Routing issue

Hello,

I have a routing problem where my CRS328 is connected to a PFSense box as the firewall. There is one VLAN that I need to extend up to the PFSense box, as there’s a bridged connection on the PFSense box that links this to another machine where some of my important functionality lies. I cannot change this. I am struggling to get the CRS to distribute IP addresses to the downstream devices. The port immediately facing the PFSense gets an IP via DHCP, but this is on a different VLAN to the VLAN that the devices downstream of the CRS are on - because I need to use the physical port of the uplink as the interface (not the bridge).
crs4.jpg
They are all on the same VLAN (710). Here is the relevant config:

/routing rule
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=222.20.20.1/24 table=VLAN710

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=V8-VL710-IOT-UPLINK_WAN pref-src="" routing-table=VLAN710 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=222.20.20.0/24 gateway=222.20.20.1 pref-src="" routing-table=VLAN710 scope=30 suppress-hw-offload=no target-scope=10

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes out-interface-list=WAN
add action=fasttrack-connection chain=output connection-state=established,related hw-offload=yes out-interface-list=WAN
add action=accept chain=forward connection-state=established,related out-interface=V8-VL710-IOT-UPLINK_WAN src-address=222.20.20.0/24
add action=accept chain=forward connection-state=established,related out-interface-list=WAN
add action=accept chain=output connection-state=established,related out-interface-list=WAN
add action=accept chain=forward connection-state=new dst-port=53 out-interface-list=WAN protocol=tcp
add action=accept chain=forward connection-state=new dst-port=53 out-interface-list=WAN protocol=udp
add action=accept chain=output connection-state=established,related,new dst-port=5246 protocol=udp
add action=accept chain=output connection-state=established,related,new dst-port=5247 protocol=udp
add action=drop chain=forward dst-address=220.10.50.0/24 src-address=220.10.1.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=V8-S1-VL710-IOT new-routing-mark=VLAN710 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=V8-VL710-IOT-UPLINK_WAN src-address=222.20.20.0/24

Apologies if that looks a little messed up, as previously I had the DHCP on the CRS, routing to uplink interface in a different subnet, point to point connection to the PFSense box - worked fine. This time way more difficult, I just want one subnet, and everything to go via 222.20.20.253, which is the uplink interface’s IP. And nothing is working… except if I create a second bridge, which I don't want to do.

routing = IP - no addresses on map & config
crs = switch - why routing there?
pfsense = default gw?

Try to draw it again in: https://app.diagrams.net/
pf-mt.png

I don't really care to discuss your solution, as it's not relevant until we understand the requirements more fully.

In concept the PFSense should host all the subnets/vlans. Are you saying that is not the case and the CRS328 is acting like a router??