Routing in RFC1918 WAN range
-
Hello
I use a pfSense box (1.2.2 release) to connect multiple private sites. Each distant site uses an RFC1918 IP address network.
My LAN network respects RFC1918 also. I use router1's IP address as gateway on the pfSense box and I define a static route for site2.
I disabled Block private networks and Block bogon networks on each network interface. My LAN server can contact all hosts (SITE1 and SITE2).
All hosts on site1 (172.17.0.0/16) can connect to the LAN server (172.16.0.0/16).
But site2 has some trouble... In fact, when I sniff traffic on the pfSense WAN interface, I see the traffic come in and the answers come out.
The answer traffic behaves as if it doesn't use the static route. I made different tests:
- If I change the WAN IP address on the pfSense box to router2's IP address, the problem is the same with SITE1 (so, bad idea)
- If I define the site2 IP route on router1 it works for site2 (in fact my only solution, but not possible)
- If I disable the firewall option in pfSense it works (OK, but I need the firewall)
pfSense reacts as if, for RFC1918 answer traffic on the WAN interface, it doesn't use the static route.
I quickly checked with an old version of pfSense (before 1.0) and it seems to work fine!
Bug?? Or any idea?
Thanks
Regards
Jerome
                          router1
SITE1 (172.17.0.0/16) <----O----
                                |          ---------
                                |----WAN ---|Pf sense |---- LAN -----------(172.16.0.0/0)
                                |          ---------        |
SITE2 (172.18.0.0/16) <----O----                           ---
                          router2                         [ ] Lan Server
-
What is your WAN addressing scheme? One way to do this is to use a separate shared subnet for the WANs:
                          router1   r1wan=10.20.30.2
SITE1 (172.17.0.0/16) <----O----   10.20.30.1
                                |          ---------
                                |----WAN ---|Pf sense |---- LAN -----------(172.16.0.0/0)
                                |          ---------        |
SITE2 (172.18.0.0/16) <----O----                           ---
                          router2   r2wan=10.20.30.3      [ ] Lan Server
Then your static routes route the remote LAN via the site's WAN IP.
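The check the original poster did by hand (sniffing the WAN and comparing where replies actually leave against where the static route says they should) can be written down. The following is an added example, not code from the thread or from pfSense: it models the shared-WAN-subnet scheme above (pfSense WAN 10.20.30.1, router1 10.20.30.2 as default gateway, router2 10.20.30.3 as the static-route gateway for 172.18.0.0/16) as a longest-prefix-match route table and flags replies whose observed egress gateway differs from the table's choice. The capture records are constructed sample data, and the function and variable names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Route table modelled on the addressing scheme proposed in the thread
# (10.20.30.0/24 shared WAN subnet). Gateway None means "directly connected".
ROUTES: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "10.20.30.2"),      # default route -> router1 (r1wan); reaches SITE1
    ("172.18.0.0/16", "10.20.30.3"),  # static route -> router2 (r2wan); reaches SITE2
    ("10.20.30.0/24", None),          # WAN shared subnet, on-link
    ("172.16.0.0/16", None),          # LAN, on-link
]


def lookup(dst: str, routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Longest-prefix match: return (matching prefix, gateway) for dst.
    Raises LookupError if nothing matches (impossible while a default route exists)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]


def next_hop(dst: str, routes=ROUTES) -> str:
    """Address the packet is handed to: the gateway, or dst itself when on-link."""
    _, gw = lookup(dst, routes)
    return gw if gw is not None else dst


@dataclass
class ReplyObservation:
    src: str            # reply source (the LAN server)
    dst: str            # reply destination (the remote host)
    seen_next_hop: str  # gateway the reply was captured leaving towards on WAN


def check_reply_paths(observations) -> List[dict]:
    """Compare each reply's observed egress gateway with the routing table's choice.
    A mismatch is the asymmetric-path symptom described in the thread."""
    report = []
    for o in observations:
        expected = next_hop(o.dst)
        report.append({
            "dst": o.dst,
            "expected_next_hop": expected,
            "seen_next_hop": o.seen_next_hop,
            "symmetric": expected == o.seen_next_hop,
        })
    return report


# Constructed sample captures (hypothetical values) mirroring the thread's symptom:
# the reply to SITE1 follows the default gateway as expected; the reply to SITE2
# leaves toward router1 although the static route points at router2.
SAMPLE_OBSERVATIONS = [
    ReplyObservation("172.16.0.10", "172.17.4.20", "10.20.30.2"),
    ReplyObservation("172.16.0.10", "172.18.7.7", "10.20.30.2"),
]

if __name__ == "__main__":
    for row in check_reply_paths(SAMPLE_OBSERVATIONS):
        status = "ok" if row["symmetric"] else "ASYMMETRIC"
        print(f"{row['dst']:>14}  expected {row['expected_next_hop']:<11} "
              f"seen {row['seen_next_hop']:<11} {status}")
```

Feeding real capture data in (source, destination and the MAC/next-hop the reply was sent to) makes the comparison objective: if the table says 10.20.30.3 and the wire says 10.20.30.2, the reply is ignoring the static route and the firewall's handling of reply traffic, not the route itself, is where to look.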
-
Yes, I use the same IP addresses as in your scheme.
In your sample I use 10.20.30.2 as gateway and I define 10.20.30.3 to reach 172.18.0.0/16. I think it's not a routing problem because if I disable the firewall it works fine.
-
What are your outbound NAT settings? I'd think in your case, you would use AON and delete the default rule.
-
I don't use NAT. Only routing.
My WAN network is a private network.
-
That's what I meant. Just wanted to make sure you had deleted the default rule, as pfsense by default NATs the LAN range over the WAN.
-
Yes, the default NAT was deleted.
Perhaps I need to post in the firewalling section?
-
No idea ?
-
That's all I got. It's not a configuration I have deployed. You could try checking the box 'bypass firewall rules for traffic on the same interface' under advanced.
-
This option was already enabled.
If I check the Disable all packet filtering option, routing is OK.