Multi-WAN Not Returning Traffic



  • Hi Guys,

    I am trying to set up a gateway for three ADSL connections.
    I have set up a test lab using some cisco routers to pose as the internet. Each of the three WAN interfaces is connected to one of the cisco routers. Each router has a loopback interface with 2.2.2.2 to simulate the internet. After making sure I had all the correct firewall rules and turning off NAT, there is something very interesting happening…
    I can ping the loopback interface from the pfsense box but not from a LAN-side PC. I turned off all packet filtering and the same behaviour was still occurring.
    To debug the situation I turned on ICMP debugging on the cisco routers. This proved that the traffic was going out with correct IP addresses and the router was returning the ICMP to the LAN interface.
    However, the ping never manages to go past the pfSense box on its way through to the LAN.

    I have set up the Multi-WAN using the gateways section and setting all gateways to Tier 1.

    Please help... this is driving me nuts!



  • If you turn off NAT on the pfsense, then the pfsense is running as a routing-only platform. This means you have to edit static routes on the cisco routers to point to the LAN subnet behind your pfsense firewall.

    Subnet-A --- CISCO --- Subnet-B --- pfsense --- Subnet-C

    This means that the cisco router has to know that Subnet C is reachable over the pfsense.
    If this is not configured like this, a ping from a client in Subnet-C will go over the pfsense as default GW, next to the cisco router, and the cisco router has no gateway configured for Subnet-C, so it sends all traffic over its default gateway to Subnet-A.



  • @Nachtfalke:

    This means, that the cisco router has to know that Subnet C is reachable over the pfsense.

    I'm pretty sure that the cisco routers have a static route pointing back to the LAN - simplest implementation…
    I will have to confirm this when I get back to work in a few days...
    However, the router was returning the traffic; if it didn't have a route, it would simply drop the traffic.



  • I have added the routes on the routers pointing to subnet C.
    The same behaviour is happening… :-(

    The routers are reporting that they are replying to the ICMP packets, so something is up with the pfSense return rules.

    ```
    Gateways

    WANGW (default)  WAN   200.200.1.1  2.2.2.2  Router 2 GW
    GW2              WAN2  200.200.2.1  1.1.1.1  Router 1 GW

    Gateway Group

    LoadBalance  WANGW  Tier 1
                 GW2    Tier 1

    Firewall Rule on both WAN interfaces

    ID  Proto  Source  Port  Destination  Port  Gateway      Queue  Schedule  Description
        *      *       *     *            *     LoadBalance  none

    LAN Firewall Rules

    ID  Proto  Source   Port  Destination  Port   Gateway      Queue  Schedule  Description
        *      *        *     LAN Address  22 80  *            *                Anti-Lockout Rule
        *      LAN net  *     *            *      LoadBalance  none             Default allow LAN to any rule
    ```
    
    And NAT is turned off as well.
    
    A tracert from the LAN also times out with no results.
    From a shell on the pfSense box, I can ping the 'internet' interfaces on the balanced routers.
    The LAN can only ping as far as the outside interfaces on the firewall…


  • New information:

    I can ping the WAN interface from the router but not the LAN interface even though all routes are in place.
    Something on the firewall is blocking the traffic through to the LAN… even when IP filtering is turned off!!
    Nothing shows in the logs either!

