4. Issue with 172.n.n.n networks (Private Addy Space)

Issue with 172.n.n.n networks (Private Addy Space)

  • P

    I am running pfs 2.0-release on an ALIX2d3 embedded system. I am using the three physical interfaces as follows:

    Untrust - WAN: ISP with DHCP
    DMZ - Static Address Assignment for DMZ devices
    Trust - LAN networks - trunk - multiple VLANs

    On the Trust side I have 6 VLANs configured.

    Four of the VLANs are in the address space 10.n.n.n/24

    One of the VLANs is in the address space 172.16.n.n/24

    The final VLAN is in the address space of 172.30.n.n/24

    All the VLANs pass traffic correctly except the one in address space 172.30

    I have spent considerable amounts of time looking at why this is. The firewall rules are fine. No messages in the logs to indicate any issue.

    As a last ditch effort in testing I re-ip'd the interface to 172.16.2.254/24 and a workstation to 172.16.2.10/24. It works! Traffic passes. As soon as I return the configuration to 172.30.2.254/24 and the workstation to 172.30.2.10/24 the traffic flow stops. Packet sniffing shows traffic outbound, nothing returning inbound. Nothing odd about routes (no static routes defined).

    I then tried some different network address combinations - such as 172.20.2.0/24 and 172.17.2.0/24. None of them work. It only passes if I use 172.16.n.n

    Has anyone else seen this??

    RFC1918 defines the following as a private address space range:

    172.16.0.0      -  172.31.255.255  (172.16/12 prefix)

    Technically I should not have an issue with 172.30.

    0

  • I use 172.31.0.0/16  here.

    172.31.125.0/24  site one.
    172.31.110.0/24  site two…  ect...

    no issues...

    Ill try 172.30. on my test box later if no one else comments...

    0
  • W

    Presumably you have a VLAN capable switch in the configuration. What is its IP address? Hopefully not 172.30.2.10

    If duplicate IP addresses don't seem to be the problem I would examine a simplified configuration: pings between pfSense and workstation. Does a ping from pfSense to the workstation get a response? Does a ping from the workstation to pfSense get a response? Does a packet capture on pfSense show both request and response? Does a packet capture on the workstation show request and response?

    0
  • P

    Hi guys. Thanks for the replies. After stepping away for a while and coming back I made a discovery. I ran packet traces on both the trust and untrust side. On the untrust I immediately noticed something. The 172.30.2.10 address was being seen on the outside. I jumped back into my NAT settings and noticed I "fat-fingered" an ip address.

    I can't tell you how many times I checked these settings, but apparently I glossed over it repeatedly. Sorry about that. Thanks again for the replies!

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy