Multi subnet routing problem



  • Hello,

I'm still new to pfSense and networking in general, but I'll do my best to explain the issue that I'm having.
    I need to connect 2 PCs (172.16.0.2 and 172.16.0.130) through a 2621 Cisco router (172.16.0.1) with a subnet mask of 255.255.255.0.
    That 2621 Cisco router has a 192.168.200.99 IP address on the F0/1 interface, which is connected to pfSense at 192.168.200.254, also on a 255.255.255.0 subnet mask.
    So far, I can ping everything on this side of my network.

On the other side of my pfSense is 192.168.100.xxx, connected indirectly to the internet, and that connection also works perfectly.
    However, my 2621 Cisco router and anything beyond it cannot connect to anything beyond the 192.168.100.xxx side of pfSense,
    and I'm all out of ideas why this would be.

I have added a static route from my Cisco 2621 to pfSense, and a gateway and a static route from pfSense back to the 2621.
    I have tried the RIP routing protocol between the Cisco and pfSense, but this didn't help either.
    I have disabled all firewalls on the PC hosts, and I temporarily made a firewall rule in pfSense to allow ALL connections, but we still couldn't get through to 192.168.100.10.
    In the NAT outbound rules, I opened up all protocols and destinations.

I don't know how I can get my connection to go through pfSense, towards the internet and back.
    If anyone has an idea that I didn't think of yet, I'd really appreciate it.

Here's a link to a photo that might make it a little bit clearer.
    https://mijnwolkjes.nl/public.php?service=files&t=88e88a41e958d4f7529632c0309b8d80
    It's a self-signed certificate, so don't mind the HTTPS error. (Check that it's from hipstreet.nl.)

    Thanks in advance,
    Robin.



  • Is the Cisco doing NAT on the way out to pfSense?
    If not, then the Cisco LAN IP addresses (like 172.16.0.2) will appear in packets going through pfSense. On pfSense you will need:

    1. Pass rules on LAN to allow 172.16.0.0/24
    2. Gateway back to the Cisco at 192.168.200.99 (just add a gateway on pfSense - do not actually make it a "default" gateway on LAN)
    3. Static route for 172.16.0.0/24 to the 192.168.200.99 gateway

    and obviously anything on the Cisco to allow the relevant packets through it.



  • There is no NAT on the Cisco as of yet.

    I tried adding a rule for my 172.16.0.0 network, and adding a gateway (not default) and a static route back and forth,
    but it still does not work.

    I think i will add NAT to the Cisco router as the next step.

    Thank you for your advice, and I'll post again if I find anything noteworthy.

    Robin



  • Thinking a bit more… The automatic outbound NAT rules generated by pfSense are only for the LANs that are local to the pfSense. So the Cisco subnet IPs will not be NAT'd out of pfSense towards the internet - thus the real internet will not be able to route back to them.

    1. Enable Manual Outbound NAT and add some new rules for the Cisco subnet; or
2. NAT on the Cisco also (as you suggested) - but that hides the real Cisco subnet IPs from pfSense, so if you want to do any special filtering on parts of the Cisco subnet, that won't work.


NAT was set to manual and we added rules for my 172.16.0.0 network as well.
    No luck so far.

Just a bit of information that I think I forgot to tell.
    From the PCs on the 172.16.0.0 network, I can log in to pfSense.
    But I still can't ping the 192.168.100.10 interface on the other side of pfSense.



I just wanted to let you guys know that the issue is gone.
    The problem was in the Cisco 2621 after all.
    I forgot to set the "gateway of last resort" on this router, so anything destined for a network it was not familiar with was being dropped and never actually went to pfSense.

    Thank you for your help
    Robin
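As an added illustration of the thread's outcome (this is example code, not anything posted by Robin or the pfSense project), the model below does a longest-prefix-match lookup over the routing tables described above. It assumes the Cisco's missing default route would point at pfSense (192.168.200.254) and that pfSense has its own upstream default route; both are assumptions, not details given in the thread.

```python
from ipaddress import ip_address, ip_network

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.

    Returns the next hop for dst, or None when no route matches, which is
    exactly the "dropped" case a router with no gateway of last resort hits.
    """
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Cisco 2621 as first described: only its two connected networks.
CISCO_NO_DEFAULT = [
    ("172.16.0.0/24", "connected"),
    ("192.168.200.0/24", "connected"),
]

# Same router after the fix. Assumption: the gateway of last resort is the
# pfSense address on the shared 192.168.200.0/24 link.
CISCO_WITH_DEFAULT = CISCO_NO_DEFAULT + [("0.0.0.0/0", "192.168.200.254")]

# pfSense with the static route back to the Cisco subnet (step 3 above).
# "upstream" stands in for pfSense's WAN default route (assumption).
PFSENSE = [
    ("192.168.200.0/24", "connected"),
    ("192.168.100.0/24", "connected"),
    ("172.16.0.0/24", "192.168.200.99"),
    ("0.0.0.0/0", "upstream"),
]

def trace(src, dst, cisco_table):
    """Forward a packet Cisco -> pfSense, then check pfSense can route back."""
    hop1 = lookup(cisco_table, dst)
    if hop1 is None:
        return "dropped on cisco: no route"
    hop2 = lookup(PFSENSE, dst)
    back = lookup(PFSENSE, src)
    if back is None or back == "upstream":
        return "pfsense has no return route to " + src
    return f"cisco->{hop1}, pfsense->{hop2}, return via {back}"

if __name__ == "__main__":
    print(trace("172.16.0.2", "192.168.100.10", CISCO_NO_DEFAULT))
    print(trace("172.16.0.2", "192.168.100.10", CISCO_WITH_DEFAULT))
```

The first call reproduces the symptom from the thread (the Cisco never forwards the packet); the second shows both the forward hop and the pfSense static route that carries the reply back to 172.16.0.0/24.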

