Netgate Discussion Forum
    Firewall/NAT issues on routed network

    Category: General pfSense Questions
    10 Posts, 4 Posters, 540 Views
    • jmaynard

      I'm not sure if this is a firewall or a NAT issue, so here goes...

      I need help with a pfSense firewall issue. Scenario: I have two LANs, a Token Ring and an Ethernet. The Ethernet is my main LAN, at 192.168.120.0/24. The Token Ring is 192.168.121.0/24. I have a Cisco 2612 running IOS 12.2 routing between them; it's at 192.168.120.9 and 192.168.121.1. The Ethernet is gatewayed to the Internet with a Netgate 2100 running pfSense+ at 192.168.120.1; it also has a static route set up for 192.168.121.0/24 with next hop 192.168.120.9. The Netgate also acts as my local DNS server. Everything on the Ethernet has its default gateway set to 192.168.120.1.

      I have a device (an IBM 3174-63R cluster controller) on the Token Ring at 192.168.121.2. It has a default gateway set to 192.168.121.1. It can communicate with everything on the local Ethernet just fine. It cannot communicate with the outside world at all. The Cisco can ping the pfSense box's external interface IP address just fine; the 3174 cannot. The pfSense box can ping the 3174. The 3174 can do name resolution just fine.

      Packet captures on the pfSense box show ping packets from the 3174 to an external IP address getting to the pfSense box, but no replies being sent back. This tells me that the problem is in the pfSense configuration. It's set to do automatic outbound NAT rules, and it does show that there's a rule to handle both the Ethernet and Token Ring address ranges. I don't know what else to check. I've missed setting something up, but what?

      • stephenw10 (Netgate Administrator)

        You would not need NAT to ping the 2100 WAN address from the 3174. It should still be able to reply there as long as all the default routes are correct, which it sounds like they are.

        It sounds more like a firewall rule problem. I assume you do not see anything blocked in the firewall log on the 2100?

        If packets arrive on the 2100 LAN but go nowhere, first check the firewall rules. Then look for IPsec config or captive portal if they are configured.

        Steve

        • jmaynard @stephenw10

          @stephenw10 That was it. I was depending on the default rules that allow LAN subnets to anything on the WAN to allow traffic. What I didn't realize was that the automatic outbound NAT rules only set up firewall pass rules for the subnets on the LAN interface, not everything that gets NAT outbound. Added an explicit PASS rule for the T/R LAN and it works. Thanks!

          • JKnott @jmaynard
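          As an added illustration of the fix described above (not code from this thread or from pfSense itself): a small Python model of first-match rule evaluation on the LAN interface. It shows that the default "LAN net" pass rule only matches sources inside 192.168.120.0/24, so a packet from the 3174 (192.168.121.2) that arrives on LAN via the Cisco falls through to the implicit default deny, and that an explicit pass rule for 192.168.121.0/24 lets it through. The external address 203.0.113.10 and the Ethernet host 192.168.120.50 are constructed sample values; the rule list is a simplified model of the install-time LAN rules, not an exact copy.

```python
"""Model of pfSense LAN-interface rule evaluation for a routed subnet.

Constructed example, not pfSense code. pfSense GUI rules are all "quick",
so the first matching rule decides the packet; anything that matches no
rule hits the implicit default deny. Outbound NAT is a separate step and
is not the reason the Token Ring traffic is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Union

LAN_NET = ip_network("192.168.120.0/24")   # what pfSense calls "LAN net"
TR_NET = ip_network("192.168.121.0/24")    # Token Ring, routed via 192.168.120.9

Selector = Union[IPv4Network, str]         # an address block or the literal "any"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: Selector
    dst: Selector
    descr: str

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        src_ok = self.src == "any" or src in self.src
        dst_ok = self.dst == "any" or dst in self.dst
        return src_ok and dst_ok


def evaluate(rules, src_ip: str, dst_ip: str):
    """Return (action, description) of the first rule that matches the packet."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.descr
    return "block", "default deny"


# Simplified model of the LAN rules pfSense creates at install time
DEFAULT_LAN_RULES = [
    Rule("pass", LAN_NET, "any", "Default allow LAN to any rule"),
]

# Same rule set with an explicit pass rule for the routed Token Ring subnet
FIXED_LAN_RULES = DEFAULT_LAN_RULES + [
    Rule("pass", TR_NET, "any", "Allow Token Ring subnet to any"),
]

# Constructed packets: an Ethernet host and the 3174 each pinging an outside address
PACKETS = [
    ("192.168.120.50", "203.0.113.10"),   # Ethernet host, directly on LAN net
    ("192.168.121.2", "203.0.113.10"),    # 3174 on Token Ring, forwarded by the Cisco
]


def verdicts(rules) -> dict:
    """Map each packet's source address to the action the rule set takes."""
    return {src: evaluate(rules, src, dst)[0] for src, dst in PACKETS}


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        for src, dst in PACKETS:
            action, why = evaluate(rules, src, dst)
            print(f"{name:7} {src:>15} -> {dst}: {action} ({why})")
```

The same check is what the firewall log on the 2100 would have shown: a default-deny entry for 192.168.121.2 on the LAN interface, with no matching pass rule ahead of it.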

            @jmaynard said in Firewall/NAT issues on routed network:

            I have two LANs, a Token Ring and an Ethernet.

            WOW!!! I haven't seen token ring since the first time I was at IBM, in the late 90s. By the second time I was there, they'd switched to Ethernet. I'm surprised you can still find TR gear these days.

            If you can reach the Ethernet network, but not beyond, then you likely have a routing issue. I assume the default route on the TR network is the Cisco router, which then passes the packets to the Ethernet network, but the problem is the return route for packets coming in from the Internet. Use Packet Capture or Wireshark to see where the packets are or are not going. I suspect you'll see the packets heading out to the Internet, but return packets coming in, but not reaching the TR network.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • stephenw10 (Netgate Administrator)

              Ha indeed, that caused me to double-take! Hat tip to you sir. 😁

              • jmaynard @JKnott

                @JKnott You can still find it on eBay. My MAU and a few other things are all from when my roommate's place of employment switched from TR to Ethernet in the early 2000s.

                You're not the only one who was surprised to see TR in current use. I have two 3174 controllers, and Token Ring interfaces for them are cheap and plentiful, while Ethernet interfaces are expensive and rare. I also do SNA directly over the ring (in addition to the 3174s, I also have four P/3x0 personal mainframes installed in RS/6000 boxes, and the 3174 can speak SNA over Token Ring).

                Yes, the TR default route is the Cisco. I had originally thought it was the Cisco, too, but someone on another forum suggested a packet capture. Doing that on the Netgate showed the packets arriving but no replies being sent, and that's what got me looking at firewall rules.

                • JKnott @jmaynard

                  @jmaynard said in Firewall/NAT issues on routed network:

                  I also do SNA directly over the ring

                  That really takes me back. One of the products I supported the first time I was at IBM was a 3270 & 5250 terminal emulator called "Personal Communications". I used to test connections over both IP and SNA. BTW, back in those days, I had 5 IPv4 and 5 SNA addresses, 1 of each for my own computer and 4 for testing. The IPv4 addresses were public, none of that NAT stuff there, and I had memorized all 10 addresses. My IP address was 9.29.146.147.

                  Back then I was an OS/2 product specialist, though I also supported apps on Windows. I was the top OS/2 support guy in IBM Canada. I was also on the team that developed standard desktop systems for IBM Canada employees. We were also encouraged to learn about Linux on company time.

                  • jmaynard @JKnott

                    @JKnott I was a real OS/2 bigot, back in the day...and now I find myself dealing with it as I run a Multiprise 3000, the service element of which runs OS/2 Warp. Having to dredge up old, old memory.

                    • JKnott @jmaynard

                      @jmaynard

                      I have Warp 4 running in a virtual machine on Linux, on my ThinkPad.

                      • Phizix @jmaynard

                        @jmaynard

                        Back in the day I was the MIS for a law firm in Dallas. When we moved facilities I did all the wiring for an Arcnet token ring. Boy, that does take me back.

                        Phizix

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.