Netgate Discussion Forum
    pfsense & nested router with NAT off, ping pfsense > laptop works, ping laptop > pfsense does not, echo request is received but not replied to

FlyingBean:

I have a Netgate 4200 with 25.07.1 and I want to drop another router (OpenWrt) behind it with its existing network setup without having to change much for now. I also want to get data usage statistics for all the machines inside there from my Netgate 4200, so I figured an easy way to do that would be to disable NAT and just let my Netgate 4200 see all the host IPs. On the pfsense box I set up a gateway and set the firewall rules to allow everything. On the test OpenWrt network I turned off its NAT and adjusted the firewall rules.

Here is my network setup:

      pfsense
      └── port2
          └── unmanaged_switch
             └── OpenWrt
                  └── laptop2
      

Here are two of the tests I ran that show the main problem:

| ping source > dest, response      | pfSense port1 WAN tcpdump | pfSense port2 tcpdump | OpenWrt tcpdump | laptop2 tcpdump |
|-----------------------------------|---------------------------|-----------------------|-----------------|-----------------|
| ping laptop2 > pfsense,           |                           | saw req               | saw req         | saw req         |
| ping pfsense > laptop2, got reply |                           | saw req & reply       | saw req & reply | saw req & reply |

      pfSense can ICMP echo request laptop2 and get a reply
      laptop2 can ICMP echo request pfSense, but pfSense never sends a reply

      All addresses are in private network ranges.

      Any ideas?

      edit: I should probably mention that if I ping from the openwrt or any other machine hanging off of port2 to pfsense I get a reply. So pfsense is replying to pings.

edit2.5: if I ping laptop2 > 8.8.8.8, pfSense port2 receives it, but it never goes through port1 WAN.

      edit3: yes and as Bob.Dig said, I set up a static route as well.

Bob.Dig (LAYER 8), replying to @FlyingBean:

        @FlyingBean said in pfsense & nested router with NAT off, ping pfsense > laptop works, ping laptop > pfsense does not, echo request is received but not replied to:

        On the pfsense box I set up a gateway

        And route.

FlyingBean:

Ok, so it is a pf rule. On the web interface under Firewall/Rules I have disabled all block/reject rules for all interfaces, and all interfaces except the WAN have a blanket IPv4 all-protocol pass. Not sure where this problem is coming from.

Status/System Logs/Firewall/Dynamic View
Clicking on the logged item gives this:
          @4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103

          I verified that line is in my pf ruleset with pfctl -sr

FlyingBean, replying to @FlyingBean:

Ok, got it: on the allow IPv4 rule it was set to allow from "port2 networks". My nested router's LAN isn't a port2 network, so it would never be passed by that rule and thus hit the default deny.

            Switched that to any source network as a test and it worked.
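The root cause in this thread is that a pfSense rule with source "port2 net" only matches the subnet directly attached to port2, not a routed subnet behind a nested router, so traffic from the OpenWrt LAN falls through to the default deny even though a static route exists. The following is an added example (not code from the thread, pfSense or OpenWrt) that models pf's rule evaluation for that situation: the default deny first without `quick`, then the user pass rule with `quick`, as pfSense generates them. The addresses, the rule labels and the simplification to source-address matching only are assumptions; the third ruleset shows the narrower alternative to "any", an alias that lists both the attached and the routed subnet.

```python
import ipaddress

# Constructed addressing (assumption: the thread names no addresses).
PORT2_NET = ipaddress.ip_network("192.168.2.0/24")      # directly attached to pfSense port2
OPENWRT_LAN = ipaddress.ip_network("192.168.10.0/24")   # LAN behind the nested OpenWrt router
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(action, iface, sources, quick, label):
    """One simplified pf filter rule: inbound on `iface`, matched on source address only."""
    return {"action": action, "iface": iface, "sources": list(sources),
            "quick": quick, "label": label}


def evaluate(rules, iface, src):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick',
    which ends evaluation immediately. Returns (action, label)."""
    src = ipaddress.ip_address(src)
    winner = None
    for r in rules:
        if r["iface"] not in ("any", iface):
            continue
        # ipaddress returns False for an address/network version mismatch, so
        # an IPv6 source never matches these IPv4 networks.
        if not any(src in net for net in r["sources"]):
            continue
        winner = r
        if r["quick"]:
            break
    if winner is None:
        return "block", "no rule matched"
    return winner["action"], winner["label"]


def port2_ruleset(allowed_sources):
    """pfSense places the default deny first without quick, so it only wins when no
    user rule matched; user rules are generated with quick."""
    return [
        rule("block", "any", [ANY], quick=False, label="Default deny rule IPv4"),
        rule("pass", "port2", allowed_sources, quick=True, label="allow IPv4 in on port2"),
    ]


def decide(allowed_sources, src):
    """Action taken for a packet arriving inbound on port2 from `src`."""
    return evaluate(port2_ruleset(allowed_sources), "port2", src)[0]


if __name__ == "__main__":
    laptop2 = "192.168.10.20"   # host behind OpenWrt (constructed)
    openwrt = "192.168.2.2"     # OpenWrt's upstream address on the port2 subnet (constructed)
    for name, sources in [("port2 net", [PORT2_NET]),
                          ("any", [ANY]),
                          ("alias of both subnets", [PORT2_NET, OPENWRT_LAN])]:
        print(f"source = {name}:")
        for host in (openwrt, laptop2, "10.0.0.5"):
            action, label = evaluate(port2_ruleset(sources), "port2", host)
            print(f"  {host:15} -> {action} ({label})")
```

With source "port2 net" the packet from laptop2 is blocked by the default deny (the thread's `@4 block drop in log inet all label "Default deny rule IPv4"`), while the OpenWrt router itself, which sits on the port2 subnet, is passed, matching the author's observation that pings from machines directly on port2 get replies. Both "any" and an alias containing the routed subnet pass laptop2; the alias keeps the rule from passing unrelated sources such as 10.0.0.5.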

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.