I am working on a lab simulating a rather standard environment I'd imagine but am having issues getting out to the internet. I had this working with static routes for 10.250.0.0/13 going through 192.168.250.254 - the static route was created on the firewall. I have all the firewalling disabled for now so that I am not having issues with ACLs. I attached a diagram so maybe someone can help. I have Quagga installed and working (though OSFP/routing are not my forte).
I've attached a diagram to see if anyone can help me out. Again, there are "allow all" rules on all firewall and routing interfaces to eliminate that. From Test VM2 (10.251.251.15) I can ping everything on the network in every subnet/VLAN as listed in the ESG route table. However, I cannot ping 18.104.22.168 and I can't figure out why!
Thanks for looking all!
Edit: I should also add, when I do a traceroute from 10.251.251.15, I get the following:
TestTraceRoute:~$ traceroute 22.214.171.124
traceroute to 126.96.36.199 (188.8.131.52), 30 hops max, 60 byte packets
1 10.252.252.1 (10.251.251.1) 0.237 ms 0.142 ms 1002.258 ms
2 10.250.250.1 (10.250.250.1) 0.166 ms 0.191 ms 0.185 ms
3 192.168.250.1 (192.168.250.1) 0.616 ms 0.618 ms 0.598 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
It seems to route correctly until the pfSense and it routes towards your ISP. First thing to mind is; have you applied source NAT coming from that network to your ISP?
smitmartijn forgive me, but I never had to do that with static routes in place. Can you explain in more detail? Thank you!
I'm assuming you have a ISP that doesn't know about your internal IP ranges? (regular internet, not a MPLS connection or anything?). If yes, then if you do not source NAT your internal IP ranges on the pfSense appliance, the first hop of your ISP will see the IP 10.251.251.15 as the source, not recognize it and drop the traffic (hence, the traceroute that stops).
Has nothing to do with dynamic or static routing, it's your ISP dropping the traffic because it's not source NATed to the outside WAN IP address of the pfSense. (mind you, that is an assumption, as you haven't mentioned if you're doing source NAT already or not. 🙂 ).
I have a residential FIOS connection yep - I guess what is weird, or I am not understanding, is that prior to the OSPF configuration I was able to get to the internet without an issue. Unfortunately I don't remember what the gateway of the ESG was, but I believe it'd have to have been 192.168.250.1 since it's in that network (ESG is 192.168.250.254). Confirmed from a screenshot of my static routes that it's always been 192.168.250.254, yet egress internet traffic always worked.
That said, how would I configure a Source NAT and where? Apologies again, I don't deal with much edge/egress traffic. Mostly layer 2.
Just for grins I am going to disable OSPF on the uplink side of the ESG/pfSense just for a sanity check and go back to static routes. Maybe its something weird in how pfSense is routing.
Ok - confirmed - something is "different" with static routes vs. OSPF.
Test VM with 10.251.251.15 private Ip address can’t go to Internet as it is not routable, so as pointed previous post, it needs to be converted to a real public Ip whether on Edge or Pfsense, is there any source NAT configuration on any of these two VMs? Static pr dynamic routing could be important about announcement of NAT’ed Real Ip to the outside as routers need to know how to route to this Ip
Thanks guys - so I dug through pfSense configuration and see that when I create static routes it creates automatic outbound NAT rules (any any) for the static routes added. So, it's possible that those NAT rules do not exist when using OSPF. That said, I am not sure OSPF is of value here then, because if I can create dynamic routes but need to manually add outbound NATs then..well... point defeated!
Thanks for the help I will follow up as to whether adding outbound NATs fixes the issue(s)
Please can you check if outbound NAT mode is set to "automatic outbound NAT rule generation" in your PFsense router ?
This should make sure NAT rules are created automatically to allow your subnets advertised via OSPF to go to the Internet.