Routing Problem fritzbox <> pfsense

vanhaakonnen

Hello,

I have a PFSense running on an ESXi5 in a dedicated VLAN with a fritbox 6360. All clients are behind the pfsense firewall. Between the fritzbox and pfsense I use 10.0.0.1 for the fritzbox and 10.0.0.2 for pfsense (this is the WAN-Interface of pfsense and marked as Exposed Host on the fritzbox).

As normal LAN I use 192.168.100.x/24 adresses on the pfsense firewall. All clients have the 192.168.100.1 (lan of pfsense) as default gateway. So I can access from my client (for example 192.168.100.10) the pfsense on lan (192.168.100.1) and wan (10.0.0.2) and the fritzbox (10.0.0.1).

From behind the pfsense everything is fine. WAN and normal lan are seperated in different vlans.

If I have another client on the fritzbox network with for example 10.0.0.5 I can acess the fritzbox and WAN-Interface of pfsense but I can´t access the 192.168.100.x network behind pfsense.

I configured a simple ipv4 route on the fritzbox like network=192.168.100.0 netmask=255.255.255.0 gateway=10.0.0.2. But I can´t get on the 192.168.100.x ips.

What is wrong there?  :-\

Thanks

VanHaakonnen

marcelloc

I think the problem is That you configured pfsense to do nat between 10.x network and 192.x.

Disable nat and test again.

Also check your wan rules.

vanhaakonnen

Thanks!

I diabled NAT and add a firewallrule for the wan interface. Now I can access clients from both networks :
Proto * | Source WAN set | Port * | Destination LAN set | Port * | Gateway * | …

The Clients in the 10.x.x.x and 192.x.x.x network should talk without any firewallrule to eachother. But the "real" wan (internet) comes also from a 10.0.0.1 (Fritzbox). Is this rule a good idea?

marcelloc

This way pfSense is acting just like a router, without rules.

You can specify some rules on wan to protect only 192.x.x.x as internet can reach 10.x.x.x  without passing through pfSense.

Nachtfalke

@vanhaakonnen:

Thanks!

I diabled NAT and add a firewallrule for the wan interface. Now I can access clients from both networks :
Proto * | Source WAN set | Port * | Destination LAN set | Port * | Gateway * | …

The Clients in the 10.x.x.x and 192.x.x.x network should talk without any firewallrule to eachother. But the "real" wan (internet) comes also from a 10.0.0.1 (Fritzbox). Is this rule a good idea?

I think you are right.

Internet–--fritzbox--------pfsense------LAN

when you set a rule on the pfsense interface which is connected to fritzbox like this than traffic FROM Internet is blocked but from netwrok between fritzbox and pfsense is allowed:

Source port: any
source ip: WAN subnet
destination IP: any
destination port: any