Upgraded to 2.1, now i cannot access other subnets on LAN



  • Hello,

    I upgraded to pfsense 2.1, from 2.0.3 and now i cannot access other subnets that my pfsense machine handles.  i.e. if i am on 192.168.2.X and i want to access a machine in the DMZ at 10.0.0.X i am not able to do that. But i can ping pfsense's interface on that subnet (10.0.0.1).

    I am not sure what is causing this but i have tried putting allow all rules in the firewall without luck.

    If someone could give me any suggestions that would be greatly appreciated.



  • The rules to negate policy routing over-matched in some cases in pre-2.1 versions. You need firewall rules above your policy routing rules (anything specifying a gateway other than "default") allowing traffic between your local LANs, with gateway left at "default".



  • I am not sure i understand. Could you please elaborate? Thanks a lot.

    P.S. I do have multiple WAN connections.



  • Do you have rules that specify a gateway? (known as policy-routing)
    If so, then the behavior has changed a little in pfSense 2.1.
    The rule might be:
    Pass source LANnet destination all gateway MyGatewayGroup

    In older versions of pfSense, underneath in the rule set, it would "help you out" - that "destination all" rule would send EVERYTHING to MyGatewayGroup, even traffic for another local LAN on pfSense itself (e.g. OPT1net). So pfSense code put another rule just before the gateway rule:
    Pass source LANnet destination OPT1net gateway default

    This allowed that traffic to be passed through to the normal routing, which delivered it locally - rather than being forced out the gateway.

    Now pfSense does just what it is told - the extra rule is not added in the background.

    You need to add a rule, above the "policy-routing" rules, on LAN:
    Pass source LANnet destination DMZnet gateway default

    That will let the local traffic through without forcing it into/out a gateway.



  • Awesome! Thanks a lot, that has been giving me trouble for quite a while.