Re: [pfSense] Routing Issue

2016-05-10 Thread Steve Yates
You should not have to route anything manually.  Your data center or ISP routes 
the /25 to 212.168.31.130.  In essence, packets are sent there for you.  
PfSense then "knows" the LAN side is the /25 and sends them to the LAN.

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
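
Added example (not part of the original posts): a Python sanity check of the addressing plan posted in this thread. It shows that the /25 is already a connected network, flags the static route tried in the thread, and applies the rule that the OpenVPN tunnel network must not sit on any other interface. The function names are illustrative, and treating the first traceroute hop 212.168.31.129 as the ISP gateway is an assumption.

```python
import ipaddress as ip

# Interface addresses and CARP VIPs exactly as posted in the thread.
INTERFACES = {
    "igb0": ip.ip_interface("212.168.31.131/29"),  # WAN (transfer net)
    "igb1": ip.ip_interface("212.168.31.2/25"),    # FCSE_PUB (lan)
    "igb3": ip.ip_interface("10.0.0.1/24"),        # HA_SYNC
}
CARP_VIPS = {"igb0": ip.ip_address("212.168.31.130"),
             "igb1": ip.ip_address("212.168.31.1")}
# Assumption: the first traceroute hop is the ISP-side gateway.
DEFAULT_GW = ip.ip_address("212.168.31.129")


def local_addresses():
    """Every address this firewall answers for (interface IPs and CARP VIPs)."""
    return {i.ip for i in INTERFACES.values()} | set(CARP_VIPS.values())


def lookup(dst):
    """Longest-prefix match over connected networks, else the default route."""
    dst = ip.ip_address(dst)
    hits = [(i.network.prefixlen, name) for name, i in INTERFACES.items()
            if dst in i.network]
    if hits:
        return max(hits)[1], "connected"
    return "igb0", str(DEFAULT_GW)


def check_static_route(dest, gateway):
    """Return the reasons a proposed static route is wrong for this box."""
    dest, gateway = ip.ip_network(dest), ip.ip_address(gateway)
    problems = []
    for name, i in INTERFACES.items():
        if dest.overlaps(i.network):
            problems.append(f"{dest} is already connected on {name}")
    if gateway in local_addresses():
        problems.append(f"next hop {gateway} is this firewall's own address")
    elif not any(gateway in i.network for i in INTERFACES.values()):
        problems.append(f"next hop {gateway} is not on a connected network")
    return problems


def check_tunnel(tunnel):
    """Interfaces whose network overlaps the OpenVPN tunnel (should be none)."""
    tunnel = ip.ip_network(tunnel)
    return [name for name, i in INTERFACES.items() if tunnel.overlaps(i.network)]


if __name__ == "__main__":
    print(check_static_route("212.168.31.0/25", "212.168.31.130"))
    print(lookup("212.168.31.50"), lookup("82.165.229.138"))
    print(check_tunnel("10.0.1.0/24"))
```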


Re: [pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
When I delete the route everything works fine, but the /25 is handled as a 
private network:

 traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  lee.de (212.168.31.129)  0.442 ms  0.366 ms  0.324 ms
 2  r1ffm.de.vianw.net (212.168.1.221)  4.573 ms  4.814 ms  4.766 ms
 3  xe-5-3-2-0.fra-006-score-1-re0.interoute.net (89.202.134.177)  7.794 ms  5.978 ms  10.017 ms





Re: [pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
Let me try to explain it completely ;)

I configured something like that in my first router.
I think CARP etc. is not the problem here:


WAN (wan)   -> igb0   -> v4: 212.168.31.131/29
FCSE_PUB (lan)  -> igb1   -> v4: 212.168.31.2/25
HA_SYNC (opt1)  -> igb3   -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet.
So I have to route the /25 through the /29. In my case it should be the .130 
(CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP 
IP).
VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.

The connection etc. is working, but when I make connections through the VPN I 
always see the IP from the WAN interface, but the /25 are public IPs, so I want to 
have the (.1 CARP IP) shown on remote servers like google.com and so on.
In Linux I can just set up the next hop like:

ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0

When I set the route with route add 212.168.31.0/25 212.168.31.130
I am not able to reach anything.

NAT is not needed, I think, because we use public IPs. So that's the reason why I 
am confused.

traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  * * *
 2  * * *


On the router side of my ISP all traffic to the /25 is routed to the .130 on 
my site.





Re: [pfSense] Routing Issue

2016-05-10 Thread Steve Yates
I'm a bit confused whether the /25 is your LAN subnet or another interface.  
The OpenVPN tunnel network has to be a subnet that is on no other interfaces 
including the remote PC's LAN.  For example we have our data center using a /29 
for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for 
OpenVPN.  192.168.199.0/24 is just used to route packets from the remote PC to 
behind the router.

You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and should 
be "/29" like the others.

--

Steve Yates
ITS, Inc.



[pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
Hi there,

I am trying to configure 2 pfSense firewalls with the following setup:

My ISP gave me a /29 as transfer network. I set up the IPs as follows:

x.x.x.131/29 PF1
x.x.x.132/29 PF2
x.x.x.130/130 CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP 
interface with IP 1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN has 
the IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, so that the .1 is 
shown in the interface?
All IPs are public IPs.

Hope you understand what I mean ;)

Cheers

Daniel


[pfSense] Routing issue

2014-09-18 Thread Nenhum_de_Nos
Hail,

I have a strange issue. I get default route by OSPF. And that is fine. But I, 
then, need not to have default routes and gateways configured in. So far, so 
good. Now I need to set a route to another network, no default route then.

I create the gateway, and as I have no other one the WebUI sets it as default:

GW_OI (default) OSPF_1  172.16.1.1  172.16.1.1

no matter how many times I unclick the default box. When I create it, it is 
not clicked as well.

Although this shows, my routes won't show that router as default:

netstat -rn -f inet

Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            192.168.199.2      UG1         0       1267 em0_vl
127.0.0.1          link#5             UH          0       6723    lo0
172.16.1.0/24      link#10            U           0        392 em0_vl
172.16.1.2         link#10            UHS         0          0    lo0
172.18.1.2         192.168.199.2      UGH1        0          0 em0_vl
192.168.1.0/24     link#7             U           0 2409242779    ue0
192.168.1.1        link#7             UHS         0          0    lo0
192.168.197.0/24   192.168.199.2      UG1         0          0 em0_vl
192.168.198.0/32   172.16.1.1         UGS         0          0 em0_vl =>
192.168.198.0/24   192.168.199.2      UG1         0          5 em0_vl
192.168.199.0/24   link#9             U           0         24 em0_vl
192.168.199.3      link#9             UHS         0          0    lo0

My main concern is this being great now, but then later it changes something, as 
in a reboot. This is a test environment but will soon go into production.

Has anyone seen this? Is it really harmless?

thanks,

matheus


-- 
We will call you Cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] routing issue

2012-04-05 Thread Gabor Debreczeni-Kis

On 2012.04.05 at 11:37, Chris Buechler wrote:
> On Thu, Apr 5, 2012 at 5:32 AM, Gabor Debreczeni-Kis  wrote:
>> Dear List Members,
>>
>> I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my customers
>> and have a problem with static routing and gateways.
>> We're using pptp to make LAN-to-LAN connections between various locations
>> and the main office.
>
> In short - don't do that. PPTP is not intended for and not good for
> site to site VPNs. Use OpenVPN or IPsec.

I know you're right but this is not my decision and I cannot tell the 
people that this is a bad idea because in the same situation a 
freebsd+mpd5+quagga zebra combo worked fine in the last 3 years.
But I want to use pfsense, and it's working fine too (if I use the 
written "hack" then it works like a charm), the only issue is with the 
gateways.



Re: [pfSense] routing issue

2012-04-05 Thread Chris Buechler
On Thu, Apr 5, 2012 at 5:32 AM, Gabor Debreczeni-Kis  wrote:
> Dear List Members,
>
> I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my customers
> and have a problem with static routing and gateways.
> We're using pptp to make LAN-to-LAN connections between various locations
> and the main office.

In short - don't do that. PPTP is not intended for and not good for
site to site VPNs. Use OpenVPN or IPsec.


[pfSense] routing issue

2012-04-05 Thread Gabor Debreczeni-Kis

Dear List Members,

I'm using pfsense as a pptp vpn server (version 2.0.1) at one of my 
customers and have a problem with static routing and gateways.
We're using pptp to make LAN-to-LAN connections between various 
locations and the main office.
I know that pptp is not the best method for this but the customer's 
routers only support pptp vpn connections, so there are no other 
options; this is not my decision.

Mainly the pptp is working, the problem is with the static routes.

The pfsense machine's network is 172.30.254.0/24, where the pfsense 
itself is the 172.30.254.254 and the pptp server side ip is 172.30.254.252.

The pptp clients get their tunnel ip from 172.30.253.0/24.
To make the LAN-to-LAN work I need to add the following gateway and 
static route:

gateway 172.30.253.5
static route: 172.20.83.0/24 with gateway 172.30.253.5
The problem is that when I'm adding the gateway at System:Gateways at 
the Interface I have no option to choose pptp interface, only LAN and WAN.

I think there should be an option here PPTP VPN like at the firewall.
When I try to save it I get the following error:

The following input errors were detected:

 * The gateway address 172.30.253.5 does not lie within the chosen
   interface's subnet.

And here comes the fun part:
If I'm adding the static route at the System: Static routes and I'm 
choosing to add a new gateway and I add the new gateway here then it works!
The gateway is added, the static route is added, the routing table is fine and 
everything works like a charm!


The problem is that after a reboot or after waiting 1 day it will lose 
these static routes (because the gateways are invalid as it thinks) so 
this "hack" is not working.

How can this problem be solved?
I think there should be an interface option PPTP VPN at System: 
Gateways  like at the firewall.


At my other customer I'm using freebsd, mpd5 and quagga zebra for the 
same job with the same routing logic and it works like a charm. Here we 
decided to use pfsense because of the easier configuration.


Any ideas welcome,
Thank you in advance.

Best Regards:
Gabor Debreczeni-Kis