pfSense firewall connection Issue on one link
-
I have purchase pfSense 6 port firewall from one of pfsense partner from India.
They configured the firewall as per our requirement. pfsense ether 1 & ether 2 is connected to two diff. ISP for internet which is load balanced. pfsense ether5 is connected mikrotik router ether5
Mikrotik router is connected to three diff. LAN network Issue is PC-1, PC-2 able to ping PC-3, PC-4 & PC-5 but from PC3-PC-5 not able ping PC-1 & PC-2.
Pls. guide how to configure above scenario -
Could be a missing firewall rule. Could be NAT in one direction.
How is Etherswitch-1 connected? You mention only two WANs and one LAN connection but it looks like two LANs.
Steve
-
As I mentioned two WAN which are not in diagram so mentioned in words.
Sorry to mention about LAN(Ethernetswtich-1) connected to pfSense. One more thing to add is pfSense & mikrotik connectivity is through wireless.
One thing I want mention is that instead of pfSense if added mikrotik router it works perfect which is we already using but for more protection we want to install pfsense but then other networks which is behind mikrotik is not able to connect to ethernetswtich-1 network -
Ok, well like I said the most likely cause is a missing firewall rule on the interface connected to the Mikrotik.
Show us screenshots of the rules there.
Steve
-
erplan is ethernetswitch-1 & mblink port of pfsense which is connected to mikrotik router -
Ok you're policy routing everything to the Mikrotik in one direction but in the reverse direction does traffic in ERPLAN have a route back?
Can we see your outbound NAT rules and routing table from pfSense?Steve
-
-
Ok, I meant the routing table from Diag > Routes not just static routes.
Also you are not able to ping from MBLINK to ERPLAN so we need to see the firewall rules on MBLINK.
Are those automatic outbound rules only on the TATAWAN and AVISHAKARWAN interfaces?
Steve
-
screenshot of firewall rules on mblink is already uploaded in prev. post -
Which subnet is the ERLAN interface there?
You seem to be using 171.171.1.0/24 between pfSense and Mikrotik. That subnet is owned by Bank of America.
You probably have either a missing route or firewall rule on the Mikrotik. Or a local restriction on the PC-1 PC2 devices preventing them respond to ping from outside their own subnet.
Run a ping from PC-3 to PC-1. Check the state table in pfSense to see if it's opening states on both interfaces.
Steve
-
Erplan network is 10.10.0.0/16
& pfsense- mikrotik link is connected through wireless tower on private lan 171.171.1.0/24 network.
Above network work perfect when I use miktotik router instead of Pfsense but we need to replace gatway mikrotik router to pfsense for better security -
So run the ping and check the states.
If you don't see the states you can run packet captures to see if traffic actually arriving at all.
Steve
-
i did tracert from client behind miktorik, packet reaches to firewall i.e. upto ip 171.171.1.5 which is set on pfsense MBLink interface. As everything is live so could not take more downtime. As per my thinking pfsense might be working as WAN interface on MBLINK so incoming traffic is blocking if that is the case then how can unblock all traffic on MBLINK
-
You already have an 'allow all' firewall rule on that interface, it is not blocking there.
If traffic arrives there but never leaves the ERPLAN interface (did you run pcaps to confirm that?) then either there is no route for it or something else is grabbing that traffic. Typically that would be IPSec but can also be captive portal. You have either of those configured?
Steve
-
i didn't run pcaps & not even configured captive portal
-
And no IPSec?
Run the pcaps and see how far the traffic is getting.
Steve
-
Issue solved main cause was in mikrotik router placed at other side on mblink where src-masq nat entry was giving issue after disabling that entry now everything works fine
