Routing problem between LAN and DMZ net
-
Hello
I set up a pfSense box at a friend's office a couple of years ago as follows:
2.2.1-RELEASE (i386) on an Atom D2500 mainboard, em0 having VLANs: LAN, DMZWIFI - NanoBSD 4G USB stick;
WAN 1 - PPPoE (public IP address 93.11x.y.z/32)
WAN 2 - DHCP (from a 4G router, WAN 2 IP address 192.168.8.1/24)
MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2
LAN address: 192.168.1.x/24 (VLAN 1)
DMZWIFI address: 10.0.2.x/24 (VLAN 2)
DVR IP address: 10.0.2.2
Switch L2 with management 192.168.1.12 (used for testing).
The internet is working OK on both networks, from LAN to any, from DMZWIFI to any except LAN.
The problem is that users from LAN can't access the DVR located on the 10.0.2.2/24 network. In fact I can't access any device on DMZWIFI from LAN. Primary troubleshooting makes me think that pfSense is routing the 10.0.2.1/x network to its default gateway to the internet. But this only happens when requests are coming from LAN devices; if I ping 10.0.2.2 from pfSense
I started a ping from an L2 managed switch (192.168.1.12) to 10.0.2.2 and enabled packet capture on the LAN and WAN of pfSense:
INTERFACE LAN - packet capture
17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72
17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72
NO RESPONSE BACK ..
INTERFACE WAN - packet capture
17:10:39.683694 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72
17:10:40.684302 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72
So it is clear that the packets are routed out the WAN …
Other considerations:
When I do a traceroute from a Windows computer on LAN to DMZ, the packets go out the WAN ..
When I VPN from a remote location I can access the DMZWIFI network !!
When I ping the DMZWIFI from pfSense it is OK ..
Routing table
192.168.1.0/24 link#7 U 2334657 1500 em0_vlan1
10.0.2.0/24 link#8 U 2123003 1500 em0_vlan2
Where is the problem?
Thanks,
Adrian
-
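The two captures above already contain the diagnosis: an ICMP request for 10.0.2.2, one of the firewall's own directly connected networks, shows up on the WAN interface with its source rewritten to the public address. The following added example (not part of the original post, and not pfSense code) runs that check over the captured lines: it parses tcpdump's summary format, and flags any packet seen on a non-local interface whose destination belongs to a local subnet. The interface tags, the local network table (taken from the routing table in the post) and the capture lines themselves are constructed sample input; the masked source 93.11x.y.z is kept as-is and treated as "not one of ours".

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two captures from the post, each line tagged
# with the pfSense interface it was taken on. The WAN source keeps the post's
# masked public address (93.11x.y.z), which deliberately is not a valid IP.
CAPTURE: List[Tuple[str, str]] = [
    ("LAN", "17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72"),
    ("LAN", "17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72"),
    ("WAN", "17:10:39.683694 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72"),
    ("WAN", "17:10:40.684302 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72"),
]

# The firewall's directly connected networks, from the routing table in the post.
LOCAL_NETS: Dict[str, ipaddress.IPv4Network] = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZWIFI": ipaddress.ip_network("10.0.2.0/24"),
}

# tcpdump's IPv4 summary form for ICMP: "<time> IP <src> > <dst>: <protocol text>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one tcpdump summary line into its fields; raise on unknown shapes."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return m.groupdict()


def local_net_for(addr: str, local_nets: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Return the name of the local network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # masked or non-IP text such as 93.11x.y.z
        return None
    for name, net in local_nets.items():
        if ip in net:
            return name
    return None


def find_leaks(capture: List[Tuple[str, str]],
               local_nets: Dict[str, ipaddress.IPv4Network] = LOCAL_NETS) -> List[Dict[str, object]]:
    """Flag packets seen on a non-local (WAN) interface whose destination is one
    of our own subnets. With a correct ruleset such a packet never leaves towards
    the ISP, so each hit points at a policy-routing rule that caught traffic
    meant to stay inside the firewall."""
    leaks: List[Dict[str, object]] = []
    for iface, line in capture:
        if iface in local_nets:
            continue                      # LAN/DMZ side captures are expected
        fields = parse_line(line)
        dst_net = local_net_for(fields["dst"], local_nets)
        if dst_net is None:
            continue
        leaks.append({
            "iface": iface, "ts": fields["ts"], "src": fields["src"],
            "dst": fields["dst"], "dst_net": dst_net,
            # A source that is no longer a local address means outbound NAT was
            # applied on the way out, so even a reply could never be matched back.
            "natted": local_net_for(fields["src"], local_nets) is None,
        })
    return leaks


if __name__ == "__main__":
    for hit in find_leaks(CAPTURE):
        print(f"{hit['iface']} {hit['ts']}: {hit['src']} -> {hit['dst']} "
              f"(belongs to {hit['dst_net']}, NAT applied: {hit['natted']})")
```

Run as a script it prints the two WAN lines as leaks; the LAN-side lines are silently accepted because a request from LAN towards the DMZ is exactly what should be arriving there. The same function can be pointed at a longer capture exported from Diagnostics > Packet Capture to confirm nothing else is escaping after the rule change.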
"MultiWAN with Gateway Groups , Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. "
Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network "dmz"?
Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.
-
"MultiWAN with Gateway Groups , Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. "
Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network "dmz"?
Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.
Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing the dual-WAN gateway, on top of the default rule to the internet.
BR,
Adrian
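The fix in this thread is purely a rule-ordering one: pfSense evaluates the rules on an interface tab top-down and the first match wins, so a "LAN to any" rule with a gateway group set will also catch LAN traffic destined for the DMZ and hand it to the WAN. The added example below (not from the thread or from pfSense itself) models that evaluation for the two rulesets discussed, the original one and the corrected one with a gateway-less pass rule to DMZWIFI placed above it, and adds a small audit that walks a ruleset and reports any policy-routed rule that would swallow traffic for a local subnet before a plain rule passes it. The rule names, the gateway group name "WAN_GROUP" and the rulesets are constructed for illustration; the subnets come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Directly connected networks from the post's routing table.
LOCAL_NETS: Dict[str, Net] = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZWIFI": ipaddress.ip_network("10.0.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN tab. gateway=None means 'use the system routing
    table'; a gateway name means the rule policy-routes matching traffic."""
    name: str
    src: Net
    dst: Net
    gateway: Optional[str] = None


# Constructed rulesets. "WAN_GROUP" stands for the post's Tier 1 / Tier 2 gateway group.
BROKEN: List[Rule] = [
    Rule("LAN to any via gateway group", LOCAL_NETS["LAN"], ANY, gateway="WAN_GROUP"),
]
FIXED: List[Rule] = [
    Rule("LAN to DMZWIFI, no gateway", LOCAL_NETS["LAN"], LOCAL_NETS["DMZWIFI"]),
    Rule("LAN to any via gateway group", LOCAL_NETS["LAN"], ANY, gateway="WAN_GROUP"),
]


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """pfSense interface rules are first-match-wins; stop at the first hit."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def route_decision(rules: List[Rule], src_ip: str, dst_ip: str,
                   local_nets: Dict[str, Net] = LOCAL_NETS) -> str:
    """Describe where a packet ends up under the given ruleset."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "blocked (no matching pass rule)"
    if rule.gateway is not None:
        return f"policy-routed via {rule.gateway}"      # bypasses the routing table
    dst = ipaddress.ip_address(dst_ip)
    for name, net in local_nets.items():
        if dst in net:
            return f"delivered locally on {name}"       # connected route wins
    return "routed via system default gateway"


def audit_order(rules: List[Rule], local_nets: Dict[str, Net] = LOCAL_NETS) -> List[str]:
    """Warn when a policy-routed rule would catch traffic to a local network
    that no earlier plain (gateway-less) rule already passes."""
    warnings: List[str] = []
    for i, rule in enumerate(rules):
        if rule.gateway is None:
            continue
        for name, net in local_nets.items():
            if net.overlaps(rule.src):
                continue   # traffic inside the source subnet never crosses the firewall
            if not net.overlaps(rule.dst):
                continue
            covered = any(
                earlier.gateway is None
                and earlier.src.overlaps(rule.src)
                and net.subnet_of(earlier.dst)
                for earlier in rules[:i]
            )
            if not covered:
                warnings.append(
                    f"rule '{rule.name}' sends {name} ({net}) traffic to gateway "
                    f"{rule.gateway}; add a pass rule without a gateway above it"
                )
    return warnings


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: 192.168.1.12 -> 10.0.2.2 is",
              route_decision(rules, "192.168.1.12", "10.0.2.2"))
        for w in audit_order(rules):
            print(f"{label}: WARNING {w}")
```

The audit deliberately ignores the rule's own source subnet: hosts on the same VLAN talk through the switch and never reach the firewall, so a warning there would be noise. Everything else it reports is a rule that needs a plain "pass to local network" rule above it, which is exactly the rule that resolved this thread.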