Netgate Discussion Forum
    Routing problem between LAN and DMZ net

    Routing and Multi WAN

      AMizil

      Hello

      I set up a pfSense box at a friend's office a couple of years ago as follows:

      2.2.1-RELEASE (i386) on an Atom D2500 mainboard, em0 having VLANs: LAN, DMZWIFI; NanoBSD 4G USB stick;
      WAN 1 - PPPoE (public IP address 93.11x.y.z/32)
      WAN 2 - DHCP (from a 4G router, WAN 2 IP address 192.168.8.1/24)
      MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2

      LAN address: 192.168.1.x/24 (VLAN 1)
      DMZWIFI address: 10.0.2.x/24 (VLAN 2)
      DVR IP address: 10.0.2.2
      Switch L2 with management 192.168.1.12 (used for testing).

      The internet is working OK on both networks, from LAN to any, from DMZWIFI to any except LAN.
      The problem is that users from LAN can't access the DVR located on the 10.0.2.2/24 network. In fact I can't access any device on DMZWIFI from LAN.

      Primary troubleshooting makes me think that pfSense is routing the 10.0.2.1/x network to its default gateway to the internet. But this only happens when requests are coming from LAN devices, if I ping from pfSense 10.0.2.2

      I started a ping from an L2 managed switch 192.168.1.12 to 10.0.2.2 and enabled packet capture on the LAN and WAN of pfSense:

      INTERFACE LAN - packet capture
      17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72
      17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72
      NO RESPONSE BACK ..

      INTERFACE WAN - packet capture

      17:10:39.683694 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72
      17:10:40.684302 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72

      So it makes clear that the packets are routed out the WAN …

      Other considerations:

      When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN ..
      When I VPN from a remote location I can access the DMZWIFI network !!
      When I ping the DMZWIFI from pfSense it is OK ..

      Routing table

      192.168.1.0/24 link#7 U 2334657 1500 em0_vlan1
      10.0.2.0/24 link#8 U 2123003 1500 em0_vlan2

      Where is the problem ?

      Thanks,
      Adrian

        johnpoz (LAYER 8 Global Moderator)

        "MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
        "When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN .."

        Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network, "dmz"?

        Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          AMizil
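        The rule-order point above, shown as a first-match simulation of the LAN ruleset from this thread. This is an added example, not code from the thread or from pfSense; the rule tuples, the gateway name "WAN_GROUP" and the external test address 203.0.113.5 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the LAN ruleset discussed in the thread. pfSense interface
# rules are first-match, and a rule that carries a gateway policy-routes the
# packet out that gateway BEFORE the routing table (which already has the
# connected route for 10.0.2.0/24 on em0_vlan2) is ever consulted.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("10.0.2.0/24")
ANY = ip_network("0.0.0.0/0")

# Each rule is (source, destination, gateway). gateway=None means "no gateway
# set", i.e. let the system routing table decide, which is what lets the
# connected DMZ route win.
BROKEN_RULES = [
    (LAN_NET, ANY, "WAN_GROUP"),   # "LAN to any" with the gateway group set
]
FIXED_RULES = [
    (LAN_NET, DMZ_NET, None),      # new rule placed ABOVE: LAN -> DMZ, no gateway
    (LAN_NET, ANY, "WAN_GROUP"),   # original policy-routed internet rule
]

# Connected routes as shown in the routing table from the first post.
CONNECTED_ROUTES = {LAN_NET: "em0_vlan1", DMZ_NET: "em0_vlan2"}

def next_hop(rules, src, dst):
    """Return where a packet entering on LAN goes: a gateway name when a
    policy-routing rule matches, a local interface when the routing table
    has a connected route, 'default route' otherwise, or 'blocked' when no
    rule matches at all (pfSense default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, gateway in rules:
        if src in rule_src and dst in rule_dst:
            if gateway is not None:
                return gateway          # policy routing bypasses the table
            break                        # matched with no gateway: use table
    else:
        return "blocked"
    for net, iface in CONNECTED_ROUTES.items():
        if dst in net:
            return iface
    return "default route"

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "LAN -> DVR:     ", next_hop(rules, "192.168.1.12", "10.0.2.2"))
        print(name, "LAN -> internet:", next_hop(rules, "192.168.1.12", "203.0.113.5"))
```

With the broken ruleset the ping to 10.0.2.2 is handed to the gateway group, which matches the WAN capture in the first post; with the DMZ rule placed first it is delivered on em0_vlan2 while internet traffic is still policy-routed.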

          @johnpoz:

          "MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
          "When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN .."

          Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network, "dmz"?

          Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.

          Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing the dual-WAN gateway, on top of the default rule to the internet.

          BR,
          Adrian

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.