ISP(Comcast)–>pFsense(firewall)--->Cisco(2811)--->Cisco(2950x2)
-
First I want to think you for taking the time to assist me on this project.
My situation is as follows: I'm attempting to setup a home lab/test network for learning purposes (my background is servers and VM, so this networking is a little difficult for me). I have the following setup and need to know the best way to deploy all the parts. I have a cable modem coming in from comcast going to my pfsense boxes WAN port (DHCP from ISP). From there I've connected my OPT1 (IP 192.168.100.1/24) to my Cisco 2811 (fa0/1 = 192.168.100.2/24). Then from Cisco 2811 (fa0/0; this is configure with sub interfaces fa0/0.1 - fa0/0.9 192.168.0.0/24 - 192.168.9.0/24) to Cisco 2950 (fa0/24 trunking vlan all) from there I'm going to a second 2950 (fa0/23 on both switches are trunked with a crossover cable). I'm running AD/DHCP/DNS (192.168.2.100 Server 2008).
IP HELPER-ADDRESS - 192.168.2.100 and DG/DNS on each sub-interface is correctly configured via DHCP.
From any of my defined VLANs I'm able to get the correct IP address from my DHCP server. I'm also able to PING any part of my internal network (all my servers, VM's, workstations etc etc.). From my workstations and servers I'm able to ping all my default gateways, and the fa0/1 of the 2811 (192.168.100.2). I can't ping the pfsense (192.168.100.1).
From the router I can ping all of my workstations and default gateways and I can ping the pfsense box succesfully…
Pfsense Settings:
The LAN port on pfsense (IP 192.168.2.250/24) is connected to my VLAN2 network. If I change a hosts default gateway to 192.168.2.250 on VLAN2 I can then access the internet. But I only want to use the LAN for managing the pfsense box (once it is working I'll delete the LAN -> WAN rule).
The WAN is configured for DHCP
The OPT1 (192.168.100.1/24) and I've entered a firewall rule (OPT1 -> WAN and WAN-> OPT1), which should allow any traffic on the 192.168.100.0/24 subnet to pass through to the WAN interface and vice versa.
The OPT2 (Unused but active - planning on setting up a unsecured wireless connection on this interface)Some of my assumptions.
1. That it is possible that I've got a NAT issue on the Cisco 2811 (though I can't seem to figure out what).
2. That my issue is how I have the firewall configure - because it works from the LAN interface but not OPT1.Any and all comments are welcome on helping to resolve this issue.
Regards,
Benjamin M. Mitchel
www.complete-geek.com
-
Please post your firewall rules in a format like this for each interface:
* LAN net * * * * Default LAN -> any
That may help give a little more detail on your config.
-
I'm heading home right now - I'll do that as soon as I get home.
I've been talking to one of the network engineers here and they seem to think the issue is routing between the 2811 and pFsense. I need to apply a static route on both devices pointing to the other.
2811 = A and pfsense = B
A. route 0.0.0.0 (any ip) 0.0.0.0 (any subnet) 192.168.100.1 (ip of the pfsense LAN)
B. route 192.168.0.0 (any 192.168 IP) 255.255.0.0 (class b of 192.168) 192.168.100.2 (interface of my Cisco 2811.This should allow the traffic to know which way to go :)
Thanks for the quick reply and I'll post those logs.
Ben Mitchell
-
Sounds plausible that routing may be your issue. Good luck!
-
Well I tried to add my routes to both pFsense and the 2811. And currently I'm able to ping my entire network from the pfsense + the internet. I can also ping the internet from my 2811. I'm still unable to ping 192.168.100.1 or the internet from inside my network. It appears to be a routing issue on the 2811 at this point.
I'm not sure how to pull any real logs from the pfsense. But here is it's setup of both devices.
