Netgate Discussion Forum

Subnet issue, can't reach hosts outside of subnet

Problems Installing or Upgrading pfSense Software
beatles1235, Oct 29, 2015, 12:04 AM (last edited Oct 29, 2015, 12:32 AM)

Hello, I'm trying to get a better understanding of routers and subnetting, so I decided to try and set up my own little network.

I have my cable router with the IP address of 192.168.1.1.

I have a couple of hosts under this, one being my computer (192.168.1.26).

I also have a server at 192.168.1.3 running Hyper-V with three hosts:

• Ubuntu (192.168.1.23)
• pfSense (WAN of 192.168.1.24) and (LAN of 192.168.100.6)
• Windows server (192.168.100.4)

So here's my problem: from my pfSense router I can ping into both the 192.168.100.0/29 network and the 192.168.1.0/24 network.

If I try to ping from my computer or any other host that resides on my 192.168.1.0/24 network, I cannot reach my 192.168.100.0/29 network.

I've tried setting up a static route on my cable router:

Destination=192.168.100.0
Subnet=255.255.255.248
Gateway=192.168.1.1

I've also set a static route on the pfSense router:

Network= 192.168.1.0/24
gateway= WAN_DHCP - 192.168.1.1
Interface=WAN

Like I said, I'm fairly new to this side of networking, so I'd really appreciate it if I could get some ideas of what I should be looking at changing. Thank you!

Derelict (Netgate), Oct 29, 2015, 12:26 AM

What is a /32 network? /32 is one host only.

Even if you get all that sorted out, here's one example of one problem.

Your computer is configured like this:

Address: 192.168.1.26
Netmask: 255.255.255.0 (/24) (Guess)
Default gateway: 192.168.1.1 (Guess)

When your computer tries to reach 192.168.100.4 it will see the traffic isn't on the local subnet and send it to the default gateway. Even if you put a route for 192.168.100.0/29 in the cable router, it will have to hairpin the traffic back out the same interface it arrived on. This can result in ICMP redirects and other noisy, unsound crap.

The proper solution to this problem is to put a route for 192.168.100.0/29 with a destination of 192.168.1.24 into your computer's routing table.

You will quickly find that maintaining routes in hosts such as this will be extremely cumbersome.

A better way is to design your network so each host only has one choice of router on its subnet, and that router is its default gateway. Static routes in routers are still a pain, but are much easier to maintain.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

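Derelict's routing walk-through above, as an added illustration that is not part of the thread and not pfSense code: a longest-prefix-match lookup over constructed routing tables for the workstation and the cable router, using the addresses from the posts. The tables themselves, the interface names (eth0, lan, wan) and the upstream address 203.0.113.1 are assumptions made for the example; the workstation's /24 mask and 192.168.1.1 gateway are the guesses Derelict makes.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread. The routing tables below are constructed for the
# example; the page does not show the real tables of these machines.
CABLE_ROUTER = ip_address("192.168.1.1")
PFSENSE_WAN = ip_address("192.168.1.24")
TARGET = ip_address("192.168.100.4")      # Windows server behind pfSense
ISP_GATEWAY = ip_address("203.0.113.1")   # placeholder upstream next hop (assumed)

# A route is (prefix, next_hop, interface); next_hop None means directly connected.
ANY = ip_network("0.0.0.0/0")

# Workstation 192.168.1.26/24 with default gateway 192.168.1.1 (Derelict's guess).
WORKSTATION_DEFAULT = [
    (ip_network("192.168.1.0/24"), None, "eth0"),
    (ANY, CABLE_ROUTER, "eth0"),
]
# The same host after adding the route Derelict recommends.
WORKSTATION_WITH_ROUTE = WORKSTATION_DEFAULT + [
    (ip_network("192.168.100.0/29"), PFSENSE_WAN, "eth0"),
]
# Cable router with the /29 pointed at pfSense's WAN address. (The first post's
# entry names 192.168.1.1, the router's own address, so it names no other device.)
CABLE_ROUTER_TABLE = [
    (ip_network("192.168.1.0/24"), None, "lan"),
    (ip_network("192.168.100.0/29"), PFSENSE_WAN, "lan"),
    (ANY, ISP_GATEWAY, "wan"),
]


def _addr(dst):
    return ip_address(dst) if isinstance(dst, str) else dst


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = _addr(dst)
    best = None
    for prefix, via, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, iface)
    return best


def next_hop(table, dst):
    """Where a host sends a packet for dst: ('on-link' or gateway, interface), or None."""
    route = lookup(table, dst)
    if route is None:
        return None
    _, via, iface = route
    return ("on-link" if via is None else str(via), iface)


def hairpins(table, ingress_iface, dst):
    """True when a router would forward the packet back out the interface it came
    in on: the condition behind the ICMP redirects Derelict describes."""
    route = lookup(table, dst)
    return route is not None and route[2] == ingress_iface


def usable_hosts(cidr):
    """Host addresses in a prefix: /32 is a single host, /31 a point-to-point pair,
    anything larger loses the network and broadcast addresses."""
    n = ip_network(cidr, strict=False).num_addresses
    return n if n <= 2 else n - 2


if __name__ == "__main__":
    print("workstation, default table :", next_hop(WORKSTATION_DEFAULT, TARGET))
    print("workstation, with /29 route:", next_hop(WORKSTATION_WITH_ROUTE, TARGET))
    print("cable router hairpins       :", hairpins(CABLE_ROUTER_TABLE, "lan", TARGET))
    for cidr in ("192.168.100.0/29", "192.168.100.0/24", "192.168.100.4/32"):
        print(cidr, "usable hosts:", usable_hosts(cidr))
```

Run as a script it prints the workstation's next hop with and without the /29 route (192.168.1.1 versus 192.168.1.24), the cable router's hairpin verdict for a packet that arrived on its LAN side, and the host counts behind the /32 remark.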
beatles1235, Oct 29, 2015, 12:37 AM

I guess I meant /24.

I get the usefulness of the static routes, but how do I implement them correctly?

Right now I have the static routes in as I mentioned above, but I keep getting a destination host unreachable from 192.168.1.1 if I try to ping the pfSense router at 192.168.100.3.

beatles1235, Oct 29, 2015, 3:11 AM

So I went into the settings of the pfSense router and disabled the firewall, which also disabled NAT. This now allows me to ping my router (192.168.100.3) from my workstation (192.168.1.26).

My question is: why did I have to disable the firewall? I tried passing all traffic through the firewall and disabling all the rules on NAT, but it didn't fix my issue.

The only way I was able to route traffic between the two subnets was to just disable the firewall. Is there any way to keep the firewall up and still be able to route through both subnets?

muswellhillbilly, Oct 29, 2015, 10:32 AM (last edited Oct 29, 2015, 11:09 AM)

If I read your description correctly, you're trying to ping a LAN address (192.168.100.x) from a WAN address (192.168.1.x) across the firewall. This won't work, since your firewall will only NAT traffic from LAN to WAN out of the box. To ping an address from WAN to LAN, you'd have to set up a port forward rule on the WAN side of the firewall to send ICMP packets to a LAN address. The effect of this is that the address you would be pinging would have to be an alias address you set up on the WAN, which would then forward the ICMP packets to the LAN address.

I'm not entirely clear why you have your network set up this way. Ideally, you should put your trusted hosts on the LAN side of the firewall and just the untrusted ones on the WAN side. It looks like you're trying to use pfSense more as a bridge than a firewall, given the description. If I'm wrong on this, then the next thing you should do is post a diagram (picture, not text) of your network setup with the LAN/WAN and associated addresses labelled, so it's possible to get a clearer picture of what you have and what you're trying to do.

beatles1235, Oct 29, 2015, 11:42 PM

Below is a diagram; hopefully this helps. I'm trying to learn more about subnetting. I know this isn't an ideal network setup, but I'm looking to get a hang of the fundamentals. Why is it that I had to disable the firewall on my pfSense router just to be able to reach my virtual server (192.168.100.4) from my computer (192.168.1.26)?

Derelict (Netgate), Oct 30, 2015, 12:40 AM

Did you pass traffic in on the pfSense WAN via firewall rules and/or port forwards?

You have to remember that as far as the default configuration is concerned, to pfSense 192.168.1.0/24 is the internet. Connections aren't just passed in from the internet to LAN.

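The point made by muswellhillbilly and by Derelict just above, that out of the box pfSense treats everything arriving on WAN as untrusted and only LAN carries an allow rule, as an added example that is neither pfSense code nor anyone's post: a small model of first-match, per-interface, default-deny filtering with state tracking, run over the thread's addresses. The rule and packet dictionaries and the "flow" identifier are constructed for the example, and the model leaves NAT out entirely, so it shows only why the ping is blocked by policy, not the NAT side that disabling the firewall also removed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of per-interface, first-match, default-deny filtering with
# state tracking. Rule fields mirror the Interface / Protocol / Source /
# Destination columns of a firewall rule; this is not pfSense's own rule syntax.
def rule(iface, proto, src, dst):
    return {"iface": iface, "proto": proto, "src": ip_network(src), "dst": ip_network(dst)}


# Out of the box: LAN has an "allow LAN net to any" rule and WAN has no rules,
# so anything arriving on WAN that matches no existing state is dropped.
DEFAULT_RULES = [rule("lan", "any", "192.168.100.0/29", "0.0.0.0/0")]

# The narrow rule Derelict asks about: pass only ICMP from the 192.168.1.0/24
# side into the Hyper-V /29, and nothing else from WAN.
WAN_ICMP_RULE = rule("wan", "icmp", "192.168.1.0/24", "192.168.100.0/29")


def filter_packet(pkt, rules, states):
    """Return 'pass' or 'block' for one packet and record allowed flows in states.
    pkt: dict with iface, proto, src, dst, reply (bool), flow (hashable id)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # 1. Reply half of a flow already allowed: passes on state, no rule needed.
    if pkt["reply"] and (pkt["proto"], dst, src, pkt["flow"]) in states:
        return "pass"
    # 2. Otherwise the first matching rule on the ingress interface wins.
    for r in rules:
        if r["iface"] != pkt["iface"] or r["proto"] not in ("any", pkt["proto"]):
            continue
        if src in r["src"] and dst in r["dst"]:
            states.add((pkt["proto"], src, dst, pkt["flow"]))
            return "pass"
    # 3. Implicit default deny on every interface.
    return "block"


def ping(src, dst, iface, rules, states, flow=1):
    """Simulate an echo request arriving on iface and, if it passed, the echo
    reply arriving on the other interface. Returns (request verdict, reply verdict)."""
    other = "lan" if iface == "wan" else "wan"
    req = {"iface": iface, "proto": "icmp", "src": src, "dst": dst, "reply": False, "flow": flow}
    if filter_packet(req, rules, states) == "block":
        return ("request blocked", None)
    rep = {"iface": other, "proto": "icmp", "src": dst, "dst": src, "reply": True, "flow": flow}
    return ("request passed", filter_packet(rep, rules, states))


def scenarios():
    """The thread's situations, evaluated against the model."""
    with_rule = DEFAULT_RULES + [WAN_ICMP_RULE]
    results = {}
    # Workstation on the WAN side pings the Windows server, default ruleset.
    results["default_wan_to_lan"] = ping("192.168.1.26", "192.168.100.4", "wan", DEFAULT_RULES, set())
    # Same ping after adding the narrow WAN pass rule: request in, stateful reply out.
    results["rule_wan_to_lan"] = ping("192.168.1.26", "192.168.100.4", "wan", with_rule, set())
    # A LAN host pinging outwards always worked: LAN's default rule allows it.
    results["lan_to_wan"] = ping("192.168.100.4", "192.168.1.26", "lan", DEFAULT_RULES, set())
    # The added rule is ICMP-only, so an unsolicited TCP connection from WAN stays blocked.
    tcp = {"iface": "wan", "proto": "tcp", "src": "192.168.1.26",
           "dst": "192.168.100.4", "reply": False, "flow": 22}
    results["rule_wan_tcp"] = filter_packet(tcp, with_rule, set())
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The rule_wan_to_lan scenario is the narrow alternative to disabling the firewall: a WAN rule limited to ICMP from 192.168.1.0/24 to 192.168.100.0/29 lets the echo request in and the reply back out on state, while rule_wan_tcp shows that the same rule still blocks everything else arriving on the WAN side.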
Gertjan, Oct 30, 2015, 8:07 AM

Hi,

Hook your computer up behind pfSense.
You'll have a router-after-router setup, which needs some special thought if you consider using 'incoming traffic', but you could administer pfSense just fine, and you will have a normalized setup.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

Derelict (Netgate), Oct 30, 2015, 5:43 PM

> I'm looking to get a hang of the fundamentals.

Then configure your network in a fundamentally sound way. Not one that requires hairpinning traffic in and out of 192.168.1.1 to get from 192.168.1.26 to 192.168.100.3.

You also have to disable NAT in pfSense, or you won't be able to directly address 192.168.100.0/24 at all.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.