Routing between subnets broken



  • I am at a loss.  I have WAN, LAN and OPT1 (Wireless) interfaces.  OPT1 is connected to an Apple Airport Extreme wireless device.  I have two subnets (nothing is bridged).  LAN is on 192.168.0.0/24  and OPT1 is on 192.168.1.0/24.  I allow all traffic from LAN to any.  I allow all traffic from 192.168.1.78 to 192.168.0.72.

    I can ping 192.168.0.72 from 192.168.1.78.  I cannot do the reverse.

    192.168.0.72 tmp $ traceroute 192.168.1.78
    traceroute: bind: Can't assign requested address

    192.168.0.72 tmp $ ping 192.168.1.78
    PING 192.168.1.78 (192.168.1.78): 56 data bytes
    ping: sendto: Host is down
    ping: sendto: Host is down

    On the pfSense FW, in Diagnostics: Ping, I can ping 192.168.1.78 from the LAN interface.  What is up?



  • Let me rephrase the above.  Can pfSense route normal TCP/UDP traffic between non-bridged local subnets?  If yes, how?



  • Yes this works.

    Can you please provide a diagram of how your AirPort is connected to the pfSense?
    Are you aware that AirPorts always perform NAT and that this cannot be deactivated? (At least I never saw an AirPort where I could deactivate the NAT.)

    Did you create firewall rules on the OPT interface that allow traffic?



  • The IP of my AirPort is on the same subnet as the wireless network, so I do not see why it would NAT in this case.  I am not using its WAN port - only the LAN port.

    My OPT firewall rule says: Allow All proto from OPT1 net on all source ports to all destinations on all ports.
    My LAN firewall rule says: Allow All proto from LAN net on all source ports to all destinations on all ports.



  • The AirPort is a router.
    If its LAN and WAN IPs are in the same subnet it will be confused and cannot route.

    The idea of not connecting the WAN and only connecting the switch on the LAN side to the pfSense should work.
    From the screenshot of the AirPort I'm not sure you've configured it right.
    Can you deactivate on the AirPort anything that's related to DHCP?



  • DHCP service is disabled on the AirPort - it only fetches an IP for itself from the DHCP server on the pfSense OPT1 interface.

    One thing that I have noted: I have a wireless card in my Mac Pro as well as Ethernet.  If I have both on, I can ping both ways.  Traceroute shows that from a machine with only wireless, the route is to the pfSense GW, then to the LAN subnet - as expected.  However, tracerouting from the Mac Pro with both the LAN and wireless enabled shows the packets go out on the wireless interface directly and are not routed by the FW.  Turning off the wireless card in the Mac Pro causes no packets to reach the wireless client, and a traceroute from the wireless client to the Mac Pro (LAN) times out after the initial hit on the GW.  So with the AirPort active on my LAN machine, this is the traceroute from the wireless client to the LAN machine:

    waldo@waldonbm ~ $ traceroute 192.168.0.72
    traceroute to 192.168.0.72 (192.168.0.72), 64 hops max, 40 byte packets
    1  192.168.1.10 (192.168.1.10)  2.381 ms  0.783 ms  1.492 ms
    2  waldopcm (192.168.0.72)  2.335 ms  1.846 ms  1.362 ms

    With the wireless card turned off, this is the same traceroute:

    waldo@waldonbm ~ $ traceroute 192.168.0.72
    traceroute to 192.168.0.72 (192.168.0.72), 64 hops max, 40 byte packets
    1  192.168.1.10 (192.168.1.10)  2.381 ms  0.783 ms  1.492 ms
    2  * * *

    The settings I showed you for the AirPort are all there is related to its routing functions.  It is set up as a bridge, so it bridges the traffic on the 192.168.1.0/24 subnet to the wireless clients.  There are no additional settings…
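The two traceroutes above are what longest-prefix-match route selection predicts for a dual-homed host: while the Mac Pro's wireless card is up it has a directly connected route for 192.168.1.0/24, which is more specific than its default route, so replies to 192.168.1.78 leave directly over wireless instead of going back through pfSense; with the card off only the default route matches and replies go to the LAN gateway. The following is an added example, not code from the thread or from pfSense, that models that selection over a constructed routing table. The interface names en0/en1, the LAN gateway 192.168.0.1 and the wireless address are assumptions; 192.168.0.72, 192.168.1.78 and 192.168.1.10 come from the posts above.

```python
"""Added example (not from the forum thread): longest-prefix-match route
selection for a dual-homed macOS host like the Mac Pro in the thread.

Assumptions (not stated in the thread): the LAN NIC is en0, the wireless
NIC is en1, and the pfSense LAN address / default gateway is 192.168.0.1.
"""
import ipaddress

# Constructed routing table for the Mac Pro with both NICs up.
# (prefix, next hop or None for a directly connected network, interface)
ROUTES_BOTH_UP = [
    ("0.0.0.0/0",      "192.168.0.1", "en0"),  # default via pfSense LAN (assumed)
    ("192.168.0.0/24", None,          "en0"),  # directly connected LAN
    ("192.168.1.0/24", None,          "en1"),  # directly connected wireless (assumed en1)
]

# Same host with the wireless card turned off: the connected /24 on en1 disappears.
ROUTES_WIRELESS_DOWN = [r for r in ROUTES_BOTH_UP if r[2] != "en1"]


def select_route(routes, dst):
    """Return (prefix, next_hop, iface) of the most specific matching route,
    or None if nothing matches. Ties are not expected in these tables."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop_addr, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop_addr, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def next_hop(routes, dst):
    """Address the host will actually send the frame to (and ARP for):
    the gateway for an indirect route, the destination itself for a
    directly connected route. Returns (address, iface) or None."""
    route = select_route(routes, dst)
    if route is None:
        return None
    _prefix, gateway, iface = route
    return (gateway if gateway is not None else dst, iface)


if __name__ == "__main__":
    for label, table in (("both NICs up", ROUTES_BOTH_UP),
                         ("wireless down", ROUTES_WIRELESS_DOWN)):
        print(f"{label}: 192.168.0.72 -> 192.168.1.78 via {next_hop(table, '192.168.1.78')}")
```

With both NICs up the script picks the connected route and the Mac Pro sends straight to 192.168.1.78 out en1, so pfSense never sees the reply; that matches the trace where the wireless client's packets still entered via 192.168.1.10 but the Mac Pro answered over the direct path. With the wireless route gone the reply is handed to the assumed gateway 192.168.0.1, and whether it reaches the client then depends entirely on pfSense and the AirPort forwarding it.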



  • I just read your question. I think your problem is the same as my problem at http://forum.pfsense.org/index.php/topic,15910.0.html. And I'm still searching for the solution.

    It's about communication between two LANs, but one LAN (in your case wireless) has a gateway that is not the OPT1 interface. I guess we may need some NAT settings, but I don't know how.

    If you have solved your problem, please tell us your solution. Thanks.

