    Why can't I reach the other network while I have added the routes and firewall rules to allow traffic? (pfSense/USG200)

    General pfSense Questions
    • CodeNinja

      See my Stackexchange post for all details, as Akismet sees my config and diagram(s) as spam: https://networkengineering.stackexchange.com/questions/67889/why-cant-i-reach-the-other-network-while-i-have-added-the-routes-and-firewall-ru

      I have 2 networks, the current one and the new one. The current one was not configured by me, is one big mess, and contains heavily outdated hardware (especially servers). I want to be able to access the complete current network from the new one so I can migrate server by server and device by device.

      Some network details:

      • Current network:
        • IP: 192.168.1.1
        • IP range: 192.168.104.0/24
        • Router/firewall: Zyxel USG200
        • Contain all currently connected devices
        • Gives DHCP address to Pfsense (192.168.104.4/24)
      • New network:
        • IP: 10.128.10.1
        • IP range: 10.128.10.0/24
        • Router/firewall: pfSense
        • Currently it contains only 1 device (my desktop), but this network will replace the current one in future
        • All devices will be "moved" from the old to the new network by time (one for one)
        • Connected with old network by port with alias "WAN 2"

      I added a route in each firewall to the other network.

      • Zyxel: 10.128.10.0/24 via 192.168.104.4
      • Pfsense: 192.168.104.0/24 via "WAN2"

      I also added a firewall rule to each firewall to allow all traffic from all sources to all destinations (for testing).

      When I ping 192.168.104.1 with pfSense diagnostics, I get a response. I cannot find a way to ping from the Zyxel to pfSense, but as the route below is in the routing table I assume the routing configuration (at least) must be okay.

      [screenshot: Zyxel routing table]

      When I try to ping 192.168.104.1 (or any other device in the 104.x network) from my desktop in the 10.128.10.x network, I get a "request timed out" response. I also cannot SSH or browse to any IP in the 104.x network. When I connect my desktop to the 104.x network and try to ping 10.128.10.1 or try to visit that IP in my browser (pfSense web interface), I also get "request timed out".

      A screenshot of my firewall rule on pfSense (on the desktop interface):
      [screenshot: pfSense firewall rule]
      And one of my firewall rule in the Zyxel:
      [screenshot: Zyxel firewall rule]

      Probably I am missing some configuration/settings, but I have no idea what. It would be great if someone could help me out with this, as I have already been struggling with this for almost 2 days. If extra details are required, let me know and I will update my question.

      • stephenw10 (Netgate Administrator)

        Do you have outbound NAT in auto mode? Is pfSense NATing from WAN2?

        If it is, you should be able to reach devices in the pfSense WAN subnet (192.168.104.0/24).

        If it is not, you will have an asymmetric route, as hosts in the WAN subnet try to reply via 192.168.104.1.
        https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

        Steve

        • CodeNinja @stephenw10

          @stephenw10 First of all, thanks for your answer.

          I tried with Outbound NAT in automatic mode and in manual mode with the rule:
          WAN1 10.128.10.0/24 * * * WAN1 address *
          This is not a rule for WAN2, where the 192.168.104.0 network exists.
          Should I make a NAT rule for WAN2? Something like:
          WAN2 192.168.104.0/24 * * * WAN2 address * ?

          I also tried to enable the "Bypass firewall rules for traffic on the same interface" setting. Unfortunately I am still not able to reach the 192.168.104.0 network from the 10.128.10.0 network, or vice versa.

          I thought adding a static route on each firewall and adding the correct firewall rule (to allow traffic from the other network on the interface concerned) should do the trick, but as I understand from you I am missing something (NAT?).

          Note that I can ping the Zyxel USG200 interface and devices of the 192.168.104.0 network from the pfSense diagnostics ping tool, but not from my computer.
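
To make Steve's asymmetric-route point and the outbound NAT question in the reply above concrete, here is an added example (not part of this thread, and not pfSense or Zyxel code) that models the routing tables the posts describe and traces the forward and reply path of a packet from the desktop to a host still in the old network, once with pfSense doing outbound NAT on WAN2 and once without. The desktop address 10.128.10.10 and the old-network host 192.168.104.50 are assumptions; the gateways and static routes are those from the posts. In the model the WAN2 NAT rule is written the way pfSense expresses a manual outbound NAT rule: source is the internal network 10.128.10.0/24, interface WAN2, translation "WAN2 address".

```python
import ipaddress

# Constructed topology modelled on the thread (added example, not the poster's
# config export). 10.128.10.10 (desktop) and 192.168.104.50 (a server still in
# the old network) are assumed addresses; the gateways are from the posts.
NODES = {
    "desktop": {"addrs": {"10.128.10.10"}, "stateful": False,
                "routes": [("0.0.0.0/0", "10.128.10.1")]},
    # pfSense: LAN 10.128.10.1, WAN2 192.168.104.4, both subnets on-link.
    "pfsense": {"addrs": {"10.128.10.1", "192.168.104.4"}, "stateful": True,
                "routes": [("10.128.10.0/24", None), ("192.168.104.0/24", None)]},
    # Zyxel USG200: default gateway of the old network, plus the static route
    # "10.128.10.0/24 via 192.168.104.4" the poster added.
    "zyxel":   {"addrs": {"192.168.104.1"}, "stateful": True,
                "routes": [("192.168.104.0/24", None),
                           ("10.128.10.0/24", "192.168.104.4")]},
    "oldhost": {"addrs": {"192.168.104.50"}, "stateful": False,
                "routes": [("192.168.104.0/24", None), ("0.0.0.0/0", "192.168.104.1")]},
}
ADDR_TO_NODE = {a: n for n, d in NODES.items() for a in d["addrs"]}

# pfSense outbound NAT on WAN2: traffic from the new LAN leaving toward the old
# subnet is translated to the WAN2 address (node, source prefix, destination
# prefix, translated source).
WAN2_NAT = ("pfsense", "10.128.10.0/24", "192.168.104.0/24", "192.168.104.4")


def next_hop(node, dst):
    """Longest-prefix match on a node's table; gateway None means dst is on-link."""
    best = None
    for prefix, gw in NODES[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"{node}: no route to {dst}")
    return best[1] or dst


def trace(src, dst, snat=None):
    """Walk one packet hop by hop. Returns (nodes traversed, source address as
    the last hop sees it). snat rewrites the source when its node forwards a
    packet matching the source and destination prefixes."""
    node, path = ADDR_TO_NODE[src], []
    while True:
        path.append(node)
        if dst in NODES[node]["addrs"]:
            return path, src
        if snat and node == snat[0] \
                and ipaddress.ip_address(src) in ipaddress.ip_network(snat[1]) \
                and ipaddress.ip_address(dst) in ipaddress.ip_network(snat[2]):
            src = snat[3]
        node = ADDR_TO_NODE[next_hop(node, dst)]


def session(src, dst, outbound_nat_on_wan2):
    """Forward path of the first packet, path of the reply, and which stateful
    firewalls see the reply without ever having seen the first packet."""
    fwd, seen_src = trace(src, dst, WAN2_NAT if outbound_nat_on_wan2 else None)
    rev, _ = trace(dst, seen_src)            # the host replies to the source it saw
    if seen_src != src:                      # NAT endpoint reached: translate back
        rev += trace(seen_src, src)[0][1:]
    # A stateful firewall with no state entry for this flow drops the reply:
    # that is the asymmetric route Steve describes.
    dropped_by = [n for n in rev if NODES[n]["stateful"] and n not in fwd]
    return {"forward": fwd, "reply": rev, "dropped_by": dropped_by}


if __name__ == "__main__":
    for nat in (False, True):
        r = session("10.128.10.10", "192.168.104.50", nat)
        print(f"outbound NAT on WAN2: {nat}")
        print("  forward:", " -> ".join(r["forward"]))
        print("  reply:  ", " -> ".join(r["reply"]))
        print("  reply dropped by:", r["dropped_by"] or "nobody")
```

Without NAT the old-network host sees a packet from 10.128.10.10, consults its default route and sends the reply to 192.168.104.1; the Zyxel forwards it to pfSense via the static route, but it never saw the initial packet (pfSense delivered that directly on the shared subnet), so its stateful firewall has no matching session and drops the reply. With NAT the host sees 192.168.104.4, which is on-link, and replies straight to pfSense, so the Zyxel is never in either path. The model only evaluates routing and state, not per-rule policy, so a blocked flow on the real boxes can still be a firewall rule; on pfSense, Firewall > NAT > Outbound shows whether WAN2 is being translated and Diagnostics > States shows whether a state exists for the flow.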

          © 2021 Rubicon Communications, LLC