pfSense fails to route some traffic between two subnets



  • We have a pfsense working like a firewall towards the Internet, and as internal gateway. The problem is that it seems to fail to route some traffic to our second subnet.

    The pfsense is the internal gateway for all our machines and servers. We can reach the machines on the second subnet from our primary net. But, when for example we try to copy a file from our domain controller, which lies on our "primary" net, to the subnet, it fails. For it to succeed we have to bypass the pfsense gateway with a static route to the vlan switch that connects our other subnet/office.

    We have a static route on our pfsense pointing to the vlan.

    Any idea why it manages some traffic but not some other?



  • http://forum.pfsense.org/index.php/topic,7001.0.html
    Can you provide a diagram?
    And describe how the "copying a file over the pfSense" "doesn't work"?

    What hardware are you using? (NIC's)
    Also you're talking about vlans. How did you configure that?

    (Basically give as much information as possible).



  • I have searched the forum before posting.  ;)

    And describe how the "copying a file over the pfSense" "doesn't work"?

    When using xcopy from \servername\catalog\file to c:\localcatalog\ the copy "hangs".

    Where \servername lies on a different subnet. When adding a route to the gateway to the other subnet on the server the xcopy works.

    Can you provide a diagram?

    I'll try.

                 Wan                          Office2 (subnet 10.2.1.0)
                  |                                      |
               PFsense                                  WAN
                  |                                      |
            Lan (10.1.1.11)             VLAN gateway, internal IP 10.1.1.254
                  |                                      |
            ---------------------------------------------------------
            Machines/servers have gateway 10.1.1.11

    So, some of the servers now have a manual static route added to get the traffic that comes from the 10.2.1.0 subnet back to that subnet again.

    What hardware are you using? (NICs)

    Just some common NICs. Pfsense reports them as 100baseTX <full-duplex>. Most things work! As I said, the static route to the 10.2.1.0 network on the pfsense lets us get to the computers through rdp and so on. But, filecopy will not.  ???



  • Have you tried enabling "Bypass firewall rules for traffic on the same interface" under Advanced?

    Also, do you see anything in the logs about packets being too big?
    It might be related to the fact that your other subnet is a VLAN. (MTU issue)



  • I have not tried the disable-the-firewall-rules thing. Did not notice that checkbox. =) Will it not make the security less? I've noticed that the pfsense blocks tons of stuff trying to enter from the wan interface.



  • The checkbox "Bypass firewall rules for traffic on the same interface" seems to have fixed the problem!

    Thanks for all the help! But the question still remains: how come the pfsense lost only some traffic? Since we had the default rule of letting all traffic pass to and from the lan interface.



  • @lordarcane:

    Will it not make the security less? I've noticed that the pfsense blocks tons of stuff trying to enter from the wan interface.

    This only bypasses the firewall rules for traffic entering on one interface and immediately leaving via the same.
    Even if you bypass the firewall like this, a user cannot do more than he could do before
    (like manually adding a route to the other gateway).

    The WAN is something else.
    This option would only apply if the traffic would enter on the WAN and immediately leave again out the WAN.
    -> not affecting your LAN.

    @lordarcane:

    Thanks for all the help! But the question still remains: how come the pfsense lost only some traffic? Since we had the default rule of letting all traffic pass to and from the lan interface.

    I'm not sure.
    Could you show a screenshot of your rules?



  • This option would only apply if the traffic would enter on the WAN and immediately leave again out the WAN.

    Okay, and since the rules don't allow anything in from the WAN, nothing can enter either. Understood.

    The LAN only has one rule. It's a * on everything and allow. =)

    The subnet is not connected physically on any of the pfsense interfaces. The VLAN switch has a physical connection on the LAN side to one of our internal switches.
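The path in this thread is asymmetric: pfSense forwards the outbound packets back out the same LAN interface towards the VLAN gateway at 10.1.1.254, while replies from 10.2.1.0 reach the LAN hosts through the VLAN switch without ever passing pfSense, so a stateful filter sees only one half of each TCP connection. The following is an added illustration, not code from the thread or from pfSense: a deliberately simplified Python model of a stateful filter (a new TCP state on SYN, ESTABLISHED only once the SYN-ACK is seen, bare ACKs dropped otherwise) with the same-interface bypass switch; the hosts 10.1.1.50 and 10.2.1.20 are constructed, and pf's real state machine is more elaborate than this.

```python
# Constructed model: a minimal stateful TCP filter that either sees both
# directions of a handshake (symmetric path) or only the client side
# (asymmetric path, replies bypass the firewall via the VLAN switch).
# Hypothetical simplification of pf-style state tracking, not pfSense code.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    in_if: str
    out_if: str


class StatefulFilter:
    def __init__(self, bypass_same_interface: bool = False) -> None:
        self.bypass = bypass_same_interface
        self.states: dict[tuple[str, str], str] = {}  # (src, dst) -> state

    def filter(self, pkt: Packet) -> str:
        # "Bypass firewall rules for traffic on the same interface":
        # hairpinned packets are not matched against state at all.
        if self.bypass and pkt.in_if == pkt.out_if:
            return "pass"
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":                       # new connection attempt
            self.states[key] = "SYN_SENT"
            return "pass"
        if pkt.flags == "SA" and self.states.get(rkey) == "SYN_SENT":
            self.states[rkey] = "ESTABLISHED"      # handshake completed
            return "pass"
        if pkt.flags == "A" and self.states.get(key) == "ESTABLISHED":
            return "pass"
        return "drop"   # ACK for a state the filter never saw complete


def run_handshake(fw: StatefulFilter, replies_via_firewall: bool) -> list:
    """Client on the primary LAN opens a TCP session to a host in 10.2.1.0."""
    client, server = "10.1.1.50", "10.2.1.20"
    seen = [fw.filter(Packet(client, server, "S", "lan", "lan"))]
    if replies_via_firewall:
        seen.append(fw.filter(Packet(server, client, "SA", "lan", "lan")))
    else:
        seen.append("not seen")  # SYN-ACK went client-bound via the VLAN switch
    seen.append(fw.filter(Packet(client, server, "A", "lan", "lan")))
    return seen
```

With replies routed around the firewall the final ACK is dropped and the file copy stalls after the SYN; with the same-interface bypass the hairpinned packets are passed without state lookup, which matches the thread's outcome.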

