No routing between internal networks with multi-wan?



  • I also posted this on reddit at /r/pfsense but thought I might get more help here.

    I'm running pfSense 2.3.4.
    My setup looks like this:
    - 5 NICs (2 WAN + 3 LAN)
    - Each WAN interface is connected directly to a modem from my ISP and they get IP addresses via DHCP
    - The LAN interfaces are three separate networks (10.0.0.0/24, 10.0.10.0/24 and 10.0.20.0/24)
    - I've created a gateway group and placed both of the WAN interfaces into it
    - In the firewall rules for each of the 3 internal networks, I've got a permit all rule allowing all traffic to anywhere and have specified the gateway group as the gateway on that rule.

    This seems to work as intended for multi-wan. All 3 internal networks can access the Internet and the traffic seems to be load balancing across the two ISP connections.

    The issue is that the internal networks can't communicate with one another.

    A host on network 1 can't ping a host on network 2 and vice versa.

    I think I've identified that this is somehow related to the gateway group. If I change the firewall rules on the internal networks and update the gateway to 'default' versus the gateway group that I created then the internal networks can communicate.

    To try to work around this, I created a new firewall rule for each internal network. It's a permit statement with a destination of 10.0.0.8/8 (which would match all 3 of my internal networks) and I've left the gateway on this rule as 'default' and ensured that this is the first rule in the ruleset for each of the internal networks.

    My understanding is that rules are matched in the order they appear in the ruleset so any traffic from any internal network destined for another internal network should match that rule and I'd think that would make it hit the 'default' gateway vs the gateway group. That doesn't seem to be working though as the internal networks still can't communicate.

    Interestingly, each internal network can reach the LAN IP of other internal networks (i.e. a host on 10.0.0.0/24 can ping 10.0.10.1). Presumably this is because the traffic is never exiting any other interface in pfSense, but I'm not entirely sure on that.
    Any suggestions on how I can address this?



  • Sounds very similar to my issue.

    https://forum.pfsense.org/index.php?topic=134810


  • LAYER 8 Netgate

    Bypassing policy routing is a known requirement in that case. It is not a bug nor a problem.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    It sounds like what you have done should suffice. If it still does not work you are probably going to have to actually post what you have done so we can see where you went wrong.

    Keep in mind that rule changes do not affect existing states. Make your changes and clear states to be sure.
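To make the rule-ordering and state points concrete, here is an added Python model of first-match rule evaluation with a state table; it is not pfSense code and not from either poster, and the gateway-group name `WANGroup`, the rule layout and the host addresses are assumptions, with the bypass destination using the 10.0.0.0/8 summary the question describes.

```python
import ipaddress

# Added model (not pfSense code) of first-match rule evaluation plus a state
# table: the LAN-to-LAN bypass rule must sit above the policy-routed rule, and
# states created under the old rules keep the old gateway until cleared.
# Rule = (destination network, gateway): "default" = system routing table,
# anything else names a gateway group. Names and addresses are assumed.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # summary of the three LANs
ANY = ipaddress.ip_network("0.0.0.0/0")

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}   # (src, dst) -> gateway chosen when the state was created

    def first_match(self, dst):
        """Gateway of the first rule whose destination contains dst (default deny)."""
        addr = ipaddress.ip_address(dst)
        for net, gateway in self.rules:
            if addr in net:
                return gateway
        return "drop"

    def route(self, src, dst):
        """An existing state wins; only new flows are evaluated against the rules."""
        key = (src, dst)
        if key not in self.states:
            self.states[key] = self.first_match(dst)
        return self.states[key]

    def clear_states(self):
        self.states.clear()

def broken_ruleset():
    # Only the policy-routed permit: LAN-to-LAN traffic is pushed to the WAN group.
    return [(ANY, "WANGroup")]

def fixed_ruleset():
    # Bypass rule first (default gateway), policy-routed catch-all second.
    return [(INTERNAL, "default"), (ANY, "WANGroup")]

def demo():
    fw = Firewall(broken_ruleset())
    before = fw.route("10.0.0.5", "10.0.10.5")      # "WANGroup": sent out a WAN
    fw.rules = fixed_ruleset()                       # fix the rules in place
    stale = fw.route("10.0.0.5", "10.0.10.5")       # still "WANGroup": old state
    fw.clear_states()                                # "clear states to be sure"
    after = fw.route("10.0.0.5", "10.0.10.5")       # "default": routed to LAN 2
    internet = fw.route("10.0.0.5", "203.0.113.9")  # constructed Internet host
    return before, stale, after, internet
```

The `stale` result is the case the reply warns about: the corrected rules are in place, but the flow keeps its old gateway until states are cleared.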

