I think i need ACL help
but i actualy dont know where my answer lies, so if anyone can point me in the right direction, i would appreciate it.
i have a pfSense 0.96.4 as my firewall. inside my network are 3-4 hosts, and as expected, they have no trouble accessing the internet (via the pfSense).
one host in particular tho, is a router (linux, FC4, and has no trouble routing in or out). as mentioned before, this host has no trouble accessing the net thru the pfSsense box… however, hosts behind it cannot access the net. here is a diagram:
i forgot to label EUROPA… its ip is 192.168.125.80. in the diagram, DEVROUTER is the router in question. the hosts listed above it can access any host on the physical inside network (which, is any 192.168.125.0/26 host).
of of my networking friends recommended to take a look at the ACL on the interfaces, that by default the behavior of BSD would not allow anything other than the local network outbound. so, if i need to backend another network (or networks) thru my pfSense, what is the best way to go about this?
i have already taken a look at the rules->LAN page, added 172.16.125 network, but that didnt do the trick. anyone have some advice for me here?
concerning my diagram, as i mentioned above, any host on the 172.16.125.0/26 network (S1NTDS1, 172.16.125.10 for instance), can sucessfully ping:
172.16.125.1 (inside address of router, and default gateway for 172.16.125.0/26 network)
192.168.125.116 (routers address on the 192.168.125.64/26 network)
192.168.125.65 (pfSense inside interface)
220.127.116.11 (pfSense outside interface)
if i can ping .171.83 from 172.16.125.10, why on earth can i not ping 18.104.22.168 (default gateway of pfSense, via DHCP from Comcast) ??
hoba last edited by
You have the same problem like in this post: http://forum.pfsense.org/index.php?topic=293.0
You nave to use advanced outbound nat and create some more nat rules for the subnets behind the other router. Also some static routes are needed at the pfsense to find back to the subnets behind the other box.
well, i read that article thuroughly, but turning on advanced natting didnt help any. as a matter of fact, i even reset the entire config in my PFS, and tried it with just advanced routing, and same thing. no packets can get out.
anything else i can check?
sullrich last edited by
You have to add the additional subnets after enabling advanced outbound nat.
Did you add the additional subnets?
i believe i may have found a bug in the gui.
when i turned on advanced outbound nat, my network shutdown.
my local lan subnet is 192.168.125.64/26. when i turned on AON in the gui, it added 192.168.125.0/26. i did not notice this at first, but this error was the obvious reason i had no outbound connection whatsoever.
this error was repeated several times, until i noticed that it was adding the wrong subnet. once i manually changed the 192.168.125.0/26 to 192.168.125.64/26, everything functiond as it would be expected.
its finally working!!!
i had to recheck a couple of configurations, since i made some changes (for target implementation), so i had to fix a static route on CHIRON and default gw on DEVROUTER, but the entire DEV Virtual nework is now routing!!
22:07:10.439862 IP 10.0.0.10 > c-67-166-171-1.hsd1.tx.comcast.net: ICMP echo request, id 256, seq 30212, length 40
22:07:10.447707 IP c-67-166-171-1.hsd1.tx.comcast.net > 10.0.0.10: ICMP echo reply, id 256, seq 30212, length 40
22:07:11.455651 IP 10.0.0.10 > c-67-166-171-1.hsd1.tx.comcast.net: ICMP echo request, id 256, seq 30468, length 40
22:07:11.462818 IP c-67-166-171-1.hsd1.tx.comcast.net > 10.0.0.10: ICMP echo reply, id 256, seq 30468, length 40
thank you hoba and geekgod!!
hoba last edited by
Congratulations. Great! ;D