Tracert to another lan goes to wan
-
given
lan1-192.168.10.0/24 dhcp
lan2-192.168.20.0/24 dhcp
WAN-192.168.2.1SVR1-192.168.10.250 static on lan1 with gw=lan1_interface address
firewall rules
lan1 = permit ipv4 ports-any lan1_net to lan2_net
lan2 = permit ipv4 ports-any lan2_net to lan1_netproblem
=cant ping svr1 from lan2_netfindings from lan2_net
=can ping any lan1_net hosts except svr1
=tracert to svr1 from lan2_net shows 1sthop=lan2_address 2ndhop is the WAN interface and goes to internet and timeout eternity
-
Do you have any rules setting a specific gateway? Only reason it would route you out the wan if trying to go to a different lan address is you have set a gateway in the rule vs letting pfsense use its routing table.
-
but why the rest of the host in lan1 is pingable from lan2….only svr1 is not
note svr1 is centos with static ip and gw is same as the rest pointing to the lan1 interface
-
default gw is *
-
"=tracert to svr1 from lan2_net shows 1sthop=lan2_address 2ndhop is the WAN interface and goes to internet and timeout eternity"
This makes zero sense, if your saying you ping 192.168.10.10 and it works, but you ping 192.168.10.11 and it goes to wan.. Unless you have rules to do that.
What does your traceroute look like when ping 192.168.10.10 (or some IP that works) and one that does not?
To be honest your pfsense wan IP should never be listed in a traceroute either to another lan or the internet.. So you got something odd in your config.
So for example
traceroute to 192.168.3.10 (192.168.3.10), 30 hops max, 60 byte packets
1 192.168.9.253 1.688 ms 1.983 ms 1.946 ms
2 192.168.3.10 2.705 ms 3.477 ms 3.458 ms
user@ubuntu:~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.9.253 1.214 ms 1.419 ms 1.355 ms
2 96.120.snipped 12.749 ms 13.570 ms 21.963 ms
3 162.151.90.117 19.353 ms 21.869 ms 21.883 ms
4 68.86.188.93 23.632 ms 23.641 ms 23.608 msI traceroute from a box on 192.168.9.0/24 to a IP on a different segment off pfsense. It hits its gateway in the 192.168.9 network .253 (pfsense) then it hits the client.
When I ping out to internet it hits pfsense interface.. 192.168.9.253 and then the next hop is the isp gateway on the internet that pfsense is connected too.. At no time should pfsense wan IP show up in your traceroute either to other lan networks or to the internet. The only time your pfsense wan IP would be listed in a trace is if you were tracing from the internet to a network behind pfsense..
-
Thats why iam writing here..
.other than svr1 tracert are just 2 lines and hit the target straight away…
For tracert on the svr1 the second line points to the wan...
-
What is the routing table in pfsense - post it. Did you mess with nat rules?
