Routing problem between LAN and DMZ net



  • Hello

    I set up a pfSense box at a friend's office a couple of years ago as follows:

    2.2.1-RELEASE (i386) on an Atom D2500 mainboard, em0 having VLANs: LAN, DMZWIFI - NanoBSD 4G USB stick;
    WAN 1 - PPPoE (public IP address 93.11x.y.z/32)
    WAN 2 - DHCP (from a 4G router, WAN 2 IP address 192.168.8.1/24)
    MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2

    LAN address: 192.168.1.x/24 (VLAN 1)
    DMZWIFI address: 10.0.2.x/24 (VLAN 2)
    DVR IP address: 10.0.2.2
    Switch L2 with management 192.168.1.12 (used for testing).

    The internet is working OK on both networks, from LAN to any, from DMZWIFI to any except LAN.
    The problem is that users from LAN can't access the DVR located on the 10.0.2.2/24 network. In fact I can't access any device on DMZWIFI from LAN.

    Primary troubleshooting makes me think that pfSense is routing the 10.0.2.1/x network to its default gateway to the internet. But this only happens when requests are coming from LAN devices, if I ping from pfSense 10.0.2.2

    I started a ping from an L2 managed switch (192.168.1.12) to 10.0.2.2 and enabled packet capture on the LAN and WAN of pfSense:

    INTERFACE LAN - packet capture
    17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72
    17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72
    NO RESPONSE BACK...

    INTERFACE WAN - packet capture

    17:10:39.683694 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72
    17:10:40.684302 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72

    So it is clear that the packets are routed out of the WAN...

    Other considerations:

    When I do a traceroute from a Windows computer on the LAN to the DMZ, the packets go out of the WAN...
    When I VPN in from a remote location I can access the DMZWIFI network!!
    When I ping the DMZWIFI from pfSense it is OK...

    Routing table

    192.168.1.0/24 link#7 U 2334657 1500 em0_vlan1
    10.0.2.0/24 link#8 U 2123003 1500 em0_vlan2

    Where is the problem?

    Thanks,
    Adrian


  • LAYER 8 Global Moderator

    "MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
    "When I do a traceroute from a Windows computer on the LAN to the DMZ, the packets go out of the WAN..."

    Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network, "dmz"?

    Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.



  • @johnpoz:

    "MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
    "When I do a traceroute from a Windows computer on the LAN to the DMZ, the packets go out of the WAN..."

    Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network, "dmz"?

    Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.

    Thanks for the tip! Now it works with a new rule that allows traffic from LAN to DMZ without forcing the dual-WAN gateway, placed on top of the default rule to the internet.

    BR,
    Adrian
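
The failure johnpoz describes and the fix Adrian confirmed come down to first-match rule evaluation: a LAN rule with a gateway group set is policy-routed (pf `route-to`) and never consults the routing table, so local DMZ traffic follows it out the WAN. The following is an added example, not code from the thread or from pfSense; it models that evaluation with the networks and interfaces posted above, and the rule objects and gateway-group name `WANGROUP` are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks and routing table from the thread; rule model is a constructed assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZWIFI = ipaddress.ip_network("10.0.2.0/24")
ROUTING_TABLE = {LAN: "em0_vlan1", DMZWIFI: "em0_vlan2"}


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None means "any"
    gateway: Optional[str] = None  # gateway (group) set on the rule = policy routing


def egress(rules, src_ip, dst_ip):
    """Where does a packet arriving on LAN leave? First matching rule wins.
    A rule with a gateway bypasses the routing table (pf route-to); a rule
    without one falls through to a normal routing-table lookup."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and (rule.dst is None or dst in rule.dst):
            if rule.gateway:
                return rule.gateway  # policy routed: local routes are ignored
            for net, iface in ROUTING_TABLE.items():
                if dst in net:
                    return iface  # connected network, delivered locally
            return "default-route"
    return "blocked"  # implicit default deny when nothing matches


# Original LAN rules: one "allow any" rule pinned to the gateway group.
ORIGINAL = [Rule(LAN, None, gateway="WANGROUP")]
# Fixed LAN rules: LAN -> DMZWIFI with no gateway, placed ABOVE the policy-routed rule.
FIXED = [Rule(LAN, DMZWIFI), Rule(LAN, None, gateway="WANGROUP")]
# Same two rules in the wrong order: the gateway rule still swallows DMZ traffic.
WRONG_ORDER = list(reversed(FIXED))

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} LAN -> DVR: {egress(rules, '192.168.1.12', '10.0.2.2')}")
        print(f"{name:12} LAN -> WAN: {egress(rules, '192.168.1.12', '93.184.216.34')}")
```

The ordering case is the one to check after any later rule edit: pfSense evaluates rules top down, so a pass rule to the DMZ that sits below the gateway-group rule is dead.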

