Project 1 : PFSense Routing
-
@WrCombs said in Project 1 : PFSense Routing:
@Pete-S said in Project 1 : PFSense Routing:
@WrCombs said in Project 1 : PFSense Routing:
@Pete-S said in Project 1 : PFSense Routing:
@WrCombs said in Project 1 : PFSense Routing:
update: I was able to get the Windows 10 VM onto the internet. Took me forever to figure it out, but the VM was using the wrong setup for the network adapter.
Using the following diagram:
Seems pretty simple to me, set up the VM to use an Internal Adapter (?) and use Static Routing to hop the connection through the 2 routers and out to the internet.
thoughts?
I can't see any static routing defined here.
But first, Rule no 1 - always give each device a name and write IPs, subnets and CIDR on the network diagram.
Router 1 (left) is connected to the internet. It routes but that is the default route, right? Everything on its LAN is routed to the default gateway on the WAN. That gateway is either defined as a static IP or through DHCP.
But it's the same with Router 2, connected to the client. It's default gateway for the client LAN and routes everything to the default gateway on its outside (which is router 1).
If you had both routers on the same LAN it would have been different. Then a client could route some traffic through Router 1 and some traffic through Router 2.
I haven't done it yet, as I said above the diagram, I was using the wrong Adapter setting in Oracle VirtualBox on the Windows 10 device,
I stated: Seems pretty simple to me, Setup VM to use Internal (instead of NAT) (?) and use static routing to hop the connection through the 2 routers and out to the internet.
Then asked for Thoughts on my Plan of Action, the Diagram was to give a visual of what I was planning.
@Dashrender I misread what you said, I thought you said "awesome, then try it with Dynamic Routing"
I haven't done it yet.
Well, I don't see the exercise as an attempt at setting up static routes but rather an attempt at creating a double NAT setup. But that might be a useful exercise by itself.
Please add names for each router and device and write IPs and subnets you intend to use (for each interface). On the internet side you can write public IP, DHCP if that is what you have.
now I'm confused.
What part? Double NAT vs Static routes? Having a network diagram with detailed info?
-
@WrCombs said in Project 1 : PFSense Routing:
update: I was able to get the Windows 10 VM onto the internet. Took me forever to figure it out, but the VM was using the wrong setup for the network adapter.
Using the following diagram:
Seems pretty simple to me, set up the VM to use an Internal Adapter (?) and use Static Routing to hop the connection through the 2 routers and out to the internet.
thoughts?
You should expand upon this for networks, as Pete mentions.
-
Nothing about the diagram implies any NATing or double NATing... Though in a home setup, we assume NATing will take place.
-
@Dashrender said in Project 1 : PFSense Routing:
Nothing about the diagram implies any NATing or double NATing... Though in a home setup, we assume NATing will take place.
Correct. Need more details in the network diagram to be certain.
-
Likely neither. No static and no double NAT. In theory it's likely single NAT with default routes. But another router is needed so that static to the non-default can be established.
-
I'm still working on setting up the diagram with the IPs
Question though: the Static routing is defined as "upstream gateway" in PFSense correct?
-
@WrCombs said in Project 1 : PFSense Routing:
the Static routing is defined as "upstream gateway" in PFSense correct?
No, upstream gateway is the default.
-
I have no idea what you want @WrCombs to accomplish. You should probably draw the network diagram.
I can't see anything in his proposed network diagram that the default route wouldn't take care of. I doubt you meant 0.0.0.0/0 when you talked about setting up static routing.
Also, by default pfSense is set up to automatically identify the default gateway on the WAN and set that up as the default route for the LAN. It's under System / Routing / Gateways and then you have static routes under System / Routing / Static Routes. If you want to see pfSense's routing table it's under Diagnostics / Routes.
-
@Pete-S said in Project 1 : PFSense Routing:
I have no idea what you want @WrCombs to accomplish. You should probably draw the network diagram.
I want there to need to be a non-default route
-
@scottalanmiller said in Project 1 : PFSense Routing:
@Pete-S said in Project 1 : PFSense Routing:
I have no idea what you want @WrCombs to accomplish. You should probably draw the network diagram.
I want there to need to be a non-default route
OK, one scenario I can think of is this:
You have an Edgerouter on your LAN, 192.168.1.0/24, that gives you internet access.
Now you want to add your server fleet (VM host) to the LAN and protect them behind a pfSense firewall/router. All your servers are located on the server LAN, 10.100.1.0/24.
-
How can you let the W10 client have access to the server LAN, for instance 10.100.1.2, by changing the Edgerouter config?
-
How can you access the server LAN from your W10 client directly (without sending that traffic over the Edgerouter)?
-
-
Just remember @WrCombs that you can set up static routes both on the client VMs or the router VMs. Most of the time, you'd want this to be set up on your routers because it's more manageable this way plus you can use dynamic routing protocols at scale. However, in some real-life scenarios like remote access VPN with split tunnelling, a route to the secure remote network needs to be added on the client machine itself (with L2TP at least).
-
@Pete-S said in Project 1 : PFSense Routing:
@scottalanmiller said in Project 1 : PFSense Routing:
@Pete-S said in Project 1 : PFSense Routing:
I have no idea what you want @WrCombs to accomplish. You should probably draw the network diagram.
I want there to need to be a non-default route
OK, one scenario I can think of is this:
You have an Edgerouter on your LAN, 192.168.1.0/24, that gives you internet access.
Now you want to add your server fleet (VM host) to the LAN and protect them behind a pfSense firewall/router. All your servers are located on the server LAN, 10.100.1.0/24.
-
How can you let the W10 client have access to the server LAN, for instance 10.100.1.2, by changing the Edgerouter config?
-
How can you access the server LAN from your W10 client directly (without sending that traffic over the Edgerouter)?
-
Wouldn't updating the Edgerouter Routing Table control that?
If not, then I have no idea. This is a static routing environment, so my guess would be to change the routing table to show the next hop to 10.100.1.2 is to go through 192.168.1.123.
Assuming the switch is a dumb switch and is not programmed, I have no idea. How would you?
The whole reason behind doing this is to understand it, and the more I do it the more and more I get confused, for whatever reason I can't learn networking outside of the basics.
-
-
@WrCombs said in Project 1 : PFSense Routing:
Assuming the switch is a dumb switch and is not programmed, I have no idea. How would you?
I think you must be confusing a switch with a router, because the switching being "dumb" (aka unmanaged) or managed has nothing to do with the equation. A switch is a switch, the behaviour is not affected by whether or not it is managed or monitored. A switch, by definition, doesn't route or know where services are located.
There are two approaches here, have a router do the work of telling where data should go, or set routes on the devices.
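
Added example, not part of any poster's message: a small Python model of the Edgerouter/pfSense scenario from this thread, showing how longest-prefix matching picks the path with default routes only, with a static route on the Edgerouter, and with a static route on the client. The 192.168.1.0/24 and 10.100.1.0/24 networks and the 192.168.1.123 next hop come from the thread; the Edgerouter address 192.168.1.1, the client address 192.168.1.50 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed lab addressing. From the thread: LAN 192.168.1.0/24, server LAN
# 10.100.1.0/24, pfSense reachable at 192.168.1.123. Assumed for illustration:
# Edgerouter at 192.168.1.1 and the W10 client at 192.168.1.50.
OWNER = {"192.168.1.1": "edgerouter", "192.168.1.123": "pfsense"}

def net(cidr):
    return ipaddress.ip_network(cidr)

def base_tables():
    """Routing tables with default routes only; next hop None means on-link."""
    return {
        "client": [(net("192.168.1.0/24"), None), (net("0.0.0.0/0"), "192.168.1.1")],
        "edgerouter": [(net("192.168.1.0/24"), None), (net("0.0.0.0/0"), "isp")],
        "pfsense": [(net("192.168.1.0/24"), None), (net("10.100.1.0/24"), None),
                    (net("0.0.0.0/0"), "192.168.1.1")],
    }

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, hop) for n, hop in table if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def path(tables, start, dst, max_hops=8):
    """Follow next hops device by device and return the list of hops taken."""
    hops, device = [start], start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return hops + ["unreachable"]
        next_hop = route[1]
        if next_hop is None:            # destination network is directly attached
            return hops + ["delivered"]
        if next_hop not in OWNER:       # handed to the ISP via the default route
            return hops + ["internet"]
        device = OWNER[next_hop]
        hops.append(device)
    return hops + ["loop"]

def with_static(tables, device, cidr, gateway):
    """Return a copy of tables with one static route added on device."""
    copy = {name: list(routes) for name, routes in tables.items()}
    copy[device].append((net(cidr), gateway))
    return copy

SERVER = "10.100.1.2"
default_only = base_tables()
on_router = with_static(default_only, "edgerouter", "10.100.1.0/24", "192.168.1.123")
on_client = with_static(default_only, "client", "10.100.1.0/24", "192.168.1.123")

if __name__ == "__main__":
    for label, t in [("default only", default_only),
                     ("route on Edgerouter", on_router),
                     ("route on client", on_client)]:
        print(f"{label:20} {' -> '.join(path(t, 'client', SERVER))}")
    reply = path(on_router, "pfsense", "192.168.1.50")
    print(f"{'reply from pfSense':20} {' -> '.join(reply)}")
```

The model covers route selection only; firewall rules and NAT on pfSense still decide whether the traffic is passed. With the route on the Edgerouter, the reply from pfSense goes straight to the client on the shared LAN, so the two directions take different paths.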
-
@scottalanmiller said in Project 1 : PFSense Routing:
@WrCombs said in Project 1 : PFSense Routing:
Assuming the switch is a dumb switch and is not programmed, I have no idea. How would you?
I think you must be confusing a switch with a router, because the switching being "dumb" (aka unmanaged) or managed has nothing to do with the equation. A switch is a switch, the behaviour is not affected by whether or not it is managed or monitored. A switch, by definition, doesn't route or know where services are located.
There are two approaches here, have a router do the work of telling where data should go, or set routes on the devices.
Thanks for clarifying.
-
@WrCombs said in Project 1 : PFSense Routing:
and is not programmed
This would be a "what do these words mean to you" situation. There is no concept of "programming a switch". Nor is there any behaviour in a switch that I can reasonably equate with programming. So I'm unclear what it is that you are picturing. But my guess would be that you aren't thinking of switching clearly as a layer two communications device, but instead feeling like it is a magic box that connects things together so that programming it feels like a reasonable possibility.
But a switch is nothing more than a multi-port bridge. It only knows what MAC addresses exist on each port, nothing more, nothing less. It doesn't even know what an IP address is. There's no human or automation interaction to this job. A switch builds its list by listening on its ports and it sends traffic by MAC address on layer 2. Switches are non-routable devices and don't have concepts like a default router or routes, because they are layer 2.
-
@WrCombs said in Project 1 : PFSense Routing:
The whole reason behind doing this is to understand it, and the more I do it the more and more I get confused, for whatever reason I can't learn networking outside of the basics.
Have you learned the ISO OSI model yet? I can't imagine trying to figure out networking without knowing it.
-
Something worth noting... what you are doing here, learning routing tables, is something that nearly 100% of IT pros will never do in a lifetime (at least, outside of a lab.) This isn't something that people do in the real world. When you do do this, it's a networking specialist who only does this that is brought in. Of course, learning it is great. But the thing you are attempting to learn is at a level that is pretty much above any real world networking done by a non-dedicated networking specialist. But the stuff that you need to learn is far more basic, like "what is a switch" which is something you should have down solidly before you even introduce the concept of routing.
So I think you are attempting to learn relatively hard concepts, without having built a firm foundation in the basics.
-
@scottalanmiller said in Project 1 : PFSense Routing:
@WrCombs said in Project 1 : PFSense Routing:
The whole reason behind doing this is to understand it, and the more I do it the more and more I get confused, for whatever reason I can't learn networking outside of the basics.
Have you learned the ISO OSI model yet? I can't imagine trying to figure out networking without knowing it.
I've watched the video on it a dozen times, still don't understand it.
Here's what I recall:
Layer 1 - Physical layer: Cabling, Devices
Layer 2 - Data link: Switches/Hubs
Layer 3 - Network: Routing
Layer 4 - Transport: how it's getting to and from (TCP, UDP)
Layer 5 - Session: (don't know about this one) encryption?
Layer 6 - Presentation: decryption of layer 5 (maybe)
Layer 7 - Application: final product, what you see on the screen.
Is what I gathered from watching the video all those times.
-
@scottalanmiller said in Project 1 : PFSense Routing:
Something worth noting... what you are doing here, learning routing tables, is something that nearly 100% of IT pros will never do in a lifetime (at least, outside of a lab.) This isn't something that people do in the real world. When you do do this, it's a networking specialist who only does this that is brought in. Of course, learning it is great. But the thing you are attempting to learn is at a level that is pretty much above any real world networking done by a non-dedicated networking specialist. But the stuff that you need to learn is far more basic, like "what is a switch" which is something you should have down solidly before you even introduce the concept of routing.
So I think you are attempting to learn relatively hard concepts, without having built a firm foundation in the basics.
Yeah, you're probably right honestly.
-
@WrCombs Programming in my opinion is your code that is capable of making decisions or using logic based on some type of input. If it can't do this then I consider it just scripting. How important this info is in the real world, well who knows lol. Again that is just my definition and others may be different.