Static route issue
Hello,
I have a problem configuring a static route on the WAN interface to a private network:

My Internet GW (default gateway): 192.168.1.1
My pfSense (WAN interface): 192.168.1.3
My local network (pfSense LAN interface: 10.55.2.254): 10.55.2.0/24
I have no NAT because all NAT is on the Internet GW (192.168.1.1).

I have another router for routing other LANs:
Router: 192.168.1.2
Network behind this router: 172.16.0.0/16 (IP: 172.16.1.254)

In pfSense, I have configured:
2 gateways:
WANGW (Default GW) -> Interface WAN -> GW 192.168.1.1
ROUTERGW -> Interface WAN -> GW 192.168.1.2
1 static route:
172.16.0.0/16 -> GW: ROUTERGW
No Outbound NAT, no 1:1 NAT, no Port Forwarding.
FW rules (no gateway specified, so no PBR):
WAN:
Any accept (Accept * * * * * * no queue)
LAN:
Any accept (Accept * * * * * * no queue)

Routing table:
netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 0 26495 vmx3f1
10.55.2.0/24 link#2 U 0 133740 vmx3f0
10.55.2.254 link#2 UHS 0 4 lo0
127.0.0.1 link#5 UH 0 66 lo0
172.16.0.0/16 192.168.1.2 UGS 0 662 vmx3f1
192.168.1.0/24 link#3 U 0 393896 vmx3f1
192.168.1.3 link#3 UHS 0 0 lo0
=> Seems to be OK
I have a computer with IP 172.16.1.40.
Ping from 172.16.1.40 to 192.168.1.1 => OK
Ping from 172.16.1.40 to 192.168.1.2 => OK
Ping from 172.16.1.40 to 192.168.1.3 => KO

Ping from pfSense 192.168.1.3 to 192.168.1.1 => OK
Ping from pfSense 192.168.1.3 to 192.168.1.2 => OK
Ping from pfSense 192.168.1.3 to 172.16.1.40 => KO

Now, from 172.16.1.40: ping -t 192.168.1.3
For tcpdump:

On the pfSense (interface vmx3f1 is 192.168.1.3):
tcpdump -ni vmx3f1 icmp and host 172.16.1.40
listening on vmx3f1, link-type EN10MB (Ethernet), capture size 96 bytes
10:33:53.978486 IP 172.16.1.40 > 192.168.1.3: ICMP echo request, id 768, seq 5641, length 40
10:33:53.978527 IP 192.168.1.3 > 172.16.1.40: ICMP echo reply, id 768, seq 5641, length 40
=> Works fine

On the router (interface seth4 is 192.168.1.2):
tcpdump -ni seth4 icmp and host 172.16.1.40
listening on seth4, link-type EN10MB (Ethernet), capture size 96 bytes
22:03:37.123283 IP 172.16.1.40 > 192.168.1.3: ICMP echo request, id 768, seq 12553, length 40
22:03:42.885379 IP 172.16.1.40 > 192.168.1.3: ICMP echo request, id 768, seq 12809, length 40
=> Only requests, no replies

On the Internet GW (bge0 is 192.168.1.1):
tcpdump -ni bge0 icmp and host 172.16.1.40
listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
08:41:44.023409 IP 192.168.1.3 > 172.16.1.40: ICMP echo reply, id 768, seq 21257, length 40
08:41:49.505862 IP 192.168.1.3 > 172.16.1.40: ICMP echo reply, id 768, seq 21513, length 40
=> The replies appear here… Not normal, because pfSense must route packets to 192.168.1.2 for destination 172.16.0.0/16 based on the routing table.

Now, I check the box "Disable all packet filtering" in System / Advanced / Firewall/NAT.
All works fine!
Ping from 172.16.1.40 to 192.168.1.1 => OK
Ping from 172.16.1.40 to 192.168.1.2 => OK
Ping from 172.16.1.40 to 192.168.1.3 => OK

Ping from pfSense 192.168.1.3 to 192.168.1.1 => OK
Ping from pfSense 192.168.1.3 to 192.168.1.2 => OK
Ping from pfSense 192.168.1.3 to 172.16.1.40 => OK

So, there is a routing issue in my configuration, but I don't understand where...
Can anybody help me?
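An added check, not part of the original post, that reproduces the comparison the poster did by hand: it parses the netstat -rn table quoted above, does a longest-prefix lookup for 172.16.1.40 and compares the routing table's next hop with the gateway where the reply was actually captured. The table is copied from the post; the "observed" gateway (192.168.1.1) is inferred from the capture on bge0.

```python
import ipaddress

# Routing table exactly as printed by `netstat -rn` on the pfSense box in the post
# (header lines dropped; there is no Expire column in this output).
ROUTING_TABLE = """\
default 192.168.1.1 UGS 0 26495 vmx3f1
10.55.2.0/24 link#2 U 0 133740 vmx3f0
10.55.2.254 link#2 UHS 0 4 lo0
127.0.0.1 link#5 UH 0 66 lo0
172.16.0.0/16 192.168.1.2 UGS 0 662 vmx3f1
192.168.1.0/24 link#3 U 0 393896 vmx3f1
192.168.1.3 link#3 UHS 0 0 lo0
"""


def parse_routes(text):
    """Return (network, gateway, netif) tuples; 'default' becomes 0.0.0.0/0,
    bare host entries become /32 routes."""
    routes = []
    for line in text.splitlines():
        dest, gw, _flags, _refs, _use, netif = line.split()[:6]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        routes.append((net, gw, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: (gateway, netif) the kernel would choose for dst.
    A gateway of the form link#N means the destination is directly connected."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def check_reply_path(routes, dst, seen_at_gateway):
    """Compare the routing-table next hop for dst with the gateway where the
    reply was captured; a mismatch means the reply bypassed the routing table."""
    expected_gw, netif = lookup(routes, dst)
    return {
        "expected": expected_gw,
        "observed": seen_at_gateway,
        "netif": netif,
        "bypassed_routing_table": expected_gw != seen_at_gateway,
    }


if __name__ == "__main__":
    print(check_reply_path(parse_routes(ROUTING_TABLE), "172.16.1.40", "192.168.1.1"))
```

A mismatch that disappears only when packet filtering is disabled is the signature of pfSense's reply-to behaviour on WAN rules, which sends reply traffic back to the interface's gateway instead of following the routing table; the global switch for it is "Disable reply-to on WAN rules" under System / Advanced / Firewall & NAT.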