Routing through a new Netgate 6100

viragomann

@lowbug said in Routing through a new Netgate 6100:

The netgate default gateway wan interface goes to the customer network.

Did you state the upstream gateway in the WAN interface settings?

We can ping from the netgate to the wan customer device on 10.209.209.65

According to your graphic, this IP is outside of pfSense WAN subnet 10.209.209.0/26. (?)
So obviously some of the stated data are wrong.

Gertjan

@lowbug said in Routing through a new Netgate 6100:

We can ping a device on the customer network 11.2.33.120

The customer network uses IPs that exist also on the Internet ?
11.2.... is not RFC1918.

NogBadTheBad

@Gertjan said in Routing through a new Netgate 6100:

@lowbug said in Routing through a new Netgate 6100:

We can ping a device on the customer network 11.2.33.120

The customer network uses IPs that exist also on the Internet ?
11.2.... is not RFC1918.

Seen who owns that address space!

lowbug

Hi, I made the 11. address up, the customer does run a range.
Sorted it, I required a rule in the netgate firewall to allow the 192.168.2.x,192.168.253.x, 192.168.6.x in from the lan side. The netgate was only expecting its own lan subnet not the subnets in the diagram to the left of that.

yay! Thanks all :)

lowbug

It seems I didn't quite fix this... So we can see that when users are on VPN to our main firewall ( coming from 172.16 address (left-hand side firewall - not shown in image) they can't get through the netgate. They can ping the 192.168.100.101 but if they traceroute to a known address in the 10.209.209.0 network ( or any network beyond that) it gets to the netgate at 192.168.100.101 but is then dropped.

I have checked the wan and lan firewall rules on the netgate and it doesn't look like the firewall is blocking it. I don't know why it's doing this and not routing it forward to the 10.209.209.x lan.. Checking the firewall logs there is nothing from the 172. address at all?

Please help :(

Gertjan

@lowbug said in Routing through a new Netgate 6100:

it gets to the netgate at 192.168.100.101 but is then dropped

Is 192.168.100.101 the pfSense WAN ?
Does pfSense know what to do with this traffic ?

lowbug

@Gertjan Thanks 192.168.100.101 is the netgate lan address 10.209.209.121 is the netgate wan address

Gertjan

@lowbug

Humm. Ok, so pfSense should know what to do with it.
Only LAN firewall rules might stop traffic then.

lowbug

@Gertjan Ok I will recheck them now

lowbug

I have set a rule to allow anything from the network 172.16.14.0 /24 to any network but still, it doesn't work.

Gertjan

@lowbug

Before the rule you can see 'counters'.
Like these :

If it stays at 0/0, the rule wasn't used ... = no matching traffic.