Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan
-
ok thanks a lot, I'll post the result if i succeed!
-
Yes, I'm interested to see where the problem is as well :)
-
You could try with my setup.
-
you mean the localnet entry?
-
No. What ip address i you trying from?
-
i'm trying to ping from internal server 192.168.100.10/24 to pfsense op1 (wan2) interface 10.0.0.10 or router behind it 10.0.0.9 but do not ping. Those rules you mention, was there to let both internal server not being restricted by the last rule "blockall". Do you mean that those rules are blocking pings?
-
Yes if you first 192.168.100.10 rules has the gateway * or 10.0.0.9 it should work imo.
-
!!SOLVED!! Perry found the problem! ;) The rules under LAN that i put to let 192.168.100.10 go out without being filtered by the last rule, had the gateway not to default one but specified to use opt1 default gateway, so when pinging from lan from that ip, it didn't look at the defaut routing tables causing the problem! Thanks a lot Perry. I suppose that the other rule to let the same internal host go out via opt1 using opt1 default gw is ok. Because i so not want to filter that host when going out from opt1.
-
;)
Rules:
Rules are processed from top to down.
If a rule catches the rest of the rules is no longer considered.
Per default a "block all" rule is always in place (invisible below your own rules).Traffic is filtered on the Interface on which traffic comes in.
So traffic comming in on the LAN-Interface will only be processed from the rules you define on the LAN tab.If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.
http://forum.pfsense.org/index.php/topic,7001.0.html
-
Ok, But putting a rule on top with default gw * using an alias with all local net, as hoba suggested, didn't work. Why? Now i'm trying to connect from internet to lan servers using opt2(wan2) interface and i've some problem. I've an openssh server on a host, and i can connect from internet using wan, but it fails using opt1. i can see in the log that the connections arrive at pfsense, that is portforwarded correctly and that the rule on opt1 with logging turned on, is activated but the connectio faild. Probably the connection fails to come back!
-
This are the relevant part of my config:
I'm tryng to connecto via ssh to the firewall itself (not an internal host as stated in the previous post) using opt1 from internet. Via wan it already works. Maybe it is not possible since pfsense use the default gateway of wan as its gateway? ::)
-
Actually you need reply-to kind of rules for that!
Not, sure if they are generated on pfSense.Can you please go to Disagnostics->Edit file; load /tmp/rules.debug; ebven post here or check if there is any reply-to keyword in that ruleset?
Ermal
-
The problem was that I specified the default gateway of opt1 interface in the rules, and not just the default option in the gateway tab. I mean that the gateway option was set like: 10.0.0.9 (default gateway used in the interface config) and not "default". I supposed that in configuring rules on opt1 interface one should specify the same gateway used in the opt1 interface config and not just default! But i was wrong! Why?
But now I've got another customer with the same problem and I've corrected the rules config and they are ok (same gateway problem), but here i cannot ping the opt1 int anyway! What could it be?
-
Thanks to all of you who lead me to solve my problems. To summ it up, here was the problems and solutions used:
1. I was unable to ping from lan subnet to opt1 interface or router attached to this int
Here the problem was that i was using loadbalancing for lan, and because pfsense look first at fw rules before using default routing tables, when trying to ping from that subnet to opt1 interface, the loadbalancing rule was used and the ping failed for bad routes engaged. The solution was to create an alias with all pfsense local attached networks, and create a lan rule at the top like:
pass- any - from lan subnet - to ALIAS - default route. See tha attached images,2. I was unable to reach opt1 interface and lan hosts behind it from internet.
Here the problem was that in the opt1 firewall rules, i was using as gateway, not the "default" option but the opt1 default gateway configured on the interface tab (like 10.0.0.9). I don't know why this happen, because to me it was logic to use the default gateway of opt1, as gateway for the rules created on opt1 section, because i supposed that connections coming on that interface should go backup from that gateway! Anyway here someone maybe can explain to me the reason.
Sorry for my bad english…..
-
Regarding your point 2:
Incoming connections will create a state that will, once it is created, take care of the reverse direction as well. This way it is possible to have portforwards on both wans in a multiwan setup to the same host at lan and the traffic will return through the interface it originally came in.
-
Thanks a lot hoba ;D ! Just last question for you master, do you know if t is possible with pfsense to do failover ad policy routing with vpns?
-
This is currently not supported.