Noobie Q about routing (ver 2.0.3-Release)

gurvindernarula

Hello all,

I'm new to pfSense so this could be a very basic question, but I'm baffled about how routing is working in my environment.

My setup is as follows :

+–---------------+
| Internet Router  |
|  (AT & T uVerse) |
+-----------------+
        ^
        |
        v <-WAN
+------------------+     
| pfSense Firewall    |
|    172.16.0.1        | <---> LAN (172.16.0.0/24)
|    192.168.0.1      | <---> DMZ (OPT1 - 192.16.0.0/24) - Not yet a true DMZ - I'm running some tests before I 'expose' any ports to the public Internet.
+------------------+

I've not change the LAN and WAN  rules that pfSense configured 'out-of-the-box' (OTB).

On the DMZ side, I've configured the rule just like the LAN side (Action : Pass, Protocol : Any, Source : DMZ Net, Source Port : Any, Destination : Any, Destination Port : Any).

I've also left the default OTB Routing as-is : Name : WAN, Interface WAN, IP Address : My external (public) IP Address assigned via DHCP by my ISP.

I'm able to 'ping' different computers between the 2 subnets without any issues.

The issue comes up when I try to do a trace-route. The trace seems to indicate that my packets are going all over the Internet before reaching my server. e.g. when I try to traceroute from 172.16.0.17 (on the LAN) to 192.168.0.10 (on the DMZ), I get the following results :

C-Prompt:>tracert 192.16.0.10

Tracing route to 192.16.0.10 over a maximum of 30 hops

1    <1 ms    <1 ms    <1 ms  172.16.0.1
  2    *        *        *    Request timed out.
  3    46 ms    26 ms    27 ms  my-IP-Address.domain-assigned-by-ISP
  4    *        *        *    Request timed out.
  5    29 ms    28 ms    27 ms  75.26.64.14
  6    *        *        *    Request timed out.
  7    27 ms    27 ms    27 ms  12.83.32.173
  8    36 ms    33 ms    35 ms  ggr4.cgcil.ip.att.net [12.122.133.33]
  9    33 ms    33 ms    33 ms  chi-bb1-link.telia.net [213.248.87.253]
10    34 ms    78 ms    33 ms  edgecast-ic-157045-chi-bb1.c.telia.net [62.115.9
.130]
11    34 ms    33 ms    34 ms  198-7-19-109.edgecastcdn.net [198.7.19.109]
12    32 ms    33 ms    32 ms  192.16.0.10

Is this normal ? It does take quite a while for me to invoke any services between the computers on the different sub-nets.

What am I doing wrong ?

Thanks in advance,
Gurvinder

phil.davis

If its not just a typo, then this is your problem:

12    32 ms    33 ms    32 ms  192.16.0.10

192.16.0.10 is a real public IP.
It should be 192.168.0.10 (look for the missing "8" anywhere on the OPT1 setup, and systems in the OPT1 subnet)

gurvindernarula

:-[ - Duh …...

Thanks that was it - it was a typo -

mikeisfly

Another thing,

Isn't the purpose of a DMZ to keep that traffic segregated from the rest of your network? You should create a rule on your DMZ to block all traffic going to any LAN IP and make sure its before that allow any any rule.