Strange routing issue between multiple LAN networks…



  • I've been using PFSENSE for several years and I'm either having a blonde moment or I've lost the plot completely…

    I'm on PFSENSE 1.2.2 with 4 interfaces (1 WAN and 3 LAN NICS).

    One internal interface is for my LAN, the second is going to be a DMZ and the third will be for the captive portal.

    Right now all I want to do is test that I can get devices on all three networks talking to each other...

    Very basic setup:

    LAN network (192.168.123.0/24) I have an ANY/ANY rule
    DMZ network (192.168.1.0/24) I have an ANY/ANY rule
    WLAN network (192.168.122.0/24) I have an ANY/ANY rule

    The problem is that I can ping all three firewall interfaces from the LAN network but I cannot ping any devices on the DMZ or WLAN networks.

    If I ping from PFSENSE, it can ping the devices on all three networks without any problems.

    I get the feeling that I've got routing problems as I can see the traffic being allowed in the packet filter log.

    I fired up a PFSENSE 1.2 VM with 3 NICs (1 WAN and 2 LAN) and two virtual XP machines and set them up on the two internal interfaces and by just adding the same ANY/ANY rules I have on the physical box, I get immediate routing with no issues in either direction.

    I've been looking at this on and off for several days now and I can't find the solution...



  • I've discovered a few interesting things.

    If I nat the LAN to say my dmz interface then all of a sudden I can send traffic to that network. Disabling aon and rebooting makes no difference…

    I've given my VM that I upgraded to 1.2.2 to match the physical machine the same hardware as well. I tested routing between all the networks and everything was fine, then as a test restored the config from the physical machine and after ensuring that all interfaces have been assigned to the correct networks, I discover that the VM is having the same problems as the physical.

    This to me looks like some package issue or a bug that only appears under certain circumstances....

    I'm going to clean up the VM and see if I can unbreak this...



  • can you post routing tables from your hosts in all zones, from pfsense and IPs of pfSense's interfaces?



  • I know this post is pretty old now, but it sounds like the computers in your various LANs do not have the correct IP configured for their gateway.  Each computer needs the IP of the interface it's connected to as its gateway.  Listing anything else for the gateway would yield the results you're stating.  It works with NAT because the ping gets NAT'd to the interface IP first, then sent out, so the reply only needs to come to the interface IP, not route through it to the other LAN segment.

    Using NAT like this can actually be useful for reaching devices on other LAN subnets when you can't specify a gateway.  Some wireless APs for example permit you to specify an IP, but no gateway.  Setting up a NAT temporarily lets you manage them from another LAN subnet.

    -Rich
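A small reachability model of the gateway explanation above, added here as an example and not code from any poster in the thread; the pfSense interface addresses and the host addresses are assumptions, since the posts never state them.

```python
import ipaddress

# Constructed topology modelled on the thread. The pfSense interface IPs are
# assumptions: the posts never state them.
PFSENSE_IFACES = {
    "LAN": ipaddress.ip_interface("192.168.123.1/24"),
    "DMZ": ipaddress.ip_interface("192.168.1.1/24"),
    "WLAN": ipaddress.ip_interface("192.168.122.1/24"),
}
PFSENSE_IPS = {i.ip for i in PFSENSE_IFACES.values()}

def host(ip, gw=None):
    """A host: its address/prefix and its configured default gateway (or None)."""
    return {"ip": ipaddress.ip_interface(ip),
            "gw": ipaddress.ip_address(gw) if gw else None}

def can_forward(h, target):
    """Can h send a packet toward target? Either target is on-link, or h has a
    gateway on its own subnet that is a pfSense interface."""
    if target in h["ip"].network:
        return True
    gw = h["gw"]
    return gw is not None and gw in h["ip"].network and gw in PFSENSE_IPS

def ping_works(src, dst, nat_iface=None):
    """Model a ping src -> dst through pfSense with ANY/ANY rules on every
    interface, so filtering never drops it; only routing can. With outbound
    NAT on nat_iface the packet leaves carrying that interface's IP."""
    if not can_forward(src, dst["ip"].ip):
        return False, "source cannot reach its gateway"
    reply_to = PFSENSE_IFACES[nat_iface].ip if nat_iface else src["ip"].ip
    if not can_forward(dst, reply_to):
        return False, f"{dst['ip'].ip} has no usable gateway to reply to {reply_to}"
    return True, "reply routed back"

def diagnose():
    """Reproduce the three situations the thread describes (constructed hosts)."""
    lan = host("192.168.123.10/24", "192.168.123.1")
    dmz_bad = host("192.168.1.10/24", "192.168.1.254")   # gateway is not pfSense
    dmz_good = host("192.168.1.10/24", "192.168.1.1")
    return {
        "wrong gateway": ping_works(lan, dmz_bad)[0],
        "wrong gateway + NAT": ping_works(lan, dmz_bad, nat_iface="DMZ")[0],
        "correct gateway": ping_works(lan, dmz_good)[0],
    }

if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case:22} -> {'reachable' if ok else 'unreachable'}")
```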

