Netgate Discussion Forum
    I think i need ACL help

Routing and Multi WAN
8 Posts 3 Posters 5.5k Views

Sharaz

but I actually don't know where my answer lies, so if anyone can point me in the right direction, I would appreciate it.

I have pfSense 0.96.4 as my firewall. Inside my network are 3-4 hosts, and as expected, they have no trouble accessing the internet (via the pfSense).

One host in particular, though, is a router (Linux, FC4, and has no trouble routing in or out). As mentioned before, this host has no trouble accessing the net through the pfSense box… however, hosts behind it cannot access the net. Here is a diagram:

http://www.dfwlp.com/~jhorne/pics/network/Troubleshooting-Routing-20051220.jpg

I forgot to label EUROPA... its IP is 192.168.125.80. In the diagram, DEVROUTER is the router in question. The hosts listed above it can access any host on the physical inside network (which is any 192.168.125.0/26 host).

One of my networking friends recommended taking a look at the ACL on the interfaces, as by default the behavior of BSD would not allow anything other than the local network outbound. So, if I need to backend another network (or networks) through my pfSense, what is the best way to go about this?

I have already taken a look at the rules->LAN page and added the 172.16.125 network, but that didn't do the trick. Anyone have some advice for me here?

      Jonathan

Sharaz

An update:

Concerning my diagram, as I mentioned above, any host on the 172.16.125.0/26 network (S1NTDS1, 172.16.125.10 for instance) can successfully ping:

172.16.125.1 (inside address of router, and default gateway for 172.16.125.0/26 network)
192.168.125.116 (router's address on the 192.168.125.64/26 network)
192.168.125.65 (pfSense inside interface)
67.166.171.83 (pfSense outside interface)

If I can ping .171.83 from 172.16.125.10, why on earth can I not ping 67.166.171.1 (default gateway of pfSense, via DHCP from Comcast)??

Totally befuddled.

        Jonathan

hoba

You have the same problem as in this post: http://forum.pfsense.org/index.php?topic=293.0
You have to use advanced outbound NAT and create some more NAT rules for the subnets behind the other router. Also, some static routes are needed at the pfSense to find its way back to the subnets behind the other box.

Sharaz

Well, I read that article thoroughly, but turning on advanced NATting didn't help any. As a matter of fact, I even reset the entire config in my PFS and tried it with just advanced routing, and same thing: no packets can get out.

Anything else I can check?

            Jonathan

sullrich

You have to add the additional subnets after enabling advanced outbound NAT.

Did you add the additional subnets?

Sharaz

I believe I may have found a bug in the GUI.

When I turned on advanced outbound NAT, my network shut down.

My local LAN subnet is 192.168.125.64/26. When I turned on AON in the GUI, it added 192.168.125.0/26. I did not notice this at first, but this error was the obvious reason I had no outbound connection whatsoever.

This error was repeated several times, until I noticed that it was adding the wrong subnet. Once I manually changed the 192.168.125.0/26 to 192.168.125.64/26, everything functioned as would be expected.

                Jonathan

Sharaz
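The two requirements from hoba's reply (outbound NAT sources for every subnet behind the inner router, plus static routes back to them) and the miscalculated LAN network from the post above, as an added Python example; this is not code from pfSense or from the thread, and `naive_lan_network` is a hypothetical reconstruction of how a .0/26 network could be produced from a .65/26 interface, not the actual GUI logic.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def lan_network(interface_cidr: str) -> IPv4Network:
    """Correct network for a LAN interface: the host bits are masked off
    with the full prefix, so 192.168.125.65/26 -> 192.168.125.64/26."""
    return IPv4Interface(interface_cidr).network


def naive_lan_network(interface_cidr: str) -> IPv4Network:
    """Hypothetical reconstruction of the wrong result seen in the thread:
    zero only the last octet and keep the prefix length. This is right for
    /24 or shorter, but for /26 it lands on the wrong quarter of the /24."""
    addr, prefix = interface_cidr.split("/")
    octets = addr.split(".")
    octets[3] = "0"
    return IPv4Network(f"{'.'.join(octets)}/{prefix}")


def outbound_nat_sources(lan_if: str, behind_router: list[str]) -> list[IPv4Network]:
    """Source networks an advanced outbound NAT rule set must cover:
    the LAN itself plus every subnet that reaches the firewall through
    another internal router (here the DEVROUTER side, 172.16.125.0/26)."""
    return [lan_network(lan_if)] + [IPv4Network(n) for n in behind_router]


def static_routes(behind_router: list[str], next_hop: str) -> dict[str, str]:
    """Return routes the firewall needs so replies find their way back:
    each remote subnet via the inner router's address on the LAN."""
    return {n: next_hop for n in behind_router}


def nat_covers(sources: list[IPv4Network], src_ip: str) -> bool:
    """Would a packet from src_ip match any outbound NAT source network?
    A host that matches nothing leaves the WAN un-translated, or not at all."""
    ip = IPv4Address(src_ip)
    return any(ip in net for net in sources)


if __name__ == "__main__":
    # Addresses are the ones given in the thread (constructed scenario).
    good = outbound_nat_sources("192.168.125.65/26", ["172.16.125.0/26"])
    bad = [naive_lan_network("192.168.125.65/26")]
    print("correct sources:", [str(n) for n in good])
    print("EUROPA covered by correct rules:", nat_covers(good, "192.168.125.80"))
    print("EUROPA covered by .0/26 rule:   ", nat_covers(bad, "192.168.125.80"))
    print("routes:", static_routes(["172.16.125.0/26"], "192.168.125.116"))
```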

It's finally working!!!

I had to recheck a couple of configurations, since I made some changes (for target implementation), so I had to fix a static route on CHIRON and the default GW on DEVROUTER, but the entire DEV virtual network is now routing!!

                  22:07:10.439862 IP 10.0.0.10 > c-67-166-171-1.hsd1.tx.comcast.net: ICMP echo request, id 256, seq 30212, length 40
                  22:07:10.447707 IP c-67-166-171-1.hsd1.tx.comcast.net > 10.0.0.10: ICMP echo reply, id 256, seq 30212, length 40
                  22:07:11.455651 IP 10.0.0.10 > c-67-166-171-1.hsd1.tx.comcast.net: ICMP echo request, id 256, seq 30468, length 40
                  22:07:11.462818 IP c-67-166-171-1.hsd1.tx.comcast.net > 10.0.0.10: ICMP echo reply, id 256, seq 30468, length 40

Thank you hoba and geekgod!!

                  Jonathan

hoba

Congratulations. Great! ;D
