Netgate Discussion Forum

    Network Routing

    • MPFontana

      Guys, I have a problem and have tried everything I know to solve it.

      My firewall is configured as follows.

      I have 2 links and 2 separate networks. Each link feeds one network. Then we have:

      Link 1 (default) -> Network 1

      Link 2 -> Network 2 -> HOTSPOT

      Under network 2 I have a HOTSPOT delivering DHCP; therefore, network 2 only delivers the IP (internet) to the HOTSPOT equipment. So I can control the bandwidth available on that network.

      Here LINK 1 is feeding NETWORK 1 and LINK 2 is feeding NETWORK 2. So far so good, everything works, with some exceptions.

      When I try to access via RDP or some other specific services from Network 1 to Network 2, I can do it normally without problems. But if I try the reverse, Network 2 to Network 1, I can't. But if I change the network 2 link that is running LINK 2 to LINK 1, the service works, OR if I put LINK 2 as default, it also works, but then the reverse happens, I have access from NETWORK 2 to NETWORK 1.

      Note: The access is not done via local IPs but via the IPs of the links, properly routed via NAT.

      Sorry for my English  :-X
      Capturar1.PNG
      Capturar2.PNG
      Capturar3.PNG

      • stephenw10 Netgate Administrator

        Please show us your rules on the ADM and HOSPEDE interfaces. That's where the policy routing is that will affect this.

        Also please define exactly what isn't working. You say that you can't access services on one internal network from the other internal network?
        You are trying to access them using their public IPs? So you have port forwarded them? Can we see your port forwards also?

        Steve

        • MPFontana

          @stephenw10:

          Please show us your rules on the ADM and HOSPEDE interfaces. That's where the policy routing is that will affect this.

          Also please define exactly what isn't working. You say that you can't access services on one internal network from the other internal network?
          You are trying to access them using their public IPs? So you have port forwarded them? Can we see your port forwards also?

          Steve

          Thanks for the reply.

          Yes Steve, I'm trying to access some services from one network to the other network via public IPs.

          Here are all you asked for.

          Capturar.JPG1.JPG
          Capturar.JPG2.JPG
          Capturar.JPG3.JPG

          • stephenw10 Netgate Administrator

            So two issues here:
            If you're trying to access the resource using the public IP you need to have set up something to allow that to happen. By default the traffic cannot hit the public address and then be re-routed back to the internal address. See:
            https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

            Secondly, if you use policy based routing to specify a gateway, that overrules the system routing table, so all your traffic from the ADM interface goes out to the BBP gateway even if the destination is actually an internal subnet. You need to put in a rule above the policy-routing rule to allow traffic to get to the local subnets. Can you access the resources using their internal addresses?

            Steve
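
The rule-order point in the reply above, modelled as an added example that is not part of the thread and is not pfSense code: a first-match evaluator in which a rule with a gateway bypasses the routing table. ADM, HOSPEDE and BBP are the names used in the thread; the subnets, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing: the thread does not give the real subnets.
ADM_NET = ipaddress.ip_network("192.168.10.0/24")
HOSPEDE_NET = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Simplified system routing table: directly connected subnets only.
CONNECTED = {ADM_NET: "ADM", HOSPEDE_NET: "HOSPEDE"}


def route(rules, src, dst):
    """Return where a packet entering the ADM interface is sent.

    rules is an ordered list of (source_net, dest_net, gateway_or_None),
    evaluated top to bottom; the first matching rule wins.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for source_net, dest_net, gateway in rules:
        if src in source_net and dst in dest_net:
            if gateway is not None:
                # Policy routing: the rule's gateway is used and the
                # system routing table is never consulted.
                return f"gateway {gateway}"
            # No gateway on the rule: normal routing table lookup.
            for net, iface in CONNECTED.items():
                if dst in net:
                    return f"interface {iface}"
            return "default gateway"
    return "blocked"  # nothing matched: implicit deny


# Only the policy-routing rule: internal traffic is pushed out to BBP.
POLICY_ONLY = [(ADM_NET, ANY, "BBP")]

# Pass rule for the local subnet ABOVE the policy-routing rule.
LOCAL_RULE_FIRST = [(ADM_NET, HOSPEDE_NET, None), (ADM_NET, ANY, "BBP")]

# Same two rules in the wrong order: the local rule is never reached.
LOCAL_RULE_LAST = [(ADM_NET, ANY, "BBP"), (ADM_NET, HOSPEDE_NET, None)]

if __name__ == "__main__":
    for name, rules in [("policy only", POLICY_ONLY),
                        ("local rule first", LOCAL_RULE_FIRST),
                        ("local rule last", LOCAL_RULE_LAST)]:
        print(name, "->", route(rules, "192.168.10.5", "192.168.20.9"))
```

Internet-bound traffic still matches the policy-routing rule in every ordering; only the position of the local-subnet rule changes where internal traffic goes.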

            • MPFontana

              @stephenw10:

              So two issues here:
              If you're trying to access the resource using the public IP you need to have set up something to allow that to happen. By default the traffic cannot hit the public address and then be re-routed back to the internal address. See:
              https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

              Secondly, if you use policy based routing to specify a gateway, that overrules the system routing table, so all your traffic from the ADM interface goes out to the BBP gateway even if the destination is actually an internal subnet. You need to put in a rule above the policy-routing rule to allow traffic to get to the local subnets. Can you access the resources using their internal addresses?

              Steve

              Steve, for the first issue I'll try later because I'm quite busy right now. For the second issue, I already tried to create a rule on the hospede subnet that allows the traffic, like the picture attached.

              Capturar.JPG

              • stephenw10 Netgate Administrator

                Ok, I don't see it in your screenshot above the rule that specifies a gateway though. Did you just create it?

                Steve

                • MPFontana

                  @stephenw10:

                  Ok, I don't see it in your screenshot above the rule that specifies a gateway though. Did you just create it?

                  Steve

                  Steve, I studied and tried the options you showed me and I couldn't get this to work. I don't know why; it could be the hotspot under Network 2, but I don't manage this third-party service (DHCP) and can't do much on it.

                  In the gateway rule was specified STNGW.

                  • stephenw10 Netgate Administrator

                    Not entirely sure what you meant there,  :-\

                    If you've added more firewall rules can we see screenshots of those?

                    Steve
