Routing between two internal networks

inzanez

Hello

I'm a bit at a loss. I tried to do something I usually do with by using "iptables on linux", but as others will need to do administrative work on the system too I needed a Web-UI. So I setup PFsense.
For my simple test I got two networks:

• 192.168.2.0/24
• 10.41.41.0/24

There's an already installed gateway in 10.41.41.0/24 with the ip address of 10.41.41.1 which allows internet access. My pfsense got two links now:

• WAN is set to 10.41.41.244
• LAN is set to 192.168.2.1

I disabled NAT and Firewall so that the box should only do routing,…
I set the default gateway on WAN to 10.41.41.1 so that internet traffic is forwarded to that GW
I set the route on LAN to dynamic,...

My problem: I can't ping any host in 10.41.41.0/24 from my host in 192.168.2.0/24 except the PFsense itself. So ping to "10.41.41.244" from "192.168.2.34" does work, but ping to "10.41.41.240" does not. I already used tcpdump to check WAN and LAN interface, both interfaces show the ICMP requests from the host "192.168.2.34". But they don't seem to get forwarded. What do I miss here? I'm sure it's simple,...but I can't see it...:-)

Kind regards
Rafael

doktornotor

Remove the bogus dynamic GW on LAN. The GW there should be none.

inzanez

Done that. But I already had that "configuration" before it's still not routing…

doktornotor

It's routing just fine as long as the 10.41.41.1 GW on WAN knows how to reach 192.168.2.0/24 to send packets back. IOW, you need to configure this on the other end.

inzanez

I currently try to access 10.41.41.240 (which should not go to 10.41.41.1 as far as I believe?),…I had in mind that 10.41.41.244 acts as router between 192.168.2.0 and 10.41.41.0...

doktornotor

Sigh. You need to tell the WAN GW that 192.168.2.0 is reachable via 10.41.41.244. You are configuring completely wrong box. You do NOT need any static routes on the box you are messing with.

inzanez

Ok, let's leave WAN out of this for a second!

Just imagine I got 192.168.2.0/24 and 10.41.41.0/24.
PFsense got 192.168.2.1 as "LAN" and 10.41.41.244 as "WAN". Firewall disabled, no NAT.

Now would want to access 10.41.41.240 from 192.168.2.34…
10.41.41.240 got GW 10.41.41.244 for 192.168.2.0...

doktornotor

I cannot leave WAN out! That's what's broken. Packets go out and reply never gets back. There is NO special configuration needed for the routing-only box you are trying to set up. You configure it like normal, no manual routes, no extra gateways, nothing like that.

For the last time before I leave this thread: 10.41.41.1 - which is the "already installed gateway … which allows internet access" - must know that traffic to 192.168.2.0/24 goes via the interface to which your routing-only pfS box with  WAN IP 10.41.41.244 is attached (i.e., some LAN-like interface) – and NOT via the default GW (which would be the "already installed gateway's" WAN.)

inzanez

Hi

first of all: thanks for pushing me in the right direction. The route on the client side (10.41.41.244) was on the wrong interface…my mistake!