Firewall blocking traffic from LAN to routed subnet



  • Have a secondary router on the LAN to route traffic to clients on MPLS.
    Traffic from the LAN to those subnets is blocked in the firewall:

    Log entry:
    Nov 7 13:59:52 LAN 172.16.0.15:3389 172.16.1.2:51598 TCP:S

    I have no problem whatsoever pinging from e.g. 172.16.1.2 -> 172.16.0.15 or the other way around.
    The client on 172.16.1.2 also has internet access. But when I try creating an RDP session from client 172.16.1.2 to 172.16.0.15 it never works - or so I thought. 1 out of, let's say, 10 times the connection is made and the user desktop gets displayed. After 10-15 seconds the connection is dropped.

    Why is LAN traffic blocked going out of LAN to "LAN"?
    Have tried to create rule: *  172.16.1.0/24  *  *  *  *    but it changes nothing.

    Help  ;)


  • Rebel Alliance Global Moderator

    Can you layout your network, where exactly is your secondary router?

    Does pfsense have interfaces in both lans?  What are the netmasks for these 2 different lan segments?



  • Thanks for your quick reply.

    Have attached diagram.

    ISP provide router with WAN and MPLS setup established - no trouble there.

    I have WAN on pfSense placed on WAN on ISP router.
    Same router have 172.16.0.1 as gateway to MPLS nets.
    I have setup static routes in pfSense to eg. 172.16.1.0/24 to point to 172.16.0.1 to get traffic to MPLS -> OK
    Have created Outbound manual NAT to get MPLS clients on Internet -> OK



  • Rebel Alliance Global Moderator

    So what is the wan interface of pfsense?

    So the way I see that setup why would your clients on your lan use the pfsense box to get to mpls clients?

    What is the gateway on the clients?  Do the clients have any specific routes set up?

    It looks to me like you could have asymmetric routing.

    So a client wants to talk to MPLS, say 172.16.1.X; he goes through pfsense at 172.16.0.254 - what does pfsense NAT that to?  Now when the client at 172.16.1.x is coming back -- why would he go to the pfsense to get to 172.16.0 -- I would think he would see the route to 172.16.0 right on the ISP router.

    Not sure what you're trying to accomplish with that setup.  If you want to isolate your client segment via your pfsense - why would you have that segment directly connected to the ISP router?  Wouldn't you want all traffic to flow through the pfsense box, be it towards or from the MPLS or the internet?
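    To make the asymmetric-routing point concrete, here is a small added model (example code, not from the thread or from pfSense) of the topology as the two posts describe it: the MPLS client's path runs through the ISP router straight to the LAN host, while the LAN host's reply runs through its default gateway, pfSense, which never saw the opening SYN. The routing tables below are assumptions reconstructed from the thread's own addresses, not a dump from any real device.

```python
import ipaddress

# Constructed model of the topology described in the thread (assumed, not a config dump).
# Hosts use a single default gateway; routers hold (prefix, next_hop) entries where a
# next hop of None means "directly connected, deliver to the destination".
HOST_GATEWAY = {
    "172.16.1.2": "172.16.1.1",     # MPLS client -> remote MPLS router
    "172.16.0.15": "172.16.0.254",  # RDP server on LAN -> pfSense LAN address
}

ROUTES = {
    "172.16.1.1": [("172.16.1.0/24", None), ("172.16.0.0/24", "172.16.0.1")],
    "172.16.0.1": [("172.16.0.0/24", None),             # ISP router: LAN is directly connected,
                   ("172.16.1.0/24", "172.16.1.1")],     # so it bypasses pfSense on the way in
    "172.16.0.254": [("172.16.0.0/24", None),           # pfSense LAN side
                     ("172.16.1.0/24", "172.16.0.1")],   # static route to MPLS via ISP router
}
STATEFUL = {"172.16.0.254"}  # the only hop that tracks connection state

def next_hop(router, dst):
    """Longest-prefix match on the router's table; returns None when dst is directly connected."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise ValueError(f"{router} has no route to {dst}")
    return best[1]

def path(src, dst):
    """Hop-by-hop path from src to dst: src, gateway, intermediate routers, dst."""
    hops = [src]
    cur = HOST_GATEWAY[src]
    while True:
        hops.append(cur)
        nh = next_hop(cur, dst)
        if nh is None:
            hops.append(dst)
            return hops
        cur = nh

def asymmetric_stateful_hops(a, b):
    """Stateful devices that sit on only one direction of the a<->b flow.
    Such a device sees the reply (or the request) without its counterpart and drops it."""
    fwd, rev = set(path(a, b)), set(path(b, a))
    return sorted((fwd ^ rev) & STATEFUL)
```

    The forward path reproduces the trace quoted later in the thread (172.16.1.2 -> 172.16.1.1 -> 172.16.0.1 -> 172.16.0.15), and the reply path is the only one that touches 172.16.0.254, which is exactly why pfSense logs the server's packets on LAN with no matching state.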



  • pfSense WAN is public IP.

    Clients on the local subnet contact the local gateway, 172.16.0.254, and get the static route from pfSense, e.g. 172.16.1.0/24 -> 172.16.0.1.

    Routing is not the issue here. Routing works fine from MPLS to local LAN, LAN to MPLS, MPLS to WAN and LAN to WAN.
    The ISP has configured the router that provides access to the Internet and MPLS - I have no access to that router. As I see it, pfSense LAN doesn't allow traffic from LAN to MPLS, and again it is all TCP:S packets that are blocked.

    If I come from the MPLS net to e.g. my remote desktop server, my route looks like this: 172.16.1.2 -> 172.16.1.1 -> 172.16.0.1 -> 172.16.0.15 - as I wrote before: ping and trace work fine.

    All MPLS traffic is routed over 172.16.0.1 to 172.16.0.254. I asked the ISP if that was correct, and they answered "yes, no problem, we'll just route all traffic to 172.16.0.254 and then you handle the routing in and out of your own subnet".

    Is it making any sense?


Locked