Routing issue between 2 LAN subnets



  • Hi,

    I'm hoping that someone can help me out.

    My 64.128.115.x hosts are unable to communicate with my 64.132.223.x hosts.  It appears the traffic is getting sent up to the WAN and being denied at the firewall.

    I've done this so far:

    1. Read the http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf document
                    2. Added: <shellcmd>ifconfig bge0 inet 64.128.115.242 netmask 255.255.255.0 alias</shellcmd>
                    3. Modified the rules to allow both subnets outgoing to allow
                    4. Modified the Default NAT Behavior to allow manual, and both subnets
                    5. Checked in Advanced Setup – "Bypass firewall rules for traffic on the same interface"
                    6. Checked "Disable reply-to on WAN rules"
                    7. Added two rules to the WAN that say if  64.132.223.x or 64.128.115.x then ALLOW

    Thanks for looking at this :)

    ------------
                |  GATEWAY  |
                |64.132.223.1 |
                |64.128.115.1 |
                --------------
                      |
                      |
                ---------------
                |CISCO SWITCH|
                |64.128.115.4  |
                ---------------
                      |
                      |

    PFSENSE FIREWALL
    64.132.223.4 WAN ADDRESS (BGE1)
    64.132.223.1 GATEWAY
    64.132.223.242 LAN ADDRESS (BGE0)
    64.128.115.242 LAN ADDRESS (ALIAS'D) (BGE0)

    |                      |
          |                      |
    --------------        --------------
    |    HOSTS    |      |    HOSTS    |
    | 64.132.223.x |      | 64.128.115.x |
    --------------        --------------

    Info:

    1.2.3-RELEASE
    built on Sun Dec 6 23:21:36 EST 2009

    WAN interface (bge1)
    Status up
    MAC address 00:18:71:e3:c4:f7
    IP address 64.132.223.4
    Subnet mask 255.0.0.0
    Gateway 64.132.223.1
    ISP DNS servers 64.132.223.195
    216.226.143.40

    Media 100baseTX <full-duplex>In/out packets 99700/113002 (17.35 MB/83.65 MB)
    In/out errors 0/0
    Collisions 0
    Bridge (bridge0) learning

    LAN interface (bge0)
    Status up
    MAC address 00:18:71:e3:c4:f6
    IP address 64.128.115.242
    Subnet mask 255.255.255.0
    Media 1000baseTX <full-duplex>In/out packets 112666/96377 (82.75 MB/16.91 MB)
    In/out errors 0/0
    Collisions 0
    Bridge (bridge0) learning</full-duplex></full-duplex>



  • Are your LAN subnet masks 255.255.255.0? If so, then they overlap with the WAN subnets and this will give you routing problems. If you have 2 public subnets, but not 2 static IP addresses outside these subnets then you should consider bridging LAN to WAN, or get a WAN IP address that is outside your subnet.

    The "Bypass firewall rules for traffic on the same interface" rule doesn't affect aliases, I believe, and you will have to add a rule to allow traffic from one subnet to the other on the same interface. It is strongly recommended to use vlans rather than an alias whenever possible.

    I'm wondering why you don't put the cisco switch on the LAN side and use vlans there, and an alias on the WAN, but I'm guessing it's because you want gigabit speeds from one subnet to the other and the switch is only 10/100. Note that your pfsense box will need something like 600MHz minimum in the CPU to exceed 100mbps throughput.



  • Clark,

    Yes, the net masks are set to 255.255.255.0.  I am also bridging the LAN to WAN, so that is already setup in the configuration.

    Where and what rules would I add to make it so that the subnets could talk?

    You are correct on the basis of why we were using the gigaswitches on the inside rather than the outside.
    I redrew the network diagram to include the switches, and the office network.

    • thanks!

    –----------
                |  GATEWAY    |
                |64.132.223.1 |
                |64.128.115.1 |
                --------------
                      |
                      |
                ---------------              ----------------------
                |CISCO SWITCH  |            | SMOOTHWALL                    |    --------------
                |64.128.115.4  |------------| PUBLIC 64.132.223.164|--- |192.168.1.x  |
                |                    |            | PRIVATE 192.168.1.x  |          |office net  |
                ---------------              ----------------------            ---------------
                      |
                      |

    PFSENSE FIREWALL
    64.132.223.4 WAN ADDRESS (BGE1)
    64.132.223.1 GATEWAY
    64.132.223.242 LAN ADDRESS (BGE0)
    64.128.115.242 LAN ADDRESS (ALIAS'D) (BGE0)

    |
                      |
              --------------------
              | HP PROCURVE      |
              | 64.128.115.162  |
              -------------------- 
                |                |
                |                |
    --------------        --------------
    |    HOSTS    |      |    HOSTS    |
    | 64.132.223.x |      | 64.128.115.x |
    --------------        --------------



  • @jaredcmh:

    Where and what rules would I add to make it so that the subnets could talk?

