Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic goes where ?

    Scheduled Pinned Locked Moved Routing and Multi WAN
    7 Posts 3 Posters 607 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LB 0
      last edited by

      Some traffic from LAN to SERVER does not go through as expected.

      The set up:
      a9356c29-d696-4744-b59a-d71117577221-image.png

      LAN rules:
      dd60ac5a-28cf-4dce-aaa1-3f8d8475887f-image.png

      Server rules:
      96c93f0c-f66d-45ab-a853-c4e9fa56d2e7-image.png

      From the client on the LAN i can ping both NAS and Proxmox.
      I can connect to the proxmox server on port 8006 without issues.

      But i cant connect to the NAS on port 443.
      I know that port 443 is open and answering on the NAS, since if i directly connect the PC to the NAS i get acceess.
      But it feels like the response traffic for some reason doesn't go back to the PC when connected to pfSense.

      What am i missing ?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @LB 0
        last edited by

        @LB-0
        I guess, there is a firewall on the NAS, which blocks access from outside of its subnet.

        1 Reply Last reply Reply Quote 0
        • L
          LB 0
          last edited by

          No Firewall active on the NAS.

          J 1 Reply Last reply Reply Quote 0
          • J
            Jarhead @LB 0
            last edited by

            @LB-0 I'd have to assume it has something to do with that WG gateway rule but since you can ping from the .10, that seems unlikely.
            Just to test disable that rule on the server interface and enable the rule above it.
            Does it work then?

            L 1 Reply Last reply Reply Quote 0
            • L
              LB 0 @Jarhead
              last edited by

              @Jarhead No change when enableing that rule and there should not be a need for any rule on the SERVER nic since the traffic originates from the LAN and pfsense is a stetefull FW.

              The WG (wiregard) gateway is a rule to tunnel all traffic NOT going to private network via it.
              The private_network alias contains the LAN subnet as well.

              Ive been trying to figure out how i can see what path the traffic takes through the pfSense. Cisco has a good feature called packet trace that can simulate a packet and show you all steps the FW does with it.

              V J 2 Replies Last reply Reply Quote 0
              • V
                viragomann @LB 0
                last edited by

                @LB-0
                So it's time to sniff the traffic on the pfSense interface, which faces to the NAS, while you try to access it.
                What do you see there?
                If there is nothing take a capture on LAN.

                1 Reply Last reply Reply Quote 0
                • J
                  Jarhead @LB 0
                  last edited by

                  @LB-0 said in Traffic goes where ?:

                  @Jarhead No change when enableing that rule and there should not be a need for any rule on the SERVER nic since the traffic originates from the LAN and pfsense is a stetefull FW.

                  Very true but if the return traffic was going out the WG tunnel, there would be your problem. By disabling that rule you should have gotten rid of the tunnel path and you would need the rule above it to make sure that subnet still had access to anything while testing.

                  As Viragomann said, start sniffing. I'm still betting the return traffic is hitting the WG tunnel. You can sniff on it and see if the packets are forced that way.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.