Configuration advice

podilarius

Could you paste your routing table from pfsense?

Mike_swe

default 87.96.188.1 UGS 0 408828554 1500 bce1
127.0.0.1 link#5 UH 0 1745058 16384 lo0
192.168.10.0/24 link#7 U 0 4131193 1500 bce0_vlan40
192.168.10.254 link#7 UHS 0 0 16384 lo0
192.168.11.0/24 link#8 U 0 370222006 1500 bce0_vlan30
192.168.11.254 link#8 UHS 0 0 16384 lo0
192.168.100.0/22 192.168.10.2 UGS 0 6 1500 bce0_vlan40

For the moment i have removed the ipsec connections towards my remote offices just for test purpose so now i only have my 2 vlans and my static route towards my mpls

podilarius

What I find interesting is that you have this:
192.168.10.254  link#7  UHS  0  0  16384  lo0

I wonder if that is a function of VLAN, but it seems quite odd.

When you traceroute from 11.0/24 computer to 100.0/22, what does the route look like?

Mike_swe

Sorry for the delay.

When i traceroute from 192.168.11.5 towards 192.168.100.23 it looks like this:

traceroute to 192.168.100.23 (192.168.100.23), 30 hops max, 60 byte packets
1  192.168.10.2 (192.168.10.2)  8.746 ms  8.737 ms  8.731 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

podilarius

Do you have the routing on 11.5 pointing directly to 10.2? If so, please remove that route and try again.

Mike_swe

No, i do not have that route.

I only have a default route of that machine which points to 192.168.11.1 which is the default gateway of that vlan.

podilarius

What are the rules on that VLAN interface?

Mike_swe

On the 192.168.11.0 Vlan ive got

Proto any From 192.168.11.0/24 Destination 192.168.100.0/22 Gateway 192.168.10.2
Proto any From * Destination * Gateway *

podilarius

yeah, you want to remove that first rule. There is no need for policy routing.

Mike_swe

Hello again.

Ive removed the policy routing line and now the tracert looks different but i cant find the jump towards 192.168.10.2

root@srv10:~# traceroute 192.168.100.23
traceroute to 192.168.100.23 (192.168.100.23), 30 hops max, 60 byte packets
1  pfsense.domain.local (192.168.11.1)  0.135 ms  0.123 ms  0.157 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

podilarius

The jump to 192.168.10.2 should be in the routing/gateway submenu. (System -> Routing).
There should be a gateway set on VLAN that contains 192.168.10.2 (bce_vlan40 by the look of it). Then a route setup using that gateway.
Looking back over the thread, I see mention of a route in place, but it looks like it may have been part of the rule and not a actual route statement.

Hope that helps.

Mike_swe

I feel like an idiot now.  :-[

We had a power interuption today and i had to bring down the firewall for a few minutes. After the reboot everything works completly as expected.  :)  I have been working with servers and computers for to many years to remember and i know that a reboot is always a good way to eliminate errors. In this case i never thought of it.  :-[

Thanks for the help and support podilarius.

/Mike