Re: [pfSense] Routing Issue
You should not have to route anything manually. Your data center or ISP routes the /25 to 212.168.31.130. In essence, packets are sent there for you. pfSense then "knows" the LAN side is the /25 and sends them to the LAN.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 3:13 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Routing Issue

Let me try to explain it completely ;)

I configured something like that in my first router.
I think CARP etc. is not the problem here:

    WAN (wan)      -> igb0 -> v4: 212.168.31.131/29
    FCSE_PUB (lan) -> igb1 -> v4: 212.168.31.2/25
    HA_SYNC (opt1) -> igb3 -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet.
So I have to route the /25 through the /29. In my case it should be the .130 (CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP IP).
VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.

The connection etc. is working, but when I make connections through the VPN I will always see the IP from the WAN interface. The /25 are public IPs, so I want to have the (.1 CARP IP) show on remote servers like google.com and so on.
In Linux I can just set up the next hop like:

    ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0

When I set the route with

    route add 212.168.31.0/25 212.168.31.130

I am not able to reach anything.

NAT is not needed, I think, because we use public IPs. So that's the reason why I am confused.

    traceroute -i igb1 web.de
    traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
    traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
     1  * * *
     2  * * *

On the router side of my ISP all traffic to the /25 is routed to the .130 on my site.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Routing Issue
When I delete the route everything works fine, but the /25 is handled as a private network:

    traceroute -i igb1 web.de
    traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
    traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
     1  lee.de (212.168.31.129)  0.442 ms  0.366 ms  0.324 ms
     2  r1ffm.de.vianw.net (212.168.1.221)  4.573 ms  4.814 ms  4.766 ms
     3  xe-5-3-2-0.fra-006-score-1-re0.interoute.net (89.202.134.177)  7.794 ms  5.978 ms  10.017 ms

> On 10.05.2016 at 22:12, Daniel Eschner wrote:
>
> Let me try to explain it completely ;)
>
> I configured something like that in my first router.
> I think CARP etc. is not the problem here:
>
>     WAN (wan)      -> igb0 -> v4: 212.168.31.131/29
>     FCSE_PUB (lan) -> igb1 -> v4: 212.168.31.2/25
>     HA_SYNC (opt1) -> igb3 -> v4: 10.0.0.1/24
>
> The /29 network is just a transfer net for the /25 subnet.
> So I have to route the /25 through the /29. In my case it should be the .130 (CARP IP).
>
> I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP IP).
> VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.
>
> The connection etc. is working, but when I make connections through the VPN I will
> always see the IP from the WAN interface. The /25 are public IPs, so I want to
> have the (.1 CARP IP) show on remote servers like google.com and so on.
> In Linux I can just set up the next hop like:
>
>     ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0
>
> When I set the route with
>
>     route add 212.168.31.0/25 212.168.31.130
>
> I am not able to reach anything.
>
> NAT is not needed, I think, because we use public IPs. So that's the reason why
> I am confused.
>
>     traceroute -i igb1 web.de
>     traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
>     traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
>      1  * * *
>      2  * * *
>
> On the router side of my ISP all traffic to the /25 is routed to the .130
> on my site.
Re: [pfSense] Routing Issue
Let me try to explain it completely ;)

I configured something like that in my first router.
I think CARP etc. is not the problem here:

    WAN (wan)      -> igb0 -> v4: 212.168.31.131/29
    FCSE_PUB (lan) -> igb1 -> v4: 212.168.31.2/25
    HA_SYNC (opt1) -> igb3 -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet.
So I have to route the /25 through the /29. In my case it should be the .130 (CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP IP).
VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.

The connection etc. is working, but when I make connections through the VPN I will always see the IP from the WAN interface. The /25 are public IPs, so I want to have the (.1 CARP IP) show on remote servers like google.com and so on.
In Linux I can just set up the next hop like:

    ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0

When I set the route with

    route add 212.168.31.0/25 212.168.31.130

I am not able to reach anything.

NAT is not needed, I think, because we use public IPs. So that's the reason why I am confused.

    traceroute -i igb1 web.de
    traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
    traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
     1  * * *
     2  * * *

On the router side of my ISP all traffic to the /25 is routed to the .130 on my site.

> On 10.05.2016 at 21:57, Steve Yates wrote:
>
> I'm a bit confused whether the /25 is your LAN subnet or another interface.
> The OpenVPN tunnel network has to be a subnet that is on no other interfaces
> including the remote PC's LAN. For example we have our data center using a
> /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for
> OpenVPN. 192.168.199.0/24 is just used to route packets from the remote PC
> to behind the router.
>
> You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and
> should be "/29" like the others.
>
> --
>
> Steve Yates
> ITS, Inc.
Re: [pfSense] Routing Issue
I'm a bit confused whether the /25 is your LAN subnet or another interface. The OpenVPN tunnel network has to be a subnet that is on no other interfaces including the remote PC's LAN. For example we have our data center using a /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for OpenVPN. 192.168.199.0/24 is just used to route packets from the remote PC to behind the router.

You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and should be "/29" like the others.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 2:32 PM
To: list@lists.pfsense.org
Subject: [pfSense] Routing Issue

Hi there,

I try to configure 2 pfSense firewalls with the following setup:

My ISP gave me a /29 as transfer network. I set up the IPs as follows:

    x.x.x.131/29   PF1
    x.x.x.132/29   PF2
    x.x.x.130/130  CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP interface with IP 1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN has the IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, so that the .1 is shown in the interface?
All IPs are public IPs.

Hope you understand what I mean ;)

Cheers

Daniel
[pfSense] Routing Issue
Hi there,

I try to configure 2 pfSense firewalls with the following setup:

My ISP gave me a /29 as transfer network. I set up the IPs as follows:

    x.x.x.131/29   PF1
    x.x.x.132/29   PF2
    x.x.x.130/130  CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP interface with IP 1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN has the IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, so that the .1 is shown in the interface?
All IPs are public IPs.

Hope you understand what I mean ;)

Cheers

Daniel
[pfSense] Routing issue
Hail,

I have a strange issue. I get the default route by OSPF, and that is fine. But I, then, need not to have default routes and gateways configured in. So far, so good.

Now I need to set a route to another network, no default route then. I create the gateway, and as I have no other one the WebUI sets it as default:

    GW_OI (default)  OSPF_1  172.16.1.1  172.16.1.1

no matter how many times I unclick the default box. When I create it, it is not clicked either.

Although this shows, my routes won't show that router as default:

    netstat -rn -f inet
    Routing tables

    Internet:
    Destination        Gateway         Flags  Refs  Use         Netif   Expire
    default            192.168.199.2   UG1    0     1267        em0_vl
    127.0.0.1          link#5          UH     0     6723        lo0
    172.16.1.0/24      link#10         U      0     392         em0_vl
    172.16.1.2         link#10         UHS    0     0           lo0
    172.18.1.2         192.168.199.2   UGH1   0     0           em0_vl
    192.168.1.0/24     link#7          U      0     2409242779  ue0
    192.168.1.1        link#7          UHS    0     0           lo0
    192.168.197.0/24   192.168.199.2   UG1    0     0           em0_vl
    192.168.198.0/32   172.16.1.1      UGS    0     0           em0_vl  =>
    192.168.198.0/24   192.168.199.2   UG1    0     5           em0_vl
    192.168.199.0/24   link#9          U      0     24          em0_vl
    192.168.199.3      link#9          UHS    0     0           lo0

My main concern is that this is great now, but later it changes something, as in a reboot. This is a test environment but will soon go into production.

Has anyone seen this? Is it really harmless?

thanks,

matheus

--
We will call you Cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] routing issue
On 2012.04.05. 11:37, Chris Buechler wrote:
> On Thu, Apr 5, 2012 at 5:32 AM, Gabor Debreczeni-Kis wrote:
>> Dear List Members,
>>
>> I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my customers
>> and have a problem with static routing and gateways.
>> We're using pptp to make LAN-to-LAN connections between various locations
>> and the main office.
>
> In short - don't do that. PPTP is not intended for and not good for
> site to site VPNs. Use OpenVPN or IPsec.

I know you're right but this is not my decision and I cannot tell the people that this is a bad idea, because in the same situation a freebsd+mpd5+quagga zebra combo worked fine in the last 3 years.

But I want to use pfsense, and it's working fine too (if I use the written "hack" then it works like a charm), the only issue is with the gateways.
Re: [pfSense] routing issue
On Thu, Apr 5, 2012 at 5:32 AM, Gabor Debreczeni-Kis wrote:
> Dear List Members,
>
> I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my customers
> and have a problem with static routing and gateways.
> We're using pptp to make LAN-to-LAN connections between various locations
> and the main office.

In short - don't do that. PPTP is not intended for and not good for site to site VPNs. Use OpenVPN or IPsec.
[pfSense] routing issue
Dear List Members,

I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my customers and have a problem with static routing and gateways.
We're using pptp to make LAN-to-LAN connections between various locations and the main office. I know that pptp is not the best method for this but the customer's routers only support pptp vpn connections, so there are no other options, this is not my decision.

Mainly the pptp is working, the problem is with the static routes.
The pfsense machine's network is 172.30.254.0/24, where the pfsense itself is the 172.30.254.254 and the pptp server side ip is 172.30.254.252.
The pptp clients get their tunnel ip from 172.30.253.0/24.

To make the LAN-to-LAN work I need to add the following gateway and static route:

    gateway 172.30.253.5
    static route: 172.20.83.0/24 with gateway 172.30.253.5

The problem is that when I'm adding the gateway at System: Gateways, at the Interface I have no option to choose the pptp interface, only LAN and WAN. I think there should be an option here, PPTP VPN, like at the firewall. When I try to save it I get the following error:

    The following input errors were detected:
    * The gateway address 172.30.253.5 does not lie within the chosen interface's subnet.

And here comes the fun part: if I'm adding the static route at System: Static routes and I choose to add a new gateway and I add the new gateway there, then it works! The gateway is added, the static route is added, the routing table is fine and everything works like a charm!

The problem is that after a reboot or after waiting 1 day it will lose these static routes (because the gateways are invalid, as it thinks), so this "hack" is not working.

How can this problem be solved? I think there should be an interface option PPTP VPN at System: Gateways like at the firewall.

At my other customer I'm using freebsd, mpd5 and quagga zebra for the same job with the same routing logic and it works like a charm. Here we decided to use pfsense because of the easier configuration.

Any ideas welcome,
Thank you in advance.

Best Regards:
Gabor Debreczeni-Kis
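
An added example, not written by any poster on this page and not pfSense code: a small Python address-plan check run over the addresses quoted in the two threads above. It applies Steve Yates's rule that the OpenVPN tunnel network must not overlap any interface subnet, examines the manual route Daniel added for the /25, and repeats the on-link gateway test that Gabor's error message describes. The function names and the three checks are assumptions chosen for illustration.

```python
import ipaddress

# Constructed from the addresses quoted in the threads above.
DANIEL = {
    "WAN (igb0)": "212.168.31.131/29",
    "FCSE_PUB (igb1)": "212.168.31.2/25",
    "HA_SYNC (igb3)": "10.0.0.1/24",
}
DANIEL_CARP = ["212.168.31.130", "212.168.31.1"]  # CARP addresses named in the thread
GABOR = {"LAN": "172.30.254.254/24"}              # only the LAN is given in the post


def connected(interfaces):
    """Map interface name -> directly connected network."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}


def tunnel_conflicts(tunnel, interfaces):
    """Names of interfaces whose subnet overlaps the VPN tunnel network."""
    net = ipaddress.ip_network(tunnel)
    return [name for name, c in connected(interfaces).items() if c.overlaps(net)]


def gateway_interface(gateway, interfaces):
    """Interface whose subnet contains the gateway, or None if it is not on-link."""
    gw = ipaddress.ip_address(gateway)
    for name, net in connected(interfaces).items():
        if gw in net:
            return name
    return None


def check_static_route(dest, gateway, interfaces, extra_local=()):
    """Return a list of problems found with a proposed static route."""
    problems = []
    gw = ipaddress.ip_address(gateway)
    dest_net = ipaddress.ip_network(dest, strict=False)
    # Addresses the firewall itself answers for: interface IPs plus any VIPs.
    local = {ipaddress.ip_interface(a).ip for a in interfaces.values()}
    local |= {ipaddress.ip_address(a) for a in extra_local}
    if gateway_interface(gateway, interfaces) is None:
        problems.append("gateway is not inside any interface subnet")
    if gw in local:
        problems.append("gateway is one of the firewall's own addresses")
    for name, net in connected(interfaces).items():
        if dest_net.overlaps(net):
            problems.append(f"destination overlaps connected network on {name}")
    return problems


if __name__ == "__main__":
    print(tunnel_conflicts("10.0.1.0/24", DANIEL))
    print(check_static_route("212.168.31.0/25", "212.168.31.130", DANIEL, DANIEL_CARP))
    print(check_static_route("172.20.83.0/24", "172.30.253.5", GABOR))
```
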