Routing issue?
-
What am I missing?
- I can ping from a PC on the 172.16.1.x network to anywhere on the internet. GREAT, works as it is supposed to.
- But pings from a PC on the 192.168.1.x network cannot get beyond the public IP address of the pfSense firewall. That PC can ping the WAN interface of the firewall and everything on this side of it.
I have checked the pfSense static route pointing to the networks on the other side of the router. Looks good. I can include a screenshot upon request. 192.168.1.0/24 is accessible through GW 172.16.1.2
I am pinging using IP addresses so that DNS is removed from the equation.
Here is a basic diagram (sort of :) ). Public IP addresses are fictitious.
PC > Router > pfSense FW > ISP gateway > internet
192.168.1.51   192.168.1.1
               172.16.1.2 > 172.168.1.1
                            67.42.24.5 > 67.41.239.100 > 4.2.2.2
I can include my pfSense config if that helps.
Also, I can see (using Wireshark) outbound TCP traffic hitting the inside interface of the pfSense firewall but no response from the outside world, and thus a timeout. This confirms that the default route on the router is configured correctly.
The default firewall rule "any traffic on the LAN is permitted anywhere" is still active.
Any help is appreciated.
Brian
-
The default firewall rule "any traffic on the LAN is permitted anywhere" is still active.
It is my recollection that the default firewall rule on the LAN interface is "allow any traffic from the LAN net" or (to put it more precisely) "allow any traffic from an IP address on the IP subnet of the LAN interface". Traffic from 192.168.1.x is not from your LAN subnet (unless there is something you haven't told us).
You can see the pfSense firewall log at Status -> System Logs, click on Firewall tab.
After you tweak firewall rules it is often necessary to reset firewall states (see Diagnostics -> States and click on Reset States tab). I have often forgotten that one.
-
Also you will need to check outbound NAT. If you switched over to manual, then you will need to add a rule for the different subnet. I am not sure about automatic outbound NAT and different subnets.
-
Also you will need to check outbound NAT. If you switched over to manual, then you will need to add a rule for the different subnet. I am not sure about automatic outbound NAT and different subnets.
Automatic mode can take care of internal LANs.
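The three points raised in the replies above (the LAN rule only matches "LAN net", outbound NAT must cover the routed subnet, and existing states keep their old decision until reset) can be replayed in a toy model. This is an added example, not pfSense's code or anything from the thread: it assumes the subnets and the fictitious WAN address from the original diagram, and it deliberately simplifies pf to "rules and NAT are consulted only when a flow has no state".

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the thread; the WAN address is the poster's fictitious one.
LAN_NET = ipaddress.ip_network("172.16.1.0/24")        # pfSense "LAN net"
DOWNSTREAM = ipaddress.ip_network("192.168.1.0/24")    # behind the inner router
WAN_IP = "67.42.24.5"


@dataclass
class ToyPfsense:
    """Simplified pf behaviour (assumption of this example): rules and NAT are
    consulted only when a flow has no state; an existing state is reused as-is."""
    pass_sources: list                          # source nets allowed out (LAN rules)
    nat_sources: list                           # source nets translated to WAN_IP
    states: dict = field(default_factory=dict)  # (src, dst) -> source seen on WAN

    def send(self, src, dst):
        """Return the source address the internet sees, or None if dropped."""
        flow = (src, dst)
        if flow in self.states:                 # a state match short-circuits everything
            return self.states[flow]
        s = ipaddress.ip_address(src)
        if not any(s in net for net in self.pass_sources):
            return None                         # blocked; block rules create no state
        # Outbound NAT is decided once, when the state is created.
        seen = WAN_IP if any(s in net for net in self.nat_sources) else src
        self.states[flow] = seen
        return seen

    def reset_states(self):
        self.states.clear()                     # Diagnostics -> States -> Reset States


def walk_through():
    """Replay the thread: default rules, then each fix, then the state reset."""
    fw = ToyPfsense(pass_sources=[LAN_NET], nat_sources=[LAN_NET])
    r = {}
    r["lan_host"] = fw.send("172.16.1.50", "4.2.2.2")             # NATed, works
    r["downstream_default"] = fw.send("192.168.1.51", "4.2.2.2")  # not "LAN net": dropped
    fw.pass_sources.append(DOWNSTREAM)                            # add only the pass rule
    # Untranslated private source leaves the WAN; the reply never comes back.
    r["pass_without_nat"] = fw.send("192.168.1.51", "4.2.2.2")
    fw.nat_sources.append(DOWNSTREAM)                             # now add outbound NAT
    r["nat_added_stale_state"] = fw.send("192.168.1.51", "4.2.2.2")  # old state still wins
    fw.reset_states()
    r["after_reset"] = fw.send("192.168.1.51", "4.2.2.2")         # finally NATed
    return r
```

The last two entries are the thread's punchline: the NAT rule is correct, but the flow created before it existed keeps its untranslated source until the state is cleared.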
-
RESET STATES… Fixed it.
Thank you. I had tried the rules for the 192.168.1.x networks before but to no avail... but that was because I never "reset firewall states". Once I did that it was all working.
Thanks again.