Routing between subnets (works just fine!)


  • Netgate Administrator

    Hi All,
    This seems like a very basic question and one that I thought I knew the answer to but…

    Does pfSense 2.0 (13th May snapshot) route between two LAN interfaces configured with different subnets?

    If you had asked me yesterday I would have said yes, by default, but my own installation appears not to.
    I have upgraded my main box over the weekend and am now finding I have no access between lan interfaces. I don't remember ever having this problem under 1.2.3.

    I have a number of interfaces configured on different /24 subnets.
    They each have firewall rules: allow, any protocol, any destination, from interface subnet.
    I can ping any address on any subnet from the pfsense box.
    I can ping any pfsense interface from a machine on one subnet.
    I cannot ping any machine on another subnet.
    There is nothing in the firewall logs.

    The only other thing I have done is setup an extra static interface on the same NIC as my PPPOE WAN in order to access the modem. To make this work I had to add a gateway for that interface. Outbound NAT left as automatic. Could it be that I have to add gateways for each LAN interface?

    Any suggestions much appreciated.

    Steve


  • Netgate Administrator

    Something related to this?
    http://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    There's no date on that document so don't know which pfSense version it refers to.



  • I have no problem routing between local interfaces on the May 1 build (and countless prior), so unless there's a bug in your build I'm inclined to think you have a configuration problem. Do any of your subnets overlap (they shouldn't)? Do you need a static route (in other words, do you have any hosts that don't talk directly to pfsense, but through another router)? Do you have any rules in the floating tab that would prevent inter-LAN traffic? The floating rules are parsed first and can override your LAN pass rules.


  • Netgate Administrator

    Thanks for the reply.
    As is usually the case, for me at least, it turned out to be a self-inflicted problem.
    A combination of events conspired against me such that the tests I was running all came up bad. That, combined with a sleep-deprived brain, led me to question some basic assumptions, like does pfSense route. Of course it does!  :-[
    It was routing between subnets just fine. Everything I was pinging was incapable of replying or refusing to do so.

    I did find a few interesting things though.
    As I said above I have an ADSL modem and use PPPoE for connection. In order to access the modem stats page I have a second interface set up on the same NIC with a static IP in the same subnet as the modem.

    If you read the wiki page on how to set this up, here: http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall, you have to then set up manual outbound NAT in order to access the modem. But doing this turns off automatic NAT, which seems like something I'd rather avoid.
    An alternative is to set the modem IP as a gateway. This will trigger an auto NAT rule and allow access.
    This also seems undesirable. I couldn't see why pfSense wouldn't route traffic to the modem IP just as it would to any other LAN subnet. In fact it seems that it does, and the only reason you need to use NAT is that the modem can only respond to packets from its own subnet as it has no route to anywhere else.
    In my case at least the modem setup expects it to be a router and so doesn't allow you to set a gateway for its LAN-side IP. Hence anything that's not on the same subnet has no route.

    I solved this problem by simply setting the subnet mask on the modem to include all of my other subnets, in my case 255.255.0.0. Now I can access the modem web/telnet interface from any other LAN interface without using NAT at all.
    However I have tried this with two modems and it only worked on one.

    Steve
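    The two checks raised in this thread (do any pfSense subnets overlap, and can a gateway-less modem actually reply to a host on another subnet, which is why the 255.255.0.0 mask trick works) can be reasoned about with plain subnet arithmetic. The following is an added example, not code from the thread or from pfSense; the subnets and modem address are constructed values.

```python
import ipaddress

# Constructed example values (not from the thread): three pfSense LAN interface
# subnets and a modem that has a LAN-side IP but no gateway of its own.
PFSENSE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
MODEM_IP = "192.168.1.254"


def overlapping_subnets(cidrs):
    """Return every pair of interface subnets that overlap (a router must not have any)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def modem_can_reply(modem_ip, modem_mask, client_ip):
    """A modem with no LAN-side gateway can only answer hosts it believes are on-link,
    i.e. inside the network formed by its own IP and subnet mask."""
    modem_net = ipaddress.ip_interface(f"{modem_ip}/{modem_mask}").network
    return ipaddress.ip_address(client_ip) in modem_net


def reachable_without_nat(modem_ip, modem_mask, cidrs):
    """Which pfSense-side subnets can reach the modem with plain routing (no NAT):
    exactly those the modem's mask makes fully on-link from its point of view."""
    modem_net = ipaddress.ip_interface(f"{modem_ip}/{modem_mask}").network
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).subnet_of(modem_net)]


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(PFSENSE_SUBNETS))
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(f"modem mask {mask}: reachable without NAT ->",
              reachable_without_nat(MODEM_IP, mask, PFSENSE_SUBNETS))
```

    With the modem's default /24 mask only the modem's own subnet gets replies; widening it to 255.255.0.0 makes all three 192.168.x.0/24 subnets on-link for the modem, which is the effect described above.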



  • @stephenw10:

    An alternative is to set the modem IP as a gateway. This will trigger an auto NAT rule and allow access.
    This also seems undesirable.

    Why?

    I couldn't see why pfSense wouldn't route traffic to the modem IP just as it would to any other LAN subnet. In fact it seems that it does, and the only reason you need to use NAT is that the modem can only respond to packets from its own subnet as it has no route to anywhere else.

    Correct. pfsense has no problem routing from LAN to the modem, but the modem doesn't know how to route back to the LAN host because the latter is outside its subnet and it has no route to it except via the default route, which is on the wrong interface.

    In my case at least the modem setup expects it to be a router and so doesn't allow you to set a gateway for its LAN-side IP. Hence anything that's not on the same subnet has no route.

    Unlucky you. I use the Thomson Speedtouch 516v6 and it is the same, hence I use NAT. I'm using AON anyway, so no big deal for me.

    I solved this problem by simply setting the subnet mask on the modem to include all of my other subnets, in my case 255.255.0.0. Now I can access the modem web/telnet interface from any other LAN interface without using NAT at all.
    However I have tried this with two modems and it only worked on one.

    Clever solution. I'm not sure why it would work on one modem and not the other. Packet dumps might be enlightening. Still, I don't see why you don't just set up the modem as a gateway.


  • Netgate Administrator

    Hmm, having more gateways than is necessary just seems like it might cause trouble with load balancing and failover, but perhaps not.  ::)

    I'm not sure why it didn't work on the other router; perhaps it's hard-coded to route out of its WAN port. It's a BT Home Hub 3. I'm using it as a WiFi access point on a separate interface. If I set a gateway in that subnet then devices connected to the access point can no longer access the internet.

    Steve

