    Noobie Q about routing (ver 2.0.3-Release)

    General pfSense Questions - 4 Posts, 3 Posters, 1.7k Views
    gurvindernarula wrote:

      Hello all,

      I'm new to pfSense so this could be a very basic question, but I'm baffled about how routing is working in my environment.

      My setup is as follows:

      +------------------+
      | Internet Router  |
      | (AT&T U-verse)   |
      +------------------+
               ^
               |
               v <- WAN
      +------------------+
      | pfSense Firewall |
      |   172.16.0.1     | <---> LAN (172.16.0.0/24)
      |   192.168.0.1    | <---> DMZ (OPT1 - 192.16.0.0/24) - Not yet a true DMZ - I'm running some tests before I 'expose' any ports to the public Internet.
      +------------------+

      I've not changed the LAN and WAN rules that pfSense configured 'out-of-the-box' (OTB).

      On the DMZ side, I've configured the rule just like the LAN side (Action: Pass, Protocol: Any, Source: DMZ Net, Source Port: Any, Destination: Any, Destination Port: Any).

      I've also left the default OTB routing as-is: Name: WAN, Interface: WAN, IP Address: my external (public) IP address assigned via DHCP by my ISP.

      I'm able to 'ping' different computers between the 2 subnets without any issues.

      The issue comes up when I try to do a traceroute. The trace seems to indicate that my packets are going all over the Internet before reaching my server. E.g. when I try to traceroute from 172.16.0.17 (on the LAN) to 192.168.0.10 (on the DMZ), I get the following results:

      C-Prompt:>tracert 192.16.0.10

      Tracing route to 192.16.0.10 over a maximum of 30 hops

        1    <1 ms    <1 ms    <1 ms  172.16.0.1
        2     *        *        *     Request timed out.
        3    46 ms    26 ms    27 ms  my-IP-Address.domain-assigned-by-ISP
        4     *        *        *     Request timed out.
        5    29 ms    28 ms    27 ms  75.26.64.14
        6     *        *        *     Request timed out.
        7    27 ms    27 ms    27 ms  12.83.32.173
        8    36 ms    33 ms    35 ms  ggr4.cgcil.ip.att.net [12.122.133.33]
        9    33 ms    33 ms    33 ms  chi-bb1-link.telia.net [213.248.87.253]
       10    34 ms    78 ms    33 ms  edgecast-ic-157045-chi-bb1.c.telia.net [62.115.9.130]
       11    34 ms    33 ms    34 ms  198-7-19-109.edgecastcdn.net [198.7.19.109]
       12    32 ms    33 ms    32 ms  192.16.0.10

      Is this normal? It does take quite a while for me to invoke any services between the computers on the different subnets.

      What am I doing wrong?

      Thanks in advance,
      Gurvinder

      phil.davis wrote:

        If it's not just a typo, then this is your problem:

          12    32 ms    33 ms    32 ms  192.16.0.10

        192.16.0.10 is a real public IP.
        It should be 192.168.0.10 (look for the missing "8" anywhere on the OPT1 setup, and systems in the OPT1 subnet)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      gurvindernarula wrote:

          :-[ Duh...

          Thanks, that was it - it was a typo.

      mikeisfly wrote:

            Another thing,

            Isn't the purpose of a DMZ to keep that traffic segregated from the rest of your network? You should create a rule on your DMZ to block all traffic going to any LAN IP and make sure it's before that allow any/any rule.

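The rule ordering mikeisfly describes, written out as an added example in pf.conf syntax. This is not the thread's configuration and not literal pfSense output (pfSense generates its ruleset from the GUI); the interface names em1/em2 are assumptions, the subnets are taken from the diagram with the DMZ written as 192.168.0.0/24 (the corrected address), and the DNS rule is an optional addition not mentioned in the thread.

```pf
# Added example (not from the thread): DMZ/OPT1 rules with the block placed
# above the pass-any rule. Interface names are assumed.

lan_if  = "em1"                 # assumed: LAN interface
dmz_if  = "em2"                 # assumed: OPT1 / DMZ interface
lan_net = "172.16.0.0/24"
dmz_net = "192.168.0.0/24"      # corrected DMZ subnet (thread had 192.16.x.x)

# --- Weak: the rule the original post copied from the LAN tab. On its own it
# lets any DMZ host open connections to every LAN host and to the firewall's
# LAN address, so a compromised DMZ server has a free path inward.
#
#   pass in quick on $dmz_if from $dmz_net to any

# --- Hardened: order matters. pfSense emits every rule with "quick", so the
# first matching rule on an interface wins; the block must sit ABOVE the
# pass-any rule. In the GUI: Firewall > Rules > OPT1, add a Block rule with
# Source "OPT1 net" and Destination "LAN net", and drag it above the Pass rule.

# 1. Optional: let DMZ hosts reach the firewall's own DMZ address for DNS only,
#    if the DNS forwarder is used. "($dmz_if)" expands to that interface's
#    addresses. Drop this rule if DMZ hosts use external resolvers.
pass in quick on $dmz_if proto { tcp udp } from $dmz_net to ($dmz_if) port 53

# 2. Block, and log, anything from the DMZ aimed at the LAN subnet. Because
#    172.16.0.1 is inside $lan_net, this also stops DMZ hosts from reaching the
#    firewall's inside address. Logged hits are the signal that a DMZ host is
#    probing inward.
block in log quick on $dmz_if from $dmz_net to $lan_net

# 3. Everything else from the DMZ (Internet-bound traffic) is allowed.
pass in quick on $dmz_if from $dmz_net to any
```

To confirm the order pfSense actually loaded, run `pfctl -sr` from the shell (or Diagnostics > Command Prompt); the OPT1 rules appear in the same top-to-bottom order as the OPT1 tab. Once the block is in place, the DMZ-to-LAN ping test from the first post will fail, which is the intended result; LAN-to-DMZ connections still work through the default LAN pass rule because pf is stateful and passes the replies. Hits on the logged block rule show up under Status > System Logs > Firewall.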
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.