Lan 1 to Lan 2 Connection Fail
-
ok LOOK – changed my DMZ network to 172.15.0.0/24 -- gave pfsense 172.15.0.1/24 address.. See attached. Did not change my dmz rules.. It can talk to anything it wants other than my local networks.. But my local networks can create connections to it..
That is a PUBLIC network space.. Not rfc1918.. But notice my pfsense has route to it.. And I can ping a host I brought up on 172.15.0.42/24 with gateway pointing to pfsense 172.15.0.1 address from my 192.168.1.0/24 network
That took me all of what 2 minutes to setup??
There is NO freaking NATS needed between 2 locally connected networks to pfsense.. I assure you there are NO nats between those networks!!
What traffic I allow between 192.168 lan and 172.15 dmz would be my firewall rules ONLY - there are NO port forwards required for these 2 local network to talk to each other - no matter what IP space I use on them.
-
Well- Thanks John! I learned something new today.
http://www.zytrax.com/tech/protocols/ip-classes.html#nat
A well written NAT system also acts as a 'poor mans' firewall since it has the additional advantage that Internal IP addresses are not visible from outside the organisation
Obviously this isn't something that LAN to LAN would want or need.
Also- verified here as well and turned off all NAT and was still able to move around throughout the various LANS here. Including one of the VPNs to my office network.
-
:-[
May I just ask one... "what if?"
What if one of the "private" networks isn't using the pfSense as its GW?
Let's say that the 172.15.0.42 host is using as GW an IP other than your pfSense 172.15.0.1... Would you be able to ping it?
:-[
-
"Let's say that the 172.15.0.42 host is using as GW an IP other than your pfSense 172.15.0.1."
When I have asked already multiple times in this thread..
Or maybe it has a wrong gateway setup / mask and thinks that to talk to your first segment it needs to send traffic to some other IP (gateway).
If you show your box answering, but you don't see it on pfsense..
19:00:27.909689 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
19:00:27.909804 IP firelight.telnet > 172.16.100.205.53942: tcp 0
Then your box is set up wrong for its gateway or its network mask and thinks that IP address is local to its network..
But WHY would my 172.15.0.42 NOT use pfsense as its default gateway?? But yeah if that was the case, then sure you "could" nat so that my 172.5.0.42 saw the traffic as coming from its local network, and would not talk to a gateway to talk to it..
If that is the case why has the OP not stated this - I have brought up that scenario a couple times already.. Real early in the thread even when he stated pfsense was not seeing a response.
It's really simple when you need nat - you need nat when the dest would not know how to talk to the source IP, so you need to change the source IP to an IP that the dest can talk to.. Or you need to create routes so it does know..
If you had something like what you're saying:
192.168.1.0/24 -- pfsense 172.15.0.1 -- 172.15.0.42 -- 172.15.0.254 router otherIP -- other networks.
Where .254 was say the default gateway for .42 you have 2 options.. You could nat traffic coming from 192.168.1.0/24 so it LOOKS like it's really from 172.15.0.1 -- so .42 thinks it's just local. Not my first choice since be it you use NAT or NAPT you made it more complicated than simple route and firewall rules (if even firewall between and not just router)
OR!! Simple option -> You put a route on .42 that says hey when you want to talk 192.168.1.0/24 use 172.15.0.1 as your gateway to that network and don't send it out your "default" gateway..
This is like the pfsense routing table.. Since pfsense has routes to the networks involved, it doesn't send the traffic out its "default" gateway.. It sends the traffic out the interface connected to that network.
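As an added illustration of the two options above (example code, not from the thread or from pfSense), a minimal longest-prefix-match routing table for the .42 host shows where its reply goes with only a default gateway, with the static route added, and with pfSense source-NATing to 172.15.0.1. The addresses follow the sketch above; the routing logic is a simplified model, not a real host stack.

```python
import ipaddress

# Added example: simplified host routing table with longest-prefix match.
# Addresses follow the thread's sketch (pfSense 172.15.0.1, other router .254).

def next_hop(routes, dst):
    """Return the gateway (or 'direct') chosen for dst by longest prefix match."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# Host 172.15.0.42 whose default gateway is the .254 router, not pfSense.
HOST_ROUTES_DEFAULT_ONLY = [
    ("172.15.0.0/24", "direct"),    # connected network
    ("0.0.0.0/0", "172.15.0.254"),  # default gateway
]

# Same host after adding the static route described above.
HOST_ROUTES_WITH_STATIC = HOST_ROUTES_DEFAULT_ONLY + [
    ("192.168.1.0/24", "172.15.0.1"),  # reach the 192.168.1.0/24 LAN via pfSense
]

PFSENSE = "172.15.0.1"

def reply_reaches_pfsense(routes, reply_dst):
    """True when the host's reply to reply_dst ends up at the pfSense interface.

    Either the route points at pfSense as gateway, or (NAT case) the reply
    is addressed to pfSense itself on the connected network.
    """
    hop = next_hop(routes, reply_dst)
    return hop == PFSENSE or (hop == "direct" and reply_dst == PFSENSE)

if __name__ == "__main__":
    client = "192.168.1.10"  # constructed client address on the 192.168.1.0/24 LAN
    print("default only, reply to client ->", next_hop(HOST_ROUTES_DEFAULT_ONLY, client),
          "| reaches pfSense:", reply_reaches_pfsense(HOST_ROUTES_DEFAULT_ONLY, client))
    print("with static route, reply to client ->", next_hop(HOST_ROUTES_WITH_STATIC, client),
          "| reaches pfSense:", reply_reaches_pfsense(HOST_ROUTES_WITH_STATIC, client))
    # NAT option: pfSense rewrites the source to 172.15.0.1, so the reply goes to
    # pfSense directly and no route on the host is needed.
    print("default only, reply to NATed source ->", next_hop(HOST_ROUTES_DEFAULT_ONLY, PFSENSE),
          "| reaches pfSense:", reply_reaches_pfsense(HOST_ROUTES_DEFAULT_ONLY, PFSENSE))
```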
-
Hi John,
I’ve tried to explain what I’m trying to do, a simple port forward between internal lan segments and have given chapter and verse on the network topology and loads of debug info. All you seem to do is find fault and criticize via various side issues, without once answering any of the questions directly.
Don’t be offended, but it sounds like angry father syndrome, rather than understanding mentor. Perhaps calm down a bit and actually try to answer the questions?…
Regards,
Chris
-
This really should be simple, and just work by default as long as there are firewall rules that allow the traffic.
Can we start again and get exactly what is where:
a) Each interface name and its IP address on pfSense
b) What rules are on each interface
c) What the clients have for their default gateway (hopefully the respective pfSense interface IP address)
d) Details of any other router/gateway device in the network
-
Dude I have gone over this and over this - what part about NOT needing nat do you not understand??
You have not answered anything that has been asked..
For starters does 172.x network use pfsense as its default gateway or point to something else?
If you're going to insist on NAT, you're going to have to create it manually because pfsense does not NAT between LAN segments automatically.
Do your pfsense LAN interfaces have gateways on them - see my example where there is NO gateway listed on LAN interfaces.
Where are your rules - Post them! And the networking setup from your devices. Where is your pfsense routing table?
As I showed you it takes literally only a couple of minutes to route traffic on pfsense between lan segments - there is NO need to NAT.
As stated with your tcpdump, if you're saying you're seeing pfsense send the packets, and seeing your box answer those packets but not being seen on pfsense.. Then you have something wrong with your client configuration. Be it that it thinks that source IP is local, be it that it has another route to that network - ie a different default gateway? Or something between pfsense and this client not allowing the traffic (firewall?)
Without some details NOBODY can help you.
-
Hi,
Thanks for the replies and hope you won’t mind if I answer both in the same post..
Phil:
This really should be simple, and just work by default as long as there are firewall rules that allow the traffic.
Can we start again and get exactly what is where:
a) Each interface name and its IP address on pfSense
There are 3 hardware interfaces.
wan: 10.0.x.x External, internet. Default gateway -> upstream
homenet: 172.16.x.x Home, internal. No gateway defined
labnet: 192.9.x.x Lab, internal. No gateway defined
b) What rules are on each interface
wan: None, other than one to block bogon networks
homenet: One, to allow home net to anything
labnet: One, as per homenet.
There’s also the admin anti-lockout rule on labnet, on a non-standard https port. Admin account name is different as well, but doubt if that should affect anything.
This is all working fine for outgoing access via either interface to the web, but if I try to telnet a homenet node to the labnet node, I get “no route to host” which is expected since there’s no rule or port forward defined to allow it.
c) What the clients have for their default gateway (hopefully the respective pfSense interface IP addresses)
Correct for both
d) Details of any other router/gateway device in the network
1 upstream from wan interface, none on homenet or labnet
As I understand it, pfsense blocks everything by default, so you need rules even for outgoing access. For that reason, it seems logical that if I want to access a host on labnet from a homenet host, I need a port forward or some sort of rule to allow it. Port forward on another pfsense box works fine incoming from the wan to a lan port, but it doesn’t seem to work from one internal port, to another on this box, so perhaps all ports are not created equal / have the same capabilities?
Ok, so I define a port forward rule for telnet as follows:
Src Addr     Src Ports   Dest Addr      Dest Ports   NAT Addr     NAT Ports
172.16.x.x   *           housenet net   23           192.9.x.x    23
Sorry no screen shot, but haven’t got round to that yet..
Interface is housenet, protocol = tcp/udp, nat reflection = default and nat creates associated rule. Except for the interfaces, this is the same setup as that for the other pfsense box on the webserver, which works fine.
Using this rule, the telnet request is seen on homenet with wireshark, can be seen outgoing on the pfsense local console and the server on labnet replies, but the reply is lost on its way back into the pfsense labnet interface. All the tcpdump trace info is in a previous post above, fyi.
Do you need anything else?
John,
Dude: … what part about NOT needing nat do you not understand ??
Well, all of it, unless you can tell me how it can be done without a port forward / nat, or rules of some sort :-). (Note the smiley :-)
All the debug info is in the previous posts, other than the rules, but if there’s anything I’ve missed this time, please let me know…
Regards,
Chris
-
Hi,
A bit more info:
Have also tried various variations on the above rule and also various switches in system -> advanced -> firewall-NAT, but none of it seems to work.
Is there any way to force wysiwyg from post editor -> preview -> post? Formatting lost :-)…
Regards,
Chris
-
This is all working fine for outgoing access via either interface to the web, but if I try to telnet a homenet node to the labnet node, I get “no route to host” which is expected since there’s no rule or port forward defined to allow it.
Actually, it is expected to have a route and thus deliver your packet/s. pfSense (and every router I have ever seen) will route between local subnets by default.
homenet: One, to allow home net to anything
That rule should allow home to labnet, as well as homenet to google, homenet to facebook, homenet to anything.
There REALLY is no need to use NAT for this. There MUST be some other tricky thing that you have accidentally set up that is causing this not to work, or the target system in labnet does not respond to telnet from another subnet or…
Look in the Firewall log and make sure packets are not being blocked there. Then do some packet capture on homenet to verify the telnet initiation packet/s arrive, then on labnet to verify they leave labnet, then look for the response packet from labnet client on labnet and then homenet. Wherever the packet/s stop being seen is where to look next.
-
Phil,
Thanks for the reply. The install is plain vanilla from the iso, with no special tweaks. I’ve been using pfsense for years now, with ipcop, freesco and packet filtering in the past, along with doing electronics / sw eng for work for decades, so hopefully not a complete newbie to this. Strange thing is that I’m pretty sure this worked on 2.03, but may have been ipcop, as it’s some time since I had this requirement set up.
If you read the op, you can see that I have been packet monitoring at 3 points: homenet via wireshark, pfsense and labnet via tcpdump. There’s a packet trace that proves that the reply from the remote server is being dropped at the pfsense labnet interface, on the way back in, as it is seen on tcpdump labnet, but not on tcpdump pfsense console.
While you and John both seem to think that packets between local interfaces are routed by default, in fact they appear not to be. As I said, pfsense blocks everything by default and you need outgoing rules just to access the wan from local.
Regards,
Chris
-
Dude post a screen shot of your rules for gosh sake, and your routing table.
I am going to say this ONE LAST time - there is NO NEED to NAT between local segments.. PERIOD! I have shown you this - it is FACT, you do NOT have to NAT between local network segments no matter what address space you're using.
as to this
"the remote server is being dropped at the pfsense labnet interface,"
No, dropped is the WRONG word.. Not seen is the right word from what you have shown.. Even if you had a block rule there the tcpdump would still show the packets if they hit the interface.
So if you're saying the packets are not being seen there then you have another issue.. Validate that the packets that leave your client actually have the correct MAC for one. And what is between??
Had a very strange thing with a cisco switch awhile back where packets were not being forwarded in a vlan unless there was a SVI on the vlan..
https://tools.cisco.com/bugsearch/bug/CSCth74527
IF you're not seeing the return packets at pfsense - then this issue has NOTHING to do with pfsense!
-
John,
4 images to post, but call me clueless, how do you inline images on this board? There's the button, but paste file contents doesn't seem to do anything. Intuitive, or what? Help file != useful either.
Just to add, I know that the hardware is ok because I can telnet or ftp into the lab server from the pfsense console, as well from any other machine on labnet. Also tried a direct connection from the housenet machine (ip changed) to the server and that works fine. There can be some funnies with telnet between some machines, but not here. I use ftp from pfsense all the time to send the backup dump files to the server. All the lab machines and pfsense are on the same 3Com 29xx series switch.
The cisco link is behind a login, but I played with a pix515 some time ago and thought the user interface (windows client) unintuitive and primitive compared to pfsense, or even ipcop. Ymmv, of course :-)…
Regards,
Chris
-
click the preview button on the bottom so you get the full editor
if you're wanting to link to an img elsewhere - then use the tags and put in the url to your image.
-
John,
Thanks - Didn't have the wysiwyg editor selected, but still clueless. Click on add image, which then asks for the location, which I fill in for the first as:
i:\ImageFile\Screenshots\HouseRules.png
Which inserts a box into the reply, but preview sees nowt. Anyway, 4 images included as attachments…
Sometimes just easier to ask etc :-).
Regards,
Chris
-
…2 replies as the image > 300K total
-
And how would pfsense forums have access to i:\ImageFile\Screenshots\HouseRules.png ?? If you want to do inline with img tags then you need to have some url that pfsense and for that matter the viewer of the forums could access ie http://images.something.tld/image.png for example.
And what is that rule doing above your telnet rule? with the advanced tag on it?
Dude - for testing let's call it.. make your housenet rule like your labnet rule. Where source is the network and dest IP and port are any any. Where are your outbound nats - are they automatic or manual. And what are you doing in the advanced section -- that's a tag on the rule. Remove all port forwards! And what are your outbound nats - post them.
But let's forget any rules you have on pfsense for now.
If you're saying when you tcpdump on the labnet pfsense interface, you see the telnet packet go out to your 192.9.x.x address and you don't see a response then pfsense has nothing to do with the issue.
Pfsense sends out packets to 192.9.x.x:23 from 172.16.x.x:random, and you don't see packets come back.. Then 172.16 did not answer, or sent it to the wrong place or something between 172.16 and pfsense interface is not forwarding along the packet.
tcpdump will show you all packets before they hit any nat rule or firewall rule. So if the packets are not there - there is NOTHING that pfsense could do.
btw not sure what you're doing with the advanced options - but that rule makes the rule below it about telnet pointless and would never be used unless something in the advanced options would rule out telnet?
Also telnet is TCP, not UDP so having both tcp and udp is again pointless.
-
192.9.0.0/16 is allocated to Sun Microsystems and is not private address space.
Just fyi.
-
^ yeah we know, been brought up already.. Another ? he never answered after he stated he had answered everything, etc. ;)
"have given chapter and verse on the network topology and loads of debug info"
His wan is clearly private.. So at a loss to why you would be using public IP space behind a NAT.. Unless there was some other path to get to these boxes? Maybe he thinks its OK to just pull IP space out of the AIR and use it - maybe he works for Sun?
-
John,
This is getting hard work :-)
There might have been a time when I would have thought it very cool and a privilege to work for Sun, since they made some of the earliest and most competent unix systems around, full GUI when most PCs were still running DOS. I’m in the UK, am probably too old now and do hardware and embedded systems development, not unix. Besides, they never asked me :-), they no longer make workstations anyway and they are owned by oracle now, which is a disaster.
If you actually read through the earlier posts, you would see that I said that the 192.9 lab network is historical. My very first unix box was a sun 3 system found in a junkyard. All the sun docs of the time used the 192.9 block, so that’s what I used. I have a load of respect for early unix development and like historical context, so never changed the 192 block for the lab, nor deleted old host names. Anyway, this is all nitpicking since pfsense really shouldn’t care what address block you use for any of the interfaces and there is no “correct” way to do it, other than the way you want it. The rules are what matters.
As for tcpdump traces, I have copied the traces twice to previous posts here, the second time with a description of what’s going on. Perhaps you didn't understand it, so will try again in verbose mode. Note that tcpdump is tracing output from the pfsense labnet interface and the server replies. Server host name is firelight.
$ tcpdump -q host 172.16.100.205
tcpdump: verbose output suppressed,
listening on bge0
19:00:27.909689 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
The above line shows the initial telnet request from the housenet node
19:00:27.909804 IP firelight.telnet > 172.16.100.205.53942: tcp 0
This is the first server reply
19:00:30.914297 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
This is the first retry from the housenet host
19:00:30.914362 IP firelight.telnet > 172.16.100.205.53942: tcp 0
19:00:31.290075 IP firelight.telnet > 172.16.100.205.53942: tcp 0
This time, we get two replies for redundancy; telnet is assuming the packet was dropped, or otherwise corrupted on return to the client.
19:00:36.922216 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
The third retry from housenet
19:00:36.922286 IP firelight.telnet > 172.16.100.205.53942: tcp 0
19:00:38.060093 IP firelight.telnet > 172.16.100.205.53942: tcp 0
19:00:42.930063 IP firelight.telnet > 172.16.100.205.57243: tcp 0
Here we have three replies at once, again for redundancy. Telnet thinks this must be a very sh***y line.
So, the server is doing its best responding to the telnet request, but no one is at home on pfsense labnet receive and the replies are being dropped. This is confirmed by tcpdump on the pfsense console, which shows the outgoing request to the server, but not the reply.
You asked for the rules etc, so what's the solution, if there is one? The setup is about the most basic you could imagine, yet it doesn’t work as expected…
Regards,
Chris
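As an added example (not code from the thread), the capture comparison Phil describes can be done mechanically: parse `tcpdump -q` lines from the two capture points (the labnet server and the pfSense labnet interface), count requests and replies at each, and report the direction in which packets stop being seen. The sample captures are constructed in the format of the trace above, reusing the server name "firelight" and the telnet port from it.

```python
import re
from collections import Counter

# Added example: locate where packets stop being seen between two tcpdump
# capture points. Regex matches the "-q" line format shown in the thread.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\S+) > "
                  r"(?P<dst>\S+)\.(?P<dport>\S+): (?P<proto>\w+)")

def parse(lines):
    """Yield (src, sport, dst, dport) from tcpdump -q output, skipping banner lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield (m["src"], m["sport"], m["dst"], m["dport"])

def direction(pkt, server):
    """Classify a packet as a 'request' (towards the server) or a 'reply' (from it)."""
    return "reply" if pkt[0] == server else "request"

def count_directions(lines, server):
    c = Counter(direction(p, server) for p in parse(lines))
    return {"request": c["request"], "reply": c["reply"]}

def locate_loss(server_lines, pfsense_lines, server="firelight"):
    """Compare what each capture point saw; return both counts and a verdict."""
    on_server = count_directions(server_lines, server)
    on_pfsense = count_directions(pfsense_lines, server)
    if on_server["request"] == 0:
        verdict = "requests never reach the server: look between pfSense and the server"
    elif on_server["reply"] == 0:
        verdict = "server does not answer: look at the server (service, host firewall, routes)"
    elif on_pfsense["reply"] == 0:
        verdict = ("replies leave the server but never hit pfSense: "
                   "check the server's gateway/mask, the MAC it replies to, and the switch path")
    else:
        verdict = "replies reach pfSense: look at pfSense rules/state, then the client side"
    return on_server, on_pfsense, verdict

# Constructed captures modelled on the thread's trace (not the poster's own data).
SERVER_CAPTURE = """\
tcpdump: verbose output suppressed,
listening on bge0
19:00:27.909689 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
19:00:27.909804 IP firelight.telnet > 172.16.100.205.53942: tcp 0
19:00:30.914297 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
19:00:30.914362 IP firelight.telnet > 172.16.100.205.53942: tcp 0
""".splitlines()

PFSENSE_CAPTURE = """\
19:00:27.909512 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
19:00:30.914120 IP 172.16.100.205.53942 > firelight.telnet: tcp 0
""".splitlines()

if __name__ == "__main__":
    srv, pfs, why = locate_loss(SERVER_CAPTURE, PFSENSE_CAPTURE)
    print("server saw", srv, "| pfSense saw", pfs)
    print(why)
```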