Netgate Discussion Forum

    Newbie Routing/Firewall question

    Routing and Multi WAN
    2 Posts 2 Posters 1.6k Views
    cybercorty

      Hi everyone,

      This is definitely a newbie question, but I'm stuck and don't know how to search further. Most likely the problem is a lack of some basic routing or firewall knowledge… The setup is as follows (IPs are fictional):

      private subnet 2 (192.168.10.0/24) ---- (192.168.10.1) pfsense firewall with two interfaces (192.168.11.1) ---- private subnet 1 (192.168.11.0/24) --- router (192.168.11.6) --- Internet

      ---- means physical or virtual network cable

      Private subnets 1 and 2 are physically separated; the only link is the pfSense firewall, which has interfaces into both network segments. The interface to private subnet 1 is the LAN interface in pfSense, the interface to private subnet 2 the WAN interface in the initial setup. pfSense is version 2.1 RC0.

      Hosts in private subnet 1 should be allowed to access the Internet through NAT (works perfectly on hardware router 192.168.11.6). The default gateway of private subnet 1 is 192.168.11.6. Hosts in private subnet 1 should also be allowed to access any hosts in private subnet 2.

      Hosts in private subnet 2 should be allowed to access neither hosts in private subnet 1 nor the Internet, but only hosts within private subnet 2. I assign IPs in private subnet 2 via DHCP; the default gateway is 192.168.10.1 (the pfSense interface in private subnet 2 = WAN interface).

      I have configured a static route in router 192.168.11.6 that defines 192.168.11.1 as the gateway to 192.168.10.0/24. I have also removed the firewall rules in pfSense that blocked traffic from private IPs (since pfSense only handles private IPs in this setup). A firewall rule was defined to allow all IPv4 traffic (all protocols) that is received on the interface to private subnet 1. Aside from the standard bogon block rules, no other firewall rules are defined.

      I can ping all hosts in private subnet 2 from private subnet 1, but I cannot access any services on a Debian 7 host in private subnet 2 from private subnet 1. They are accessible within private subnet 2. Surprisingly, the web interface of a cheap switch within private subnet 2 can be accessed from private subnet 1.

      I assume it must be something either in the pfSense configuration or on the Debian host (which of course would be off-topic here, but I need some hint to narrow down the problem). Since route on the Debian host shows 192.168.10.1 as the default gateway, it should know where to answer if a service is accessed from private subnet 1 (e.g. address range 192.168.11.0/24).

      Could someone give me a hint where to look?

      Many thanks in advance.

      Ralf

      phil.davis

        To encourage you: what you are doing is unusual, but from the description you give it should work. pfSense by default will do NAT between LAN and WAN. So when you connect from the LAN side 192.168.11.n into the "hidden" subnet 192.168.10.n, the packets will be NAT'd and the clients in 192.168.10.n will see them as coming from 192.168.10.1. That should not matter; it is just like the "hidden" subnet is an internet. In fact, that should hide complexity from the Debian host. It should think it is talking locally to someone connecting from 192.168.10.1.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

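As an added illustration of the answer above (my own model, not pfSense code and not from either poster): a small Python model of the rule set and default outbound NAT described in the question. It checks which of the flows from the question are passed, blocked or NAT'd, and shows that the Debian host's reply is admitted by the state table rather than by any WAN rule. Addresses are the fictional ones from the thread; the host addresses and port are constructed, and source ports are ignored for brevity.

```python
import ipaddress

# Constructed model of the thread's topology, using the poster's fictional addresses.
SUBNET1 = ipaddress.ip_network("192.168.11.0/24")   # pfSense LAN side
SUBNET2 = ipaddress.ip_network("192.168.10.0/24")   # pfSense WAN side
WAN_IP = ipaddress.ip_address("192.168.10.1")       # source seen by subnet-2 hosts after NAT

# Rules as the poster describes them: matched on the interface a packet enters,
# first match wins, and anything unmatched hits pfSense's implicit default deny.
RULES = {"LAN": [("pass", "any")], "WAN": []}


class Firewall:
    def __init__(self):
        self.states = set()   # (proto, translated_src, dst, dport) for flows already passed

    def ingress(self, src):
        if src in SUBNET1:
            return "LAN"
        if src in SUBNET2:
            return "WAN"
        raise ValueError("only the two private subnets are modelled")

    def forward(self, src, dst, proto="tcp", dport=22):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Replies to an established flow are passed by the state table; no WAN rule needed.
        if (proto, dst, src, dport) in self.states:
            return {"action": "pass", "reason": "reply matched state table"}
        # Hosts on the same segment talk directly; pfSense never sees that traffic.
        if src in SUBNET2 and dst in SUBNET2:
            return {"action": "local", "reason": "same segment; never reaches pfSense"}
        iface = self.ingress(src)
        action = next((a for a, m in RULES[iface] if m == "any"), "block")
        if action == "block":
            return {"action": "block", "reason": f"no {iface} rule matched; default deny"}
        # From LAN the only destinations routed through pfSense are subnet 2 (egress WAN);
        # default outbound NAT rewrites the source to the WAN address on that path.
        egress = "WAN" if dst in SUBNET2 else "LAN"
        seen_src = WAN_IP if egress == "WAN" else src
        self.states.add((proto, seen_src, dst, dport))
        return {"action": "pass", "egress": egress, "seen_src": str(seen_src)}


if __name__ == "__main__":
    fw = Firewall()
    print(fw.forward("192.168.11.20", "192.168.10.5"))   # subnet 1 -> Debian host, NAT'd
    print(fw.forward("192.168.10.5", "192.168.10.1"))    # Debian reply, passed by state
    print(fw.forward("192.168.10.5", "192.168.11.20"))   # subnet 2 -> subnet 1, blocked
    print(fw.forward("192.168.10.5", "8.8.8.8"))         # subnet 2 -> Internet, blocked
```

If the Debian host were behaving like this model it would see the SSH client as 192.168.10.1, so a service bound only to another address, or a host firewall on the Debian side, would be the next places to look.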
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.