PFsense not routing between lan and wan
-
I have pfsense deployed on ESXi 8.0 in my homelab. Primary network for my home is 192.168.2.0/24 and the other network I am trying to set up via PFsense is 192.168.1.0/24. So pfsense networking looks like this:
On my home router I have set up a static route pointing toward 192.168.2.199 as the route to 192.168.1.0/24.
PFsense has allow all rules in the firewall as this is all internal to my home network, and I have also disabled the private network blocking rules in pfsense.
Traffic does not seem to be able to traverse pfsense to get from the wan to lan, or vice-versa.
From another machine located in the lan, if I try to ping the pfsense wan interface, pfsense seems like it doesn't know it has that interface from the lan side.....From a packet capture
07:35:34.793704 ARP, Request who-has 192.168.2.199 tell 192.168.1.50, length 46
I would think pfsense would be responding differently to an arp request considering the IP is on its WAN interface.
Routing looks like this:
I feel like I am missing something silly and any help would be greatly appreciated.
-
To add some additional information, from the pfsense ping test, I am able to ping from the lan interface to wan IPs, but I am not able to ping from the WAN interface to lan IPs.
Pinging from one interface to another works fine.
-
@vnoob said in PFsense not routing between lan and wan:
From another machine located in the lan, if I try to ping the pfsense wan interface, pfsense seems like it doesn't know it has that interface from the lan side.....From a packet capture
07:35:34.793704 ARP, Request who-has 192.168.2.199 tell 192.168.1.50, length 46
I would think pfsense would be responding differently to an arp request considering the IP is on its WAN interface.
This rather seems to me that the LAN machine has a wrong network setting.
It should request a MAC for an IP which is outside of its subnet.
-
@viragomann
Yeah, sorry, maybe that wasn't the best info to provide as that machine also has a dual nic with one in each network and I was pinging out the lan network on it.
All machines in the lan network have their gateway as being the Lan interface of pfsense, which I believe should be correct.
Maybe this will provide better info for assistance.
Picking another IP in the LAN. If I ping from the lan interface to another lan IP. It works
But pinging from the WAN interface to a lan IP fails...
If I ping from the lan interface to a different IP in the wan network, there are no issues.....
Again there are allow all rules in the firewall, so I am not sure what I am missing. I have tried NAT automatic nat and disabled nat with no help.
-
@vnoob said in PFsense not routing between lan and wan:
maybe that wasn't the best info to provide as that machine also has a dual nic with one in each network and I was pinging out the lan network on it.
In fact. Packets will go the shortest path and you will end up in asymmetric routing issues.
But pinging from the WAN interface to a lan IP fails...
As far as I can tell, this is not representative. Packets are sent out on the WAN for whatever reason.
You can use any other internal interface address. However, your LAN device might block this with default settings.
You can sniff the traffic on the LAN while doing this to see what's going on.
so I am not sure what I am missing.
Me too.
Just try an outbound connection from a device behind pfSense, while you sniff the traffic on pfSense LAN and WAN to investigate this.
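-
Added example, not part of any post in this thread: a small Python check that reads tcpdump ARP lines such as the one quoted above and lists requests in which a sender inside a given subnet asks for the MAC of an address outside it. The function name and the second and third sample lines (including 192.168.1.1 as a LAN address) are assumptions made for the illustration.

```python
import ipaddress
import re

# tcpdump's one-line ARP request format, as in the capture quoted in the thread
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+?),")


def off_link_arp_requests(lines, segment):
    """Return (sender, target) pairs where a sender inside `segment`
    sends an ARP request for a target outside `segment`."""
    net = ipaddress.ip_network(segment)
    hits = []
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        try:
            target = ipaddress.ip_address(m.group(1))
            sender = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # tcpdump printed a hostname (capture taken without -n)
        if sender in net and target not in net:
            hits.append((str(sender), str(target)))
    return hits


# Constructed sample: the first line is the one from the thread,
# the other two are made up for the example.
SAMPLE = [
    "07:35:34.793704 ARP, Request who-has 192.168.2.199 tell 192.168.1.50, length 46",
    "07:35:35.101220 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 46",
    "07:35:35.101377 ARP, Reply 192.168.1.1 is-at 00:00:5e:00:53:01, length 28",
]

if __name__ == "__main__":
    for sender, target in off_link_arp_requests(SAMPLE, "192.168.1.0/24"):
        print(f"{sender} sent an ARP request for off-subnet {target}: "
              "check its netmask and any second NIC")
```

A hit means the sender treated the target as directly reachable instead of sending the packet to its gateway, so the host's netmask and any additional interfaces are the first things to look at.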