Newbie Routing/Firewall question
-
Hi everyone,
This is definitely a newbie question, but I'm stuck and don't know how to search further. Most likely the problem is a lack of some basic routing or firewall knowledge… The setup is as follows (IPs are fictional):
private subnet 2 (192.168.10.0/24) ---- (192.168.10.1) pfsense firewall with two interfaces (192.168.11.1) ---- private subnet 1 (192.168.11.0/24) --- router (192.168.11.6) --- Internet
---- means physical or virtual network cable
Private subnets 1 and 2 are physically separated; the only link is the pfSense firewall, which has interfaces into both network segments. The interface to private subnet 1 is the LAN interface in pfSense, the interface to private subnet 2 the WAN interface in the initial setup. pfSense is version 2.1 RC0.
Hosts in private subnet 1 should be allowed to access the Internet through NAT (works perfectly on the hardware router 192.168.11.6). The default gateway of private subnet 1 is 192.168.11.6. Hosts in private subnet 1 should also be allowed to access any hosts in private subnet 2.
Hosts in private subnet 2 should be allowed to access neither hosts in private subnet 1 nor the Internet, only hosts within private subnet 2. I assign IPs in private subnet 2 via DHCP; the default gateway is 192.168.10.1 (the pfSense interface in private subnet 2 = WAN interface).
I have configured a static route in router 192.168.11.6 that defines 192.168.11.1 as the gateway to 192.168.10.0/24. I have also removed the firewall rules in pfSense that blocked traffic from private IPs (since pfSense only handles private IPs in this setup). A firewall rule was defined to allow all IPv4 traffic (all protocols) that is received on the interface to private subnet 1. Aside from the standard bogon block rules, no other firewall rules are defined.
I can ping all hosts in private subnet 2 from private subnet 1, but I cannot access any services on a Debian 7 host in private subnet 2 from private subnet 1. They are accessible within private subnet 2. Surprisingly the web interface of a cheap switch within private subnet 2 can be accessed from private subnet 1.
I assume it must be something either in the pfSense configuration or on the Debian host (which of course would be off-topic here, but I need some hint to narrow down the problem). Since route on the Debian host shows 192.168.10.1 as the default gateway, it should know where to answer if a service is accessed from private subnet 1 (e.g. address range 192.168.11.0/24).
Could someone give me a hint where to look?
Many thanks in advance.
Ralf
-
To encourage you, what you are doing is unusual, but from the description you give it should work. The pfSense by default will do NAT between LAN and WAN. So when you connect from the LAN side 192.168.11.n into the "hidden" subnet 192.168.10.n the packets will be NAT'd and the clients in 192.168.10.n will see them as coming from 192.168.10.1 - that should not matter, it is just like the "hidden" subnet is an internet. In fact, that should hide complexity from the Debian host. It should think it is talking locally to someone connecting from 192.168.10.1
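To make the reply's point concrete, here is an added example that is not part of the thread and not pfSense code: a small hop-by-hop forwarding and NAT simulation of the topology Ralf describes, using the fictional addresses from his post. It traces a packet from a subnet 1 client to the Debian host and the reply back, once with pfSense's default outbound NAT (the Debian host sees the connection coming from 192.168.10.1) and once with NAT switched off (the Debian host sees 192.168.11.n and answers via its default gateway 192.168.10.1). The client address 192.168.11.20 and the Debian address 192.168.10.20 are assumptions chosen for the example; only routing and source NAT are modelled, no firewall rule evaluation.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the post. HOST_A and DEBIAN are assumed (constructed) host addresses.
HOST_A = "192.168.11.20"   # client in private subnet 1 (assumed)
ROUTER = "192.168.11.6"    # hardware router, default gateway of subnet 1
PF_LAN = "192.168.11.1"    # pfSense LAN interface, in subnet 1
PF_WAN = "192.168.10.1"    # pfSense WAN interface, in subnet 2
DEBIAN = "192.168.10.20"   # Debian 7 host in private subnet 2 (assumed)
UPLINK = "203.0.113.1"     # router's Internet next hop (constructed, not modelled)


@dataclass
class Node:
    name: str
    addrs: list                                  # addresses owned by this node
    routes: list                                 # (prefix, next_hop or None if directly connected)
    snat: dict = field(default_factory=dict)     # prefix -> source address used when sending toward it
    nat_table: dict = field(default_factory=dict)  # (translated_src, dst) -> original src


def longest_prefix_match(routes, dst):
    """Return the most specific (network, next_hop) whose prefix contains dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def build_topology(nat=True):
    """The two subnets, the pfSense box between them and the hardware router."""
    pfsense = Node("pfsense", [PF_LAN, PF_WAN],
                   [("192.168.11.0/24", None), ("192.168.10.0/24", None), ("0.0.0.0/0", ROUTER)])
    if nat:
        # pfSense default outbound NAT: LAN -> WAN traffic leaves with the WAN address.
        pfsense.snat["192.168.10.0/24"] = PF_WAN
    return {
        "host-a": Node("host-a", [HOST_A], [("192.168.11.0/24", None), ("0.0.0.0/0", ROUTER)]),
        # Static route on the hardware router: 192.168.10.0/24 via pfSense LAN address.
        "router": Node("router", [ROUTER],
                       [("192.168.11.0/24", None), ("192.168.10.0/24", PF_LAN), ("0.0.0.0/0", UPLINK)]),
        "pfsense": pfsense,
        # Debian host gets its default gateway (pfSense WAN address) from DHCP.
        "debian": Node("debian", [DEBIAN], [("192.168.10.0/24", None), ("0.0.0.0/0", PF_WAN)]),
    }


def trace(nodes, start, src, dst, max_hops=8):
    """Walk a packet from node `start`, applying source NAT and its reverse.
    Returns a list of (node_name, src, dst) as the packet looks on each node;
    the last entry is the receiving node or a drop reason."""
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    node = nodes[start]
    path = []
    for _ in range(max_hops):
        if node.name != start and dst in node.addrs:
            original = node.nat_table.get((dst, src))
            if original is None:
                path.append((node.name, src, dst))   # delivered
                return path
            dst = original   # reply to a NATed flow: restore the real client address
        path.append((node.name, src, dst))
        route = longest_prefix_match(node.routes, dst)
        if route is None:
            path.append(("no route", src, dst))
            return path
        _net, next_hop = route
        for prefix, new_src in node.snat.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                node.nat_table[(new_src, dst)] = src   # remember how to un-NAT the reply
                src = new_src
        node = by_addr.get(dst if next_hop is None else next_hop)
        if node is None:
            path.append(("unreachable", src, dst))
            return path
    path.append(("loop", src, dst))
    return path


if __name__ == "__main__":
    for nat in (True, False):
        nodes = build_topology(nat=nat)
        print("outbound NAT on pfSense:", nat)
        fwd = trace(nodes, "host-a", HOST_A, DEBIAN)
        print("  subnet 1 -> Debian:", fwd)
        seen_src = fwd[-1][1]                       # what the Debian host sees as source
        print("  Debian -> reply   :", trace(nodes, "debian", DEBIAN, seen_src))
```

In both runs the reply reaches the client, because the Debian host either answers a directly connected address (192.168.10.1, with NAT) or sends to its default gateway, which is pfSense itself (without NAT). Note that the request goes client → 192.168.11.6 → pfSense while the reply goes pfSense → client directly, so the hardware router sees only one direction of each flow; that is normal for this design and is not what stops a service from answering. Since ICMP and the switch's web interface already work across pfSense, the missing piece is more likely something on the Debian host that behaves differently for non-local sources (a host firewall, or a daemon bound or restricted to 192.168.10.0/24) than the routing itself.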