Netgate Discussion Forum
    pfSense vs me: who doesn't understand routing? I assume me.

    General pfSense Questions
    6 Posts, 4 Posters, 808 Views
    • raindog308

      There is something about pfSense I'm not grokking.

      I have this config:

      • Protectli Vault running pfSense+ 22.01
      • WAN is on WAN, dhcp'd from cable modem as 10.x
      • LAN is 192.168.4.1/24 on Switch #1 (TP-Link TL-SG1024DE)
      • OPT1-3 disabled
      • OPT4 is 192.168.6.1/24 on Switch #2 (TP-Link TL-SG116E)
      • not using any LAGG at the moment

      If I'm on a PC at 192.168.4.100, I think I should be able to ping/ssh to a server at 192.168.6.20, right?

      Can't ping or ssh.

      I thought maybe I need to add routing, but doesn't pfSense know all of its own interfaces? I wouldn't think I need to go in and add a route from 4.x to 6.x and back... and I don't think I even can, because trying to add a gateway conflicts with 192.168.4.1's interface IP.

      What am I missing here?

      • bingo600 @raindog308

        @raindog308

        The routing is probably 100% ok, your firewall rules not..
        You would need to allow ping & ssh inbound on the OPT4 interface.
        Source OPT4-NET, Dest LAN-NET

        pfSense by "default" filters incoming traffic, so the permissions have to be made on the interface where the traffic/packets are generated.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        • viragomann @raindog308

          @raindog308
          For proper routing, all you need is to tell the network device the gateway to use, that is the pfSense interface address.
          When you use DHCP on the internal networks, this is done automatically.

          Apart from firewall rules on pfSense, consider that the destination devices might block access from outside their networks by their own system firewalls. This is the default behavior of network devices and you will have to configure their firewall to permit access from other networks.

          • raindog308 @bingo600

            @bingo600 If so, I'd expect that temporarily enabling "Disable all packet filtering" would eliminate the issue, but it does not.

            However, checking "Bypass firewall rules for traffic on the same interface" immediately resolves the problem.

            This makes no sense to me, which is probably due to my ignorance.

            • viragomann @raindog308

              @raindog308 said in pfSense vs me: who doesn't understand routing? I assume me.:

              However, checking "Bypass firewall rules for traffic on the same interface" immediately resolves the problem.

              This does exactly what it implies. It only affects packets going in and out on the same interface.

              So if this helps, you might have a configuration fault in your network, because packets between 192.168.4.100 and 192.168.6.20 should not go in and out on the same interface at all as you have assigned these networks to different interfaces as you stated above.

              • stephenw10 (Netgate Administrator)

                Yeah, you don't need to add any routing, pfSense will route between all connected subnets by default.
                With pf disabled you should be able to reach between the subnets. There will be no NAT, so no WAN connectivity, but you don't need that between internal subnets.

                It sounds like you have some connections in places you shouldn't.

                Steve

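To make the model the replies describe concrete, here is an added Python example (written for this page, not code from the thread or from pfSense) that simulates what pfSense does for the two subnets in the original post: a connected-route lookup (no static route or gateway needed between LAN and OPT4), inbound rule evaluation on the interface where the first packet arrives, and the effect of the two checkboxes raindog308 tried. The interface names and subnets come from the thread; the rule-table layout and the stock "allow LAN net to any" rule are assumptions.

```python
import ipaddress

# Constructed from the thread: the two internal subnets assigned to pfSense interfaces.
INTERFACES = {
    "LAN":  ipaddress.ip_network("192.168.4.0/24"),
    "OPT4": ipaddress.ip_network("192.168.6.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules are evaluated inbound on the interface where the packet arrives (assumed layout:
# list of (action, source net, destination net) per interface). LAN carries the stock
# "allow LAN net to any" rule; OPT4 starts empty, so the implicit default deny blocks
# anything a host on 192.168.6.0/24 initiates.
RULES = {
    "LAN":  [("pass", INTERFACES["LAN"], ANY)],
    "OPT4": [],
}

def allow(iface, src_net, dst_net):
    """Add a pass rule on `iface`, e.g. source OPT4 net, destination LAN net."""
    RULES[iface].append(("pass", ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)))

def egress_interface(dst):
    """Connected-route lookup: every interface subnet is already a known route."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, net in INTERFACES.items() if dst in net]
    return max(hits)[1] if hits else None          # longest prefix wins

def filter_packet(ingress, src, dst, pf_enabled=True, bypass_same_if=False):
    """Decide 'pass' or 'block' for the first packet of a new connection arriving on
    `ingress`. Replies ride the state created by a passed packet, so they are not
    re-evaluated against the rules of the other interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not pf_enabled:
        return "pass"                              # "Disable all packet filtering"
    if bypass_same_if and egress_interface(str(dst)) == ingress:
        return "pass"                              # "Bypass firewall rules for traffic on the same interface"
    for action, s_net, d_net in RULES[ingress]:
        if src in s_net and dst in d_net:
            return action
    return "block"                                 # implicit default deny

if __name__ == "__main__":
    print(egress_interface("192.168.6.20"))                          # OPT4
    print(filter_packet("LAN", "192.168.4.100", "192.168.6.20"))     # pass
    print(filter_packet("OPT4", "192.168.6.20", "192.168.4.100"))    # block
    allow("OPT4", "192.168.6.0/24", "192.168.4.0/24")                # the rule bingo600 describes
    print(filter_packet("OPT4", "192.168.6.20", "192.168.4.100"))    # pass
```

In this model the same-interface bypass only changes the verdict when the destination's connected route points back out the ingress interface, which is why it helping for 192.168.4.100 to 192.168.6.20 points at the wiring rather than the rules.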