Noob with routing problem
I'm a noob to networking, so please be nice to me… I am having the following scenario here (simplified):
PC1-------------------------------------LAN WAN------------------------------------------intranet (W2K Server & WinXP Clients)
IP 192.168.1.10 192.168.1.1 172.16.134.25 DHCP 172.16.128.1
MSK 255.255.255.0 255.255.255.0 255.255.224.0 GW 172.16.128.4
GW 192.168.1.1 DNS 172.16.128.7
The pfSense box gets the WAN IP address via DHCP from a W2K-Server, PC1 gets the IP address from the pfSense box (DHCP enabled). The "Allow DNS server list to be overridden by DHCP" (services/general setup) is checked and "Enable DNS forwarder" (services/dns forwarder) is also checked. Firewall rules are temporarily disabled in order to exclude any problems from that (system/advanced/"disable the firewalls filter altogether") but will be added when problem(s) is/are fixed. From PC1 side everything seems to be fine, I can go to intetnet, ftp, ping... BUT from intranet I can do almost nothing. For example if I do "ping PC1" I even see the correct IP (192.168.1.10) but the command fails with timeout (100% packet loss). If i do a "tracert PC1" I will see the W2k gateway as first hop (172.16.128.4) but the next hop is a timeout again.
I know, I make a dumb mistake, but I still don't find it. Thanks!
By disabling firewalls alltogether you shutdown NAT too. This means the whole setup is acting different now. It's switching to routing. The W2K-Server and all other clients at the pfSense WAN side are missing a route to the subnet behind the pfSense through the gateway <wan ip="" of="" pfsense="">. What do you want to do with that setup? Maybe I can give you some advice how to set this up correctly.</wan>
what I want to do is to seperate some Linux workstations from the company intranet. Only some dedicated workstations from the intranet should have acces to them. I have disabled the firewall rules only in order not to have additional problems from false rules. I already tried a rule "allow everything" and the behaviour is the same as described above. For me it seems to be a promlem in routing. In my opinion the problem is the following: If a PC (e.g. 172.16.134.18) from the intranet wants a connection to a PC behind the firewall (e.g. 192.168.1.10 on LAN) it asks the W2k server (gateway @172.16.128.4) how to route. This is exactly what i see if I do a "tracert 192.168.1.0" (or equivalent "tracert PC1") -> the first hop is the W2k gateway. The W2k server has no route to the PC1, because intranet network is 172.16.128.0/19. So in my (limited) scope the W2k server should ask the pfSense box for a route to PC1 and this is not done. So I think I have to change something within the W2k server that it also asks the pfsense box for a route, right?
Sorry for my limited technical knowledge, I am working on it…
EDIT: I tried to set the pfSense box as the standard gateway on an WinXP-PC within the intranet and everything is fine now. So I do think I have to change something on the W2k server. Sorry for the inconvenience...
This is one possible solution to the problem. Other solution would be to add a route at the w2k server box and still use it as default gateway (which saves you one hop for clients in the intranet going to WAN and which also will make clients in intranet unaware of a failure of the pfSense when going to the internet). However if this works best for you or is the easiest way to configure it go along with it. Alternatively you could add routes at the single clients that need to talk to the servers behind the pfSense. A third not yet mentioned solution would be a 3 interface pfSense at the intranets WAN with the servers behind a 3rd interface. This way the pfSense would be the default gateway for every client/server and it has all the routes would route without touching anything at client or server side. I would prefer the 3 interface attempt with the pfSense sitting at the real WAN but like I said, what ever works best for you.