looking too long for a solution.
    Or I'm missing something.
    (Thought it would be easy) …

    Kind regards,

    Franz



  • It seems that you need to use static routing and create a couple of firewall rules. I cannot help you as much as I want, because the only static routing I know is on a Cisco router from 13 years ago (a Catalyst if I recall right). But maybe some theory can help.

    Inside the same LAN all the clients can communicate with each other while they are on the same subnet. Outside the LAN, with a different subnet, it is a different story. You need a device that resolves the routes; that's why you need a router. The pfSense performs dynamic routing by default on its interfaces, so you may have no trouble between them, regardless of whether they are LAN or WAN.

    The firewall rules permit all the LAN traffic going in any direction by default, and let the WAN traffic flow in only if a LAN client requests it.

    Here, we are all good. To prevent a DMZ LAN (I will call it just DMZ) from reaching the working environment LAN (I'll call it just LAN), you must isolate them (or only one, so the DMZ can't reach the LAN, or the LAN blocks the incoming DMZ traffic). This can be done with the firewall rules.

    If you need to reach some clients outside your LAN, then it would be no problem if there is a route for it, local dynamic (generated by pfSense for all the devices connected to its interfaces) or remote dynamic/static (given by your ISP, through your gateway). But, in some cases, this doesn't exist, so you need to create a local static route.

    In "System -> Routing -> Routes" you will see where to add a static route. Here you will tell the pfSense (and its clients) the directions to follow when a given IP is entered. It's not complicated, but you need to know 2 things:
    1.- How the route is, device by device (you must observe it one hop at a time)
    2.- You must avoid putting any route that the pfSense can reach with its interfaces (why? I don't know exactly, but it is advised in the "Routes" page).

    I wish I could be more helpful, but for now that's all I know.

    Good luck!



  • Thank you for your response!

    Well, actually the static routing should happen on the Cisco router - or?
    And that's the device I don't have access to.

    Also, I tried it with WAN rules to allow access.
    (also with virtual IPs and NAT)

    But the strange thing was:

    I can ping my LAN-side pfSense IP (from 10.3.17.x to 10.3.17.1) - no problem.
    But I can't ping 10.3.16.21.

    So I created new rules with log.
    I then saw that my rules are accepted and pass.

    But I got a timeout for the ping.

    ------

    Then I created a virtual IP 10.3.17.80 and 1:1 NAT to 10.3.16.21.
    Same result: rules pass in the log (ICMP and TCP) but no ping response or connection.

    So my ideas: it doesn't work yet because I use different gateways (10.3.16.1 and 10.3.17.1) and it's ASYNC;
    it doesn't work because my packets get lost on the Cisco end (10.3.17.254);
    or I did something completely wrong.

    And that's why I asked here for help :)



  • Oh, I forgot something.

    On the Cisco side, the devices use 10.3.17.1 as gateway.
    Maybe that's one of the main problems, because WAN is not designed that way?
    (Can't use 10.3.17.254 - because I can't add rules there - but it would be the easiest way - if it is even possible to add a rule there (they are not managed by me) for 10.3.17.0/24 - since that's his own VLAN network.)

    I don't know - I'm running out of ideas …


  • Rebel Alliance Global Moderator

    So are you NATting with pfSense or not??

    If you're not going to NAT then yes, you're going to need routes.. You say your device at 10.3.17.23 is using 10.3.17.1 as default gateway.. pfSense WAN? What are the rules on your WAN?? By default all rules on pfSense are BLOCK, so how could you use that as gateway? pfSense auto enables NAT on its "wan" interface… Did you turn all this off??

    Really need to understand how you have pfSense configured here.. And to be honest, your 10.3.17 network is a transit.. And should have NO HOSTS on it, unless you're going to maintain routes on your actual hosts on the transit network.. Or yeah, you're going to have all kinds of asynchronous routing issues..

    You mention a gateway of 10.3.17.254 -- what is that device? And then you list 2 other "routers" and pfSense as router.. So to me you have a transit network with at min 4 different routers connected to it?? Not sure what you're trying to say with tagged VLANs on 4 ports?

    What exactly are you trying to accomplish? How does this device on 10.3.17.254 come into play? And we can work out how to connect pfSense to accomplish what you want.. But from your drawing it looks like a mess... If pfSense is going to be a downstream router from your network it should be on a transit network, and there are no hosts on transit networks!! But you list at least 2 of them, 10.3.17.22 and .23.
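As an added illustration of the transit-network point in this reply (a toy model constructed for this thread, not code from pfSense or from either poster), the snippet below traces a packet hop by hop through the addresses given in the thread and checks whether the reply retraces the same path. It assumes the Cisco router at 10.3.17.254 has no route to 10.3.16.0/24 and that its upstream is outside the model.

```python
import ipaddress

# Toy model (constructed for this thread, not pfSense code) of the hosts and routers described above.
class Node:
    def __init__(self, name, ifaces, routes=(), default=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.default = default  # next-hop address as a string, or None

    def next_hop(self, dst):
        """'direct' for a connected subnet, else longest-prefix match, else the default route."""
        dst = ipaddress.ip_address(dst)
        if any(dst in i.network for i in self.ifaces):
            return "direct"
        for net, nh in sorted(self.routes, key=lambda r: -r[0].prefixlen):
            if dst in net:
                return nh
        return self.default

def trace(nodes, src, dst, max_hops=8):
    """Hop-by-hop path from node `src` to address `dst`; ends in 'lost(...)' if a hop has no usable route."""
    by_ip = {str(i.ip): n for n in nodes for i in n.ifaces}
    cur, path = next(n for n in nodes if n.name == src), [src]
    for _ in range(max_hops):
        nh = cur.next_hop(dst)
        nh = dst if nh == "direct" else nh
        nxt = by_ip.get(nh)
        if nxt is None:  # no route, or handed to a device outside the model
            return path + [f"lost({nh})"]
        path.append(nxt.name)
        if nh == dst:
            return path
        cur = nxt
    return path + ["loop"]

def symmetric(nodes, a, b):
    """True when the reply from b to a retraces the forward path a -> b (no asymmetric routing)."""
    ip = {n.name: str(n.ifaces[0].ip) for n in nodes}
    return trace(nodes, a, ip[b]) == trace(nodes, b, ip[a])[::-1]

# Addresses from the thread; the Cisco router (10.3.17.254) has no route to 10.3.16.0/24.
TOPOLOGY = [
    Node("cisco", ["10.3.17.254/24"], default="upstream-isp"),
    Node("pfsense", ["10.3.17.1/24", "10.3.16.1/24"], default="10.3.17.254"),
    Node("knx", ["10.3.16.21/24"], default="10.3.16.1"),
    Node("client-23", ["10.3.17.23/24"], default="10.3.17.1"),    # gateway = pfSense WAN
    Node("client-22", ["10.3.17.22/24"], default="10.3.17.254"),  # gateway = Cisco router
]
```

A host pointing at pfSense WAN reaches the KNX server symmetrically, a host pointing at the Cisco router loses its packets upstream, and even with a static route added on the Cisco router the reply still bypasses it, which is the asymmetric routing the reply warns about.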



  • Thanks for your time johnpoz!

    First - I extended my drawing:

    So are you NATting with pfSense or not??

    At the moment yes.

    Really need to understand how you have pfSense configured here..

    Actually, at the moment this isn't working at all and I just tested around.
    No NAT rules set. I just test it with Down-NAT (no outbound - it's automatic).
    Also tested with ANY-ANY rules on the WAN side.

    But let me describe this scenario from the beginning -

    The internet uplink is a 100 Mbit directional radio from mountain to mountain. (I live in Austria.)
    The Cisco network / switches provide several networks for each individual customer on this mountain (hotels, ski lift stations, flatlets, and so on).
    So it comes in at one point and is distributed via fibre (from 100 to 500 meters) to different locations.

    Cisco switches are 48-port.
    Each customer has 4 ports on these switches with their own VLAN provided.

    Mine is 10.3.17.0/24.
    The router/gateway for my network is 10.3.17.254.
    So basically it isn't a transit network - I just used it as one.
    I will call this 10.3.17.0/24 network for now "Cisco network".

    Because you can easily "hack" (and by hack I mean just plug a network cable into the switch - because they are easy to access) and my customer said he doesn't trust the other customers who use the provided network/switches - I built the pfSense network for my customer with his own network 10.3.16.0/24 and the DMZ 10.13.16.0/24 for the guest network.
    Classic WAN-LAN network.

    As mentioned there is also an OpenVPN tunnel to a branch office. (The branch office has a public IP - the main office hasn't …)

    Until one week ago everything worked just fine.
    Now my customer bought a fancy KNX system from an electrician and controls several things (light, heating, ..).
    No problem in my own network.
    The KNX server is 10.3.16.21.
    The server also uses multicast for some controls.

    My customer was so happy with this system he decided he wants to control more!
    And the "more" are other locations in this Cisco network (which are connected via fibre).

    And the struggle began - because I didn't design the network for that purpose.
    The customer already had clients in the Cisco network - but only for internet usage - not to communicate with clients in the secured 10.3.16.0/24 network.

    Using 10.3.17.1 (pfSense WAN) as my gateway was just a plain stupid idea and I just realized it while I was starting this topic here.
    I ran into this idea because if I set 10.3.17.1 as gateway on my laptop I could ping 10.3.16.1 without a problem - and thought - easy cheezy, I got this.

    Another idea is to hook up my LAN side with the Cisco switch - but I think this will also bring trouble since VLAN is designed just for one broadcast address.
    I don't know how the Cisco switches are configured.
    I can't test it - but it's not clean.

    If I can't get this to work there is a worst-case solution for the problem -
    There are several free pairs on the fibre cables.
    So I can build my own new network which is in the 10.3.16.0/24 network (with new switches at each location).

    But the best way would be to get this working with the pfSense.
    Because it gives me a headache thinking about building another network since there is already one.

    Hope this helps you understand my "scenario".
    Tried my best.