Traffic from LAN + OPT1 to WAN



  • Hello, I have a Netgate 4860 box (2.3-RELEASE); we have been using it for our public Internet access without much issue. So I have the LAN interface addressed as 172.16.0.1/16, and all traffic passes fine to WAN.

    I need to set up a DR failover for our corporate firewall (Fortigate), and I would like to connect it to the pfSense box to use as a failover in the event our main ISP fiber goes down.

    I set up OPT1 with an address of 192.168.1.1/24, and I created a rule to allow any/any; I set the source as OPT1 net.

    I also set the NAT to Hybrid outbound (and tried adding a specific NAT for OPT1; nothing worked, so I removed them).

    Using a laptop to test, I set my interface static to 192.168.1.4/24 and connected it to the OPT1 interface. I am not able to ping the OPT1 interface 192.168.1.1, nor can I ping my test laptop 192.168.1.4 from the pfSense box. I can ping out to the internet (8.8.8.8) from OPT1 net (192.168.1.1) from the pfSense box, but I can't ping anything from my test laptop.

    What setting did I miss to allow traffic to pass from the OPT1 network to the internet? I have been changing various settings, and no matter what, I can't ping from the test device to the OPT1 interface. I can see on the dashboard that OPT1 comes up once I plug the device in, so the interface senses the device. It just won't pass traffic.

    I will try to use another test laptop and try a few more different patch cables, but I am really pulling my hair out. All I find online are people using APs and other devices, and it should just work from what I can tell, with the correct rule. I can provide screenshots of anything to help.

    Thanks!


  • Netgate

    @shastacourts said in Traffic from LAN + OPT1 to WAN:

    I setup OPT1 with an address of 192.168.1.1/24, and I created a rule to allow any/any, I set the source as OPT1 net.
    I also set the NAT to Hybrid outbound, (and tried adding a specific NAT for OPT1, nothing worked so I removed them.)
    Using a laptop to test I set my interface static to 192.168.0.4/24, and connected it to the OPT1 interface. I am not able to ping the OPT1 interface 192.168.1.1, nor can I ping my test laptop 192.168.1.4 from the Pfsense box.

    What address did you set the test device to? 192.168.0.4 or 192.168.1.4?

    If that is just a typo, you will probably want to post screen shots of your OPT1 config and the OPT1 rules. Hybrid or Auto NAT should work the same way in this case, unless you broke something adding manual NAT rules in hybrid mode.



  • Yes that was a fat finger moment, corrected.

    Here are screen captures (images not reproduced on this page):

    OPT1 Config / OPT1 rule / Rule / Last



  • Note: The gateway value in the last capture has been set back to default. I have tried the WAN gateway as well with no luck. No matter what I do I am never able to ping the OPT1 interface 192.168.1.1.


  • Netgate

    Your rule is TCP-only. Ping is ICMP. Change it to protocol any, like the default pass rule on LAN.

    And unless you have a specific policy routing reason to do so, don't set a gateway on that rule.
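    The difference the reply describes, written out as an added example in pf rule syntax (this is an illustration, not a capture from the poster's box; the $OPT1 macro, the labels and the exact rule shape are assumed):

    ```pf
    # Added example, not from the thread. $OPT1 and the labels are assumed;
    # pfSense expands a GUI rule into pf rules of roughly this shape.

    # The poster's rule: protocol restricted to TCP. An ICMP echo request
    # from 192.168.1.4, whether aimed at 192.168.1.1 or at 8.8.8.8, enters
    # on OPT1, matches nothing here, and falls through to the default block.
    pass in quick on $OPT1 inet proto tcp from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: OPT1 any/any (TCP only)"

    # Corrected rule: no "proto" keyword means any protocol, like the default
    # LAN pass rule. ICMP, UDP (DNS) and TCP from the OPT1 net all match.
    pass in quick on $OPT1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow OPT1 to any"

    # A gateway set on the rule would add a route-to clause to this line;
    # leave it off unless OPT1 traffic really must be steered out a specific WAN.
    ```

    On the box, `pfctl -sr` lists the loaded rules so you can confirm which protocol the OPT1 rule actually carries, and with default-block logging enabled the firewall log shows the dropped ICMP from the laptop.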


  • Rebel Alliance Global Moderator

    @shastacourts said in Traffic from LAN + OPT1 to WAN:

    (2.3-RELEASE)

    Why would you not update that? I have a 4860... Is there some OLD version of this hardware that cannot run current 2.4?

    I just do not understand wanting to run the best firewall/routing distro there is - and then not keep it current. They add features in every release, they fix the security issues, etc. etc. It's your gawd damn firewall, for gosh sake - if you're going to keep anything up to date... That would be the thing you should keep updated ;)


  • Netgate

    Yeah, nobody should be running that. It has a problem with UDP IPsec that locks up interfaces. 2.4.3-p1. Just do it.



  • @derelict

    You rock! I knew it was something super dumb! lol


  • Rebel Alliance Global Moderator

    The lack of basic concepts just blows my mind. We all live in the current world of freaking ITIL and change control, not back in the day when we could all cowboy up and update the router or server OS on a whim.. Oh, I really do miss the cowboy days... Shit, I would love to work in a company that allows me to just break/fix shit when there is a ticket and not have to put in hours of paperwork..

    I am dealing with a problem ticket from back in May, for gosh sake - talking about beating a dead freaking horse ;) There will never be an answer.. Since no one grabbed the routing info during the issue - and the client should not have sent data over that route.. Get over it already ;)

    But when you need freaking change control to bounce an interface - so yeah, I get it.. Is my point! But you're running 2.3, and not even .5, on hardware that clearly supports current, and you are having a problem?? Yeah, you need to update that shit!

    That Netgate/pfSense will even talk to you if you open a ticket shows you how supportive they are - you call Cisco and they just tell you to freaking update and get back to us.. Oh, and by the way, your ticket is moving to the next country as they follow the sun for their support, etc.

    Well now I am ranting... 1 too many beers while working from home I guess.. hehehehehe



  • @johnpoz

    John, I would LOVE to update it, but for some reason when I went through that, we were not able to update it. The dashboard does not offer the update; apparently some bug.

    If anyone knows a link to a "how to" update the firmware, I will see if I can get the needed OT approved to do the update. I have tried, but due to needing to bring the network down, and it serving the public, I got voted down - as it still works.

    I would love to update it as it has worked great, but I can't have it down for any length of time without pissing off the bench.

    Thanks for the help!


  • Rebel Alliance Global Moderator

    Put in a change and just install fresh if you're not seeing the update option in the GUI.. I have updated a couple of older boxes from 2.3.x to 2.4.. Lucky for me they are not any sort of SLA boxes and don't fall under change control - it's just local IT shit that is "best effort", so I just pull the trigger on a weekend when I happen to be on ;) I still have 1 box in NY I want to get to 2.4.3p1 before 2.4.4 drops ;)

    Do you have support on the boxes? You should, if in any sort of production/SLA sort of setup.. Sure they can help you out on the update..



  • @johnpoz

    No, our support sub expired a few days BEFORE we hit that glitch; it's been a while, and we only had support for the first year.

    I seem to recall I need to do the update from the CLI, and I am GREEN on this box; my day job is running our ASA array and Fortigates. I rarely, if ever, touch this thing; it just works. I will keep searching and try to make the update a priority.



  • Can I use the 2.3 XML config file if I upgrade to 2.4?