[SOLVED] Newbie setup question - Cannot ping though…


  • Hi everyone,

    Just want to say this is a wonderful piece of software!

    I'm not running the standard setup because of the overhead required for some packages so instead I'm using 2 boxes in series, both running pfsense. I prefer to run it this way actually, as a new user to pfsense, I think it might help me get used to reading logs if I am able to get a sense for the differences between the logs generated by each firewall.

    So, setup is: LAN(just 1 PC)->Firewall1->Firewall2->modem

    For security, I've configured a static route from firewall1 to firewall2. I configured this on firewall2's dhcp server configuration menu.

    I've tried various configurations but so far, I have not been able to resolve a configuration problem I'm having:

    From my PC, I cannot ping some addresses.. for instance, Downloads.cnet.com but I can ping it fine from firewall2's ping service. I ran a trace and the first firewall responds but the second does not.

    I am using Pfsense 1.2.3 RC3 on both boxes and I should also say, some addresses resolve, others do not. I mean, it works well enough that I can post here… Anyway, I'm sure I've overlooked something in the setup - any tips would be helpful.

    Let me know what aspect of the setup is causing this problem and I'll post my configuration settings for that menu


  • No offense, but this sounds like a really poor choice of network topology.  You don't have the resources to run "some packages", but you do to have two firewalls?  This kind of setup is really unusual, to put it mildly, and is almost guaranteed to cause problems other than what you are seeing.  Could you possibly reconsider this?  You may get help here, but people will likely be less interested in trying to get a broken setup working for you…


  • The firewall PCs I'm using are very old and therefore neither is able to have snort running on both interfaces.  One monitors the WAN and the other monitors the LAN.

    I understand this isn't a normal setup but isn't relaying meant for this?

    Perhaps if you could explain how/why this kind of setup 'almost guarantees' problems for me then perhaps I can justify buying a better firewall pc. You seem quite confident about it and as a result I am very interested in what aspect of the functionality is rendered inoperable and why with this kind of setup.

    I am, at present, confident that my issues stem from bad configuration so hopefully I can get some help to sort that out. However (as above) please correct me if I'm wrong.


  • Hi,

    You should provide more information about your setup, because there are so many things we must know to help you…
    Tell us more about your IP configuration for both firewalls (Static, DHCP, gateways, proxy, routes, services etc...).

    As "danswartz" says, it looks a bit complicated to run 2 firewalls only because you don't have powerful firewall hardware, because setting up 2 firewalls makes things harder to set up and to troubleshoot, and you are actually experiencing this problem.
    If you were using 2 firewalls for security reasons and to make a DMZ between both, I would agree with you.
    Like: WWW <-> FW1 <-> DMZ <-> FW2 <-> LAN
    But in this setup, I would use 2 different firewall technologies/software, not both running pfSense.

    Bye.


  • No problem, anything I can do to help you guys help me here would be very much appreciated. I'm very thankful for any help I can get… It's been a fun couple of weeks...

    I might as well just cut to the chase because it'll help me get this sorted quicker. The primary reason for 2 firewalls IS security, but it's true that my old box couldn't handle running snort to a satisfactory degree, so I've set pfSense up on a second, newer box that CAN run snort.

    Anyway, what you said about having a DMZ between both firewalls sounds like what I'd envisioned conceptually when putting this together. Let's move towards that setup.

    I'm at work now though so I'll have to list off what I have configured from memory for my present setup (I'll double check & edit this when I get home if necessary)

    Ok so once again it's LAN->Firewall1->Firewall2->modem
    Firewall 1 is a default install with the following settings:
    IP address for LAN interface 192.168.1.1
    IP address for WAN interface is 192.168.2.22
    Default gateway is 192.168.2.1
    Set to issue DHCP leases on LAN from 192.168.1.1 to 192.168.1.255

    Firewall 2 is also a default install with the following settings:
    IP address for LAN interface is 192.168.2.1
    IP Address for WAN interface is by DHCP
    DHCP on LAN is currently enabled (I tried it disabled too, but I read something about how the DHCP service doesn't do DNS forwarding/relaying if it's disabled); however, I have a static mapping for firewall1's WAN IP/MAC/hostname

    The static mapping was to ensure that firewall2 wouldn't issue a DHCP lease to anyone that wasn't connecting from the WAN interface on firewall1. It looks like this is pointless though unless I'm worried about someone physically connecting to firewall2 from inside the network. I'm not at all concerned about this, so if there is no security afforded from such a static mapping, I can just disable it.

    I will post the specific configs when I get home. In the meantime, is there someplace I can read about the kind of setup you've suggested? (WWW <-> FW1 <-> DMZ <-> FW2 <-> LAN)


  • Even if the concept of having a DMZ between 2 firewalls is well known (http://en.wikipedia.org/wiki/DMZ_(computing)#Dual_firewalls), I don't know any howto which can help in your setup. So:

    LAN (1.0) -> (1.1) FW1 (2.22) -> (2.1) FW2 (DHCP) -> Modem

    And all this setup is working, but ICMP packets from LAN don't go through FW1.

    Are you sure that the FW1 rule allowing ICMP is ok? You should try activating the logging feature of the rule and monitor the logs.


  • Hello :)

    You just summarized my book in 4 sentences… I really need to learn how to do that...

    Anyway, absolutely correct - I made a slight error in my first post in that FW1's DHCP server is issuing leases from .10 to .245 - but otherwise correct.

    Firewall rules - I hadn't touched them. I turned on logging on the LAN interface on FW1 as suggested and got the following hit when pinging downloads.cnet.com from my PC

    @49 pass in log quick on rl0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"

    Looks like it's allowed it through though..

    EDIT: I enabled logging for the LAN interface 'pass all' rule on FW2 and when pinging downloads.cnet.com from my pc I get a pass through notice on FW1 and nothing at all on FW2, not even a notice that it was blocked. When pinging www.google.ca from my pc, I get a passthrough notice on FW1 and a passthrough notice on FW2 and ofc the ping replies.

    Thanks for your help thus far!


  • Firewall configs:    (and remember, I'm a noob here, so if anyone wants to jump in with some security tips, please do)

    FW1
    General Setup:
    Hostname: <firewall1>  Domain: <landomain>  DNS Server: 192.168.2.1
    Allow DNS server list to be overridden by DHCP/PPP on WAN: UNCHECKED
    Advanced setup: I've changed nothing from defaults
    WAN interface setup:
    Type: Static
    IP: 192.168.2.22 / 1            (Incidentally, what does the / # denote? Is that the port?)
    Gateway: 192.168.2.1
    Rest is blank and the 3 boxes at the bottom are checked. Block private networks, bogon networks and disable userland ftp proxy
    LAN interface setup:
    Bridged: no
    IP: 192.168.1.1 / 24
    Firewall: All defaults all menus
    Services:
    DNS Forwarder: All 3 boxes checked (Enable, register dhcp leases in forwarder, register static mappings in forwarder)
    At the first portion in the bottom where you can specify hosts, I have added:
    Host: <firewall2>  Domain: <firewall2domain>  IP: 192.168.2.1
    The section below where you can specify domains to be overridden is blank.
    DHCP Server page: The option is enabled with the range specified before, all the rest is default

    FW2
    General setup:
    Hostname: <firewall2>  Domain: <firewall2domain>  DNS Server: Blank
    Allow DNS server list to be overridden by DHCP/PPP on WAN: CHECKED
    WAN interface: DHCP
    LAN interface: Not bridged
    IP: 192.168.2.1 / 24
    DNS Forwarder: All 3 options checked & nothing specified in the lower areas
    DHCP Server: ENABLED
    Deny unknown clients: CHECKED
    IP Range: 192.168.2.10 - 192.168.2.20
    WINS: 192.168.2.1
    DNS: 192.168.2.1
    Gateway: 192.168.2.1
    Static ARP: Enabled
    At the bottom where you specify trusted users, I have FW1's WAN interface MAC address and 192.168.2.22 for its IP and I have also specified its proper hostname

    Please let me know if I've missed anything…
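An added example, written for this edit and not part of the thread, to answer the "/ #" question in the WAN interface setup above: the number after the slash is the prefix length (how many leading bits of the address are the network part, i.e. the subnet mask), not a port. A host treats every destination inside its own prefix as directly attached and ARPs for it on that link; only destinations outside the prefix are handed to the gateway. The script below computes that decision for an address with a /1 mask versus a /24 mask. The destination addresses are constructed sample values, not the real addresses of the hosts pinged in the thread.

```python
"""
Added example (not from the thread): what "address / N" means on an
interface and how N decides whether a packet goes straight onto the
wire (on-link) or to the default gateway.

Assumptions, labelled: FW1's WAN address and gateway are taken from the
thread (192.168.2.22, gateway 192.168.2.1); the destinations in
SAMPLE_DESTINATIONS are constructed sample values, not real hosts.
"""
import ipaddress

FW1_WAN_ADDR = "192.168.2.22"
FW1_WAN_GATEWAY = "192.168.2.1"

# Constructed sample destinations (documentation/test ranges and one
# arbitrary low address); they stand in for "some sites work, some don't".
SAMPLE_DESTINATIONS = [
    "192.168.2.1",    # the gateway itself: always on-link
    "77.0.0.1",       # first bit 0  -> below 128.0.0.0
    "198.51.100.7",   # first bit 1  -> above 128.0.0.0 (TEST-NET-2)
    "203.0.113.5",    # first bit 1  -> above 128.0.0.0 (TEST-NET-3)
]


def prefix_report(iface_cidr: str) -> dict:
    """Expand 'addr/N' into the network, dotted netmask and size it implies."""
    iface = ipaddress.ip_interface(iface_cidr)
    return {
        "network": str(iface.network),
        "netmask": str(iface.netmask),
        "num_addresses": iface.network.num_addresses,
    }


def on_link(iface_cidr: str, dest: str) -> bool:
    """True when dest is inside the interface's own prefix, so the host
    will ARP for dest directly instead of forwarding to the gateway."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(dest) in iface.network


def next_hop(iface_cidr: str, gateway: str, dest: str) -> str:
    """Address the host actually sends the frame to for dest."""
    return dest if on_link(iface_cidr, dest) else gateway


def classify(iface_cidr: str, gateway: str, dests) -> dict:
    """Map each destination to the next hop the host would use."""
    return {d: next_hop(iface_cidr, gateway, d) for d in dests}


if __name__ == "__main__":
    for prefix_len in (1, 24):
        cidr = f"{FW1_WAN_ADDR}/{prefix_len}"
        rep = prefix_report(cidr)
        print(f"{cidr}: network {rep['network']}, netmask {rep['netmask']}, "
              f"{rep['num_addresses']} addresses")
        for dest, hop in classify(cidr, FW1_WAN_GATEWAY, SAMPLE_DESTINATIONS).items():
            how = "on-link (ARP directly)" if hop == dest else f"via gateway {hop}"
            print(f"  {dest:<14} -> {how}")
        print()
```

With /24 the on-link set is 192.168.2.0 to 192.168.2.255 and everything else goes to 192.168.2.1. With /1 the netmask is 128.0.0.0, so every address from 128.0.0.0 upward is treated as directly attached: the host ARPs for it on the FW1-FW2 link, gets no answer, and never forwards the packet, while addresses below 128.0.0.0 still go through the gateway normally. A DHCP lease carries the subnet mask as an option, so taking the WAN address from the upstream DHCP server also takes the server's mask.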


  • For anyone interested in what's going on here:

    I set FW1 WAN to get its IP by DHCP and set the range for the DHCP server on FW2 to only FW1's WAN IP address and now it's fine

    At least if someone else starts asking about chaining firewalls now you can link them to this thread =p