Routing between LANs not working



  • I know I have to be overlooking something simple, but I am currently stumped. I have a network that looks like the following

    Site1
    LAN1/22
    LAN2/22

    I then have a direct connection between sites configured as PTP/24

    Site2
    RemoteLAN1/19

    I can ping LAN1 & LAN2 from the PTP interface at Site2
    I can ping RemoteLAN1 from the PTP interface at Site1
    I cannot ping any of the above from the LAN interface of either pfSense box
    I cannot ping any of the remote networks from PCs behind any of the pfSense boxes.

    I have tried both static routes and the RIP protocol to get the sites talking.
    If I configure an IPsec tunnel, then all sites are able to talk to each other no problem. The fact that the IPsec tunnel works is part of the reason I am so confused, as it would seem that, in order for the different sites to see each other through the IPsec tunnel or a direct route, the firewall rules would be pretty much the same. And they seem to be. Yet for some reason the firewall rules are allowing sites to talk when going through IPsec, but not over a direct connection with static or RIP routes in place.

    In troubleshooting I have also attempted wide-open rules allowing any and all traffic on the PTP interface. And both sites have LAN configurations that allow anything from the LAN subnet to go anywhere.

    What could I possibly be overlooking?



  • Is this your configuration:

    LAN-A-----pfsense-A------WAN-----pfsense-B-----LAN-B
    ?

    Is the part I named "WAN" a WAN connection or is it just another LAN subnet? If it is just another LAN subnet then you probably have to disable NAT of pfsense-A and pfsense-B WAN interface.

    Further pfsense-A needs a static route to LAN-B with gateway pfsense-B-WAN-interface
    And pfsense-B needs a static route to LAN-A with gateway pfsense-A-WAN-interface.
    pfsense-A/B must allow all traffic on WAN and LAN interfaces.

    When you talk from "PTP" - do you just mean a direct connection like connecting a computer to a switch or do you mean any VPN solution (PPTP)? I am asking this because you are talking about IPsec in the next chapter.

    So I guess you need to disable NAT:
    System --> Advanced --> !?!
    Check if there is any checkbox for disabling NAT only. If there isn't any, go to "Outbound NAT" under Firewall --> NAT, select "Manual Outbound NAT" and then delete all existing NAT rules. This disables NAT.



  • Here are some more details for you

    Site1, pfSense A
    LAN interface
    VLAN interface
    WAN interface for Internet, uses NAT
    PTP interface uses a local subnet to route between the two physical sites; no VPN at play here, it is a direct connection between sites provided by our Internet provider.

    Site2, pfSense B
    LAN interface
    VLAN interface
    WAN interface for Internet, uses NAT
    PTP interface on the local subnet.

    So I cannot turn NAT off entirely. I tried creating a NAT rule that says source Site1LAN, destination Site2LAN, associated with the PTP interface, and then checked the box that claims to turn NAT off within that config, and it did not work.



  • Then you need to disable NAT only on the PTP interface.

    So go to outbound NAT rules, select automatic rules which generates NAT rules for all interfaces. Then switch back to manual outbound NAT rules. It shows you all the rules and then you probably only need to delete the rules for the P2P interfaces - on both sites.

    But the static routes on both sites must still be configured. And the firewall rules on the P2P interfaces must allow traffic from the other site.
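    The checks this thread converges on (a static route each way, outbound NAT off on the PTP interface, PTP firewall rules that accept the far LAN) can be walked through mechanically. The following Python model is an added example, not code from pfSense or from any poster; it traces a ping from a host behind one box to a host behind the other and back over a constructed topology with placeholder addresses, and reports which condition is missing.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology modelled on the thread; all addresses are placeholders, not the poster's.
PTP_NET = ipaddress.ip_network("192.168.100.0/24")

@dataclass
class Site:
    name: str
    lan: ipaddress.IPv4Network                      # LAN behind this pfSense box
    ptp_ip: ipaddress.IPv4Address                   # this box's address on the PTP link
    routes: dict = field(default_factory=dict)      # static routes: prefix -> next hop on PTP
    nat_on_ptp: bool = True                         # outbound NAT still active on the PTP interface
    ptp_allow: list = field(default_factory=list)   # source networks the PTP firewall rules accept

def next_hop(site, dst):
    """Longest-prefix match over the box's static routes; None means the default route (Internet WAN)."""
    matches = [p for p in site.routes if dst in p]
    return site.routes[max(matches, key=lambda p: p.prefixlen)] if matches else None

def check_path(src_site, dst_site):
    """Trace a ping from a host behind src_site to a host behind dst_site and its reply.
    Returns the findings in the order the thread raises them; an empty list means nothing is missing."""
    problems = []
    src_host, dst_host = src_site.lan[10], dst_site.lan[10]
    # 1. Forward: the source box needs a static route to the remote LAN via the far PTP address.
    if next_hop(src_site, dst_host) != dst_site.ptp_ip:
        problems.append(f"{src_site.name}: no static route to {dst_site.lan} via {dst_site.ptp_ip}")
    # 2. Outbound NAT on the PTP interface hides the real source behind the PTP address.
    seen_src = src_site.ptp_ip if src_site.nat_on_ptp else src_host
    if src_site.nat_on_ptp:
        problems.append(f"{src_site.name}: outbound NAT active on PTP, remote side sees {seen_src}")
    # 3. The remote PTP firewall rules must accept whatever source address actually arrives.
    if not any(seen_src in net for net in dst_site.ptp_allow):
        problems.append(f"{dst_site.name}: PTP rules do not allow traffic from {seen_src}")
    # 4. Return: unless the source was on-link, the remote box needs a route back to the far LAN.
    if seen_src not in PTP_NET and next_hop(dst_site, src_host) != src_site.ptp_ip:
        problems.append(f"{dst_site.name}: no static route back to {src_site.lan} via {src_site.ptp_ip}")
    return problems

def example_sites(nat_off=True, routes=True):
    """Build both boxes as the last reply recommends; the flags reproduce the earlier misconfigurations."""
    a = Site("pfsense-A", ipaddress.ip_network("10.1.0.0/22"), PTP_NET[1], nat_on_ptp=not nat_off)
    b = Site("pfsense-B", ipaddress.ip_network("10.2.0.0/19"), PTP_NET[2], nat_on_ptp=not nat_off)
    if routes:
        a.routes[b.lan] = b.ptp_ip
        b.routes[a.lan] = a.ptp_ip
    a.ptp_allow = [b.lan, PTP_NET]   # "the firewall rules on the P2P interfaces must allow traffic from the other site"
    b.ptp_allow = [a.lan, PTP_NET]
    return a, b
```

Run `check_path(a, b)` and `check_path(b, a)` on both orderings, since a route missing on only one box shows up only in one direction.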

