Networking community, I have hit a snag and was hoping for advice or suggestions:
I am having trouble getting Router 2 to transmit traffic between the Firewall WAN port (internet) and Router 1 and vice versa and am not sure what to do.
The Firewall (pfSense) is configured on the LAN side with 3 VLANs (VLAN11, VLAN12, VLAN13). I have configured Switch1 with the appropriate Trunk/Access ports to allow all devices to communicate with each other and the WAN (Internet access).
- The VLAN addressing scheme from pfSense is: 192.168.11.X (VLAN11), 12.X (VLAN12), etc.
- Router 1: is configured as a DHCP server for all devices attached to G0/1
- NAT is enabled and configured
- OSPF is configured and enabled (For learning purposes)
The following are various configurations I have attempted; I feel I am very close, but am missing one small thing:
Config 1:
Router 2: with manual G0/1 configuration
Router 2: G0/1: ip = 192.168.13.30 255.255.255.0
- Router 2 has all of the information in its routing table from Router 1
- Router 1 has all of the information in its routing table from Router 2
- Router 2 CAN ping everything behind Router 1 (off G0/1)
- Router 2 CAN ping server 1 & 2 (which reside on VLAN13)
- Router 2 cannot ping the WAN address on pfSense
- Router 1 cannot ping the servers which reside on VLAN 13 or pfSense WAN address
Configuration excerpt from Config_1
ROUTER 2: Configuration excerpt:
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address 192.168.200.5 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.13.15 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 10
network 192.168.13.0 0.0.0.255 area 0
network 192.168.200.4 0.0.0.3 area 0
default-information originate
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
ROUTER 1: Configuration excerpt:
interface GigabitEthernet0/0
ip address 192.168.200.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 10
network 192.168.200.4 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
Config 2:
I have also recently tried the following to no avail:
On Router 2, G0/1: "ip address dhcp" (Allowing pfSense to dynamically assign IP)
- Router 2 has all of the information in its routing table from Router 1
- Router 1 has all of the information in its routing table from Router 2
- Router 2 CAN ping server 1 & 2 (which reside on VLAN13)
- Router 2 CAN ping the WAN address on pfSense
- Router 2 CAN ping everything behind Router 1 (off G0/1)
- Router 1 cannot ping the servers which reside on VLAN 13
- Router 1 cannot ping the WAN address on pfSense
- pfSense cannot ping Router2 eth0/0 ip address
Currently trying: going back and configuring the port on the switch that Router2 G0/1 is attached to, to 'Trunk' mode. Then I am going to manually reconfigure the G0/1 port again on the router.
Thank you again for any assistance or advice. Please let me know if I can provide any further details to aid.
Update: After removing NAT and OSPF 'default-information originate'
Router2 Configuration
interface Loopback0
ip address 192.168.31.254 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address 192.168.200.5 255.255.255.252
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.13.15 255.255.255.0
ip address dhcp
duplex auto
speed auto
!
router ospf 10
network 192.168.13.0 0.0.0.255 area 0
network 192.168.200.4 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
Router1: Configuration
interface Loopback0
ip address 192.168.225.254 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.200.6 255.255.255.252
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 10
network 192.168.200.4 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
Updated
Router2
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address 192.168.200.5 255.255.255.252
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
!
router ospf 10
network 150.10.93.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.200.4 0.0.0.3 area 0
default-information originate
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip default-network 192.168.13.0
ip route 192.168.13.0 255.255.255.0 152.14.93.152 110
Firewall packet capture info
Ping sent from Router1 and Router2 to firewall WAN:
18:15:26.000811 IP 192.168.200.6 > 150.10.93.152: ICMP echo request, id 117, seq 0, length 80
18:15:27.998919 IP 192.168.200.6 > 150.10.93.152: ICMP echo request, id 117, seq 1, length 80
18:15:29.998894 IP 192.168.200.6 > 150.10.93.152: ICMP echo request, id 117, seq 2, length 80
18:15:31.998897 IP 192.168.200.6 > 150.10.93.152: ICMP echo request, id 117, seq 3, length 80
18:15:33.998902 IP 192.168.200.6 > 150.10.93.152: ICMP echo request, id 117, seq 4, length 80
18:15:37.506098 IP 192.168.13.115 > 150.10.93.152: ICMP echo request, id 143, seq 0, length 80
18:15:37.506118 IP 150.10.93.152 > 192.168.13.115: ICMP echo reply, id 143, seq 0, length 80
18:15:37.506597 IP 192.168.13.115 > 150.10.93.152: ICMP echo request, id 143, seq 1, length 80
18:15:37.506602 IP 150.10.93.152 > 192.168.13.115: ICMP echo reply, id 143, seq 1, length 80
18:15:37.506971 IP 192.168.13.115 > 150.10.93.152: ICMP echo request, id 143, seq 2, length 80
18:15:37.506976 IP 150.10.93.152 > 192.168.13.115: ICMP echo reply, id 143, seq 2, length 80
Router 2
- Router2 eth0/1 now receives a statically assigned address from the firewall
- Default route configured to VLAN13 address (192.168.13.1)
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
!
router ospf 10
network 150.10.93.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
network 192.168.200.4 0.0.0.3 area 0
default-information originate
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.13.1 110
pfSense configuration
- VLAN 13 has DHCP disabled
- Server1, Server2, and Router2 are mapped via their MAC address to a statically assigned IP address: (E.g. Router2: 192.168.13.115)
- NAT is configured for Router2: with If (upstream) | Protocol (TCP) | Src. address: * (any) | Src. Ports: * | Dest. address * | Dest. ports (other) | NAT IP 192.168.13.115 | NAT Port (Http)
Best Answer
Since Router 1 is on an outside interface of Router 2, it will not be able to originate traffic to the inside of Router 2. You have configured inside source NAT on Router 2, and this is one-way. Addresses are translated from the inside to the outside. When traffic is originated from the inside, NAT creates a table entry in order for responding traffic to be translated, but it has no table entry for traffic originated from the outside.
Running NAT on links where you are running a routing protocol is a very bad idea.
Edit based on your updated information:
If you need or want the firewall to know about the routes on the other side of Router 2, you will need to somehow get the routes into the firewall's routing table, otherwise any traffic for the unknown networks will be sent toward the default route for the firewall, and that should be the WAN.
A router, including the routing process of your firewall, needs to have a route in its routing table for any network to which it is expected to forward traffic. A default route can be used to encompass all networks, and any more specific routes in the routing table are used. Since your firewall's routing table has no routes to the networks on the other side of Router 2, it will use its default route.
You can configure your firewall to participate in OSPF with your two routers, and that will place those routes in the firewall's routing table. It will also let you originate the default route into OSPF from the firewall, and then you should remove that from the other routers.
The other, less desirable, solution is to manually configure static routes in your firewall for the networks to which it has no direct connection. This doesn't scale, and when you add, remove, or change those networks, you will need to manually change the static routes in the firewall.
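As an added illustration of the two points the accepted answer makes (this is example code written for this page, not something from the question or answer, and not Cisco or pfSense code), the model below replays them in Python. The first half models `ip nat inside source list ... interface ... overload` on Router 2: a translation entry is created only when an inside host sends a packet, so an outside-originated packet finds no entry and is dropped, exactly the one-way behaviour described. The matcher uses Cisco wildcard-mask semantics, and the test also shows that the page's own `access-list 1 permit 192.168.0.0 0.0.0.255` only matches 192.168.0.x; the wider `192.168.0.0 0.0.255.255` used to drive the PAT example is an assumption, not a line from the page. The second half models longest-prefix-match lookup in pfSense: with only the connected VLAN routes and a default route, traffic for Router 1's 192.168.2.0/24 goes to the WAN; once a route to that network via Router 2's VLAN13 address (192.168.13.115, from the page) is added, whether learned by OSPF or configured statically, it is forwarded inward. The interface labels ("WAN", "VLAN13") are placeholders.

```python
"""Model of one-way inside-source PAT and of longest-prefix-match routing,
built to illustrate the accepted answer. Addresses come from the page;
interface labels and the wider ACL are assumptions for the example."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class InsideSourcePat:
    """Behaves like 'ip nat inside source list <acl> interface <outside> overload'.

    Entries are created only by inside-originated traffic; there is no entry
    for a flow that starts on the outside, so it is dropped (returns None).
    """

    def __init__(self, outside_ip: str, acl: list[tuple[str, str]]):
        self.outside_ip = outside_ip
        self.acl = acl                      # [(network, wildcard), ...]
        self.table: dict[tuple[str, int], tuple[str, int]] = {}
        self.next_port = 1024               # assumed starting PAT port

    def permitted(self, src_ip: str) -> bool:
        return any(wildcard_match(src_ip, n, w) for n, w in self.acl)

    def inside_to_outside(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Inside host sends a packet: allocate a port and record the entry."""
        if not self.permitted(src_ip):
            return (src_ip, src_port)       # ACL miss: forwarded untranslated
        port = self.next_port
        self.next_port += 1
        self.table[(self.outside_ip, port)] = (src_ip, src_port)
        return (self.outside_ip, port)

    def outside_to_inside(self, dst_ip: str, dst_port: int):
        """Packet arrives on the outside interface: translate only on a hit."""
        return self.table.get((dst_ip, dst_port))   # None -> no entry, dropped


class RoutingTable:
    """Minimal longest-prefix-match table, as any router or pfSense uses."""

    def __init__(self):
        self.routes: list[tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str):
        d = ipaddress.ip_address(dst)
        matches = [(n, v) for n, v in self.routes if d in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def pfsense_table() -> RoutingTable:
    """Connected VLAN routes plus the WAN default: what pfSense knows by itself."""
    t = RoutingTable()
    t.add("192.168.11.0/24", "VLAN11")
    t.add("192.168.12.0/24", "VLAN12")
    t.add("192.168.13.0/24", "VLAN13")
    t.add("0.0.0.0/0", "WAN")
    return t


def with_router2_routes(t: RoutingTable) -> RoutingTable:
    """What OSPF (or static routes) would add: networks behind Router 2."""
    t.add("192.168.200.4/30", "192.168.13.115")   # Router1-Router2 link
    t.add("192.168.2.0/24", "192.168.13.115")     # Router 1's LAN
    return t


if __name__ == "__main__":
    pat = InsideSourcePat("192.168.13.15", [("192.168.0.0", "0.0.255.255")])
    print("inside->outside:", pat.inside_to_outside("192.168.2.10", 40000))
    print("return traffic:", pat.outside_to_inside("192.168.13.15", 1024))
    print("outside-originated:", pat.outside_to_inside("192.168.13.15", 2000))
    fw = pfsense_table()
    print("pfSense -> 192.168.2.10:", fw.lookup("192.168.2.10"))
    print("after routes:", with_router2_routes(fw).lookup("192.168.2.10"))
```

The PAT model is deliberately simple (no timeouts, no protocol field); the point it carries is that the translation table is populated only in one direction, which is why Router 1 could never be reached from the firewall side while NAT was on the OSPF-facing link.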