Passing traffic between OPT1 and LAN, dual LAN, single WAN



  • I am using  pfSense version 2.0.1-RELEASE (amd64)

    I have two LANs which need to be able to pass traffic between one another and use the same WAN connection.

    I currently have the following setup:

    WAN - Sidera 100Mb fiber
    LAN (CallCenterLAN) - 10.2.0.0/24, interface is at 10.2.0.254
    OPT1 (MGMT_LAN) - 10.2.1.0/24, interface is at 10.2.1.254

    I have successfully gotten internet access to both the LAN and OPT1 networks. The challenge now is that I need to pass traffic between the networks. I've tried a bunch of different things and I have probably entered a bunch of unnecessary firewall rules. I have attached images of the MGMT_LAN and CallCenterLAN interface firewall rules.

    I have also created gateways in the System>Routing for both the CallCenterLAN and MGMT_LAN interfaces.

    I still cannot pass data between the networks. Nothing is showing up in the firewall logs for anything I test (i.e. pings from 10.2.1.50 to 10.2.0.10, an IP which responds to ping). I am at a loss as to what I should do next. I've read a lot of posts but I haven't been able to find a solution.

    ![Call Center Rules.jpg](/public/imported_attachments/1/Call Center Rules.jpg)
    ![MGMT LAN Rules.jpg](/public/imported_attachments/1/MGMT LAN Rules.jpg)



  • Just as important as the firewall configuration is the configuration of the two systems that are attempting to communicate through the firewall. For example, if 10.2.1.50 and 10.2.0.10 had network masks of 16 they would each think the other was on the same network and would attempt to communicate directly rather than going through the firewall. Similarly, if the network masks were correct but they had incorrect routing (for example, a default gateway that wasn't the firewall) then they might not be able to communicate. A traceroute (tracert on Windows) can be very helpful in detecting routing problems.

    It is sometimes necessary to reset firewall states after firewall rule changes, see Diagnostics -> States, click on Reset States tab.

    Firewall rules apply to packets received on the nominated interface. Unless there is a configuration error, I suspect you shouldn't be receiving packets from the MGMT_LAN subnet on the CallCenterLAN interface, so you might want to block such packets (or let the default drop rule have them). (Similarly the CallCenterLAN subnet on the MGMT_LAN interface.)



  • Thanks for your reply wallabybob.

    The subnet mask for both networks is 24 bit (255.255.255.0)

    The device at 10.2.1.50 has a default gateway of 10.2.1.254. The device at 10.2.0.10 has a default gateway of 10.2.0.254. I want to pass traffic from each network to the other which is why I made sure there were rules to allow traffic to and from each network on each interface. I have gone so far as to reboot the entire device, but that didn't help.



  • Ok so I went back and reconfigured everything on the router. Something I forgot to mention is that the main reason I want two networks is that I have other gateways on the CallCenterLAN network. I am phasing these out, but I need to be able to assign certain devices to certain gateways until I have tested out new fiber connection.

    I can pass data between devices which are using the 10.2.0.254 and 10.2.1.254 gateways, but not from the 10.2.1.254 network to devices on 10.2.0.254 which do not have the 10.2.0.254 gateway. Other devices on 10.2.0.254 have different gateways, but are on the network and can communicate with one another.

    For example when pinging 10.2.0.133/24 (the device has a gateway of 10.2.0.250), I see an ARP go from my computer at 10.2.1.50 to the 10.2.1.254 gateway, which gets passed to 10.2.0.254 and the ARP gets broadcasted; there is a response from 10.2.0.133 to 10.2.0.254, but I never see it get back to the 10.2.1.254 interface, nor the 10.2.1.0/24 network. Is that never going to work?



  • @seanpd:

    For example when pinging 10.2.0.133/24 (the device has a gateway of 10.2.0.250), I see an ARP go from my computer at 10.2.1.50 to the 10.2.1.254 gateway, which gets passed to 10.2.0.254 and the ARP gets broadcasted; there is a response from 10.2.0.133 to 10.2.0.254, but I never see it get back to the 10.2.1.254 interface, nor the 10.2.1.0/24 network. Is that never going to work?

    The details are important here: The arp asks for the MAC address of which computer?
    Assuming it is all correctly configured, this is (roughly) how it should work:
    10.2.1.50 attempts to ping 10.2.0.133. The ping destination is off network (the first 24 bits of 10.2.0 are not 10.2.1), so the ping has to be sent to the default gateway 10.2.1.254. If the MAC address of the default gateway is not known, an ARP request for it will be sent. On receiving the ARP response, 10.2.1.50 will know the MAC address to which to send the ping. pfSense will receive the ping on 10.2.1.254 and forward it to 10.2.0.133 through its interface on the 10.2.0.0/24 network. However, the MAC address of 10.2.0.133 may not be known, so pfSense may need to send an ARP request for the MAC address of 10.2.0.133 on the 10.2.0.254 interface.

    ARPs should not be "forwarded" unless the interfaces are in a bridge, but you have made no mention of bridging.


  • Netgate Administrator

    Surely the problem here is that 10.2.0.133, on receiving the ping from 10.2.1.50, will attempt to respond but, because it's on a different subnet, will send the response to its gateway (10.2.0.250), not pfSense. Does this other gateway have a route to the 10.2.1.0/24 subnet?

    Steve



    No it doesn't. We are transitioning off several AT&T Uverse circuits and those routers are very limited in their features. It won't be an issue after I've gotten rid of them. In the short term, I just added another network adapter to my desktop connected to the 10.2.0.0/24 network so that I can reach those devices not connected to the 10.2.0.254 gateway. I came to realize that's really the only computer I need to have full access to both networks. The AD servers are using the 10.2.0.254 gateway, so people on the 10.2.1.0/24 network have access to AD, print server, DNS, etc. After such a long day of work, it's easy to lose perspective.
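The three failure modes raised in this thread (wallabybob's /16 mask case, the forwarding decision he walks through, and Steve's point that 10.2.0.133 sends its reply to 10.2.0.250, which has no route back to 10.2.1.0/24) can be reproduced with a small forwarding-decision model. The following is an added example written for this page, not code from the thread or from pfSense. It reuses the thread's addresses but the node names (mgmt-pc, cc-server, cc-phone, legacy-gw) are hypothetical, and it deliberately ignores firewall rules, state tracking and ICMP redirects: it only answers "where does each hop send this packet, and can it ARP for that next hop?" for the request and for the reply.

```python
import ipaddress


class Host:
    """An end system with one interface, one prefix and one default gateway."""

    def __init__(self, name, link, addr, prefixlen, gateway):
        self.name = name
        self.iface = ipaddress.ip_interface(f"{addr}/{prefixlen}")
        self.gateway = ipaddress.ip_address(gateway)
        self.addrs = {self.iface.ip: link}  # address -> L2 segment it sits on

    def next_hop(self, dst):
        # Classic host decision: on-link if dst falls inside my prefix (ARP for
        # it directly), otherwise hand it to the default gateway.
        return dst if dst in self.iface.network else self.gateway


class Router:
    """A router with connected routes from its interfaces plus optional statics."""

    def __init__(self, name, ifaces, static_routes=()):
        self.name = name
        self.addrs = {}   # address -> L2 segment
        self.routes = []  # (network, via); via is None for a connected route
        for cidr, link in ifaces.items():
            i = ipaddress.ip_interface(cidr)
            self.addrs[i.ip] = link
            self.routes.append((i.network, None))
        for net, via in static_routes:
            self.add_route(net, via)

    def add_route(self, net, via):
        self.routes.append((ipaddress.ip_network(net), ipaddress.ip_address(via)))

    def next_hop(self, dst):
        # Longest-prefix match; None means "no route" (the legacy gateway's case).
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def trace(nodes, src_name, dst, max_hops=8):
    """Follow one packet hop by hop; returns (list of node names, verdict)."""
    dst = ipaddress.ip_address(dst)
    owner = {a: n for n in nodes.values() for a in n.addrs}
    cur, path = nodes[src_name], [src_name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path, "delivered"
        nh = cur.next_hop(dst)
        if nh is None:
            return path, f"dropped: {cur.name} has no route to {dst}"
        nxt = owner.get(nh)
        # ARP only resolves if the next hop sits on a segment the sender is on.
        if nxt is None or nxt.addrs[nh] not in cur.addrs.values():
            return path, f"dropped: {cur.name} got no ARP reply for {nh}"
        cur = nxt
        path.append(cur.name)
    return path, "dropped: hop limit exceeded"


def build_topology(mgmt_prefixlen=24):
    """Constructed topology using the thread's addresses; node names are hypothetical."""
    pf = Router("pfSense", {"10.2.0.254/24": "CallCenterLAN", "10.2.1.254/24": "MGMT_LAN"})
    # Legacy U-verse router: knows only its own LAN. Its real default route to
    # the ISP is omitted here; a private 10.2.1.0/24 destination dies there anyway.
    legacy = Router("legacy-gw", {"10.2.0.250/24": "CallCenterLAN"})
    hosts = [
        Host("mgmt-pc", "MGMT_LAN", "10.2.1.50", mgmt_prefixlen, "10.2.1.254"),
        Host("cc-server", "CallCenterLAN", "10.2.0.10", 24, "10.2.0.254"),
        Host("cc-phone", "CallCenterLAN", "10.2.0.133", 24, "10.2.0.250"),
    ]
    return {n.name: n for n in [pf, legacy, *hosts]}


def round_trip(nodes, src_name, dst):
    """Trace the request and then the reply; asymmetric routing shows up in the reply."""
    fwd = trace(nodes, src_name, dst)
    owner = {a: n for n in nodes.values() for a in n.addrs}
    back = trace(nodes, owner[ipaddress.ip_address(dst)].name, nodes[src_name].iface.ip)
    return fwd, back


if __name__ == "__main__":
    nodes = build_topology()
    for target in ("10.2.0.10", "10.2.0.133"):
        print(target, round_trip(nodes, "mgmt-pc", target))
    nodes["legacy-gw"].add_route("10.2.1.0/24", "10.2.0.254")  # the route Steve asks about
    print("with return route:", round_trip(nodes, "mgmt-pc", "10.2.0.133"))
    print("/16 on mgmt-pc:", trace(build_topology(16), "mgmt-pc", "10.2.0.10"))
```

Run as a script it shows the request to 10.2.0.133 arriving via pfSense while the reply stops at legacy-gw with no route, and that either a static route for 10.2.1.0/24 via 10.2.0.254 on the legacy gateway or (as the thread ends up doing) moving the host's gateway to pfSense completes the round trip. With a /16 mask on the management PC the request never leaves the MGMT_LAN segment at all, which is why nothing reaches the firewall log in that case either.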



  • You can find Dual Wan configuration in following link
    http://linuxhotcoffee.blogspot.in/2012/09/pfsense-201-dual-wan-configuration.html


  • Rebel Alliance

    @sreerajuv:

    You can find Dual Wan configuration in following link
    http://linuxhotcoffee.blogspot.in/2012/09/pfsense-201-dual-wan-configuration.html

    1º Your Blog post is wrong:

    Having "WAN1" on Tier 1 & "WAN2" on Tier 2 and using "Member Down" as trigger level you are NOT Doing "Load Balance" you are doing "Fail Over".

    Please review your "Blog" post, then come back with accurate info.

    You can check the info from the pfSense Docs: http://doc.pfsense.org/index.php/Multi-WAN_2.0#Gateway_Groups

    If any two gateways are on the same tier, they will load balance.

    If they are on different tiers, they will do failover preferring the lower tier.

    If the tier is set to "Never" then the gateway is not considered part of this group.

    2º OP is talking about Single WAN & Multi LAN


  • Netgate Administrator

    Poster above has only posted 3 times. All identical posts linking to his blog.
    I don't wish to put anyone off contributing but this seems a little suspicious.  ;)

    If I'm wrong then I apologise.

    Steve

