PFsense not passing/routing traffic between WAN/LAN



  • Here is the setup I currently have in my lab to test a captive portal setup:

    Laptop (192.168.2.144) -> AP (192.168.2.100) -> LAN (192.168.2.1) PFSense WAN (192.168.1.2)-> (192.168.1.1) Linksys Router -> Internet
                                                                                                       Laptop wired interface (192.168.1.144)-/

    PFsense is not passing any traffic from the WAN to the LAN or vice-versa.

    Details:

    From my laptop wireless interface I can access the PFsense web configuration and ping everything in the 192.168.2.0/24 subnet. I cannot ping or access anything (the linksys router has a web interface) in the 192.168.1.0/24 subnet.

    From my laptop wired interface, I can ping and access the linksys router, but cannot ping anything in the 192.168.2.9/24 subnet. I think this is because I need to configure a static route.

    From PFsense I can ping everything.

    I have unblocked private IP address space on the WAN interface and my routing table and my arp table look fine. When I check the firewall logs, they don't show any traffic being blocked. I'm passing all traffic on both interfaces (except for bogon traffic on the WAN interface).

    PFsense is running on an IBM Eserver with 4 gigs of ram, 2 x 3GHz processors and 2 NICs. I don't think it's a hardware issue.

    Any ideas? Any more information I can give you?

    Thank you for your time.



  • @Seanny:

    From my laptop wireless interface I can access the PFsense web configuration and ping everything in the 192.168.2.0/24 subnet. I cannot ping or access anything (the linksys router has a web interface) in the 192.168.1.0/24 subnet.

    If the wireless AP is acting as a router rather than a bridge then pfSense needs a route to the network of the laptop. What is the IP address of the laptop's wireless interface?

    @Seanny:

    From my laptop wired interface, I can ping and access the linksys router, but cannot ping anything in the 192.168.2.9/24 subnet and cannot ping the PFsense WAN interface.

    1. Your laptop (or the Linksys) needs a route to the 192.168.2.0/24 network to be able to reach the 192.168.2.0/24 network.
    2. You possibly don't have a firewall rule on the pfSense WAN interface allowing these pings.



  • I have edited the above post to answer your questions.

    1. My wireless AP is a bridge (assuming that gateway mode is the same as bridge) and shares the same subnet as the laptop and the pfsense interface. The problem arises when I attempt to access the other subnet.

    2. I will configure a static route on my linksys and let you know the results, but really it's a secondary problem that appeared while I was troubleshooting.



  • UPDATE (am I not supposed to double post for this?): Configuring a static route stopped the "destination host unreachable" messages. Thanks. Unfortunately, the pings are still failing.



  • @Seanny:

    Unfortunately, the pings are still failing.

    Firewall rule on pfSense WAN interface?

    @Seanny:

    1. My wireless AP is a bridge (assuming that gateway mode is the same as bridge) and shares the same subnet as the laptop and the pfsense interface. The problem arises when I attempt to access the other subnet.

    On the (wireless) laptop a traceroute 192.168.1.1 shows?
    The laptop default gateway is ?

    With the wireless laptop pinging 192.168.1.1 does a packet capture on the pfSense LAN interface show the ping? Does the packet capture on WAN show the ping? Does the packet capture on WAN show ping response? Does the packet capture on LAN show the ping response? (Where does the ping or its response get blocked?)



  • Thank you Wallybob for walking me through routing troubleshooting. It was a routing problem all along. I thought the AP was acting as a bridge, but it was actually a DHCP server and didn't know where to forward 192.168.2.0/24 traffic. FACEPALM. In my defense, it's my first week on the job…  :P

    Lessons learned:
    PFSense does not randomly drop traffic.
    If you can't reach something because of routing, you do not always get Destination Host Unreachable when pinging.
    Have faith in the system logs.

    Thanks,
    Seanny
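An added example, not code from the thread or from pfSense: a small Python model of the lab's routing tables that walks an echo request and then its reply hop by hop using longest-prefix matching, illustrating the troubleshooting Wallybob describes (which hop loses the packet?) and the lesson above that a missing return route gives the pinger only timeouts. Before the static route Seanny added, the Linksys has no route to 192.168.2.0/24, so the reply follows its default route towards the ISP instead of back through pfSense. The topology, tables and the 203.0.113.1 ISP gateway are constructed placeholders.

```python
import ipaddress

# Constructed lab routing tables (not taken from the real devices): prefix -> next hop, None = directly connected.
TABLES = {
    "laptop-wifi": {"192.168.2.0/24": None, "0.0.0.0/0": "192.168.2.1"},
    "pfsense": {"192.168.2.0/24": None, "192.168.1.0/24": None,
                "0.0.0.0/0": "192.168.1.1"},
    # Linksys has no route to 192.168.2.0/24 until a static route is added; 203.0.113.1 is a placeholder ISP gateway.
    "linksys": {"192.168.1.0/24": None, "0.0.0.0/0": "203.0.113.1"},
}
# Which lab node owns which address (pfSense has a LAN and a WAN address).
OWNER = {"192.168.2.144": "laptop-wifi", "192.168.2.1": "pfsense",
         "192.168.1.2": "pfsense", "192.168.1.1": "linksys"}

def lookup(table, dst):
    """Longest-prefix match: returns (prefix, next_hop) or None when there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None

def trace(tables, src, dst, max_hops=8):
    """Forward one packet hop by hop; returns (nodes visited, outcome)."""
    node, path = OWNER[src], []
    for _ in range(max_hops):
        path.append(node)
        if OWNER.get(dst) == node:
            return path, "delivered"
        route = lookup(tables[node], dst)
        if route is None:
            return path, f"no route at {node}"
        hop = dst if route[1] is None else route[1]
        if hop not in OWNER:  # e.g. handed to the ISP default gateway and lost
            return path, f"{node} sends it to {hop}, outside the modelled lab"
        node = OWNER[hop]
    return path, "hop limit exceeded"

def ping_round_trip(tables, src, dst):
    """Echo request src -> dst, then the echo reply dst -> src."""
    req_path, req = trace(tables, src, dst)
    rep_path, rep = trace(tables, dst, src) if req == "delivered" else ([], "not sent")
    return {"request": req, "request_path": req_path,
            "reply": rep, "reply_path": rep_path}

if __name__ == "__main__":
    print(ping_round_trip(TABLES, "192.168.2.144", "192.168.1.1"))
    fixed = {**TABLES, "linksys": {**TABLES["linksys"], "192.168.2.0/24": "192.168.1.2"}}
    print(ping_round_trip(fixed, "192.168.2.144", "192.168.1.1"))
```

The `fixed` table in the `__main__` block adds the static route via pfSense's WAN address, after which both directions report delivered.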

