pfSense vs me: who doesn't understand routing? I assume me.

raindog308

There is something about pfSense I'm not grokking.

I have this config:

• Protectli Vault running pfSense+ 22.01
• WAN is on WAN, dhcp'd from cable modem as 10.x
• LAN is 192.168.4.1/24 on Switch #1 (TP-Link TL-SG1024DE)
• OPT1-3 disabled
• OPT4 is 192.168.6.1/24 on Switch #2 (TP-Link TL-SG116E)
• not using any LAGG at the moment

If I'm on a PC at 192.168.4.100, I think I should be able to ping/ssh to a server at 192.168.6.20, right?

Can't ping or ssh.

I thought maybe I need to add routing but doesn't pfSense know all of its own interaces? I wouldn't think I need to go in and add a route from 4.x to 6.x and back...and I don't think I even can because trying to add a gateway conflicts with 192.168.4.1's interface IP.

What am I missing here?

bingo600

@raindog308

The routing is probably 100% ok , your firewall rules not ..
You would need to allow ping & ssh inbound on the OPT4 interface.
Source OPT4-NET , Dest LAN-NET

pfSense "default" filters incomming traffic , so the permissions have to be made on the interface , where the traffic/packets are generated.

/Bingo

viragomann

@raindog308
For proper routing, all you need is to tell the network device the gateway to use, that is the pfSense interface address.
When you use DHCP on the internal networks, this is done automatically.

Apart from firewall rules on pfSense, consider that the destination devices might block access from outside their networks by their own system firewalls. This is the default behavior of network devices and you will have to configure their firewall to permit access from other networks.

raindog308

@bingo600 If so, I'd expect that temporarily enabling "Disable all packet filtering" would eliminate the issue, but it does not.

However, checking "Bypass firewall rules for traffic on the same interface" immediately resolves the problem.

This makes no sense to me, which is probably due to my ignorance.

viragomann

@raindog308 said in pfSense vs me: who doesn't understand routing? I assume me.:

However, checking "Bypass firewall rules for traffic on the same interface" immediately resolves the problem.

This does exactly what it implies. It only affects packets going in and out on the same interface.

So if this helps, you might have a configuration fault in your network, because packets between 192.168.4.100 and 192.168.6.20 should not go in and out on the same interface at all as you have assigned these networks to different interfaces as you stated above.

stephenw10

Yeah, you don't need to add any routing, pfSense will route between all connected subnets by default.
With pf disabled you should be able to reach between the subnets. There will be no NAT, so no WAN connectivity, but you don't need that between internal subnets.

It sounds like you have some connections in places you shouldn't.

Steve