PfSense not routing traffic



  • Hello, for some reason I can't pass traffic between my LAN and WAN interfaces in either direction, no matter what I try. I have pfSense 1.0.1 embedded on a Soekris net4501. My config is attached. I have a computer with an IP of 192.168.1.2 attached to my LAN interface of 192.168.1.1. My WAN interface is a wireless card with an IP of 192.168.0.50 associated with a WEP protected network. My default gateway is another wireless router with an internal IP of 192.168.0.1 and a public external IP. I have placed a route in the default gateway router to route all 192.168.1.x traffic to 192.168.0.50. I have disabled "Block private networks" on my WAN interface, permitted all IP traffic from LAN to WAN as well as WAN to LAN, enabled "Advanced outbound NAT", and deleted all NAT rules.

    From the pfSense web interface I can ping the computer on my LAN interface and the default gateway on my WAN interface. From the computer on my LAN interface I can ping as far as my WAN interface at 192.168.0.50, but I can't ping the default gateway at 192.168.0.1. From the default gateway I can ping as far as my LAN interface at 192.168.1.1, but I can't ping the computer at 192.168.1.2. I've been beating on this for the last day but haven't figured out what the problem is. Does anyone have any suggestions?

    Thanks,
    -Bryan

    <pfsense><version>2.3</version>
    <lastchange><theme>pfsense</theme>
    <system><optimization>aggressive</optimization>
    <hostname>xxxx</hostname>
    <domain>xxxx</domain>
    <username>xxxx</username>
    <password>xxxx</password>
    <timezone>America/Los_Angeles</timezone>
    <time-update-interval><timeservers>pool.ntp.org</timeservers>
    <webgui><protocol>https</protocol>
    <port><certificate><private-key></private-key></certificate></port></webgui>
    <disablenatreflection>yes</disablenatreflection>
    <dnsserver>192.168.0.1</dnsserver>
    <dnsallowoverride>
    <maximumstates></maximumstates></dnsallowoverride></time-update-interval></system>
    <interfaces><lan><if>sis0</if>
    <ipaddr>192.168.1.1</ipaddr>
    <subnet>24</subnet>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
    <wan><if>wi0</if>
    <mtu><media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <spoofmac><wireless><standard>11b</standard>
    <mode>bss</mode>
    <protmode>off</protmode>
    <ssid>xxxx</ssid>
    <channel>0</channel>
    <authmode><txpower>99</txpower>
    <distance><wpa><macaddr_acl><auth_algs>1</auth_algs>
    <wpa_mode>1</wpa_mode>
    <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
    <wpa_pairwise>CCMP TKIP</wpa_pairwise>
    <wpa_group_rekey>60</wpa_group_rekey>
    <wpa_gmk_rekey>3600</wpa_gmk_rekey>
    <passphrase><ext_wpa_sw></ext_wpa_sw></passphrase></macaddr_acl></wpa>
    <wep><enable><key><value>0xxxxx</value></key></enable></wep></distance></authmode></wireless>
    <disableftpproxy><ipaddr>192.168.0.50</ipaddr>
    <subnet>24</subnet>
    <gateway>192.168.0.1</gateway></disableftpproxy></spoofmac></mediaopt></media></mtu></wan></interfaces>
    <staticroutes><pppoe><pptp><bigpond><dyndns><type>dyndns</type>
    <username><password></password></username></dyndns>
    <dhcpd><lan><enable><range><from>192.168.1.10</from>
    <to>192.168.1.245</to></range></enable></lan></dhcpd>
    <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
    <ovpn><dnsmasq><enable></enable></dnsmasq>
    <snmpd><syslocation><syscontact><rocommunity>xxxx</rocommunity></syscontact></syslocation></snmpd>
    <diag><ipv6nat></ipv6nat></diag>
    <bridge><syslog><nat><ipsecpassthru><advancedoutbound><enable></enable></advancedoutbound></ipsecpassthru></nat>
    <filter><rule><type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source>
    <network>lan</network>
    <destination><any></any></destination></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule></filter>
    <ipsec><preferredoldsa></preferredoldsa></ipsec>
    <aliases><proxyarp><wol><installedpackages><revision><description>/firewall_rules_edit.php made unknown change</description>
    <time>1162942292</time></revision></installedpackages></wol></proxyarp></aliases></syslog></bridge></ovpn></bigpond></pptp></pppoe></staticroutes></lastchange></pfsense>



  • Tracerouting from both directions might help to find out where it goes wrong. Also make sure all your clients behind LAN use the pfSense LAN IP as gateway.



  • Here's a traceroute from the computer on the LAN interface to the pfSense router's default gateway:

    traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 40 byte packets
    1  none (192.168.1.1)  1.312 ms  1.307 ms  1.223 ms
    2  none (192.168.1.1)  1.548 ms !H  1.831 ms !H  1.634 ms !H

    Here's a telnet from that same system to the web interface of the default gateway. This is another reason why I think it's a routing issue in the pfSense box:

    root@laptop:~# telnet 192.168.0.1 80
    Trying 192.168.0.1…
    telnet: Unable to connect to remote host: No route to host

    Here are the relevant states from the pfSense box for that connection attempt:

    tcp  192.168.1.2:50639 -> 192.168.0.1:80  SYN_SENT:CLOSED
    tcp 192.168.0.1:80 <- 192.168.1.2:50639 CLOSED:SYN_SENT

    Here are the routes from the pfSense box:

    default 192.168.0.1 UGS 0 98 1500 wi0
    127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
    192.168.0 link#1 UC 0 0 1500 wi0
    192.168.0.1 00:0f:66:47:66:2b UHLW 2 32 1500 wi0 1170
    192.168.1 link#2 UC 0 0 1500 sis0
    192.168.1.2 00:00:86:46:66:c4 UHLW 1 2982 1500 sis0 984

    Here's a traceroute from a system on the WAN interface to the computer on the LAN interface:
    bob:~ bob$ traceroute -n 192.168.1.2
    traceroute to 192.168.1.2 (192.168.1.2), 64 hops max, 40 byte packets
    1  192.168.0.50  6.358 ms  7.898 ms  7.317 ms
    2  * * *
    3  * * *^C

    It's almost as if pfSense is ignoring the routes for the directly attached networks. It will route packets from one side to the other, but only to its interface, not any other hosts.
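    The post above reads two things off the firewall: the routing table (which says 192.168.0.1 is on-link via wi0 and 192.168.1.2 is on-link via sis0) and a pf state pair stuck at SYN_SENT:CLOSED. The script below is an added example and not part of the thread or of pfSense; it takes those two pastes as constructed sample input, performs the same longest-prefix lookup the FreeBSD kernel would, and flags states whose SYN never got an answer. Put together, they show why the poster concludes the table is not the problem: the lookup picks a directly attached interface for every destination involved, so a `!H` (host unreachable) coming back from 192.168.1.1 must be generated after route selection, in the forwarding or filtering path. The field layout assumed for the state lines is the one shown in the post (proto, endpoint, arrow, endpoint, state pair).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample input: the routing table and pf states pasted in the post above.
ROUTE_TABLE = """\
default 192.168.0.1 UGS 0 98 1500 wi0
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
192.168.0 link#1 UC 0 0 1500 wi0
192.168.0.1 00:0f:66:47:66:2b UHLW 2 32 1500 wi0 1170
192.168.1 link#2 UC 0 0 1500 sis0
192.168.1.2 00:00:86:46:66:c4 UHLW 1 2982 1500 sis0 984
"""

STATE_TABLE = """\
tcp  192.168.1.2:50639 -> 192.168.0.1:80  SYN_SENT:CLOSED
tcp 192.168.0.1:80 <- 192.168.1.2:50639 CLOSED:SYN_SENT
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop IP, a MAC (cloned ARP entry) or "link#N" for an attached net
    flags: str
    iface: str


def _to_network(dest: str) -> ipaddress.IPv4Network:
    """netstat -rn abbreviates network routes: '192.168.0' means 192.168.0.0/24."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    octets = dest.split(".")
    if len(octets) == 4:
        return ipaddress.IPv4Network(f"{dest}/32")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")


def parse_routes(text: str) -> list[Route]:
    """Parse the destination, gateway, flags and interface columns of netstat -rn output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7:
            routes.append(Route(_to_network(f[0]), f[1], f[2], f[6]))
    return routes


def next_hop(routes: list[Route], dst: str) -> tuple[str, str] | None:
    """Longest-prefix match, as the FreeBSD kernel does. Returns (interface, gateway);
    gateway is "direct" when the route carries no G flag, i.e. the host is on-link."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.network.prefixlen)
    return best.iface, (best.gateway if "G" in best.flags else "direct")


def parse_states(text: str) -> list[dict]:
    """Parse pf state lines into initiator-oriented records. A '<-' line lists the
    responder first, so both the endpoints and the state pair are swapped back."""
    states = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        proto, left, arrow, right, pair = f
        lstate, rstate = pair.split(":")
        if arrow == "->":
            src, dst, sstate, dstate = left, right, lstate, rstate
        else:
            src, dst, sstate, dstate = right, left, rstate, lstate
        states.append({"proto": proto, "src": src, "dst": dst,
                       "src_state": sstate, "dst_state": dstate})
    return states


def half_open(states: list[dict]) -> list[tuple[str, str]]:
    """Flows whose SYN the firewall recorded but that never saw a reply: the
    signature of a packet dropped at, or unreachable beyond, the firewall."""
    seen: list[tuple[str, str]] = []
    for s in states:
        if s["src_state"] == "SYN_SENT" and s["dst_state"] == "CLOSED":
            key = (s["src"], s["dst"])
            if key not in seen:
                seen.append(key)
    return seen


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for target in ("192.168.0.1", "192.168.1.2", "8.8.8.8"):
        print(target, "->", next_hop(routes, target))
    print("half-open:", half_open(parse_states(STATE_TABLE)))
```

Running it reports wi0/direct for 192.168.0.1, sis0/direct for 192.168.1.2 and wi0 via 192.168.0.1 for anything else, plus a single half-open flow 192.168.1.2:50639 -> 192.168.0.1:80. The same two parsers can be pointed at a live `netstat -rn` and `pfctl -ss` dump when the symptom is "ping reaches the firewall but nothing behind it".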



  • Check Interfaces -> WAN -> and ensure that the "Block private networks" option is disabled.



  • Yup, I mentioned that I checked that earlier. Thanks though.



  • Your config.xml is hard to read; please add it as an attachment next time or use the "code" option to display it correctly.

    Does it work if you disable advanced outbound NAT again? (going from a LAN client at pfSense to the webgui of the gateway at WAN)
    Also make sure the webgui of the gateway router allows administration from subnets other than its own LAN.
    Also check your client's routing. Your telnet displays a "no route to host".



  • Sorry!  PEBKAC error at my end :-)



  • Sorry, I tried attaching it as a file but it said I could only upload various picture formats and I didn't know about the code option. Do you want me to repost it now or just do it next time?

    I disabled advanced outbound NAT but that didn't help. Same story, but now in the state table the pfSense WAN IP is shown in the middle of the line as the traffic is NATed to it.

    I did a tcpdump and saw that the no route error from the telnet is because the WAN IP of pfSense is sending an ICMP unreachable to the LAN host. For some reason pfSense really does not want to route between subnets.

    I checked that the webgui of the gateway router allows traffic from all local subnets and also tried connecting to a webserver on pfSense's WAN subnet but no luck.



  • Well, I'm running out of ideas…  :-\



  • Should I post this to the mailing list to see if anyone there has ideas? The website says not to crosspost so I don't want any bad mojo…



  • Please don't. A lot of people are active at the mailing list and the forum as well, and this always means reading things twice. Be sure that at least all the devs have read your problem here.

    Btw, one last thing to try:

    • Reset to factory defaults
    • only configure the wireless WAN interface (make sure to disable block private subnets), keep all the rest at default values
    • test from a client behind your pfSense's LAN to go to an IP at WAN (as it does NAT in the default config, no routing is needed)

    If this doesn't work something must be seriously broken.



  • I'll try that when I get home tonight.

    I noticed on the serial console I'm getting an error on startup:
    "route: writing to routing socket: No such process"
    Maybe that has something to do with why it's not routing? Although the routing tables look ok, so maybe not.



  • Bad news, resetting to factory defaults did not work, neither did re-flashing the CF card with a fresh image. I installed the latest version of m0n0wall and everything worked perfectly, both with and without NAT. I really like all the extra features in pfSense, so if you have any other suggestions I would appreciate them. If not I may have to settle for m0n0wall.



  • any updates on this one?

    I am seeing the same issue on a Soekris net4801 platform using fresh installs of two different releases:
    http://system42.net/pfsense/downloads/pfSense-1.0.1-Embedded.img.gz

    and

    http://www.pfsense.com/old/pfSense-1.0-RC1a-Embedded.img.gz

    After copying one of these images to a new CF card using physdiskwrite and booting the image on a net4801, from the main menu I select option 1 to assign interfaces, assign sis0 to be the LAN interface, assign sis1 to be the WAN interface, and then get this:

    The interfaces will be assigned as follows:

    LAN  -> sis0
    WAN  -> sis1

    Do you want to proceed [y|n]?y

    One moment while we reload the settings…killall: warning: kill -TERM 638: No such process
    done!
    route: writing to routing socket: No such process



  • Nope, sorry. But I'm glad to hear I'm not crazy, and this is happening to other people. m0n0wall, which pfSense is based on, worked perfectly for me. Maybe we should open a bug report?



  • It is not a bug.  Do not open a ticket.  Work with someone to get your misconfiguration fixed.



  • Scott, unfortunately no one has been able to help us. Even with a fresh install and only changing the config to set the wireless card as the WAN interface we're still hosed. I have no idea why, as everything looks ok, minus the route socket error on the console. Have you seen that error in the past and do you know why it might occur?
    Thanks,
    Bryan



  • It means you do not have a default route.



  • Very strange. I get the message even though I have a default route, as shown earlier in the email string:

    default    192.168.0.1    UGS    0    98    1500    wi0



  • Hi,

    I also have a problem with the routing: my WAN interface has 212.21.69.97 and the default gateway IP is 192.168.23.8.
    I can ping the default gw very well, but I don't get traffic over the gateway unless I set up a static route, for example to the DNS server.
    Then I can ping the DNS server but nothing more around the world.

    I have worked 5 years with FreeBSD and pf and hfsc … and I don't understand it. The routing table looks ok but pfSense doesn't do it. ???

    Maybe someone has the same problem and knows a workaround.

    Nice day for all ...
    merl

