pfSense firewall connection Issue on one link
-
Ok you're policy routing everything to the Mikrotik in one direction but in the reverse direction does traffic in ERPLAN have a route back?
Can we see your outbound NAT rules and routing table from pfSense?
Steve
-
-
Ok, I meant the routing table from Diag > Routes not just static routes.
Also you are not able to ping from MBLINK to ERPLAN so we need to see the firewall rules on MBLINK.
Are those automatic outbound rules only on the TATAWAN and AVISHAKARWAN interfaces?
Steve
-
Screenshot of firewall rules on MBLINK is already uploaded in the previous post.
-
Which subnet is the ERLAN interface there?
You seem to be using 171.171.1.0/24 between pfSense and Mikrotik. That subnet is owned by Bank of America.
You probably have either a missing route or firewall rule on the Mikrotik. Or a local restriction on the PC-1 and PC-2 devices preventing them from responding to ping from outside their own subnet.
Run a ping from PC-3 to PC-1. Check the state table in pfSense to see if it's opening states on both interfaces.
Steve
-
Erplan network is 10.10.0.0/16
The pfSense to Mikrotik link is connected through a wireless tower on the private LAN 171.171.1.0/24 network.
The above network works perfectly when I use the Mikrotik router instead of pfSense, but we need to replace the Mikrotik gateway router with pfSense for better security.
-
So run the ping and check the states.
If you don't see the states you can run packet captures to see if traffic actually arriving at all.
Steve
-
I did a tracert from a client behind the Mikrotik; the packet reaches the firewall, i.e. up to IP 171.171.1.5, which is set on the pfSense MBLINK interface. As everything is live, I could not take more downtime. My thinking is that pfSense might be treating MBLINK as a WAN interface, so incoming traffic is being blocked. If that is the case, then how can I unblock all traffic on MBLINK?
-
You already have an 'allow all' firewall rule on that interface, it is not blocking there.
If traffic arrives there but never leaves the ERPLAN interface (did you run pcaps to confirm that?) then either there is no route for it or something else is grabbing that traffic. Typically that would be IPSec but can also be captive portal. You have either of those configured?
Steve
-
I didn't run pcaps and haven't configured a captive portal either.
-
And no IPSec?
Run the pcaps and see how far the traffic is getting.
Steve
-
Issue solved. The main cause was in the Mikrotik router placed at the other side of MBLINK, where a src-masq NAT entry was causing the issue. After disabling that entry, everything now works fine.
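As an added example (not code from this thread, from pfSense or from the poster), this is the state-table check Steve asked for earlier (ping PC-3 to PC-1, then see whether states open on both MBLINK and ERPLAN), run over constructed `pfctl -ss`-style lines, and extended to flag the condition behind the resolution: a source address rewritten to the link subnet by a masquerade upstream of pfSense. The interface names, PC-3's subnet and the host addresses are assumptions.

```python
import ipaddress
import re

MBLINK_IF, ERPLAN_IF = "em1", "em2"  # assumed pfSense interface names for MBLINK and ERPLAN
LINK_NET = ipaddress.ip_network("171.171.1.0/24")  # pfSense <-> Mikrotik link subnet (from the thread)

# One pfctl -ss line: "<if> <proto> <addr:id> <-|-> <addr:id> <state>" (no NAT on pfSense assumed)
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?):\d+\s+(<-|->)\s+(\S+?):\d+\s+(\S+)")

def parse_states(text):
    """Parse state lines into dicts; pf prints inbound states as 'dst <- src' and outbound as 'src -> dst'."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        iface, proto, left, arrow, right, _ = m.groups()
        src, dst = (right, left) if arrow == "<-" else (left, right)
        states.append({"if": iface, "proto": proto, "src": src, "dst": dst})
    return states

def check_ping_path(states, pc3_ip, pc1_ip):
    """Did an ICMP flow to PC-1 open a state on MBLINK (in) and ERPLAN (out), and was its
    source rewritten to the link subnet (a masquerade upstream of pfSense)?"""
    inbound = [s for s in states if s["if"] == MBLINK_IF and s["proto"] == "icmp" and s["dst"] == pc1_ip]
    outbound = [s for s in states if s["if"] == ERPLAN_IF and s["proto"] == "icmp" and s["dst"] == pc1_ip]
    seen_src = {s["src"] for s in inbound}
    masq = pc3_ip not in seen_src and any(ipaddress.ip_address(a) in LINK_NET for a in seen_src)
    return {"state_on_mblink": bool(inbound), "state_on_erplan": bool(outbound), "source_masqueraded": masq}

# Constructed samples. PC-1 = 10.10.0.20 (ERPLAN), PC-3 = 192.168.88.10 behind the Mikrotik (assumed).
# Case A: the Mikrotik src-masquerades the ping to its own link address 171.171.1.1.
STATES_MASQ = """\
em1 icmp 10.10.0.20:8 <- 171.171.1.1:8       0:0
em2 icmp 171.171.1.1:8 -> 10.10.0.20:8       0:0
"""
# Case B: traffic arrives on MBLINK with PC-3's real address but never leaves ERPLAN
# (missing route, or something else such as IPsec grabbing the traffic).
STATES_NO_ROUTE = """\
em1 icmp 10.10.0.20:8 <- 192.168.88.10:8       0:0
"""

if __name__ == "__main__":
    for name, text in (("masquerade", STATES_MASQ), ("no route", STATES_NO_ROUTE)):
        print(name, check_ping_path(parse_states(text), "192.168.88.10", "10.10.0.20"))
```

On a real box, feed it the output of `pfctl -ss` taken while the ping is running; if the source seen on MBLINK is a link-subnet address rather than PC-3's, the rewrite happened before the packet reached pfSense.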