Routing through a new Netgate 6100

viragomann · Jan 9, 2025, 9:46 AM

@lowbug said in Routing through a new Netgate 6100:

The netgate default gateway wan interface goes to the customer network.

Did you state the upstream gateway in the WAN interface settings?

We can ping from the netgate to the wan customer device on 10.209.209.65

According to your graphic, this IP is outside of pfSense WAN subnet 10.209.209.0/26. (?)
So obviously some of the stated data are wrong.

Gertjan · Jan 9, 2025, 10:03 AM

@lowbug said in Routing through a new Netgate 6100:

We can ping a device on the customer network 11.2.33.120

The customer network uses IPs that exist also on the Internet ?
11.2.... is not RFC1918.

NogBadTheBad · Jan 9, 2025, 10:32 AM

@Gertjan said in Routing through a new Netgate 6100:

@lowbug said in Routing through a new Netgate 6100:

We can ping a device on the customer network 11.2.33.120

The customer network uses IPs that exist also on the Internet ?
11.2.... is not RFC1918.

Seen who owns that address space!

lowbug · Jan 9, 2025, 11:24 AM

Hi, I made the 11. address up, the customer does run a range.
Sorted it, I required a rule in the netgate firewall to allow the 192.168.2.x,192.168.253.x, 192.168.6.x in from the lan side. The netgate was only expecting its own lan subnet not the subnets in the diagram to the left of that.

yay! Thanks all :)

lowbug · Jan 30, 2025, 1:38 PM

It seems I didn't quite fix this... So we can see that when users are on VPN to our main firewall ( coming from 172.16 address (left-hand side firewall - not shown in image) they can't get through the netgate. They can ping the 192.168.100.101 but if they traceroute to a known address in the 10.209.209.0 network ( or any network beyond that) it gets to the netgate at 192.168.100.101 but is then dropped.

I have checked the wan and lan firewall rules on the netgate and it doesn't look like the firewall is blocking it. I don't know why it's doing this and not routing it forward to the 10.209.209.x lan.. Checking the firewall logs there is nothing from the 172. address at all?

Please help :(

Gertjan · Jan 30, 2025, 1:38 PM

@lowbug said in Routing through a new Netgate 6100:

it gets to the netgate at 192.168.100.101 but is then dropped

Is 192.168.100.101 the pfSense WAN ?
Does pfSense know what to do with this traffic ?

lowbug · Jan 30, 2025, 1:41 PM

@Gertjan Thanks 192.168.100.101 is the netgate lan address 10.209.209.121 is the netgate wan address

Gertjan · Jan 30, 2025, 1:47 PM

@lowbug

Humm. Ok, so pfSense should know what to do with it.
Only LAN firewall rules might stop traffic then.

lowbug · Jan 30, 2025, 2:22 PM

@Gertjan Ok I will recheck them now

lowbug · Jan 31, 2025, 9:44 AM

I have set a rule to allow anything from the network 172.16.14.0 /24 to any network but still, it doesn't work.

Gertjan · Jan 31, 2025, 10:26 AM

@lowbug

Before the rule you can see 'counters'.
Like these :

If it stays at 0/0, the rule wasn't used ... = no matching traffic.