Noobie Q about routing (ver 2.0.3-Release)
-
Hello all,
I'm new to pfSense so this could be a very basic question, but I'm baffled about how routing is working in my environment.
My setup is as follows :
+–---------------+
| Internet Router |
| (AT & T uVerse) |
+-----------------+
^
|
v <-WAN
+------------------+
| pfSense Firewall |
| 172.16.0.1 | <---> LAN (172.16.0.0/24)
| 192.168.0.1 | <---> DMZ (OPT1 - 192.16.0.0/24) - Not yet a true DMZ - I'm running some tests before I 'expose' any ports to the public Internet.
+------------------+I've not change the LAN and WAN rules that pfSense configured 'out-of-the-box' (OTB).
On the DMZ side, I've configured the rule just like the LAN side (Action : Pass, Protocol : Any, Source : DMZ Net, Source Port : Any, Destination : Any, Destination Port : Any).
I've also left the default OTB Routing as-is : Name : WAN, Interface WAN, IP Address : My external (public) IP Address assigned via DHCP by my ISP.
I'm able to 'ping' different computers between the 2 subnets without any issues.
The issue comes up when I try to do a trace-route. The trace seems to indicate that my packets are going all over the Internet before reaching my server. e.g. when I try to traceroute from 172.16.0.17 (on the LAN) to 192.168.0.10 (on the DMZ), I get the following results :
C-Prompt:>tracert 192.16.0.10
Tracing route to 192.16.0.10 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.16.0.1
2 * * * Request timed out.
3 46 ms 26 ms 27 ms my-IP-Address.domain-assigned-by-ISP
4 * * * Request timed out.
5 29 ms 28 ms 27 ms 75.26.64.14
6 * * * Request timed out.
7 27 ms 27 ms 27 ms 12.83.32.173
8 36 ms 33 ms 35 ms ggr4.cgcil.ip.att.net [12.122.133.33]
9 33 ms 33 ms 33 ms chi-bb1-link.telia.net [213.248.87.253]
10 34 ms 78 ms 33 ms edgecast-ic-157045-chi-bb1.c.telia.net [62.115.9
.130]
11 34 ms 33 ms 34 ms 198-7-19-109.edgecastcdn.net [198.7.19.109]
12 32 ms 33 ms 32 ms 192.16.0.10Is this normal ? It does take quite a while for me to invoke any services between the computers on the different sub-nets.
What am I doing wrong ?
Thanks in advance,
Gurvinder -
If its not just a typo, then this is your problem:
12 32 ms 33 ms 32 ms 192.16.0.10192.16.0.10 is a real public IP.
It should be 192.168.0.10 (look for the missing "8" anywhere on the OPT1 setup, and systems in the OPT1 subnet) -
:-[ - Duh …...
Thanks that was it - it was a typo -
-
Another thing,
Isn't the purpose of a DMZ to keep that traffic segregated from the rest of your network? You should create a rule on your DMZ to block all traffic going to any LAN IP and make sure its before that allow any any rule.