LAN <> OPT1 no access with allow *
-
Dear all,
I have a strange problem on a pfSense (virtual) 2.2.6. We have LAN (Server), OPT1 (going to a router with a leased line to another location) and WAN uplink. If a user is connected via ipsec, he can reach the systems behind OPT1, if I come from LAN, I can't. All rules on LAN and OPT1 allow anything. If I disable pf, I can access the systems behind OPT1 from LAN. Traceroute stops at the system in OPT1 and FROM OPT1, I can access a server in LAN (layout attached).
Any ideas?
Cheers,
Snoopy

-
What's in the firewall logs?
-
hi!
I just see
The rule that triggered this action is:
@9(1000000103) block drop in log inet all label "Default deny rule IPv4"
But it looks like this is not the rule blocking the traffic. If I check the log I can't find anything regarding source / destination IP.
-
Well, something is blocking it. Post your LAN rules.
-
hi,
attached
-
Nothing there blocking. Any floating rules?
-
no, no floating rules.
-
From 10.0.100.0/24 can you:
Ping
10.0.80.254 ?
10.0.80.253 ?
10.0.50.1 ?
-
yes, all of them.
I can also ping from 10.0.100.10 to e.g. 10.0.50.2 if I start a ping FROM 10.0.50.2 TO 10.0.100.10.
-
I don't understand that last sentence.
Not sure. Seems like it should be working. If traffic's being blocked by the firewall it should be in the logs.
-
hi!
I ping from 10.0.100.10 to 10.0.50.2 and I get a timeout. If I now start to ping from 10.0.50.2 to 10.0.100.10, I get a reply from 10.0.100.10 and I can ping from 10.0.100.10 to 10.0.50.2.
-
Think we are missing part of the story here.. 10.0.80/24 seems like a large transit network to me.. Are there devices on this network? Clearly your router to your other location is a downstream router from pfSense.
What are the routes on pfSense to get to this other network? What are the routes in the other routers? What is the transit network used over your leased line? There are no other routers in location B? It has no internet connection, just this point-to-point to your main location?
You say unless you ping from location B to your LAN box first you get a timeout from LAN to location B.. But if you ping first from location B to your LAN box, you can then ping??
So traceroute from LAN to your location B, where does it die? Sniff along the path, where are the packets being dropped or blocked?
-
hi,
sorry for my late reply:
10.0.50.0/24 has a route for 10.0.100.0/24 and 10.0.5.0/24 via 10.0.50.1 and puts this to 10.0.80.253. 10.0.80.253 has a route for 10.0.100.0/24 and 10.0.5.0/24 to 10.0.80.253 (pfsense).
But: If I disable pf (pfctl -d), I can reach everything, so it's not a routing issue. If I do a traceroute from 10.0.100.x to 10.0.50.x, it stops one hop before 10.0.50.x.
Cheers
-
Post a screen dump of the static routes on your PFS (System/Routing and choose the Routes tab). A screen grab of your firewall rules for OPT1 might also be helpful.
-
"But: If I disable pf (pfctl -d), I can reach everything"
You also say you can reach it if you ping from the other side first.. So again missing part of the story here.. Prob have some sort of asymmetrical routing issue maybe?
Again /24 is a freaking HUGE transit.. So you have no hosts on this network?? Or are you trying to reach this other network from a host on your transit?
Post up some simple traceroutes, your route table and your firewall rules, or we are just going to be guessing without knowing the full picture.