    To access LAN > alias, I believe you will just need firewall a rule like this on your LAN interface in the GUI:

    • LAN subnet * 64.128.115.1/24 * *

    The reverse rule, for alias subnet to LAN will have to be done in a shell, as the alias won't show up in your interfaces in the GUI. You'll have to check PF syntax for that, but it would be something similar to "pass in quick on vr0 from 64.128.115.1/24 to 64.132.223.1/24". Don't copy-paste that, I'm just pulling it out of my butt, and my butt doesn't do much work with pf in the shell.

    Once you figure out the syntax for adding that rule, you'll have to add it to your config file with the <shellcmd>tags (much like your ifconfig alias line) to get it to survive reboots.

    I think that should do it. Try and post back.</shellcmd>



  • @jaredcmh:

    I'm not having much luck on the following, I'm not sure how to technically pass this into the PF through the shellcmd.

    pass in quick on bge0 from 64.128.115.1/24 to 64.132.223.1/24

    First make a pass rule in the GUI to allow traffic from the LAN subnet to the alias subnet.

    Confirm that working, then go to http://pfsense/status.php. In there you will find the actual firewall rules. Copy the rule in question, paste it into Diagnostics>Command, reversing the source and destination subnets.

    Now you should have full access in both directions. If that works, doewnload your config file. Take the rule you just pasted into Diagnostics>Command, and paste it in with <shellcmd>tags right before the closing tag, something like this:

    <system>…
    ...
    <shellcmd>ifconfig bge 64.128.115.1 netmask 255.255.255.0 alias</shellcmd>
    <shellcmd>pass in quick on bge0 from 64.128.115.1/24 to 64.132.223.1/24</shellcmd></system>

    Be sure to check my syntax above. You will already know how to make an alias properly. Use the previous paragraph to confirm the proper structure of the pass rule.</shellcmd>



  • Unforunately that didn't work…

    I'm up for any other ideas :)

    Thanks,
    Jared



  • Which part didn't work? Let's break this down into a stepped summary.

    1a. Create an alias on the LAN interface in CLI
    1b. Put the shellcmd in the config file for persistency across reboots
    2. Create a rule in GUI to pass traffic from LAN to alias
    3a. Create a rule in CLI to pass traffic from alias to LAN
    3b. Put the shellcmd in the config file for persistency across reboots

    Steps 1b and 3b can be done together, but I've separated them out by function to help narrow down the problem here. Please test the functionality that should be provided by each step and explicitly state whether you have success or not, or if you're not sure. Then we can narrow down the problem and outline a solution.



  • Which part didn't work? Let's break this down into a stepped summary.

    Done. Okay 1a. Create an alias on the LAN interface in CLI
    Done. Okay 1b. Put the shellcmd in the config file for persistency across reboots
    Done. Okay 2. Create a rule in GUI to pass traffic from LAN to alias
    Done, but does not appear in pfctl -sr 3a. Create a rule in CLI to pass traffic from alias to LAN
    Done, but did not appear in pfctl -sr 3b. Put the shellcmd in the config file for persistency across reboots

    Also, I did the NAT stuff as described in the document too.

    • Jared

    Steps 1b and 3b can be done together, but I've separated them out by function to help narrow down the problem here. Please test the functionality that should be provided by each step and explicitly state whether you have success or not, or if you're not sure. Then we can narrow down the problem and outline a solution.



  • Ok. I've had a look at your status.php and I agree that the CLI firewall rules aren't sticking.

    After some thought, I believe you can create the needed rules in the GUI by simply reversing the destination and source networks. The interface will be the same. So try this:

    3. Create a rule in GUI on bge0 (LAN) to pass traffice from alias subnet (LAN2) to LAN subnet.

    Apply the change and see what that does.


Log in to reply