Netgate Discussion Forum

Routing through a new Netgate 6100

Routing and Multi WAN
12 Posts, 4 Posters, 430 Views
    lowbug (Jan 8, 2025, 11:27 PM; last edited by lowbug Jan 8, 2025, 11:28 PM)

    Hi, please help.

    We are replacing an existing firewall with several new Netgate 6100s. This is the first of many; once we crack this config we can replace the rest.

    Netgate 6100

    Although it is a different previous vendor, we have copied the routing. In my head this should work. But it's super odd: we can't get from the PC top left to the customer network as we could before.

    The Netgate default gateway WAN interface goes to the customer network. We have also defined another gateway to the left-hand firewall IP 192.168.100.1, so we can create static routes using this gateway back to the 192.168.2.0, 192.168.253, 192.168.6.0 networks.

    The Netgate has the same IPs as the previous vendor firewall which was removed, so the routes in the left-hand side firewall to the Netgate are still valid and should work.
    If we ping from the PC on the 192.168.2.x range we can ping the netgate on 192.168.100.101
    We can ping from the netgate to 192.168.100.1
    We can ping from the netgate to the wan customer device on 10.209.209.65
    We can ping a device on the customer network 11.2.33.120


      viragomann @lowbug (Jan 9, 2025, 9:46 AM)

      @lowbug said in Routing through a new Netgate 6100:

      The netgate default gateway wan interface goes to the customer network.

      Did you state the upstream gateway in the WAN interface settings?

      We can ping from the netgate to the wan customer device on 10.209.209.65

      According to your graphic, this IP is outside of pfSense WAN subnet 10.209.209.0/26. (?)
      So obviously some of the stated data are wrong.

        Gertjan @lowbug (Jan 9, 2025, 10:03 AM)

        @lowbug said in Routing through a new Netgate 6100:

        We can ping a device on the customer network 11.2.33.120

        The customer network uses IPs that also exist on the Internet?
        11.2.... is not RFC1918.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          NogBadTheBad @Gertjan (Jan 9, 2025, 10:32 AM)

          @Gertjan said in Routing through a new Netgate 6100:

          @lowbug said in Routing through a new Netgate 6100:

          We can ping a device on the customer network 11.2.33.120

          The customer network uses IPs that also exist on the Internet?
          11.2.... is not RFC1918.

          Seen who owns that address space!

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            lowbug (Jan 9, 2025, 11:24 AM)

            Hi, I made the 11. address up; the customer does run a range.
            Sorted it: I required a rule in the Netgate firewall to allow the 192.168.2.x, 192.168.253.x and 192.168.6.x networks in from the LAN side. The Netgate was only expecting its own LAN subnet, not the subnets in the diagram to the left of that.

            yay! Thanks all :)

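As an added illustration (not code from the thread, from pfSense or from Netgate), here is a small Python model of first-match firewall evaluation using the addresses posted above. It checks viragomann's point that 10.209.209.65 lies outside the 10.209.209.0/26 WAN subnet, and shows why a LAN rule whose only source is "LAN net" drops traffic from the subnets behind 192.168.100.1 until those subnets are added as sources, which is the fix lowbug describes. Interface names and the rule layout are assumptions.

```python
# Added example: a minimal model of pfSense's first-match rule evaluation
# and a gateway-in-subnet check. Addresses are the ones given in the thread;
# interface names and the rule representation are assumptions.
from ipaddress import ip_address, ip_network

# Interfaces as described in the thread (names assumed).
INTERFACES = {
    "LAN": ip_network("192.168.100.0/24"),
    "WAN": ip_network("10.209.209.0/26"),
}

# Networks that sit behind the left-hand firewall at 192.168.100.1
# (192.168.253 in the post is taken as a /24 here; that is an assumption).
LEFT_SIDE_NETS = [ip_network(n) for n in
                  ("192.168.2.0/24", "192.168.253.0/24", "192.168.6.0/24")]


def gateway_in_subnet(iface, gateway):
    """An interface gateway must be inside that interface's subnet."""
    return ip_address(gateway) in INTERFACES[iface]


def first_match(rules, iface, src):
    """Return the action of the first rule matching (iface, src).

    Rules are (action, interface, [source networks]); anything that falls
    through every rule hits the implicit default deny.
    """
    src = ip_address(src)
    for action, rule_iface, src_nets in rules:
        if rule_iface == iface and any(src in n for n in src_nets):
            return action
    return "block"


# Default LAN rule: only "LAN net" is allowed as source.
DEFAULT_LAN_RULES = [("pass", "LAN", [INTERFACES["LAN"]])]

# The fix from the thread: also pass the subnets behind 192.168.100.1.
FIXED_LAN_RULES = [("pass", "LAN", [INTERFACES["LAN"]] + LEFT_SIDE_NETS)]

if __name__ == "__main__":
    print("10.209.209.65 in WAN subnet:", gateway_in_subnet("WAN", "10.209.209.65"))
    for ruleset in (DEFAULT_LAN_RULES, FIXED_LAN_RULES):
        print(first_match(ruleset, "LAN", "192.168.2.10"))
```

Note that a host on 172.16.14.0/24 (the VPN range mentioned later in the thread) still hits the default deny under both rulesets, since neither lists that network as a source.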
              lowbug (Jan 30, 2025, 12:57 PM)

              It seems I didn't quite fix this... So we can see that when users are on VPN to our main firewall (coming from a 172.16 address; left-hand side firewall, not shown in image) they can't get through the Netgate. They can ping 192.168.100.101, but if they traceroute to a known address in the 10.209.209.0 network (or any network beyond that) it gets to the Netgate at 192.168.100.101 but is then dropped.

              I have checked the WAN and LAN firewall rules on the Netgate and it doesn't look like the firewall is blocking it. I don't know why it's doing this and not routing it forward to the 10.209.209.x LAN. Checking the firewall logs, there is nothing from the 172. address at all?

              Please help :(

                Gertjan @lowbug (Jan 30, 2025, 1:38 PM)

                @lowbug said in Routing through a new Netgate 6100:

                it gets to the netgate at 192.168.100.101 but is then dropped

                Is 192.168.100.101 the pfSense WAN?
                Does pfSense know what to do with this traffic?


                  lowbug @Gertjan (Jan 30, 2025, 1:41 PM)

                  @Gertjan Thanks. 192.168.100.101 is the Netgate LAN address; 10.209.209.121 is the Netgate WAN address.

                    Gertjan @lowbug (Jan 30, 2025, 1:47 PM)

                    @lowbug

                    Humm. Ok, so pfSense should know what to do with it.
                    Only LAN firewall rules might stop traffic then.


                      lowbug @Gertjan (Jan 30, 2025, 2:22 PM)

                      @Gertjan OK, I will recheck them now.

                        lowbug @lowbug (Jan 31, 2025, 9:44 AM)

                        I have set a rule to allow anything from the network 172.16.14.0/24 to any network, but it still doesn't work.

                          Gertjan @lowbug (Jan 31, 2025, 10:26 AM)

                          @lowbug

                          Before the rule you can see 'counters'.
                          Like these :

                          [image: screenshot of the per-rule state/packet counters shown in the pfSense rule list]

                          If it stays at 0/0, the rule wasn't used ... = no matching traffic.


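To apply Gertjan's "0/0 means no matching traffic" check from the shell rather than the GUI, here is an added example (not from the thread or from pfSense) that parses the per-rule counters `pfctl -vsr` prints on pfSense/FreeBSD and lists the rules no packet has ever matched. The sample output is constructed for this example; the rule labels in it are assumptions.

```python
# Added example: find firewall rules whose pfctl counters are still zero.
# On pfSense, "pfctl -vsr" prints each loaded rule followed by a line such as
#   [ Evaluations: N  Packets: N  Bytes: N  States: N ]
# The text below is constructed sample output, not a capture from the thread.
import re

SAMPLE_PFCTL_VSR = """\
pass in quick on igc1 inet from 192.168.100.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN"
  [ Evaluations: 5120      Packets: 3311      Bytes: 2891002     States: 7     ]
pass in quick on igc1 inet from 172.16.14.0/24 to any flags S/SA keep state label "USER_RULE: allow VPN users"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

# A rule line starts with the action; the pfSense label is optional.
RULE_RE = re.compile(r'^(pass|block|match)\b.*?(?:label "([^"]*)")?$')
# The counter line that follows each rule.
COUNTER_RE = re.compile(r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)')


def parse_rule_counters(text):
    """Return a list of (rule_text, label, evaluations, packets)."""
    rules = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = [line, m.group(2) or "", 0, 0]
            rules.append(current)
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:
            current[2], current[3] = int(c.group(1)), int(c.group(2))
    return [tuple(r) for r in rules]


def unused_rules(text):
    """Labels (or raw rule text) of rules with 0 evaluations and 0 packets."""
    return [label or rule
            for rule, label, ev, pk in parse_rule_counters(text)
            if ev == 0 and pk == 0]


if __name__ == "__main__":
    # On a live box: pfctl -vsr | python3 this_script.py (read sys.stdin instead)
    for name in unused_rules(SAMPLE_PFCTL_VSR):
        print("never matched:", name)
```

A rule that stays at zero while the traffic is being sent points at the packet never reaching that interface or that rule (routing, or an earlier rule), not at the rule's own action.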