Routing between LAN fails, traceroute shows traffic goes to WAN ONLY
-
Hello World,
I have been using pfSense for a while and even got MultiWAN load balancing working, which is great.
However, I am hitting a brick wall at the moment and I have spent days Googling for solutions without success. (Which seems to be a common issue)
I have 2 WAN interfaces and load balancing is fine. The problem I have is routing between 2 LANs.
Let's call them STAFFLAN & LAN. Both of them work fine with internet traffic. However, I would like to allow STAFFLAN to access the LAN network (but not the other way around)
The weird problem I am facing is that no matter what I did (I tried outbound NAT, which seems to be the common solution, but also tried various other suggestions), when I do a traceroute it ALWAYS goes thru the WAN to the internet.
I can traceroute and ping OK from the pfSense, so routing seems alright.
Using a machine on STAFFLAN, I can ping and traceroute to the pfSense LAN IP, so far so good. But it just doesn't go beyond that (i.e. I can't traceroute/ping another machine on LAN)
Same holds true when I do it the other way around.
I guess because somehow the traffic goes to WAN->Internet, there aren't any firewall blocking messages in the log file.
And yes, my WAN interface IPs are 192.168.x.x and they point to their own DSL modem as GW.
I have checked the Diagnostics/Routes and it looks correct too.
Any ideas? (Sorry, this seems to be a common problem, I have found lots of people asking similar things, but hardly any concrete answers...)
Thanks
-
@dkyyz A static route would be the simplest way. You don't want the STAFFLAN -> LAN traffic hitting the WAN.
You would need two routes - one from STAFFLAN to LAN and one from LAN to STAFFLAN (for traffic to flow back). But then you can use a firewall rule to block LAN traffic initiating a link to STAFFLAN.
-
Blocking traffic is the least of my concern at the moment. I just can't figure out why when I do a traceroute from a machine on STAFFLAN to an IP on LAN it goes directly to WAN then internet!
-
@dkyyz probably because there isn't a route in the route table (in pfSense) to direct the traffic towards LAN. In the absence of such a route, it will default to the gateway of last resort (0.0.0.0/0).... AKA the internet.
-
I am not sure if that's true... When I issue a netstat -rn I can see the route for STAFFLAN and LAN. Furthermore, I tried to SSH into pfSense and manually add a route, it said the route already existed.
route add -net 192.168.XX.0/24 192.168.XX.YY
add net 192.168.XX.0: gateway 192.168.XX.YY fib 0: route already in table
-
@dkyyz does the interface STAFFLAN have any rules with a Gateway or Gateway Group?
-
@dkyyz do you have a firewall rule set to permit the incoming traffic?
-
OK, long story short... Lesson learned. Firewall rules are like routing rules (not sure if my wording is correct)
The reason I am saying that is because the first rule it hits is to all dest and points to my gw. The second rule is to allow into another network. Once I flip that around, traffic for the other network now routes correctly (instead of going to the Internet)
Even when I do a
netstat -rn
it shows correctly, which is why I was stuck for a long time trying to figure out what's wrong...
-
@dkyyz said in Routing between LAN fails, traceroute shows traffic goes to WAN ONLY:
Firewall rules are like routing rules (not sure if my wording is correct)
If you policy route with them sure..
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
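A small model of what the "long story short" post ran into and the policy-routing reply explains, added here as an example and not taken from the thread or from pfSense's own code: rules on an interface are evaluated top to bottom with first match winning, and a pass rule that carries a gateway (or gateway group) policy-routes the traffic to that gateway regardless of what the routing table says. The networks, gateway names and rule lists below are constructed for illustration.

```python
import ipaddress
# Constructed addressing (not the poster's real networks): STAFFLAN is
# 192.168.10.0/24, LAN is 192.168.20.0/24; the default route points at a WAN.
STAFFLAN = "192.168.10.0/24"
LAN = "192.168.20.0/24"
ANY = "0.0.0.0/0"

# The system routing table, as netstat -rn would list it (constructed).
SYSTEM_ROUTES = {
    STAFFLAN: "STAFFLAN (directly connected)",
    LAN: "LAN (directly connected)",
    ANY: "WAN1_GW (default route)",
}

def route_lookup(dst):
    """Longest-prefix match over the system routing table."""
    d = ipaddress.ip_address(dst)
    best = max((n for n in SYSTEM_ROUTES if d in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return SYSTEM_ROUTES[best]

def next_hop(rules, src, dst):
    """First-match evaluation of one interface's rule list, top to bottom.
    A pass rule that carries a gateway policy-routes the packet to that
    gateway even when the routing table holds a directly connected route;
    a pass rule without a gateway leaves the decision to the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"]):
            return rule["gateway"] if rule.get("gateway") else route_lookup(dst)
    return "blocked (no matching pass rule)"

# Order as the poster first had it: the catch-all rule with the gateway group
# matches first, so STAFFLAN -> LAN traffic is policy routed out a WAN.
RULES_BROKEN = [
    {"src": STAFFLAN, "dst": ANY, "gateway": "LoadBalanceGroup"},
    {"src": STAFFLAN, "dst": LAN},
]
# Flipped order: the inter-LAN rule (no gateway) matches first and uses the
# routing table; internet-bound traffic still falls through to the group.
RULES_FIXED = [
    {"src": STAFFLAN, "dst": LAN},
    {"src": STAFFLAN, "dst": ANY, "gateway": "LoadBalanceGroup"},
]

if __name__ == "__main__":
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name, "staff->lan: ", next_hop(rules, "192.168.10.5", "192.168.20.7"))
        print(name, "staff->inet:", next_hop(rules, "192.168.10.5", "203.0.113.9"))
```

The broken order sends the LAN-bound packet to the gateway group exactly as the traceroute in the thread showed, while the routing table (route_lookup) was correct all along; that is why netstat -rn looked fine.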