Netgate Discussion Forum
    Multi Internal LAN Routing problem

    Category: Routing and Multi WAN
    ugnet

      Hello,

      Browsing through this area I do not see any topic that clearly addresses my problem. Please excuse me if I have missed one.

      I have an aging FreeBSD firewall that I am replacing with a new 2.0.2 PFSense box. My firewall has an internal IP of 10.200.1.1. The next hop downstream is my core Avaya routers 10.200.1.2 and 10.200.1.3. These are using RSMLT.

      My issue is that on my old FreeBSD box all I needed to do was use the following in the rc.conf:

      static_routes="01 02 03 04 05 06 07 08 09 10 11 12 13 14 100 222"
      route_01="-net 10.1.0.0/16 10.200.1.2"
      route_02="-net 10.2.0.0/16 10.200.1.2"
      route_03="-net 10.3.0.0/16 10.200.1.2"
      route_04="-net 10.4.0.0/16 10.200.1.2"
      route_05="-net 10.5.0.0/16 10.200.1.2"
      route_06="-net 10.6.0.0/16 10.200.1.2"
      route_07="-net 10.7.0.0/16 10.200.1.2"
      route_08="-net 10.8.0.0/16 10.200.1.2"
      route_09="-net 10.9.0.0/16 10.200.1.2"
      route_10="-net 10.10.0.0/16 10.200.1.2"
      route_11="-net 10.11.0.0/16 10.200.1.2"
      route_12="-net 10.12.0.0/16 10.200.1.2"
      route_13="-net 10.13.0.0/16 10.200.1.2"
      route_100="-net 10.100.0.0/16 10.200.1.2"
      route_222="-net 10.222.0.0/16 10.200.1.2"

      Then I have a default route on my core routers:

      DST              MASK             NEXT
      ------------------------------------------
      0.0.0.0          0.0.0.0          10.200.1.1

      This all works fine and dandy with my FreeBSD firewall.

      I configured my new PFSense box to have a WANGW (default) and a LANGW (10.200.1.2).

      Name             Interface   Gateway        Monitor IP     Description
      WANGW (default)  WAN         172.16.0.193   172.16.0.193   Oasis
      LANGW            LAN         10.200.1.2                    Core

      I then set up each of the static routes:

      [2.0.2-RELEASE][admin@my.pfsense]/root(1): netstat -r
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            oasis                UGS        0      2008  em0
      10.1.0.0          10.200.1.2        UGS        0        0    em1
      10.2.0.0          10.200.1.2        UGS        0        0    em1
      10.3.0.0          10.200.1.2        UGS        0        0    em1
      10.4.0.0          10.200.1.2        UGS        0        0    em1
      10.5.0.0          10.200.1.2        UGS        0        0    em1
      10.6.0.0          10.200.1.2        UGS        0        0    em1
      10.7.0.0          10.200.1.2        UGS        0        0    em1
      10.8.0.0          10.200.1.2        UGS        0        0    em1
      10.9.0.0          10.200.1.2        UGS        0        0    em1
      10.10.0.0          10.200.1.2        UGS        0        0    em1
      10.11.0.0          10.200.1.2        UGS        0        0    em1
      10.12.0.0          10.200.1.2        UGS        0        0    em1
      10.13.0.0          10.200.1.2        UGS        0        0    em1
      10.100.0.0        10.200.1.2        UGS        0    3458  em1
      10.200.0.0        link#3              U            0    1764  em1
      my                  link#3              UHS          0        0    lo0
      10.222.0.0        10.200.1.2        UGS          0        0    em1
      localhost          link#8              UH          0      383    lo0
      172.16.0.192/27    link#2          U            0    3626  em0
      my                  link#2            UHS          0        0    lo0

      When I bring up the PFSense box in production I lose "internet connectivity". I am not sure what is happening.
      From a machine connected to the core router:
      -I cannot ping 10.200.1.1 (PFSense int interface).
      -I can navigate to the PFSense webgui (10.200.1.1).
      -I can ssh to PFSense (10.200.1.1).
      -I cannot ping through the PFsense box to an external IP.
      -There are no firewall logs showing that things are getting blocked.
      -A traceroute to 10.200.1.1 dies at the vlan interface on my core router (10.100.1.1).

      From my core router:
      -I can ping 10.200.1.1 (PFSense int interface)
      -I can ping through the PFsense box to an external IP.
      -I can traceroute through the PFsense box to an external IP.

      From PFSense:
      -I can ping 10.200.1.2 and 10.200.1.3(both Core routers 10.200 vlan interface).
      -I can traceroute through the cores to an internal IP.

      Have I missed something in my PFSense config? I have seen some posts recommending creating multiple vlans on the internal interfaces and then adding a static route, but I wasn't sure if this was applicable to my case. Is this something I should attempt? Also, I am not tagging traffic, nor do I have vlans configured on my current FreeBSD firewall.

      Any help would be appreciated.

      Thank you,
      Peter

        cmb

        Routing looks fine. I think you need to check your LAN rules: the default LAN firewall rule permits only source "LAN subnet", so it won't permit everything you have a static route for, only the 10.200.1.0/24 subnet.

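An added example, not code from this thread or from pfSense: it parses the rc.conf static routes from the first post, lists which routed networks fall outside a LAN pass rule whose source is "LAN subnet" (10.200.1.0/24 here, as cmb notes), and collapses them into the smallest prefix list for a rule-source alias. The alias-based fix and the `LAN_SUBNET` value are assumptions drawn from the thread, not something it spells out.

```python
# Added example (not from the thread): which statically routed networks does the
# default LAN rule (source "LAN subnet") fail to match, and what alias would cover them?
import ipaddress
import re

# Constructed from the rc.conf static-route block quoted in the first post.
RC_CONF = """
static_routes="01 02 03 04 05 06 07 08 09 10 11 12 13 100 222"
route_01="-net 10.1.0.0/16 10.200.1.2"
route_02="-net 10.2.0.0/16 10.200.1.2"
route_03="-net 10.3.0.0/16 10.200.1.2"
route_04="-net 10.4.0.0/16 10.200.1.2"
route_05="-net 10.5.0.0/16 10.200.1.2"
route_06="-net 10.6.0.0/16 10.200.1.2"
route_07="-net 10.7.0.0/16 10.200.1.2"
route_08="-net 10.8.0.0/16 10.200.1.2"
route_09="-net 10.9.0.0/16 10.200.1.2"
route_10="-net 10.10.0.0/16 10.200.1.2"
route_11="-net 10.11.0.0/16 10.200.1.2"
route_12="-net 10.12.0.0/16 10.200.1.2"
route_13="-net 10.13.0.0/16 10.200.1.2"
route_100="-net 10.100.0.0/16 10.200.1.2"
route_222="-net 10.222.0.0/16 10.200.1.2"
"""
LAN_SUBNET = "10.200.1.0/24"  # assumption: what "LAN subnet" expands to on this box
ROUTE_RE = re.compile(r'^route_(\w+)="-net\s+(\S+)\s+(\S+)"', re.M)

def parse_static_routes(rc_conf):
    """Return {name: (destination network, next hop)} for routes listed in static_routes."""
    m = re.search(r'^static_routes="([^"]*)"', rc_conf, re.M)
    enabled = set(m.group(1).split()) if m else set()
    return {name: (ipaddress.ip_network(net), ipaddress.ip_address(gw))
            for name, net, gw in ROUTE_RE.findall(rc_conf) if name in enabled}

def unmatched_sources(routes, rule_source=LAN_SUBNET):
    """Routed networks whose hosts, as packet *sources* arriving on LAN, fall outside the
    rule's source network and therefore hit the implicit default deny (no log entry)."""
    src = ipaddress.ip_network(rule_source)
    return sorted(net for net, _gw in routes.values() if not net.subnet_of(src))

def alias_entries(routes, rule_source=LAN_SUBNET):
    """Smallest prefix list for a pass-rule source alias: LAN subnet plus every routed net."""
    nets = [ipaddress.ip_network(rule_source)] + [net for net, _gw in routes.values()]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    routes = parse_static_routes(RC_CONF)
    print("not matched by source 'LAN subnet':", [str(n) for n in unmatched_sources(routes)])
    print("alias entries:", alias_entries(routes))
```
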
          ugnet

          CMB,

          Thank you very much! That was it. I looked at that rule originally, saw the pass "all", and assumed it was good.

          Peter
