Difficult routing question

buggz · February 17, 2024, 12:59am

Hello,

Can I configure another route of an address in use from an unused Ethernet port?

I now have a new OpenWRT router, a GLiNet MT6000.
I now have total 2.5GB Ethernet link network, and clients.

ISP router 2.5GB <><2.5GB WAN pfsense box 2.5GB LAN 192.168.2.2> <2.5GB WAN 192.168.2.3 OpenWRT 2.5GB LAN1 192.168.4.1> <> 2.5GB switch <> clients

I now can't get to the web GUI, 192.168.2.2 on the pfsense box from the clients.

I have the additional 1GB unused ports on the OpenWRT device, LAN2, LAN3, LAN4, LAN5
Can I use one of these unused 1GB ports to also route the address of 192.168.2.2 to a seperate 1GB switch?
I need this to get to the web GUI of the pfsense box.

Thanks.

lleachii · February 17, 2024, 1:08am

Can you provide a drawing?

Your written description seems to imply that you're asking the OpenWrt community how to configure the pfsence's firewall to access its web GUI.

Are you able to ping the IP?
Why do you mention routing to an unused port - if it's unused, how would that work?

Are you saying the pfsence does not have the IP 192.168.2.2?

buggz · February 17, 2024, 1:14am

I can try with a diagram.
The pfsense box I have no issues with, it has been great for a number of years and upgrades.
I just added the OpenWRT device behind it, now I can't access it from the clients.

lleachii · February 17, 2024, 1:16am

Can you ping it? (provide results from a client)
Can you traceroute it? (provide results from a client)

Also, please clarify:

buggz · February 17, 2024, 1:50am

Sorry for the confusion of my poor description skills.

ISP router, 2.5GB LAN
     |
2.5GB WAN
pfsense
2.5GB LAN - 192.168.2.2
     |
2.5GB WAN - 192.168.2.4
OpenWRT-------------------=-unsused 1GB ports, LAN2, LAN3, LAN4, LAN5
2.5GB LAN1 - 192.168.4.1
     |
2.5GB switch
     |
2.5GB clients

Let's see how this looks...

UPDATE -=-
Looks okay, is this better?

BTW, this has been working great for me.
All accept access to the 192.168.2.2 link I used to have before the addition of the OpenWRT device.

lleachii · February 17, 2024, 1:56am

Please test from a client in the 192.168.4.0/24 network to 192.168.2.2 and provide the output of the result.

This statement doesn't help, because:

It doesn't explain how the clients were connected before there was an OpenWrt
The clients would previously be in a different network and have different IP addressing

Did you alter any default configurations?

If so, please provide the output of:

cat /etc/config/network
cat /etc/config/firewall

buggz · February 17, 2024, 2:03am

Oh wow, I just turned OFF the VPN, guess what, I CAN ping 192.168.2.2 from a 192.168.4.0/24 client !
I can access the web GUI.
I'm kind of amazed, and now confused as to how this is routing.
Wow.

lleachii · February 17, 2024, 2:05am

This is why I asked what you meant by routing. Seems you have some VPN you failed to mention - and you need to study up routing, security and how VPNs help with that.

Glad you figured it out.

Yea, go figure.

buggz · February 17, 2024, 3:55pm

I find using NordVPN client instead of my other option does not impede my routing, I can access everything all the way to my ISP router.
Shrug...

UPDATE:
Hah, ONLY if using the local Nord server.
If using double VPN, it is again broken.

At least I have options, depending on what I need to do at certain times, email, update pfsense snort rules, etc...

mk24 · February 17, 2024, 4:01pm

An endpoint with a 192.168.4.0 LAN IP running a VPN client will be unaware of the 192.168.2.0 network and will route such requests into the VPN tunnel as its default route, where they will be lost. The endpoint could be configured with an additional route to 192.168.2.0/24 unencrypted through its LAN or wifi port, which would then allow reaching both LANs. That has nothing to do with OpenWrt though.

At least I think that was the question.

As far as the other request, yes you can bridge the other Ethernet ports into br-lan and use them the same as the 2.5 Gb lan. If a hardware switch path does not exist between the 2.5 and the 1 Gb switch, the packets must be handled by software which does impose a slight burden on the CPU.

lleachii · February 17, 2024, 4:32pm

I assume this means you have setup VPN on the client and router?

You do understand that if you run a VPN on your client and want to access local resources - that you need to setup bypass to access LAN and hence be routed to the local IP. If running VPN on the client - the bypass rules must also be configured on the local client. The instructions on how to setup a network bypass to reach LAN varies depending on the OS (i.e. Windows, Linux, etc.). Some Windows VPN client software offers these kind of settings within the program itself.

The point of [most] secure VPNs is to prevent traffic leakage, etc.

Basically in layman's terms - you setup a VPN to connect you to a trusted remote network (i.e. the VPN provider) - but then you desire to still have access local resources.

buggz · February 17, 2024, 4:47pm

I really appreciate all the replies.
I love this place, I am ALWAYS learning, thanks!

All VPN usage is via the clients, windoze, linux.
I feel this offers me better control?