Routing in RFC1918 wan range



  • Hello

    I use a pfSense box (1.2.2 release) to connect multiple private sites. Each distant site uses an RFC1918 IP address network.
    My LAN network respects RFC1918 also.

    I use router1's IP address as gateway on the pfSense box and I define a static route for site2.
    I disable Block private networks and Block bogon networks on each network interface.

    My LAN server can contact all hosts (SITE1 and SITE2).
    All hosts on site1 (172.17.0.0/16) can connect to the LAN server (172.16.0.0/16).
    But Site2 has some trouble…

    In fact, when I sniff traffic on the pfSense WAN interface, I see the traffic come in and the answers go out.
    The answer traffic works as if it doesn't use the static route.

    I made different tests:

    • If I change the WAN IP address on the pfSense box to router2's IP address, the problem is the same with SITE1 (so bad idea)
    • If I define the site2 IP route on router1 it works for site2 (in fact my only solution but not possible)
    • If I disable the firewall option in pfSense it works (ok but I need the firewall)

    pfSense reacts as if, for RFC1918 answer traffic on the WAN interface, it doesn't use the static route.

    I rapidly checked with an old version of pfSense (before 1.0) and it seems to work fine!

    Bug?? Or any idea?

    Thanks

    Regards

    Jerome

                              router1
    SITE1 (172.17.0.0/16) <----O----+
                                    |           ---------
                                    |----WAN ---| pfSense |---- LAN ----------- (172.16.0.0/0)
                                    |           ---------                          |
    SITE2 (172.18.0.0/16) <----O----+                                             ---
                              router2                                            [  ] LAN Server
                                                                                  ---



  • What is your WAN addressing scheme? One way to do this is to use a separate shared subnet for the WANs:
                              router1         r1wan=10.20.30.2
    SITE1 (172.17.0.0/16) <----O----+            10.20.30.1
                                    |           ---------
                                    |----WAN ---| pfSense |---- LAN ----------- (172.16.0.0/0)
                                    |           ---------                          |
    SITE2 (172.18.0.0/16) <----O----+                                             ---
                              router2         r2wan=10.20.30.3                   [  ] LAN Server

    Then your static routes route the remote LAN via the site's WAN IP.
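An added Python model (not from the thread, and not pfSense's own code) of where the reply to a SITE2-initiated session goes, using the addressing scheme above. It assumes one cause that is consistent with the three tests in the first post: pf's reply-to keyword, which pfSense attaches to rules on a WAN interface that has a gateway, so replies to sessions that entered on WAN are handed to that gateway instead of following the routing table; the router names, prefixes and hop labels are constructed.

```python
import ipaddress

# Constructed topology using the addressing scheme from the second post (assumed values).
ROUTER1 = ipaddress.ip_address("10.20.30.2")   # pfSense's WAN gateway, fronts SITE1
ROUTER2 = ipaddress.ip_address("10.20.30.3")   # fronts SITE2, reachable only via the static route
SITE1 = ipaddress.ip_network("172.17.0.0/16")
SITE2 = ipaddress.ip_network("172.18.0.0/16")
LAN = ipaddress.ip_network("172.16.0.0/16")
WAN_NET = ipaddress.ip_network("10.20.30.0/24")

# pfSense routing table as (prefix, next hop); None means directly connected.
PFSENSE_ROUTES = [
    (LAN, None),
    (WAN_NET, None),
    (SITE2, ROUTER2),                              # static route from the first post
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER1),  # default gateway = router1
]


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def reply_path(dst, *, filtering=True, router1_knows_site2=False):
    """Hops taken by the reply to a session that entered pfSense on WAN.

    Modelled cause (assumption): with packet filtering on, the state created by
    the WAN rule carries pf's reply-to <WAN gateway>, so the reply is handed to
    router1 without consulting the routing table. With filtering off there is no
    state and the routing table (the static route) decides.
    """
    dst = ipaddress.ip_address(dst)
    next_hop = ROUTER1 if filtering else lookup(PFSENSE_ROUTES, dst)
    path = ["pfsense", "router1" if next_hop == ROUTER1 else "router2"]
    if next_hop == ROUTER2:
        return path + ["SITE2 host" if dst in SITE2 else "no route"]
    # router1 reaches SITE2 only if someone added the route there (test 2 in the first post)
    router1_routes = [(SITE1, None), (WAN_NET, None)]
    if router1_knows_site2:
        router1_routes.append((SITE2, ROUTER2))
    hop = lookup(router1_routes, dst)
    if hop == ROUTER2:
        return path + ["router2", "SITE2 host"]
    return path + ["SITE1 host" if hop is None and dst in SITE1 else "no route"]
```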



  • Yes, I use the same IP addresses as in your scheme.
    In your sample I use 10.20.30.2 as gateway and I define 10.20.30.3 to reach 172.18.0.0/16.

    I think it's not a routing problem because if I disable the firewall it works fine.



  • What are your outbound NAT settings? I'd think in your case, you would use AON and delete the default rule.



  • I don't use NAT, only routing.
    My WAN network is a private network.



  • That's what I meant. Just wanted to make sure you had deleted the default rule, as pfsense by default NATs the LAN range over the WAN.



  • Yes, the default NAT was deleted.

    Perhaps I need to post in the firewalling section?



  • No idea ?



  • That's all I got. It's not a configuration I have deployed. You could try checking the box 'bypass firewall rules for traffic on the same interface' under advanced.



  • This option was already enabled.

    If I check the Disable all packet filtering option, routing is OK.

