Re: [pfSense Support] default gateway on LAN ???
On 1/23/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
> Ideally, I'd do what Bill described, since the routing is much nicer,
> and the filtering capabilities are much better.

One note on that. Since we currently can't filter traffic coming in off the IPSec tunnel, this setup would actually increase your security posture.

--Bill
Re: [pfSense Support] default gateway on LAN ???
I'd do the same as Bill described. But regardless, in the diagram you provided, you don't need or want a default route on your LAN to accomplish this. You don't need any routes on the VPN pfSense box, and on the primary at both sites you would need routes pointing the remote VPN subnet to the LAN IP of the VPN pfSense box. This will generate an ICMP redirect for VPN-bound packets, though after the first the sending host should remember it for a while, so it isn't going to be sending one redirect per packet. Sending ICMP redirects isn't pretty, but it generally isn't going to cause you problems, especially in a limited situation like this.

Ideally, I'd do what Bill described, since the routing is much nicer, and the filtering capabilities are much better.

Bill Marquette wrote:
> I know this doesn't answer your question and I'm not trying to, but I'd like to offer my opinion FWIW. I'd attach the LAN leg from your pfSense VPN boxes (machine 2 in each location) to a third leg on the Internet firewall in each location and static route out it. Sending ICMP redirects from the primary gateway telling clients to use a different gateway tends to be somewhat problematic.
>
> --Bill
>
> On 1/23/06, David Strout <[EMAIL PROTECTED]> wrote:
>> Here is a quick visual of what I have in a couple of locations ... Let me know if it comes through.
>> --
>> David L. Strout
>> Engineering Systems Plus, LLC
>>
>> ----- Original Message -----
>> Subject: Re: [pfSense Support] default gateway on LAN ???
>> From: [EMAIL PROTECTED]
>> To: support@pfsense.com
>> Date: 01-23-2006 4:36 pm
>>
>> David Strout wrote:
>>> I have a ? / feature request. If pfS IS NOT the default GW on the LAN then I suppose that the only way to direct all traffic out the "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an alternate IP address (that of the default GW for the LAN).
>>
>> I believe you can enter a route with destination 0.0.0.0/0, which is the same as your default route. Mind you, that will override your WAN's default gateway (or they might fight with each other and really screw stuff up, depending on the situation).
>>
>>> I think that this would be a real nice feature addition for those who are adding pfS to their already existing LAN, for say a dedicated test platform, or dedicated VPN concentrator or a plethora of other reasons.
>>
>> In that type of situation, you either need your pfSense WAN interface connected to your LAN (hence the default gateway will be correct), or if you have public IPs to spare, the LAN interface can be on your LAN, and the WAN on the Internet, and you would still not need any static routes unless your LAN contains subnets other than the primary LAN subnet.
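The two layouts compared above (VPN box on the same LAN with a static route on the primary gateway, versus Bill's third leg on the Internet firewall), as an added example that is not part of the thread and not pfSense code: a small Python model of longest-prefix routing plus the ICMP redirect rule from RFC 1812 section 5.2.7.2, which FreeBSD's ip_forward() implements. It shows why the flat layout redirects the first packet and then carries tunnel traffic past the firewall, and why the third leg does neither. Only the LAN 192.168.100.0/24 and its gateway 192.168.100.1 come from David's message; the VPN box address 192.168.100.2, the far-end subnet 192.168.200.0/24, the 10.10.10.0/30 third leg, the host 192.168.100.77 and the 203.0.113.x / 198.51.100.1 public addresses are constructed for the example.

```python
# Added example: routing model for the two layouts in the thread. All addresses
# other than 192.168.100.0/24 and 192.168.100.1 are constructed, not from the thread.
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Iface = ipaddress.IPv4Interface
Net = ipaddress.IPv4Network


@dataclass
class Router:
    """Minimal IPv4 forwarder: one connected route per interface plus statics."""
    name: str
    interfaces: dict                              # iface name -> IPv4Interface
    statics: list = field(default_factory=list)   # [(IPv4Network, next-hop IPv4Address)]

    def iface_for(self, addr):
        """Interface whose subnet contains addr, or None (e.g. the IPsec peer)."""
        for name, ifa in self.interfaces.items():
            if addr in ifa.network:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match -> (next_hop, out_iface); connected dst is its own next hop."""
        best = None  # (prefixlen, next_hop, out_iface)
        for name, ifa in self.interfaces.items():
            if dst in ifa.network and (best is None or ifa.network.prefixlen > best[0]):
                best = (ifa.network.prefixlen, dst, name)
        for net, gw in self.statics:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, gw, self.iface_for(gw))
        return None if best is None else (best[1], best[2])

    def forward(self, src, dst, in_iface):
        """Forwarding decision: (next_hop, out_iface, icmp_redirect_sent)."""
        hit = self.lookup(dst)
        if hit is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        next_hop, out_iface = hit
        ingress = self.interfaces.get(in_iface)
        # RFC 1812 5.2.7.2 (FreeBSD ip_forward()): redirect when the packet leaves on
        # the interface it arrived on and source and next hop share that subnet,
        # i.e. the sender could have reached the next hop directly.
        redirect = (ingress is not None and out_iface == in_iface
                    and src in ingress.network and next_hop in ingress.network)
        return next_hop, out_iface, redirect


def by_address(*routers):
    """Index routers by every interface address so next hops resolve to a box."""
    return {ifa.ip: r for r in routers for ifa in r.interfaces.values()}


def walk(routers, first_hop, in_iface, src, dst):
    """Follow one packet hop by hop -> [(router name, redirect sent)]. Stops when the
    packet lands on the destination subnet or the next hop is unmodelled (peer, ISP)."""
    hops, router, iface = [], routers[first_hop], in_iface
    while True:
        next_hop, _out, redirect = router.forward(src, dst, iface)
        hops.append((router.name, redirect))
        if next_hop == dst or next_hop not in routers:
            return hops
        router = routers[next_hop]
        iface = router.iface_for(next_hop)


LAN = Net("192.168.100.0/24")      # from the thread
REMOTE = Net("192.168.200.0/24")   # far-end LAN behind the tunnel (assumed)
ISP = IPv4("203.0.113.2")          # primary gateway's upstream next hop (assumed)
PEER = IPv4("198.51.100.1")        # remote IPsec endpoint (assumed); stands in for the SPD match


def flat_lan():
    """Thread's layout: VPN box on the hosts' LAN, primary gateway routes the far end to it."""
    gw = Router("primary-gw",
                {"lan": Iface("192.168.100.1/24"), "wan": Iface("203.0.113.1/30")},
                [(REMOTE, IPv4("192.168.100.2")), (Net("0.0.0.0/0"), ISP)])
    vpn = Router("vpn-box",
                 {"lan": Iface("192.168.100.2/24"), "wan": Iface("203.0.113.9/29")},
                 [(REMOTE, PEER)])
    return by_address(gw, vpn)


def third_leg():
    """Bill's layout: VPN box on its own firewall interface (10.10.10.0/30 assumed)."""
    gw = Router("primary-gw",
                {"lan": Iface("192.168.100.1/24"), "opt1": Iface("10.10.10.1/30"),
                 "wan": Iface("203.0.113.1/30")},
                [(REMOTE, IPv4("10.10.10.2")), (Net("0.0.0.0/0"), ISP)])
    vpn = Router("vpn-box",
                 {"lan": Iface("10.10.10.2/30"), "wan": Iface("203.0.113.9/29")},
                 [(REMOTE, PEER), (LAN, IPv4("10.10.10.1"))])
    return by_address(gw, vpn)


def summarize(routers):
    """First packet LAN host -> far end, and a tunnel packet far end -> LAN host."""
    host, far = IPv4("192.168.100.77"), IPv4("192.168.200.10")
    out = walk(routers, IPv4("192.168.100.1"), "lan", host, far)    # via the host's default GW
    back = walk(routers, IPv4("203.0.113.9"), "ipsec", far, host)   # arrives on the tunnel
    return {"outbound": out, "inbound": back,
            "redirect_sent": any(sent for _, sent in out),
            "tunnel_traffic_crosses_firewall": any(n == "primary-gw" for n, _ in back)}


if __name__ == "__main__":
    for label, build in (("flat LAN", flat_lan), ("third leg", third_leg)):
        print(label, summarize(build()))
```

In the flat layout the gateway's only choice for the far-end subnet is a next hop on the very interface the packet came in on, so it forwards and emits a redirect; once the host honours it, and for every packet coming back out of the tunnel, the primary firewall is no longer in the path at all. With the third leg the same static route points out a different interface, no redirect is ever generated, and both directions of tunnel traffic pass through the firewall where they can be filtered.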
Re: Re: [pfSense Support] default gateway on LAN ???
I know this doesn't answer your question and I'm not trying to, but I'd like to offer my opinion FWIW. I'd attach the LAN leg from your pfSense VPN boxes (machine 2 in each location) to a third leg on the Internet firewall in each location and static route out it. Sending ICMP redirects from the primary gateway telling clients to use a different gateway tends to be somewhat problematic.

--Bill

On 1/23/06, David Strout <[EMAIL PROTECTED]> wrote:
> Here is a quick visual of what I have in a couple of locations ...
>
> Let me know if it comes through.
> --
> David L. Strout
> Engineering Systems Plus, LLC
>
> ----- Original Message -----
> Subject: Re: [pfSense Support] default gateway on LAN ???
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: 01-23-2006 4:36 pm
>
> David Strout wrote:
>> I have a ? / feature request. If pfS IS NOT the default GW on the LAN
>> then I suppose that the only way to direct all traffic out the
>> "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an
>> alternate IP address (that of the default GW for the LAN).
>
> I believe you can enter a route with destination 0.0.0.0/0, which is the
> same as your default route. Mind you, that will override your WAN's
> default gateway (or they might fight with each other and really screw
> stuff up, depending on the situation).
>
>> I think that this would be a real nice feature addition for those who
>> are adding pfS to their already existing LAN, for say a dedicated test
>> platform, or dedicated VPN concentrator or a plethora of other
>> reasons.
>
> In that type of situation, you either need your pfSense WAN interface
> connected to your LAN (hence the default gateway will be correct), or if
> you have public IPs to spare, the LAN interface can be on your LAN, and
> the WAN on the Internet, and you would still not need any static routes
> unless your LAN contains subnets other than the primary LAN subnet.
Re: Re: [pfSense Support] default gateway on LAN ???
Here is a quick visual of what I have in a couple of locations ...

Let me know if it comes through.
--
David L. Strout
Engineering Systems Plus, LLC

----- Original Message -----
Subject: Re: [pfSense Support] default gateway on LAN ???
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 01-23-2006 4:36 pm

David Strout wrote:
> I have a ? / feature request. If pfS IS NOT the default GW on the LAN then I suppose that the only way to direct all traffic out the "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an alternate IP address (that of the default GW for the LAN).

I believe you can enter a route with destination 0.0.0.0/0, which is the same as your default route. Mind you, that will override your WAN's default gateway (or they might fight with each other and really screw stuff up, depending on the situation).

> I think that this would be a real nice feature addition for those who are adding pfS to their already existing LAN, for say a dedicated test platform, or dedicated VPN concentrator or a plethora of other reasons.

In that type of situation, you either need your pfSense WAN interface connected to your LAN (hence the default gateway will be correct), or if you have public IPs to spare, the LAN interface can be on your LAN, and the WAN on the Internet, and you would still not need any static routes unless your LAN contains subnets other than the primary LAN subnet.

[Attachment: multigwnet.gif (GIF image)]
Re: Re: [pfSense Support] default gateway on LAN ???
>> I have a ? / feature request. If pfS IS NOT the default GW on the LAN
>> then I suppose that the only way to direct all traffic out the
>> "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an
>> alternate IP address (that of the default GW for the LAN).
>
> I believe you can enter a route with destination 0.0.0.0/0, which is the
> same as your default route. Mind you, that will override your WAN's
> default gateway (or they might fight with each other and really screw
> stuff up, depending on the situation).

If you have a LAN setup w/ the PRIMARY GW as something other than the pfS LAN IP then you have to route traffic appropriately and therefore you need to have pfS point to it (PRIMARY GW) as the default GW for the LAN. Say for example: LAN subnet 192.168.100.0/24 with a default GW of 192.168.100.1; then you plunk in a pfS box to do site-to-site VPN, and then you have to route to have a two-way conversation (from the other side of the VPN) w/ clients that have 192.168.100.1 as their default GW.

>> I think that this would be a real nice feature addition for those who
>> are adding pfS to their already existing LAN, for say a dedicated test
>> platform, or dedicated VPN concentrator or a plethora of other
>> reasons.
>
> In that type of situation, you either need your pfSense WAN interface
> connected to your LAN (hence the default gateway will be correct), or if
> you have public IPs to spare, the LAN interface can be on your LAN, and
> the WAN on the Internet, and you would still not need any static routes
> unless your LAN contains subnets other than the primary LAN subnet.

Maybe I am missing something then, as I have this exact setup. And for site-to-site communications through the VPN (where pfS IS NOT the default GW on either end of the tunnel) I have to enter static routes for the talks to establish. Keeping in mind that the PRIMARY GW has static routes in it for the "far" end subnets of the tunnel with the GW as the pfS LAN IP for those subnets. I could provide a diagram via gif snapshot but fear that it will not come through (as I have had issues with this before).
Re: [pfSense Support] default gateway on LAN ???
David Strout wrote:
> I have a ? / feature request. If pfS IS NOT the default GW on the LAN then I suppose that the only way to direct all traffic out the "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an alternate IP address (that of the default GW for the LAN).

I believe you can enter a route with destination 0.0.0.0/0, which is the same as your default route. Mind you, that will override your WAN's default gateway (or they might fight with each other and really screw stuff up, depending on the situation).

> I think that this would be a real nice feature addition for those who are adding pfS to their already existing LAN, for say a dedicated test platform, or dedicated VPN concentrator or a plethora of other reasons.

In that type of situation, you either need your pfSense WAN interface connected to your LAN (hence the default gateway will be correct), or if you have public IPs to spare, the LAN interface can be on your LAN, and the WAN on the Internet, and you would still not need any static routes unless your LAN contains subnets other than the primary LAN subnet.
Re: [pfSense Support] default gateway on LAN ???
Another quick quip ... it would also be a nice addition to have the LAN interface DHCP-able so it can be IP'd by DHCP, just to provide the maximum flexibility. I realize that when doing the initial setup that setting the interface statically is imperative, but considering the prior post this setup just came to mind and would be a GREAT addition to an already GREAT product !!!
--
David L. Strout
Engineering Systems Plus, LLC

----- Original Message -----
Subject: [pfSense Support] default gateway on LAN ???
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 01-23-2006 4:21 pm

> I have a ? / feature request. If pfS IS NOT the default GW on the LAN then I suppose that the only way to direct all traffic out the "REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an alternate IP address (that of the default GW for the LAN).
>
> It would be nice to have a default GW field for the LAN interface that builds a static route for this type of scenario (of course if you leave it blank then NO static would be created and pfS would be the de facto default GW for the LAN subnet).
>
> I think that this would be a real nice feature addition for those who are adding pfS to their already existing LAN, for say a dedicated test platform, or dedicated VPN concentrator or a plethora of other reasons.
>
> ONE NOTE: I have added the static route in the SYSTEM > STATIC ROUTES section on various installs and have had varying luck with this setup. I have seen it work fine and then do an upgrade and then it breaks the "rules" and the system will NOT stop throwing up the "rules.debug" error. After deleting the static route all settled down and the system stabilized. As I said, this ONLY happened on some upgrades (mostly in the 0.9x versions). Maybe there was some underlying issue w/ pf / BSD ... I'm not sure, I never troubleshot it further than deleting the static route and resuming normal operation.
>
> Just thought that this would be a real nice (and VERY handy) feature addition to pfS ... as long as it doesn't break anything. And can be accomplished w/ BSD's pf.
>
> Regards,
> --
> David L. Strout
> Engineering Systems Plus, LLC