Routing problem between LAN and DMZ net
-
Hello
I have setup a pfsense box at a friend's office a couple of years ago as follows:
2.2.1-RELEASE (i386) on a Atom D2500 mainboard, em0 having VLANs : LAN, DMZWIFI - NanoBSD 4G USB stick;
WAN 1 - PPoE ( Public IP addres 93.11x.y.z/32)
WAN 2 - DHCP ( from a 4G router , WAN 02 Ip address 192.168.8.1/24)
MultiWAN with Gateway Groups , Tier 1 WAN 1 and Tier 2 WAN 2LAN address : 192.168.1.x/24 ( VLAN 1)
DMZWIFI address 10.0.2.x/24 ( VLAN 2)
DVR IP address 10.0.2.2
Switch L2 with management 192.168.1.12 ( used for testing).The internet is working ok on both networks , from LAN to any , from DMZWIFI to any except LAN .
The problem is that users from LAN can't access the DVR located on 10.0.2.2/24 network. IN fact I can't access any device on DMZWIFI from LAN .Primary troubleshooting makes me think that pfsense is routing 10.0.2.1/x network to its default gateway to the internet. But this only happends when requests are coming from LAN devices, if I ping from pfsense 10.0.2.2
I have started a ping from a L2 manged switch 192.168.1.12 to 10.0.2.2 and I have enabled packet capture on the LAN and WAN of pfsense :
INTERFACE LAN - packet capture
17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72
17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72
NO RESPONSE BACK ..INTERFACE WAN .. packet capture
17:10:39.683694 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72
17:10:40.684302 IP 93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72So it makes clear that the packets are routed outside the WAN …
Other considerations :
When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN ..
When I VPN from remote location I can access DMZWIFI network !!
When I ping from Pfsense the DMZWIFI it is ok ..Routing table
192.168.1.0/24 link#7 U 2334657 1500 em0_vlan1
10.0.2.0/24 link#8 U 2123003 1500 em0_vlan2Where is the problem ?
Thanks,
Adrian -
"MultiWAN with Gateway Groups , Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. "Well yeah.. If your forcing traffic out a gateway how would it get to your other local network "dmz"
Just create a rule above the rule that is forcing your lan out the gateway to allow the access you want into the dmz.
-
"MultiWAN with Gateway Groups , Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. "Well yeah.. If your forcing traffic out a gateway how would it get to your other local network "dmz"
Just create a rule above the rule that is forcing your lan out the gateway to allow the access you want into the dmz.
Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing dual wan gateway, on top of default rule to internet.
BR,
Adrian