3 Interfaces enabled
- WAN (DHCP connected to my Cable Modem)
- LAN (Static 192.168.2.250/24; used for management)
- WAN2LAN (Static 192.168.100.1; used for internet traffic)
Static Route configured
192.168.0.0/16 192.168.100.2Cisco 2811 Config
sh run Building configuration... Current configuration : 2675 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname TMFRT01 ! boot-start-marker boot-end-marker ! enable secret 5 $1$4EN2$Lc9iVLaxtyGjAA35PLvpD/ ! memory-size iomem 10 no aaa new-model ip subnet-zero ! ! ip cef ! ! no ftp-server write-enable ! ! ! ! interface FastEthernet0/0 description Blank Network ip address 192.168.0.254 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/0.1 description Default Network encapsulation dot1Q 1 native ip address 192.168.1.254 255.255.255.0 ! interface FastEthernet0/0.2 description Server Network encapsulation dot1Q 2 ip address 192.168.2.254 255.255.255.0 ! interface FastEthernet0/0.3 description PC Network encapsulation dot1Q 3 ip address 192.168.3.254 255.255.255.0 ! interface FastEthernet0/0.4 description TViP Network encapsulation dot1Q 4 ip address 192.168.4.254 255.255.255.0 ! interface FastEthernet0/0.5 description Wireless Network encapsulation dot1Q 5 ip address 192.168.5.254 255.255.255.0 ! interface FastEthernet0/0.6 description na encapsulation dot1Q 6 ip address 192.168.6.254 255.255.255.0 ! interface FastEthernet0/1 description WAN Interface ip address 192.168.100.2 255.255.255.0 duplex auto speed auto ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.100.1 ! no ip http server ! ! ! ! control-plane ! banner motd ^CC .-------------. / \ / .-----. \ I am the Great Cornholio!! |/ --`-`-\ \ | \ | I need TP for my bunghole!! | _-- \ | _| =-. | | Come out with your pants down! o|/o/ | | / ~ | | ARE YOU THREATENING ME?? (____@) ___ | | _===~~~.`| | Oh. heh-heh. Sorry about that. _______.--~ | | \_______ | | heh-heh. This is cool. heh-heh | \ | | \_/__/ | / __\ !!AUTHORIZED ACCESS ONLY!! -| TMF || | || Security || | || || | /| / / ^C ! line con 0 line aux 0 line vty 0 4 password cisco login line vty 5 15 password cisco login ! scheduler allocate 20000 1000 ! end
-
It may be too early but I'm getting a little confused about how your network is set up. Can you make a simple diagram? One thing to remember is pfSense applies firewall rules on the interface the traffic is coming IN to. So if traffic is coming IN on your WAN2LAN interface, you need to have a rule allowing traffic FROM 192.168.100.1/24 AND any other subnets that traffic will be originating from, especially if that traffic initiates from another subnet that is no assigned to that interface. You can always try an allow any from any to any rule just to test if that's where the issue lies.
Yes, you will also need static routes on pfsense for any subnets that it is not directly connected to or it won't know how to send the traffic back.
-
Let me know if this makes sense to you.
(WAN) (WAN2LAN) fa0/1 fa0/0
((ISP))–-|(pFsense)|------------------------|(2811)|--|trunk|---(2950)---|trunk|---(2950)-----PC
DHCP | 192.168.100.1/24 192.168.100.2 |
|________________________________________________________|
Management (LAN = 192.168.2.250) -
One thing to remember is pfSense applies firewall rules on the interface the traffic is coming IN to. So if traffic is coming IN on your WAN2LAN interface, you need to have a rule allowing traffic FROM 192.168.100.1/24 AND any other subnets that traffic will be originating from, especially if that traffic initiates from another subnet that is no assigned to that interface. You can always try an allow any from any to any rule just to test if that's where the issue lies.
Thanks focalguy!!! That was the piece I was missing. I had my firewall rule on WAN2LAN set to only allow traffic on that specific subnet. Once I change it to 'any' everything started working. Now that I know that is the issue I can start creating custom rules for the traffic.
Ben Mitchell.
-
Great! That is a stumbling block for a lot of people. Good luck with the rest of your project. It sounds interesting.
-
Thanks again for your help :)
;D