Netgate Discussion Forum

    Routing in RFC1918 wan range

Routing and Multi WAN
    10 Posts 2 Posters 4.9k Views
hawker

Hello

I use a pfSense box (1.2.2 release) to connect multiple private sites. Each distant site uses an RFC1918 IP address network.
My LAN network respects RFC1918 also.

I use router1's IP address as the gateway on the pfSense box and I define a static route for site2.
I disable Block private networks and Block bogon networks on each network interface.

My LAN server can contact all hosts (SITE1 and SITE2).
All hosts on site1 (172.17.0.0/16) can connect to the LAN server (172.16.0.0/16).
But site2 has some trouble...

In fact, when I sniff traffic on the pfSense WAN interface, I see the traffic come in and the answers go out.
The answer traffic works as if it doesn't use the static route.

I made different tests:

• If I change the WAN IP address on the pfSense box to router2's IP address, the problem is the same with SITE1 (so a bad idea)
• If I define the site2 IP route on router1, it works for site2 (in fact my only solution, but not possible)
• If I disable the firewall option in pfSense, it works (OK, but I need the firewall)

pfSense reacts as if, for RFC1918 answer traffic on the WAN interface, it doesn't use the static route.

I rapidly checked with an old version of pfSense (before 1.0) and it seems to work fine!

Bug?? Or any idea?

Thanks

Regards

Jerome

                      router1
SITE1 (172.17.0.0/16) <----O----+
                                |          ---------
                                +----WAN---| pfSense |---- LAN -----------(172.16.0.0/0)
                                |          ---------               |
SITE2 (172.18.0.0/16) <----O----+                                 ---
                      router2                                    [  ] LAN Server
                                                                  ---

dotdash

What is your WAN addressing scheme? One way to do this is to use a separate shared subnet for the WANs:
                      router1   r1wan=10.20.30.2
SITE1 (172.17.0.0/16) <----O----+           10.20.30.1
                                |          ---------
                                +----WAN---| pfSense |---- LAN -----------(172.16.0.0/0)
                                |          ---------               |
SITE2 (172.18.0.0/16) <----O----+                                 ---
                      router2   r2wan=10.20.30.3                 [  ] LAN Server

Then your static routes route the remote LAN via the site's WAN IP.

hawker

Yes, I use the same IP addresses as in your scheme.
In your sample I use 10.20.30.2 as the gateway and I define 10.20.30.3 to reach 172.18.0.0/16.

I think it's not a routing problem because if I disable the firewall it works fine.

dotdash

What are your outbound NAT settings? I'd think in your case, you would use AON and delete the default rule.

hawker

I don't use NAT, only routing.
My WAN network is a private network.

dotdash

That's what I meant. Just wanted to make sure you had deleted the default rule, as pfSense by default NATs the LAN range over the WAN.

hawker

Yes, the default NAT was deleted.

Perhaps I need to post in the firewalling section?

hawker

No idea?

dotdash

That's all I got. It's not a configuration I have deployed. You could try checking the box 'bypass firewall rules for traffic on the same interface' under advanced.

hawker

This option was already enabled.

If I check the Disable all packet filtering option, routing is OK.

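As an added illustration (my code, not either poster's), a small Python model of the behaviour this thread describes: the LAN server's answers to traffic that entered on WAN either go through a normal longest-prefix route lookup or are pinned to the WAN interface's gateway, which is what pf's reply-to keyword on pfSense WAN rules does and which is consistent with every observation above (answers ignore the static route, a SITE2 route on router1 fixes it, disabling the packet filter fixes it). Addresses follow dotdash's scheme; the function names and the router1 relay flag are assumptions.

```python
import ipaddress

# Constructed model of the topology in this thread, using dotdash's
# addressing scheme: pfSense WAN 10.20.30.1, router1 (SITE1, the WAN
# gateway) 10.20.30.2, router2 (SITE2) 10.20.30.3. Hypothetical helpers.
WAN_GATEWAY = "10.20.30.2"
SITE2 = ipaddress.ip_network("172.18.0.0/16")
ROUTES = {
    "172.16.0.0/16": "LAN",         # directly connected LAN
    "172.18.0.0/16": "10.20.30.3",  # static route to SITE2 via router2
    "0.0.0.0/0":     WAN_GATEWAY,   # default route via router1
}

def fib_lookup(dst, routes=ROUTES):
    """Longest-prefix match: what a plain routing table picks as next hop."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def reply_next_hop(dst, reply_to=True, routes=ROUTES):
    """Next hop pfSense uses for the LAN server's answer to a packet whose
    state was created on WAN. With reply_to=True the answer is pinned to the
    WAN interface gateway (pf 'reply-to' on WAN rules) and the routing table
    is not consulted; with reply_to=False (filter disabled) it is."""
    return WAN_GATEWAY if reply_to else fib_lookup(dst, routes)

def reply_delivered(dst, reply_to=True, router1_knows_site2=False):
    """Does the answer reach the remote host? Models the three observations:
    the default setup fails for SITE2, adding the SITE2 route on router1
    fixes it, and disabling packet filtering fixes it."""
    next_hop = reply_next_hop(dst, reply_to)
    if next_hop == fib_lookup(dst):
        return True
    # Answer went to router1 although router2 owns the prefix; router1 can
    # still relay it if it has its own route for SITE2 (hawker's workaround).
    return (next_hop == WAN_GATEWAY and router1_knows_site2
            and ipaddress.ip_address(dst) in SITE2)

if __name__ == "__main__":
    for host in ("172.17.0.10", "172.18.0.10"):
        print(host, "default:", reply_delivered(host),
              "route on router1:", reply_delivered(host, router1_knows_site2=True),
              "filter off:", reply_delivered(host, reply_to=False))
```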
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.