[RESOLVED] VLAN network on LAN cannot access DMZ network; routes out WAN instead



  • Our wireless network accesses the DMZ through the LAN port on the firewall. For some reason though we cannot access the DMZ from the wireless network. Instead, it is just routed out the WAN. What am I missing?! LAN works fine to DMZ.



  • I can't figure it out….

    Here's how our network is set up:

    [10.1.15.0/24]                                   [192.168.50.0/24]
    |LAN Network|                                     |DMZ Network|
            |                                                       |
            |                                                       |
    |Cisco Router|-----------|LAN|------------[pfSense]---------|WAN1|
            |                      [10.1.15.10]                |
            |                                                       |         ------|WAN2|
    |Wireless Network|                                 |Guest LAN|
    [192.168.7.0/24]                                [172.16.30.0/24]


  • Rebel Alliance Developer Netgate

    A lot more information would be needed in order to guess what might be going on here.

    • Interface assignments/VLAN setup
    • If any interfaces are bridged
    • What firewall rules you have on LAN (screenshot is preferable)


  • We do not have any VLANs on the pfSense box. Only VLAN is the Wireless network.

    No interfaces are bridged.

    We have a rule that allows both the Wired LAN and Wireless LAN networks full access to the DMZ:


  • Rebel Alliance Developer Netgate

    So then how does the 192.168.7.x network talk to pfSense? Does it get NAT'd into 10.1.15.0/24 somehow?



  • The 192.168.7.X network has a router that routes data to the pfSense box as its default route. It is the same router for the 10.1.15.X network.


  • Rebel Alliance Developer Netgate

    Then you probably need to switch to manual outbound NAT and add a rule that includes the .7.x subnet.

    And/Or add a static route to the 192.168.7.x subnet via its gateway on the 10.1.15.x subnet.



  • The 192.168.7.X network can get out to the internet (WAN1 or WAN2), just not the DMZ. So, it shouldn't be a routing issue as it's getting to the pfSense box. Also, that should mean the NAT setup is fine.

    I do, however, have a static route on the pfSense box for 192.168.0.0/16 to the Cisco Router. This is for all of our VoIP traffic… would that override pfSense's routing to the DMZ network it's attached to?


  • Rebel Alliance Developer Netgate

    Ah, got the DMZ bit confused in my head for some reason (following too many threads will do that…)

    If you have a route to the Cisco that overlaps the DMZ, it could definitely cause some issues.



  • Ok, so I removed the "192.168.0.0/16 > Cisco Router" route and the LAN traffic heading to the DMZ started getting routed out the WAN….



  • Yeah, something is buggy in pfSense.

    If I remove all my 192.168.X.X routes, the traffic goes out the WAN. If I add them back in, the way it was when at least the LAN could get to the DMZ, I have to reboot the pfSense box to get it to work again… resetting the states doesn't fix it.

    So, why does pfSense need a route to tell it how to get to a directly attached network (DMZ)? Not only that, but it's a route telling it to point to a different router to get to it…


  • Rebel Alliance Developer Netgate

    It doesn't need any routes for directly connected networks, as long as pfSense knows they are directly connected (e.g. it has an IP in their subnet).

    There must be something else you have misconfigured along the way to make it misbehave this way.



  • Any ideas? NAT is not involved and we have the 192.168.0.0/16 network allowed on the LAN interface per the firewall rule pictured above.

    We could probably break down the 192.168.0.0/16 route into specific routes, but as soon as we removed it, we lost access to the DMZ network from the 10.1.15.X/24 LAN….


  • Rebel Alliance Developer Netgate

    Well at the very least, you should only specify the subnets you are using exactly, and not the more general /16 since that overlaps subnets on two different legs of your network.



  • I don't understand why pfSense allows the routing table to override what it knows to be directly connected.



  • Wow, it's fixed… it was a rule on the LAN. I have a rule that specifies the gateway to WAN1 for a few users. That rule was above the DMZ rule pictured above. I moved it directly below and it works now. So firewall rules override static routes. Good to know.

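The two mechanisms this thread turns on, modelled as an added example (this is not code from the thread or from pfSense itself): a longest-prefix route lookup, which shows why a 192.168.0.0/16 static route cannot beat a directly connected 192.168.50.0/24, and a first-match rule evaluator in which a rule with a gateway set (pfSense policy routing) sends the connection to that gateway without ever consulting the routing table. The rule sets reproduce the ordering before and after the fix in the last post, plus a small lint that flags directly connected networks a policy-routing rule would catch. The Cisco gateway address 10.1.15.1, the two "few users" hosts, and the catch-all LAN rule are assumptions, not values from the thread.

```python
import ipaddress

# Constructed model of the topology in this thread; not pfSense's own data structures.
# Route entries: (prefix, next hop, egress interface). "connected" = directly attached.
ROUTES = [
    ("10.1.15.0/24",    "connected", "LAN"),
    ("192.168.50.0/24", "connected", "DMZ"),
    ("172.16.30.0/24",  "connected", "GUEST"),
    ("192.168.0.0/16",  "10.1.15.1", "LAN"),   # static route to the Cisco; gateway IP is assumed
    ("0.0.0.0/0",       "wan1-gw",   "WAN1"),  # default route
]

# Constructed LAN rule set, evaluated top to bottom, first match wins.
# "gateway": None means no policy routing, so the routing table decides the exit.
# Gateway names double as interface names here to keep the model small.
POLICY_USERS = ["10.1.15.20", "10.1.15.21"]   # the "few users" pinned to WAN1; addresses assumed
RULE_WAN1 = {"src": POLICY_USERS, "dst": ["0.0.0.0/0"], "gateway": "WAN1"}
RULE_DMZ = {"src": ["10.1.15.0/24", "192.168.7.0/24"], "dst": ["192.168.0.0/16"], "gateway": None}
RULE_ANY = {"src": ["10.1.15.0/24", "192.168.7.0/24"], "dst": ["0.0.0.0/0"], "gateway": None}
RULES_BROKEN = [RULE_WAN1, RULE_DMZ, RULE_ANY]   # order before the fix in the thread
RULES_FIXED = [RULE_DMZ, RULE_WAN1, RULE_ANY]    # order after moving the WAN1 rule below


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the routing table; returns (next_hop, interface)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def _matches(addr, specs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in specs)


def egress(src, dst, rules, routes=ROUTES):
    """Return (index of the matching rule, exit interface) for a new connection.
    A rule with a gateway set sends the packet to that gateway without consulting
    the routing table at all; (None, None) means no rule passed it."""
    for i, rule in enumerate(rules):
        if _matches(src, rule["src"]) and _matches(dst, rule["dst"]):
            if rule["gateway"] is not None:
                return i, rule["gateway"]
            return i, route_lookup(dst, routes)[1]
    return None, None


def local_nets_caught_by_policy_routes(rules, routes=ROUTES):
    """Lint: list (network, gateway) for every directly connected network that a
    policy-routing rule would push out a gateway before any plain rule above it
    could hand that destination to the routing table."""
    connected = [ipaddress.ip_network(p) for p, nh, _ in routes if nh == "connected"]
    covered_above = []   # destinations already handled by non-policy rules higher up
    caught = []
    for rule in rules:
        dsts = [ipaddress.ip_network(d, strict=False) for d in rule["dst"]]
        if rule["gateway"] is None:
            covered_above.extend(dsts)
            continue
        srcs = [ipaddress.ip_network(s, strict=False) for s in rule["src"]]
        for net in connected:
            if all(s.subnet_of(net) for s in srcs):
                continue   # traffic inside the rule's own segment never transits the firewall
            if any(net.overlaps(d) for d in dsts) and not any(net.subnet_of(c) for c in covered_above):
                caught.append((str(net), rule["gateway"]))
    return caught


if __name__ == "__main__":
    print("DMZ host, static /16 present:", route_lookup("192.168.50.10"))
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name, "LAN user -> DMZ:", egress("10.1.15.20", "192.168.50.10", rules))
        print(name, "lint:", local_nets_caught_by_policy_routes(rules))
```

With the broken order a pinned user's connection to a DMZ host matches the WAN1 rule first and leaves via WAN1 regardless of the routing table; with the fixed order the DMZ rule matches first and the routing table picks the directly connected DMZ interface. The lint also shows that, under these assumed rules, the guest segment is still caught by the WAN1 rule after the fix, which is the kind of overlap worth checking whenever a rule with a gateway sits above rules for local destinations.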
