Firewall off – routing problem



  • Hello and thank you if you can help,

    This is very simple, but I have searched to no avail; perhaps it is too simple.  I am trying to set up a network in OPT1 to give clients there access to the internet via WAN and to a few servers in LAN.  I am sure the WAN will work out, but I am trying to get the LAN access working first.

    So:

    LAN is 10.0.0.47 on a 10.0.0.0/16 network.  There is a server at 10.0.1.159.
    OPT1 is 192.168.70.1 on 192.168.70.0/23.  There is a client PC (Windows) at 192.168.70.10.  The DHCP server is on for this interface.
    WAN is down.  (I want to get this OPT1/LAN thing right first.)

    The default gateway router for 10.0.0.0/16 (at 10.0.0.196; it is not the pfSense machine) is set with a static route to find 192.168.70.0/23 at 10.0.0.47.  This seems to be working correctly, since I can ping from the server to the client.

    But I can't ping from client to server.  I have the firewall disabled in the Advanced tab so that I can get the routing working first.  I cannot figure out why this does not just work. Do I need a static route on the pfSense side?  Why?

    Thanks for any help you can be!  I am sure that I am just being incredibly dense.

    SteveO



  • You need to add a rule for OPT1 to allow it to communicate with the LAN.

    By default the LAN can speak to any interface.

    When you add an OPT interface you need to add the rule manually.

    As a test, on OPT1 allow any to any.

    See what happens..



  • Hi Craig,

    Thanks for your reply.  At the moment I have the firewall part off altogether, so only the routing is in play.

    Before that, I did have the firewall on and a rule allowing access to LAN from OPT1.  Looking at the firewall logs, I could see that the packet was allowed out to the server.  Then nothing came back.

    That sounds like a problem on the LAN side network with routing, except that I can ping from the server on the LAN side network all the way to the client in OPT1 no problem, so it would appear that the LAN side default router is sending packets to the pfsense machine OK.  It would also seem to indicate that the pfsense machine can move packets from LAN to OPT1 and back OK internally.

    So, if I can ping from LAN to OPT1, and I can see that pfsense is allowing a packet from the client on OPT1 out to the server on the LAN side, under what circumstances would communication between the OPT1 client and the LAN side server die?

    Steve



  • With the firewall back on and OPT1 set to go anywhere, if I NAT the OPT1 network to the LAN IP address, the ping and lookup from OPT1 to the LAN network work, but that should not be necessary; what I really want is for the routing to work without disguising anything.  So I guess I am going to assume, unless someone here knows better, that the LAN network has a problem and start looking there instead of trying to fix this in the pfSense machine.



  • So, with the firewall on and the firewall set to allow OPT1 to go anywhere it wants, here are packet examples from two attempts to ping the LAN network's 10.0.1.159 from OPT1's 192.168.70.10:

    capturing OPT1:
    1 0.000000 192.168.70.10 10.0.1.159 ICMP 74 Echo (ping) request  id=0x0001, seq=97/24832, ttl=128

    capturing LAN:
    1 0.000000 192.168.70.10 10.0.1.159 ICMP 74 Echo (ping) request  id=0x0001, seq=101/25856, ttl=127

    So, the pfSense seems to be sending the packets out, but there are no reply packets.  I cannot figure out how I can ping from 10.0.1.159 to 192.168.70.10 but not the other way round.  Surely if 10.0.1.159 can send a ping to the OPT1 subnet and get replies, it should be able to send a reply back?



  • Steve, would you mind providing some screenshots of the setup you've got there, mate? I'm just having issues picturing what you're doing. Hopefully it may help other people as well. Sorry for the late reply.



  • @craigduff:

    > Steve, would you mind providing some screenshots of the setup you've got there, mate? I'm just having issues picturing what you're doing. Hopefully it may help other people as well. Sorry for the late reply.

    Hello, sorry to be so late getting back.  No wonder this is confusing; I made a fundamental error.  I think I have the problem figured out, but I am not sure how to fix it.

    The error is that I set up the networks asymmetrically.  10.0.0.0's gateway router had a static route to the pfSense's 192.168.70.0 network that routed to the pfSense's 10.0.0.47 address.  The pfSense just had that address at 10.0.0.47.  So computers in 10.0.0.0 could ping in and get replies, since all the traffic was going through 10196, but if a machine in 192.168.70.0 initiated the conversation the packets would not come back, since the pfSense wasn't looking for a reply from 10196; it was looking for a direct reply.

    Not sure how to fix this, probably because of the same ignorance that created the problem in the first place.



  • SteveO, a network diagram would be nice (you can make one at http://www.gliffy.com); however, I think I know what your problem is. If I'm thinking correctly, you have two routers that you are trying to route traffic back and forth between? You are not using a dynamic routing protocol like RIP or OSPF but are just using static routes? From your pfSense router you have made a static route to your 192.168.x.x network; my question is, did you make a static route on your other router to send 10.0.x.x traffic back? If not, it won't work. Sometimes people incorrectly think that a router will send traffic out of the same interface that it came in on, but you have to make a static route if you're not using a routing protocol. To make your job easier I would use a routing protocol like RIP; this will make your life easier without having to make a bunch of static routes.

    Option 2

    If you have a static route on your non-pfSense router, do you have any access list that would block traffic on the far end? Try doing a traceroute from both sides to see where the traffic is dropping.

    On your second router, if you are using something like Cisco, you can issue the command show ip route to see what networks your router knows about. If you don't see something like:

    S    10.0.0.0/16 via 192.168.70.x
    S*  0.0.0.0/0 [254/0] via 192.168.70.x

    then your router doesn't know how to reach your pfSense network.
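The thread's back-and-forth about static routes and return paths comes down to one check: does the reply retrace the request hop for hop? The script below is an added example, not code from any poster or from pfSense. It models the addresses SteveO gave (pfSense at 10.0.0.47 and 192.168.70.1, the LAN gateway at 10.0.0.196 with its static route for 192.168.70.0/23, the server at 10.0.1.159, the client at 192.168.70.10) as constructed routing tables, does longest-prefix-match forwarding over them, and traces both directions. The tables are my reading of the posts, not dumps from the real devices; `with_route` goes beyond the thread by letting you test a candidate table change before touching a router.

```python
"""Trace forward and return paths through static routing tables.

Constructed model of the thread's topology (not captured from the
poster's devices). Each node has a list of its own addresses and a
routing table of (prefix, next_hop) entries; next_hop None means the
prefix is directly connected.
"""
import copy
import ipaddress

# Assumed tables, reconstructed from the thread's description.
NODES = {
    "client":  (["192.168.70.10"],
                [("192.168.70.0/23", None),
                 ("0.0.0.0/0", "192.168.70.1")]),           # default -> pfSense OPT1
    "pfsense": (["192.168.70.1", "10.0.0.47"],
                [("192.168.70.0/23", None),
                 ("10.0.0.0/16", None)]),                   # both directly connected
    "gateway": (["10.0.0.196"],
                [("10.0.0.0/16", None),
                 ("192.168.70.0/23", "10.0.0.47")]),        # the static route SteveO added
    "server":  (["10.0.1.159"],
                [("10.0.0.0/16", None),
                 ("0.0.0.0/0", "10.0.0.196")]),             # default -> LAN gateway, not pfSense
}


def owner(addr, nodes=NODES):
    """Name of the node holding this address, or None if nobody does."""
    for name, (addrs, _table) in nodes.items():
        if addr in addrs:
            return name
    return None


def lookup(node, dst, nodes=NODES):
    """Longest-prefix match of dst in node's table.

    Returns (network, next_hop); next_hop None means directly connected.
    Returns None when no entry matches.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in nodes[node][1]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(src, dst, nodes=NODES, max_hops=16):
    """Node names a packet from node src to address dst passes through.

    Ends with 'unreachable' when some hop has no route for dst (or the
    next hop belongs to no modelled node), or 'loop' if the hop budget
    runs out, which is what a routing loop looks like on a real network.
    """
    path, node = [src], src
    for _ in range(max_hops):
        if dst in nodes[node][0]:
            return path
        route = lookup(node, dst, nodes)
        if route is None:
            return path + ["unreachable"]
        _net, next_hop = route
        node = owner(dst if next_hop is None else next_hop, nodes)
        if node is None:
            return path + ["unreachable"]
        path.append(node)
    return path + ["loop"]


def symmetric(src_ip, dst_ip, nodes=NODES):
    """True when the reply path is the request path in reverse."""
    fwd = trace(owner(src_ip, nodes), dst_ip, nodes)
    if fwd[-1] in ("unreachable", "loop"):
        return False
    rev = trace(fwd[-1], src_ip, nodes)
    return fwd == list(reversed(rev))


def with_route(nodes, node, prefix, next_hop):
    """Copy of the model with one extra route added to node's table."""
    new = copy.deepcopy(nodes)
    new[node][1].append((prefix, next_hop))
    return new


if __name__ == "__main__":
    client, server = "192.168.70.10", "10.0.1.159"
    print("client -> server:", " -> ".join(trace("client", server)))
    print("server -> client:", " -> ".join(trace("server", client)))
    print("symmetric:", symmetric(client, server))
    # Hypothetical change, not something the thread did: give the
    # server its own route to OPT1 via pfSense and re-check.
    alt = with_route(NODES, "server", "192.168.70.0/23", "10.0.0.47")
    print("with direct route on server:", symmetric(client, server, alt))
```

Run as-is and the forward trace is client, pfsense, server, while the reply goes server, gateway, pfsense, client, which is the asymmetry SteveO describes. Edit the tables to try other changes; the point is to reason about both directions before trusting a packet capture on one interface.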

