Netgate Discussion Forum

    LAN side gateway traffic problem

    • gsmithe

      Hello all,

      I searched the forum and couldn't find this scenario already asked about. I am replacing a WatchGuard branded firewall that routes all traffic with no problem.

      pfSense 2.3.2_p1
      LAN: 192.168.1.1/24
      LAN_GW: 192.168.1.5 (routing to 10.0.5.0/24)
      I created a static route based on the above (and created the gateway). No policy based routing.

      I checked the box for "Bypass firewall rules for traffic on the same interface" option located under System > Advanced
      Checking the firewall logs shows that no traffic to / from 10.0.5.0 is blocked.

      I can ping and get successful traceroute results from my Windows PCs to 10.0.5.10. I can bring up webpages on other 10.0.5.xxx servers. By all accounts, routing appears to work fine.

      We have a software package that connects using TCP 1600 on 10.0.5.10. This software times out when pfSense is in place. If I put the original firewall back in, all starts working in a few seconds.

      Software support says the logs indicate that the traffic is partially coming through, but appears to be cut off or blocked.

      Any help is appreciated.

      • Derelict (LAYER 8 Netgate)

        Draw your network. Please be thorough.

        If you put a gateway on Interfaces > LAN, that is almost certainly wrong. It needs to be defined in System > Routing, but not set on Interfaces > LAN.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • gsmithe

          Thanks for replying.

          Under Interfaces > LAN, I have no gateway.
          I have 2 attachments: the network diagram and the screenshot of my static route.

          ![2016-12-28 16_20_09-tpdpfsense.troypd.local - System_ Routing_ Static Routes.png](/public/imported_attachments/1/2016-12-28 16_20_09-tpdpfsense.troypd.local - System_ Routing_ Static Routes.png)
          ![2016-12-28 16_45_41-netdiag1.ndg.png](/public/imported_attachments/1/2016-12-28 16_45_41-netdiag1.ndg.png)

          • Derelict (LAYER 8 Netgate)

            Don't put hosts on the same subnet as routers. That creates an asymmetric routing situation.

            Make a transit network interface on pfSense and put the router on that.

            Pass the traffic you need to pass from the downstream networks on the transit interface.


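            The failure mode Derelict describes, modelled in Python as an added example (this is not code from the thread or from pfSense). Addresses follow the thread (LAN 192.168.1.0/24, downstream router 192.168.1.5 in front of 10.0.5.0/24, server 10.0.5.10, TCP 1600); the PC address 192.168.1.50 and the transit subnet 192.168.2.0/30 are assumptions. The model assumes the firewall keeps per-connection state for the traffic it forwards, which is the generic asymmetric-routing problem: the firewall sees the SYN, the downstream router answers the PC directly because 192.168.1.0/24 is directly connected to it, and every later packet the firewall does see is out of state and silently dropped, which is the "partially coming through, then cut off" symptom the vendor reported. Putting the router on a transit interface makes both directions cross pfSense and the session completes.

```python
"""Toy model of stateful inspection under asymmetric vs symmetric routing.

Added example for the thread above; not pfSense code. Addresses are taken
from the thread except PC (192.168.1.50) and the transit subnet, which are
constructed for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PC = "192.168.1.50"            # constructed: a LAN workstation
FIREWALL_LAN = "192.168.1.1"   # pfSense LAN address (from the thread)
DOWNSTREAM = "192.168.1.5"     # downstream "black box" router (from the thread)
SERVER = "10.0.5.10"           # application server, TCP 1600 (from the thread)
DOWNSTREAM_NET = ip_network("10.0.5.0/24")
TRANSIT_NET = ip_network("192.168.2.0/30")  # constructed: pfSense OPT1 <-> router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK" (application data rides on ACKs)


@dataclass
class StatefulFirewall:
    """Minimal pf-like state tracking: forward data is passed only after the
    firewall itself has seen the return half of the TCP handshake."""
    states: dict = field(default_factory=dict)   # (client, server) -> state
    dropped: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.states[fwd] = "SYN_SENT"
            return True
        if pkt.flags == "SYN-ACK" and self.states.get(rev) == "SYN_SENT":
            self.states[rev] = "ESTABLISHED"
            return True
        if pkt.flags == "ACK" and self.states.get(fwd) == "ESTABLISHED":
            return True
        # Out-of-state packet: pf's default is a silent drop, hence timeouts
        # rather than connection refusals on the client side.
        self.dropped.append(pkt)
        return False


def crosses_firewall(pkt: Packet, transit: bool) -> bool:
    """Does this packet traverse pfSense on its way?

    Flat design: PC -> pfSense -> 192.168.1.5 on the LAN interface, but the
    router has 192.168.1.0/24 directly connected, so its replies go straight
    to the PC and pfSense never sees them.
    Transit design: the router sits on 192.168.2.0/30 behind an OPT interface,
    so every packet between the LAN and 10.0.5.0/24 passes through pfSense.
    """
    if transit:
        return True
    return ip_address(pkt.dst) in DOWNSTREAM_NET   # only the forward direction


def run_session(transit: bool):
    """Replay a TCP handshake and report which packets were delivered and
    which the firewall dropped as out of state."""
    fw = StatefulFirewall()
    exchange = [
        Packet(PC, SERVER, "SYN"),
        Packet(SERVER, PC, "SYN-ACK"),
        Packet(PC, SERVER, "ACK"),      # final ACK / first data segment
    ]
    delivered = []
    for pkt in exchange:
        if not crosses_firewall(pkt, transit) or fw.inspect(pkt):
            delivered.append(pkt.flags)
    return delivered, [p.flags for p in fw.dropped]


if __name__ == "__main__":
    for layout, transit in (("flat LAN (router on 192.168.1.0/24)", False),
                            ("transit interface", True)):
        delivered, dropped = run_session(transit)
        print(f"{layout}: delivered={delivered} dropped={dropped}")
```

Running it shows the flat layout delivering only `SYN` and `SYN-ACK` before the firewall drops the PC's `ACK`, while the transit layout completes the handshake with nothing dropped. The per-PC static route workaround mentioned later in the thread removes pfSense from the forward path entirely, so neither direction is inspected; the transit design is the one that keeps the firewall in both directions.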
            • gsmithe

              I appreciate your time in answering this. I consider the router at 192.168.1.5 to be a "black box" that I cannot configure, and I will receive pushback in that the old firewall worked just fine.

              I understand the asymmetric routing, though.  I will try to get the responsible party to change the internal IP of the additional router so I can put it on the firewall as a separate network.

              If they won't do that, then I guess it will be adding routes to each PC.

              • Derelict (LAYER 8 Netgate)

                Or make a 192.168.2.0/24 interface and put the PCs on that.

                You can make it work but it's a crappy design and should just be fixed instead.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.