Netgate Discussion Forum
    PfSense not routing traffic

Routing and Multi WAN
20 Posts, 6 Posters, 14.2k Views
bryanz wrote:

      Hello, for some reason I can't pass traffic between my LAN and WAN interfaces in either direction, no matter what I try. I have pfSense 1.0.1 embedded on a Soekris net4501. My config is attached. I have a computer with an IP of 192.168.1.2 attached to my LAN interface of 192.168.1.1. My WAN interface is a wireless card with an IP of 192.168.0.50 associated with a WEP protected network. My default gateway is another wireless router with an internal IP of 192.168.0.1 and a public external IP. I have placed a route in the default gateway router to route all 192.168.1.x traffic to 192.168.0.50. I have disabled "Block private networks" on my WAN interface, permitted all IP traffic from LAN to WAN as well as WAN to LAN, enabled "Advanced outbound NAT", and deleted all NAT rules.

      From the pfSense web interface I can ping the computer on my LAN interface and the default gateway on my WAN interface. From the computer on my LAN interface I can ping as far as my WAN interface at 192.168.0.50, but I can't ping the default gateway at 192.168.0.1. From the default gateway I can ping as far as my LAN interface at 192.168.1.1, but I can't ping the computer at 192.168.1.2. I've been beating on this for the last day but haven't figured out what the problem is. Does anyone have any suggestions?

      Thanks,
      -Bryan

```xml
<pfsense>
  <version>2.3</version>
  <lastchange/>
  <theme>pfsense</theme>
  <system>
    <optimization>aggressive</optimization>
    <hostname>xxxx</hostname>
    <domain>xxxx</domain>
    <username>xxxx</username>
    <password>xxxx</password>
    <timezone>America/Los_Angeles</timezone>
    <time-update-interval/>
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <port/>
      <certificate/>
      <private-key/>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <dnsserver>192.168.0.1</dnsserver>
    <dnsallowoverride/>
    <maximumstates/>
  </system>
  <interfaces>
    <lan>
      <if>sis0</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <media/>
      <mediaopt/>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
    </lan>
    <wan>
      <if>wi0</if>
      <mtu/>
      <media/>
      <mediaopt/>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
      <spoofmac/>
      <wireless>
        <standard>11b</standard>
        <mode>bss</mode>
        <protmode>off</protmode>
        <ssid>xxxx</ssid>
        <channel>0</channel>
        <authmode/>
        <txpower>99</txpower>
        <distance/>
        <wpa>
          <macaddr_acl/>
          <auth_algs>1</auth_algs>
          <wpa_mode>1</wpa_mode>
          <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
          <wpa_pairwise>CCMP TKIP</wpa_pairwise>
          <wpa_group_rekey>60</wpa_group_rekey>
          <wpa_gmk_rekey>3600</wpa_gmk_rekey>
          <passphrase/>
          <ext_wpa_sw/>
        </wpa>
        <wep>
          <enable/>
          <key><value>0xxxxx</value></key>
        </wep>
      </wireless>
      <disableftpproxy/>
      <ipaddr>192.168.0.50</ipaddr>
      <subnet>24</subnet>
      <gateway>192.168.0.1</gateway>
    </wan>
  </interfaces>
  <staticroutes/>
  <pppoe/>
  <pptp/>
  <bigpond/>
  <dyndns>
    <type>dyndns</type>
    <username/>
    <password/>
  </dyndns>
  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>192.168.1.10</from>
        <to>192.168.1.245</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
  </pptpd>
  <ovpn/>
  <dnsmasq><enable/></dnsmasq>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>xxxx</rocommunity>
  </snmpd>
  <diag><ipv6nat/></diag>
  <bridge/>
  <syslog/>
  <nat>
    <ipsecpassthru/>
    <advancedoutbound><enable/></advancedoutbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source><any/></source>
      <destination><any/></destination>
    </rule>
  </filter>
  <ipsec><preferredoldsa/></ipsec>
  <aliases/>
  <proxyarp/>
  <wol/>
  <installedpackages/>
  <revision>
    <description>/firewall_rules_edit.php made unknown change</description>
    <time>1162942292</time>
  </revision>
</pfsense>
```

hoba wrote:

        Tracerouting from both directions might help to find out where it goes wrong. Also make sure all your clients behind LAN use the pfSense LAN IP as gateway.

bryanz wrote:

          Here's a traceroute from the computer on the LAN interface to the pfSense router's default gateway:

```text
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 40 byte packets
 1  none (192.168.1.1)  1.312 ms  1.307 ms  1.223 ms
 2  none (192.168.1.1)  1.548 ms !H  1.831 ms !H  1.634 ms !H
```

          Here's a telnet from that same system to the web interface of the default gateway. This is another reason why I think it's a routing issue in the pfSense box:

```text
root@laptop:~# telnet 192.168.0.1 80
Trying 192.168.0.1...
telnet: Unable to connect to remote host: No route to host
```

          Here are the relevant states from the pfSense box for that connection attempt:

```text
tcp  192.168.1.2:50639 -> 192.168.0.1:80      SYN_SENT:CLOSED
tcp  192.168.0.1:80    <- 192.168.1.2:50639   CLOSED:SYN_SENT
```

          Here are the routes from the pfSense box:

```text
default       192.168.0.1        UGS     0     98   1500  wi0
127.0.0.1     127.0.0.1          UH      0      0  16384  lo0
192.168.0     link#1             UC      0      0   1500  wi0
192.168.0.1   00:0f:66:47:66:2b  UHLW    2     32   1500  wi0   1170
192.168.1     link#2             UC      0      0   1500  sis0
192.168.1.2   00:00:86:46:66:c4  UHLW    1   2982   1500  sis0   984
```

Here's a traceroute from a system on the WAN interface to the computer on the LAN interface:

```text
bob:~ bob$ traceroute -n 192.168.1.2
traceroute to 192.168.1.2 (192.168.1.2), 64 hops max, 40 byte packets
 1  192.168.0.50  6.358 ms  7.898 ms  7.317 ms
 2  * * *
 3  * * *^C
```

          It's almost as if pfSense is ignoring the routes for the directly attached networks. It will route packets from one side to the other, but only to its interface, not any other hosts.

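Added example (mine, not code from the thread or from pfSense): a small Python script that parses the netstat -rn and pf state lines bryanz posted above, runs the same longest-prefix lookup the kernel FIB does, and flags the half-open states. It shows that the table resolves both 192.168.0.1 and 192.168.1.2 to on-link routes on wi0 and sis0, so the !H replies are not explained by a missing route; the 203.0.113.10 destination is a constructed off-net address used only to show the default-route fallback.

```python
import ipaddress

# Constructed copy of the netstat -rn lines posted above (forum collapsed the
# whitespace): Destination Gateway Flags Refs Use Mtu Netif [Expire]
ROUTES = """\
default 192.168.0.1 UGS 0 98 1500 wi0
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
192.168.0 link#1 UC 0 0 1500 wi0
192.168.0.1 00:0f:66:47:66:2b UHLW 2 32 1500 wi0 1170
192.168.1 link#2 UC 0 0 1500 sis0
192.168.1.2 00:00:86:46:66:c4 UHLW 1 2982 1500 sis0 984
"""

# Constructed copy of the two pf state entries from the same post.
STATES = [
    "tcp  192.168.1.2:50639 -> 192.168.0.1:80  SYN_SENT:CLOSED",
    "tcp 192.168.0.1:80 <- 192.168.1.2:50639 CLOSED:SYN_SENT",
]

def parse_dest(dest):
    """BSD netstat abbreviates classful networks: '192.168.0' means 192.168.0.0/24."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    prefix = 8 * len(octets)  # 4 octets -> /32 host route, 3 -> /24, ...
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{prefix}", strict=False)

def parse_routes(text):
    rows = [line.split() for line in text.splitlines()]
    return [{"net": parse_dest(f[0]), "gw": f[1], "flags": f[2], "netif": f[6]}
            for f in rows if len(f) >= 7]

def lookup(table, dst):
    """Longest-prefix match, the same decision the kernel FIB makes for a packet."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)
    if best is None:
        return None
    # No 'G' flag: the destination is on-link (UC network route or cloned UHLW
    # ARP entry), so an ICMP !H from pfSense is not a missing-route problem.
    via = "gateway " + best["gw"] if "G" in best["flags"] else "on-link"
    return {"netif": best["netif"], "via": via, "prefixlen": best["net"].prefixlen}

def half_open(states):
    """States stuck in SYN_SENT:CLOSED: pf saw the SYN but never a SYN-ACK."""
    return [s for s in states if "SYN_SENT:CLOSED" in s or "CLOSED:SYN_SENT" in s]

if __name__ == "__main__":
    fib = parse_routes(ROUTES)
    for dst in ("192.168.0.1", "192.168.1.2", "203.0.113.10"):  # last is constructed
        print(dst, lookup(fib, dst))
    print(len(half_open(STATES)), "half-open state(s)")
```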
rsubr wrote:

            Check Interfaces -> WAN -> and ensure that the "Block private networks" option is disabled.

bryanz wrote:

              Yup, I mentioned that I checked that earlier. Thanks though.

hoba wrote:

                Your config.xml is hard to read, please add it as attachment next time or use the "code" option to display it correctly.

                Does it work if you disable advanced outbound NAT again? (going from LAN-client at pfSense to the webgui of the gateway at WAN)
Also make sure the webgui of the gateway router allows administration from subnets other than its own LAN.
                Also check your clients routing. Your telnet displays a "no route to host".

rsubr wrote:

Sorry! PEBKAC error at my end :-)

bryanz wrote:

                    Sorry, I tried attaching it as a file but it said I could only upload various picture formats and I didn't know about the code option. Do you want me to repost it now or just do it next time?

                    I disabled advanced outbound NAT but that didn't help. Same story, but now in the state table the pfSense WAN IP is shown in the middle of the line as the traffic is NATed to it.

                    I did a tcpdump and saw that the no route error from the telnet is because the WAN IP of pfSense is sending an ICMP unreachable to the LAN host. For some reason pfSense really does not want to route between subnets.

                    I checked that the webgui of the gateway router allows traffic from all local subnets and also tried connecting to a webserver on pfSense's WAN subnet but no luck.

hoba wrote:

                      Well, I'm running out of ideas…  :-\

bryanz wrote:

                        Should I post this to the mailing list to see if anyone there has ideas? The website says not to crosspost so I don't want any bad mojo…

hoba wrote:

Please don't. A lot of people are active on the mailing list and the forum as well, and this always means reading things twice. Be sure that at least all the devs have read your problem here.

                          Btw, one last thing to try:

                          • Reset to factory defaults
                          • only configure the wireless WAN interface (make sure to disable block private subnets), keep all the rest at default values
• test from a client behind your pfSense's LAN to go to an IP at WAN (as it does NAT in the default config, no routing is needed)

                          If this doesn't work something must be seriously broken.

bryanz wrote:

                            I'll try that when I get home tonight.

                            I noticed on the serial console I'm getting an error on startup:
                            "route: writing to routing socket: No such process"
                            Maybe that has something to do with why it's not routing? Although the routing tables look ok, so maybe not.

bryanz wrote:

                              Bad news, resetting to factory defaults did not work, neither did re-flashing the CF card with a fresh image. I installed the latest version of m0n0wall and everything worked perfectly, both with and without NAT. I really like all the extra features in pfSense, so if you have any other suggestions I would appreciate them. If not I may have to settle for m0n0wall.

wdp wrote:

                                any updates on this one?

I am seeing the same issue on a Soekris net4801 platform using fresh installs of two different releases:

http://system42.net/pfsense/downloads/pfSense-1.0.1-Embedded.img.gz

and

http://www.pfsense.com/old/pfSense-1.0-RC1a-Embedded.img.gz

After copying one of these images to a new CF card using physdiskwrite and booting the image on a net4801, from the main menu I select option 1 to assign interfaces, assign sis0 to be the LAN interface, assign sis1 to be the WAN interface, and then get this:

```text
The interfaces will be assigned as follows:

LAN  -> sis0
WAN  -> sis1

Do you want to proceed [y|n]?y

One moment while we reload the settings...killall: warning: kill -TERM 638: No such process
done!
route: writing to routing socket: No such process
```

bryanz wrote:

Nope, sorry. But I'm glad to hear I'm not crazy, and this is happening to other people. m0n0wall, which pfSense is based on, worked perfectly for me. Maybe we should open a bug report?

sullrich wrote:

                                    It is not a bug.  Do not open a ticket.  Work with someone to get your misconfiguration fixed.

bryanz wrote:

                                      Scott, unfortunately no one has been able to help us. Even with a fresh install and only changing the config to set the wireless card as the WAN interface we're still hosed. I have no idea why, as everything looks ok, minus the route socket error on the console. Have you seen that error in the past and do you know why it might occur?
                                      Thanks,
                                      Bryan

sullrich wrote:

                                        It means you do not have a default route.

bryanz wrote:

                                          Very strange. I get the message even though I have a default route, as shown earlier in the email string:

```text
default    192.168.0.1    UGS    0    98    1500    wi0
```

Merl wrote:

                                            hi,

I also have a problem with the routing: my WAN interface has 212.21.69.97 and the default gateway IP is 192.168.23.8.
I can ping the default gateway very well, but I don't get traffic over the gateway, only if I set up a static route, for example to the DNS server.
Then I can ping the DNS server but nothing more around the world.

I have worked 5 years with FreeBSD and pf and HFSC ... and I don't understand it. The routing table looks OK but pfSense doesn't do it. ???

Maybe someone has the same problem and knows a workaround.

                                            nice day for all ...
                                            merl

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.