Cannot connect to a 2nd pfsense firewall
-
Update: this appears to be tied to Advanced -> Firewall & NAT settings. Either "Enabled NAT Reflection for 1:1 NAT" or "Enable automatic outbound NAT for Reflection", both of which I had switched on from a previous exploration of PURE NAT mode. Untoggling those two cleared up the situation... for about 30 seconds. That or it was just the firewall going through the "save".
rackserv ~ # telnet 216.146.251.13 15858
Trying 216.146.251.13...
^C
rackserv ~ # telnet 216.146.251.13 15858
Trying 216.146.251.13...
telnet: Unable to connect to remote host: No route to host
-
I assume your public IPs are within the same subnet. So have you set the correct subnet mask for the WAN IPs, probably /29?
-
@ccgllc said in Cannot connect to a 2nd pfsense firewall:
215.8 and the other at ...13. I have current, up-to-date, pfSense firewalls running on both.
What is the mask on this? The mentioned /29 would not be right because .8 would be the wire not a host.
Are these in the same network... What is the mask setting on these 2 pfsense wan interfaces?
How exactly are they connected to your isp? ISP device to a switch? 2 different ISP devices? Are the 2 wan interfaces connected to the same L2 on your side?
-
My ISP uses a full Class C for their static customers, so /24, which things are set at.
216.146.251.1 is my upstream gateway for both.

Both are independent fibre channel glass cables connecting into the ISP equipment at their facility.
-
@ccgllc said in Cannot connect to a 2nd pfsense firewall:
My ISP uses a full Class C for their static customers, so /24, which things are set at.
Address classes are obsolete since the introduction of CIDR. You just have a /24.
-
@jknott said in Cannot connect to a 2nd pfsense firewall:
@ccgllc said in Cannot connect to a 2nd pfsense firewall:
My ISP uses a full Class C for their static customers, so /24, which things are set at.
Address classes are obsolete since the introduction of CIDR. You just have a /24.
OK. I'm old. I'm obsolete. I remember when Gopher was cool new tech. You still got the point.
-
So you have a /24 and there is no local L2 network.. And run to your isp that still should be the same L2.. If you can not talk to either then that is on your ISP..
-
@johnpoz Except that both work fine independently, and now that I've opened up ICMP, pings work between them. TCP/IP does not.
Still, I'll ask. But not expecting much from them. Given that the pings work, they are going to point back to my firewalls.
-
Here is the thing.. So you have this at a logical level..
You have this
You're trying to talk to .13 from .8 that are in the same network.. So sniff on .13, do you see the traffic from .8? If you see it then problem in your forward, if you do not see it then problem at the ISP.