Netgate Discussion Forum

    Why are rules useless in this firewall?

    • hacktek00

      Just to provide some insight into this, I've pretty much solved my problem in a rather unconventional way.

      I supernetted my network (10.0.0.0/22) which gave me 4 usable subnets on the same big network (10.0.0.1-10.0.3.254). I then assigned subnets to each router:

      Router 1: 10.0.2.0/22
      Router 2: 10.0.3.0/22

      Then I configured each pfSense NIC like so:

      LAN: 10.0.1.0/24
      WAN: 10.0.2.0/24
      WAN2: 10.0.3.0/24

      That way I pretty much tricked pfSense into thinking there were 3 separate subnets when in reality they're spanned across the same network (which pretty much means clients would be able to talk to each other even though they could be in 4 different subnets). Rules started to work after I did this. It's a waste of addressing space, but that's not an issue in my environment.

      Also, I suppressed ARPs, since LAN and WAN are actually on the same router, so I'd get like a million messages about that in the log.

      Thanks Cry Havok for giving me a slight push in the right direction.

      • Cry Havok

        Umm, no, they are 3 separate subnets as you've specified them. Can I suggest you learn how subnets work; the old class-based addressing is long, long gone.

        • hacktek00

          That's what I was trying to say, but I phrased it wrong. They are 3 different subnets, but to pfSense they can't see each other (/24) even though in reality they can (/22); it's supposed to do the routing between them even though routing is not really needed.

          • Cry Havok

            If you split a single ethernet segment into multiple segments, then the device doing that splitting needs to be either a bridge or a router. If you don't configure it as a bridge, then it must be a router; routing is required.

            I'd suggest you don't know as much about IP as you think you do.

            • hacktek00

              I don't think that's right.

              If you have 2 clients using a supernetted class, they see each other regardless of a router. They can be on different subnets and be using only a switch to communicate, and you will be able to jump from one to the other without a next hop, because that happens on layer 2; it's a simple comparison of source and destination IP with their respective masks.

              • Cry Havok

                You're welcome to think what you want. Reality trumps your theory in this case ;)

                Can I suggest that you, and anybody who's reading this and thinks that you're right, take the time to read up on how IP routing actually works. There's a wide range of good articles out there, and some even better books.

                • hacktek00

                  You have provided no real insight except telling me to read something I already know, which I advise you to read instead.

                  Simple example: host with 172.25.16.51 wants to communicate with 172.25.24.101, both having a 255.255.0.0 mask. With this mask there's a single subnet with a host range from 172.25.0.1 to 172.25.255.254.

                  Internet Protocol would do an AND operation to get both network IDs.

                  In binary:

                  Source IP   -> 1010 1100 0001 1001 0100 0000 0011 0011
                  Mask        -> 1111 1111 1111 1111 0000 0000 0000 0000
                  Network ID  -> 1010 1100 0001 1001
                  Host ID     ->                     0100 0000 0011 0011

                  Dest IP     -> 1010 1100 0001 1001 0001 1000 0110 0101
                  Mask        -> 1111 1111 1111 1111 0000 0000 0000 0000
                  Network ID  -> 1010 1100 0001 1001
                  Host ID     ->                     0001 1000 0110 0101

                  Oh surprise, they're the same. IP determines the host is on the same subnet and sends the packet. If they are different, then the host ARPs for the gateway's address and sends the datagrams its way for it to route.

                  The concept doesn't change for what I'm doing. It's not a theory if it's based on something that's documented and that I'm seeing working right now.

                  • GruensFroeschli

                    What you're not understanding:
                    Either you supernet and use a bridge. (This is what you describe in the above post.)
                    OR
                    You use multiple subnets and route. (This is what Cry Havok said in his first answer.)

                    You can't route and supernet at the same time.

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    • Cry Havok

                      Your most recent post, as edited at the time of my reply, is correct. However, you posted this (emphasis mine):

                      @hacktek00:

                      Then I configured each pfSense NIC like so:

                      LAN: 10.0.1.0/24
                      WAN: 10.0.2.0/24
                      WAN2: 10.0.3.0/24

                      That way I pretty much tricked pfSense into thinking there were 3 separate subnets when in reality they're spanned across the same network.

                      They're 3 separate networks; the subnet masks make that quite clear. They are part of the same /22 (10.0.0.0/22) (and the same /8, 10.0.0.0/8, and the same /1, 0.0.0.0/1), but that doesn't make them the same network. If you're still thinking of class allocations (e.g. class A, class B etc.), then stop; that's long outdated and everything works from the subnet mask.

                      • jigpe
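An added illustration, not code from any poster in this thread, of the network-ID comparison walked through above and of what happens in the /22-versus-/24 setup the thread argues about: each host decides on-link versus gateway using only its own mask, so a /22 host reaches a /24 neighbour directly at layer 2 while the reply goes to the firewall, and traffic that never crosses the firewall cannot be filtered by its rules. The host addresses and gateway below are assumed values, not from the thread.

```python
import ipaddress


def same_subnet(src: str, prefix_len: int, dst: str) -> bool:
    """On-link test as the post describes it: AND both addresses with the
    sender's mask and compare the network IDs. Only the sender's mask counts;
    the destination's configured mask plays no part in this decision."""
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dst) in net


def network_id_bits(addr: str, prefix_len: int) -> str:
    """Binary network ID (the bits kept by the mask), for comparing by eye."""
    bits = format(int(ipaddress.ip_address(addr)), "032b")
    return bits[:prefix_len]


def next_hop(src: str, prefix_len: int, dst: str, gateway: str) -> str:
    """Where src sends a packet for dst: directly (it ARPs for dst) when the
    network IDs match, otherwise to its default gateway."""
    return dst if same_subnet(src, prefix_len, dst) else gateway


def exchange(a: str, a_len: int, b: str, b_len: int, gateway: str) -> dict:
    """Both directions of a conversation when two hosts use different masks;
    a mismatch means one direction bypasses the gateway entirely."""
    return {"a_to_b": next_hop(a, a_len, b, gateway),
            "b_to_a": next_hop(b, b_len, a, gateway)}


if __name__ == "__main__":
    # The post's own example: with a /16 mask both hosts share one network ID.
    print(network_id_bits("172.25.16.51", 16), network_id_bits("172.25.24.101", 16))
    print(same_subnet("172.25.16.51", 16, "172.25.24.101"))
    # Constructed hosts (assumed addresses): A still has the /22 mask, B has a
    # /24 mask, and B's default gateway is the firewall. A talks to B directly,
    # but B's reply goes via the firewall, so only one direction is filtered.
    print(exchange("10.0.1.10", 22, "10.0.2.10", 24, "10.0.2.1"))
```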

                        Same thing here, but thanks, I'll follow your tips.
                        jigp
                        Davao City

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.