Netgate Discussion Forum
    No routing between internal networks with multi-wan?

      vrtigo1

      I also posted this on reddit at /r/pfsense but thought I might get more help here.

      I'm running pfSense 2.3.4.
      My setup looks like this:
      -5 NICs (2 WAN + 3 LAN)
      -Each WAN interface is connected directly to a modem from my ISP and they get IP addresses via DHCP
      -The LAN interfaces are three separate networks (10.0.0.0/24, 10.0.10.0/24 and 10.0.20.0/24)
      -I've created a gateway group and placed both of the WAN interfaces into it
      -In the firewall rules for each of the 3 internal networks, I've got a permit all rule allowing all traffic to anywhere and have specified the gateway group as the gateway on that rule.

      This seems to work as intended for multi-wan. All 3 internal networks can access the Internet and the traffic seems to be load balancing across the two ISP connections.

      The issue is that the internal networks can't communicate with one another.

      A host on network 1 can't ping a host on network 2 and vice versa.

      I think I've identified that this is somehow related to the gateway group. If I change the firewall rules on the internal networks and update the gateway to 'default' versus the gateway group that I created then the internal networks can communicate.

      To try to work around this, I created a new firewall rule for each internal network. It's a permit statement with a destination of 10.0.0.8/8 (which would match all 3 of my internal networks) and I've left the gateway on this rule as 'default' and ensured that this is the first rule in the ruleset for each of the internal networks.

      My understanding is that rules are matched in the order they appear in the ruleset so any traffic from any internal network destined for another internal network should match that rule and I'd think that would make it hit the 'default' gateway vs the gateway group. That doesn't seem to be working though as the internal networks still can't communicate.

      Interestingly, each internal network can reach the LAN IP of other internal networks (i.e. a host on 10.0.0.0/24 can ping 10.0.10.1). Presumably this is because the traffic is never exiting any other interface in pfSense, but I'm not entirely sure on that.
      Any suggestions on how I can address this?

        starshooter10

        Sounds very similar to my issue.

        https://forum.pfsense.org/index.php?topic=134810

          Derelict (Netgate)

          Bypassing policy routing is a known requirement in that case. It is not a bug nor a problem.

          https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

          It sounds like what you have done should suffice. If it still does not work, you are probably going to have to actually post what you have done so we can see where you went wrong.

          Keep in mind that rule changes do not affect existing states. Make your changes and clear states to be sure.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
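The two points in the reply above, that a bypass rule must sit above the policy-routed rule and that existing states keep the gateway they were created with until states are cleared, can be modelled with a small first-match lookup. This is an added example, not code from the thread or from pfSense: it assumes a simplified pf model (top-down first match, one state per flow), a hypothetical gateway group name WANGW_GROUP, and constructed hosts 10.0.0.5, 10.0.10.5 and 203.0.113.10. The inter-network destination is taken as typed in the question, 10.0.0.8/8, and masked to 10.0.0.0/8 when parsed.

```python
"""Model of first-match policy routing with a state table.

Added example, not pfSense code. Rules are evaluated top-down, the first
matching rule decides the gateway, and an established state keeps the
gateway it was created with until the state table is cleared.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_GW = "default"       # follow the system routing table (reaches the other LANs)
WAN_GROUP = "WANGW_GROUP"    # hypothetical gateway group name (assumption)


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False masks host bits, so "10.0.0.8/8" as typed in the
    # question is treated as 10.0.0.0/8.
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: str


@dataclass
class PolicyRouter:
    rules: List[Rule]
    states: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def lookup(self, src: str, dst: str) -> Optional[str]:
        """Return the gateway a new packet src->dst is sent to."""
        key = (src, dst)
        if key in self.states:
            return self.states[key]          # existing state wins, rules not consulted
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:              # first match decides
            if s in rule.src and d in rule.dst:
                self.states[key] = rule.gateway
                return rule.gateway
        return None                          # no pass rule matched: dropped

    def clear_states(self) -> None:
        self.states.clear()


LAN1 = net("10.0.0.0/24")
INTERNAL = net("10.0.0.8/8")     # destination as typed in the question
ANY = net("0.0.0.0/0")


def policy_only_rules() -> List[Rule]:
    # Only the permit-all rule with the gateway group: inter-LAN traffic is policy routed out a WAN.
    return [Rule(LAN1, ANY, WAN_GROUP)]


def bypass_rules() -> List[Rule]:
    # Bypass rule for internal destinations placed first, default gateway.
    return [Rule(LAN1, INTERNAL, DEFAULT_GW), Rule(LAN1, ANY, WAN_GROUP)]


def wrong_order_rules() -> List[Rule]:
    # Same rules, bypass placed below the policy-routed rule: never reached.
    return [Rule(LAN1, ANY, WAN_GROUP), Rule(LAN1, INTERNAL, DEFAULT_GW)]


def demo() -> Dict[str, Optional[str]]:
    results: Dict[str, Optional[str]] = {}
    router = PolicyRouter(policy_only_rules())
    results["policy_only"] = router.lookup("10.0.0.5", "10.0.10.5")
    results["bypass"] = PolicyRouter(bypass_rules()).lookup("10.0.0.5", "10.0.10.5")
    results["bypass_internet"] = PolicyRouter(bypass_rules()).lookup("10.0.0.5", "203.0.113.10")
    results["wrong_order"] = PolicyRouter(wrong_order_rules()).lookup("10.0.0.5", "10.0.10.5")
    # Fix the ruleset in place without clearing states: the old state persists.
    router.rules = bypass_rules()
    results["stale_state"] = router.lookup("10.0.0.5", "10.0.10.5")
    router.clear_states()
    results["after_clear"] = router.lookup("10.0.0.5", "10.0.10.5")
    return results


if __name__ == "__main__":
    for name, gw in demo().items():
        print(f"{name:16s} -> {gw}")
```

The model mirrors the reply: with the bypass rule first, 10.0.0.5 to 10.0.10.5 takes the default gateway while 10.0.0.5 to 203.0.113.10 still takes the gateway group, and a flow that already has a state keeps WANGW_GROUP after the rule change until the states are cleared.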

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.