
I have a Draytek 3200 router and a pfsense rackmount router that I am trying to get to route to each other.

I have a subnet on each router and a subnet for the link between, as shown here:

Network Map

As it stands at the moment I can ping from the Draytek 192.168.1.0/24 subnet to 10.2.1.2/24 successfully. I can ping from 10.2.1.1 to 10.2.1.2. I can't ping from the pfsense at all to the draytek's 192.168.1.0/24 subnet.

Ultimately I am trying to be able to ping anything on the 192.168.1.0/24 subnet from any LAN on the pfsense.

Current pfsense Interfaces


Current pfsense Gateways


Current pfsense Routes


I've allowed everything through on the firewall, as far as I can tell.

Draytek Subnet Configuration


Draytek Static Routes


I'm certain I'm missing something and it's probably obvious, but I can't for the life of me get this working.

Draytek Routing Table

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*            0.0.0.0/ 0.0.0.0          via 81.142.64.1       WAN1
S           10.1.1.0/ 255.255.255.0    via 10.2.1.2          LAN1
C           10.2.1.0/ 255.255.255.0    directly connected    LAN4
*        81.142.64.1/ 255.255.255.255  via 81.148.64.1       WAN1
C~       192.168.1.0/ 255.255.255.0    directly connected    LAN1
S~       192.168.2.0/ 255.255.255.0    via 86.143.86.52     VPN-3
S~       192.168.3.0/ 255.255.255.0    via 146.255.106.220  VPN-1
S~       192.168.4.0/ 255.255.255.0    via 146.225.121.125  VPN-5
S~       192.168.5.0/ 255.255.255.0    via 217.42.42.188    VPN-4
S~       192.168.6.0/ 255.255.255.0    via 86.22.102.129     LAN3
C       192.168.20.0/ 255.255.255.0    directly connected    DMZ 
S      217.32.42.177/ 255.255.255.255  via 217.32.42.177     WAN1
C      217.32.47.176/ 255.255.255.240  directly connected    LAN1

I wasn't sure if it's relevant but the two routers are not directly connected via a patch cable as the Draytek only has one true LAN port. The LAN 4 on the Draytek is tagged, passed to a switch which is set to untagged on the port the pfsense is connected to.


PFSense Firewall Log

ACT IF    Source       Destination     Prot
X   LAN2  10.2.1.2:80  10.2.1.1:3439   TCP:FA
X   LAN2  10.2.1.2:80  10.2.1.1:39437  TCP:FA
X   LAN2  10.2.1.2:80  10.2.1.1:39441  TCP:FA
X   LAN2  10.2.1.2:80  10.2.1.1:39445  TCP:FA

Core Switch VLAN Config


dannymcc
  • Does the draytek need a static route for something directly connected to it? – NickW Mar 05 '13 at 15:15
  • I'm not sure - but without the static routes it still fails. – dannymcc Mar 05 '13 at 15:16
  • hmm, got a bit confused there.. obviously that static route is fine. You need to make sure that the firewall on the Draytek is completely disabled also. – NickW Mar 05 '13 at 15:36
  • Firewall and QoS is all disabled. – dannymcc Mar 05 '13 at 15:52
  • if you telnet to the draytek and type in ip route static, what does it print? – NickW Mar 05 '13 at 15:57
  • Routing table added to question. – dannymcc Mar 05 '13 at 18:10
  • That routing table looks fine, let's see what the laptop does.. – NickW Mar 06 '13 at 09:23
  • I've added a diagram of the way the routers are connected to my question. If I connect to the network 10.2.1.0/24 I can ping the Draytek but not the PFsense. Strangely, if I am on the 192.168.1.0/24 subnet (on the draytek) I can ping the pfsense (10.2.1.2) but not the draytek (10.2.1.1). – dannymcc Mar 06 '13 at 11:48
  • Can you set the draytek LAN4 port to untagged? – NickW Mar 06 '13 at 12:01
  • It doesn't look that way - I can either enable or disable. I've just noticed some firewall log entries on the pfsense though - adding screenshots to question now. – dannymcc Mar 06 '13 at 12:13
  • I'm going to bet the issue is with VLAN tagging, is VLAN 111 also on port 44? – NickW Mar 06 '13 at 12:22
  • VLAN 111 is tagged on port 44 as that's the router's main link to the switch and carries other VLANs. – dannymcc Mar 06 '13 at 12:27
  • The TCP:FA rules are for out of state traffic, basically, someone is routing something incorrectly.. what happens if you check this on the pfsense? Static route filtering [ ] Bypass firewall rules for traffic on the same interface – NickW Mar 06 '13 at 12:32
  • Done that, the blocks have stopped in the firewall logs but the ping not working is still the same. I'm running out of things to try! – dannymcc Mar 06 '13 at 12:55
  • I think I have spotted it! Why are you routing through LAN1 to get to the pfsense, when LAN4 is the tagged port? – NickW Mar 06 '13 at 13:03
  • Well spotted! I can't change it in the interface, it shows at LAN4 but the routing table clearly stays as LAN1. I'll contact Draytek now. – dannymcc Mar 06 '13 at 13:08
  • I've updated the firmware which corrected the problem with the static routes - but apparently it was set as LAN4 but a bug caused it to show LAN1 regardless. – dannymcc Mar 06 '13 at 14:22
  • I think you may just have to pass this to Draytek support.. – NickW Mar 06 '13 at 14:26
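
As an added example (not part of the original question or answers): a small Python script that loads the Draytek routing table quoted above (abridged to the relevant rows, copied verbatim from the question) and checks every static route's next hop against the connected subnets. A next hop that sits on a connected subnet bound to a different interface than the route claims is exactly the LAN1/LAN4 inconsistency NickW spotted in the comments, and this check flags it mechanically.

```python
import ipaddress
from typing import NamedTuple, Optional

# Rows copied from the Draytek routing table in the question (abridged).
DRAYTEK_TABLE = """
*            0.0.0.0/ 0.0.0.0          via 81.142.64.1       WAN1
S           10.1.1.0/ 255.255.255.0    via 10.2.1.2          LAN1
C           10.2.1.0/ 255.255.255.0    directly connected    LAN4
C~       192.168.1.0/ 255.255.255.0    directly connected    LAN1
S~       192.168.2.0/ 255.255.255.0    via 86.143.86.52     VPN-3
C       192.168.20.0/ 255.255.255.0    directly connected    DMZ
C      217.32.47.176/ 255.255.255.240  directly connected    LAN1
"""

class Route(NamedTuple):
    kind: str                              # C connected, S static, * default
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]   # None when directly connected
    iface: str

def parse_draytek_table(text: str) -> list:
    """Parse the Draytek listing: flags, 'prefix/ mask', next hop, interface."""
    routes = []
    for line in text.strip().splitlines():
        p = line.split()
        prefix = ipaddress.IPv4Network((p[1].rstrip("/"), p[2]), strict=False)
        via = ipaddress.IPv4Address(p[4]) if p[3] == "via" else None
        routes.append(Route(p[0].rstrip("~"), prefix, via, p[5]))
    return routes

def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match, the same decision the router's forwarding makes."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def next_hop_mismatches(routes) -> list:
    """Routes whose next hop is on a connected subnet, but on another interface.
    Returns (prefix, interface the route claims, interface the next hop is on)."""
    connected = [r for r in routes if r.kind == "C"]
    out = []
    for r in routes:
        if r.via is None:
            continue
        onlink = [c for c in connected if r.via in c.prefix]
        if onlink and onlink[0].iface != r.iface:
            out.append((str(r.prefix), r.iface, onlink[0].iface))
    return out
```

Next hops with no connected subnet (the WAN and VPN rows) are skipped rather than reported, since point-to-point links legitimately have no connected prefix in this listing.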

2 Answers


Hmm, since the two subnets are masked and cannot really communicate, I would do a NAT on both routers, then ping will work. So you have to NAT the networks.


What happens if you set your laptop up on the middle subnet with IP 10.2.1.3/24 and set your gateway to the Draytek? Try to ping the Draytek (10.2.1.1), then try to ping the subnet behind the Draytek. If you have the same problem from the laptop you can focus on the Draytek. Likewise, you could try pinging the laptop from the pfsense and the pfsense subnet.

I know that's not an answer, but it is a logical step to determine whether the Draytek is playing up/misconfigured or the pfsense is the issue.

I seem to remember a similar issue with 2 Drayteks. I think I ended up doing a workaround by setting up an IPSec VPN tunnel between the 2, which adds the static routes to each device based on the IPSec config page entries.

SysAdman
  • I'll try this first thing in the morning when I'm back in front of the routers. The problem with IPSec is that we wanted to connect multiple VPN tunnels to the pfsense and route to the draytek to prevent the draytek from having to use its resources decrypting tunnels. I think multiple tunnels routed over one final IPSec tunnel would be lower performance than what we have now. – dannymcc Mar 05 '13 at 18:11
  • If I connect to the network 10.2.1.0/24 I can ping the Draytek but not the PFsense. – dannymcc Mar 06 '13 at 11:33
  • Strangely, if I am on the 192.168.1.0/24 subnet (on the draytek) I can ping the pfsense (10.2.1.2) but not the draytek (10.2.1.1). – dannymcc Mar 06 '13 at 11:35
  • I've added a diagram of how the two routers are connected. – dannymcc Mar 06 '13 at 11:45
  • On the Draytek, have you checked "System Maintenance>Management" to ensure that "Disable Ping from the Internet" is not checked? – SysAdman Mar 07 '13 at 09:14
  • Yes, checked that. Still no joy :( – dannymcc Mar 12 '13 at 16:58