Basic (hopefully) Routing Question



  • Hello Everyone,

    I'm trying to move from Smoothwall Corporate edition to pfSense. Unfortunately I'm running into a problem with some subnets that are connected by routers to the LAN network served by the pfSense LAN interface.

    Machines directly connected to the LAN network (workstations, routers, etc.) are able to talk to the OPT1 (DMZ for us) and out through the WAN areas. Subnets served by routers connected to the LAN network cannot talk to either OPT1 (DMZ) or WAN areas.

    I thought I had set up rules that allowed the traffic, but apparently I hadn't. Is there something obvious I need to check?

    Thanks!
    ![Network Drawing.jpg](/public/imported_attachments/1/Network Drawing.jpg)



  • Is it safe to assume that the 3 internal routers have WAN IPs in the 10.3.x.x range and their gateways are set for the pfSense box?

    In other words, more specifics on the IPs in use would be helpful.

    w



  • I assume your routers behind the pfSense don't do any NAT.
    Did you create static routes for the subnets behind the routers pointing to their respective IP on the 10.3 subnet?



  • @GruensFroeschli:

    I assume your routers behind the pfSense don't do any NAT.
    Did you create static routes for the subnets behind the routers pointing to their respective IP on the 10.3 subnet?

    Yes and I'm able to ping machines in those subnets from the pfSense diagnostics.



  • @dubya:

    Is it safe to assume that the 3 internal routers have WAN IPs in the 10.3.x.x range and their gateways are set for the pfSense box?

    In other words, more specifics on the IPs in use would be helpful.

    w

    The 3 internal routers have LAN IPs in the 10.3.X.X range and do have the pfSense box as their gateway.



  • I've never used a router with no NAT  :-\ so I guess that makes me useless.

    So just looking at one subnet, 10.10.x.x: let's say the router's LAN is 10.10.0.1 and its WAN is 10.3.0.101.

    You have a static route for 10.10.x.x pointing to 10.3.0.101 and can ping a PC (say 10.10.1.50) from pfSense, so you know that basic routing is working.

    So then you would still need some firewall rules.

    Question though: do you need both of these for 10.10 pings to go out and back from the DMZ? Or is the second one only needed to ping from the DMZ?

    Lan Rule:  proto icmp from 10.10.0.0/16 to 192.168.1.0/24
    and
    DMZ Rule:  proto icmp from 192.168.1.0/24 to 10.10.0.0/16

    Sadly I spent a fair amount of time using ping for testing while my rules were set for TCP  :-[
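To make the rule discussion above concrete, here is an added example (not code from the thread or from pfSense) that simulates a stateful filter with the two rules suggested in the last post: the LAN rule alone passes a ping from the routed 10.10 subnet and its reply, the DMZ rule is only needed for a ping started from the DMZ, and a rule whose source is just the directly attached 10.3.0.0/16 never matches a 10.10 host. The addresses 10.10.1.50, 10.10.1.20 and 192.168.1.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the packet arrives on
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class StatefulFilter:
    rules: list
    states: set = field(default_factory=set)   # established flows

    def check(self, iface, proto, src, dst):
        """Return the filter verdict for a packet arriving on iface."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Return traffic of an established flow passes on state alone,
        # whatever the rules on the interface it comes back in on say.
        # (Real pf also keys ICMP state on the echo identifier.)
        if (proto, frozenset((s, d))) in self.states:
            return "pass (state)"
        for r in self.rules:
            if r.iface == iface and r.proto == proto and s in r.src and d in r.dst:
                self.states.add((proto, frozenset((s, d))))
                return "pass (rule)"
        return "block (default deny)"

def net(cidr):
    return ipaddress.ip_network(cidr)

# The two rules from the post above.
LAN_RULE = Rule("lan", "icmp", net("10.10.0.0/16"), net("192.168.1.0/24"))
DMZ_RULE = Rule("dmz", "icmp", net("192.168.1.0/24"), net("10.10.0.0/16"))

def ping_from_routed_subnet(rules):
    """Echo request from 10.10.1.50 to a DMZ host, then the reply coming back."""
    fw = StatefulFilter(list(rules))
    return (fw.check("lan", "icmp", "10.10.1.50", "192.168.1.10"),
            fw.check("dmz", "icmp", "192.168.1.10", "10.10.1.50"))

def ping_from_dmz(rules):
    """Echo request initiated by a DMZ host towards 10.10.1.20 (new flow)."""
    fw = StatefulFilter(list(rules))
    return fw.check("dmz", "icmp", "192.168.1.10", "10.10.1.20")

def ping_with_lan_net_rule():
    """Rule written for the directly attached 10.3.0.0/16 only (constructed case)."""
    fw = StatefulFilter([Rule("lan", "icmp", net("10.3.0.0/16"), net("192.168.1.0/24"))])
    return fw.check("lan", "icmp", "10.10.1.50", "192.168.1.10")
```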

