Help me settle the routing problem

sopont

are you move rule permit LAN sybnet to 10.122.17.x on the top or above rule loadbalancing and policy routing?.

if you still can't access to 10.122.17.x please step by step…
1. remove existing rule for acccess to 10.122.17.x
2. add new rule on LAN interface easy protcol (telnet = 23, SSH = 22) and move to top

if you still can't access try to add rule on OPT2 interface for LAN subnet can access to 10.122.17.x, i think you something wrong.

if you not completed please post your summary network diagram (if can)...

hoba

Don't set a gateway at interfaces>opt2 unless this is an additional WAN type interface. Add a static route instead. Does it work now?

mrlonely78

guys;

I've done as advised.

I can see the logs in my pfsense.

Apr 7 09:37:04 pf: 2. 981875 rule 625.qlandef.112/0(match): pass in on rl0: (tos 0x0, ttl 128, id 63102, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.122.17.55: ICMP echo request, id 512, seq 2816, length 40

Unfortunately, the ping from LAN to 10.122.17.55 still failed.

C:\Documents and Settings\Kryz>ping 10.122.17.55

Pinging 10.122.17.55 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

I've added this;

1. Remove gateway 10.200.11.17 from OPT2 interface.
2. Added static routing 10.122.17.0/24 gw 10.200.11.17 in pfsense.
3. Added LAN rule that ICMP from LAN subnet to network 10.122.17.0/24 is allowed.
4. Added OPT2 rule that ICMP from LAN subnet to network 10.122.17.0/24 is allowed.

Please advise.

Thanks.

hoba

@mrlonely78:

2. Added static routing 10.122.17.0/24 gw 10.200.11.17 in pfsense.

You don't need any routes for local subnets on your pfSense interfaces. Drop the route. You only need firewallrules.

mrlonely78

Hoba,

If i remove my statis routing, the pfsense can't even ping to 10.122.17.x network forget about LAN then.

I think the static routing must be there, otherwise, the pfsense doesn't know where it should forward the packet to.

Please take note that i didnt set any gateway to my OPT2 interface.

Please advise.

Thanks.

hoba

Never mind, I was wrong here and had a different setup in mind.

SB HidDeN

needs some steps to understand the situation:

1. remove any gateways on any interface except WAN
2. create alias "OPT2WAY" and include 10.122.17.x subnet 10.200.11.x subnet
3. create rule at top on LAN interface for ICMP (Lan subnet)-> (OPT2WAY) alias
4. add rule at top on OPT2 interface for ICMP (OPT2WAY)->(Lan subnet)

then ping from any Lan station:

1. pfsense Lan interface IP(192.168.1.1)
2. pfsense OPT2 interface IP(10.200.11.18)
3. gateway's IP from your side(10.200.11.17)
4. other IP of gateway, that looks to 10.122.17.x subnet(i don't know this one)
5. then your station (10.122.17.55)

must be an answer only 1 to 4 steps
then add static route (10.122.17.0/24 gw 10.200.11.17)
repeat last 5 numbered steps.
must be all right!
if no answer on step 5 - you have no routing on 10.200.11.17 that redirects packets for your LAN subnet

I'm waiting for results…

mrlonely78

guys;

I've done this;

1. Add rule on LAN to allow LAN subnet to ICMP to OPT2 subnet
2. Add rule on OPT2 to allow OPT2 subnet to ICMP to LAN subnet
3. All rule created above put at the top of each interface rule

This is what i get when i Ping from my PC (192.168.1.200).

1. Ping to 10.200.11.20 or 10.200.11.21 - reply success
2. Ping to 192.168.1.1 - reply success
3. Ping to 10.200.11.17 (gateway to 10.122.17.x subnet) - no reply

10.200.11.17 is a Cisco router that connected to a leased line modem that go to 10.122.17.x private network.

Attached the pfsense firewall log.

pf: 2. 216031 rule 627.qlandef.143/0(match): pass in on rl0: (tos 0x0, ttl 128, id 60068, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.200.11.17: ICMP echo request, id 512, seq 4608, length 40

Log shown that the ICMP packet is allowed by pfsense. However, i still failed to ping to 10.200.11.17 - no reply.

Please advise.

Hope it helps.

Cheers.

hoba

The cisco router is missing routes.

mrlonely78

guys;

Help me configure my Cisco then.

This is the current config;

---

interface FastEthernet0
ip address 10.200.11.17 255.255.255.240
speed auto
half-duplex
!
interface Serial0
ip address 10.200.254.214 255.255.255.252
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.200.254.213
ip route 10.122.0.0 255.255.0.0 10.200.254.213
ip route 172.28.0.0 255.255.0.0 10.200.254.213
no ip http server

---

from there, if you look, all is directed to 10.200.254.213 as a default gateway which i understand that the router should handle the 10.122 traffics.

but, if my pfsense OPT2 interface, it should not directed to 10.200.254.213, otherwise, confirm no packet can be send back to pfsense.

So, which gateway should i use in my Cisco router for my pfsense packet?

Please advise.

Thanks.

SB HidDeN

i think you need 1 more route:

ip route 192.168.0.0 255.255.0.0 10.200.11.18

mrlonely78

Guys;

I've done that;

Now;

1. Can ping from pfsense 10.200.11.17 and 10.122.17.55

2. Can ping from my pc (192.168.1.200) to 10.200.11.17

3. But failed to ping from my pc (192.168.1.200) to 10.122.17.55

Added Cisco router config ip route 192.168.0.0 255.255.0.0 10.200.11.18

Please advise.

Thanks.

SB HidDeN

0.0.0.0 & 10.122.17.x - external to your network?