Multiple LAN not routing to default gateway

  • Hi!

    I am having some troubles whereby I can't get any LAN traffic to route out the default gateway.
    Current setup is 4 vlans, one is WAN and the other 3 are internal LANs. Subnets (for argument's sake):

    I can only seem to get traffic routing from a client device on a lan subnet to the internet, if I use a policy based gateway inside the firewall rule. Everything I seem to read just says as long as you have a default gateway it should work. The NAT is set to automatic and I have set a "default allow rule" on the firewall.

    I am a bit lost.

    One more note in case it helps. From a client machine, being on subnet, I can successfully ping (which is the pfsense address on another subnet)

    Thanks for your help

  • You are right - it just works by default, so you won't find much help when searching!
    a) System->Routing that the WAN gateway is actually selected as default
    b) Diagnostics->Routes - that it does actually show a default route to your upstream WAN gateway
    c) Ordinary pass rule/s on all the LAN interfaces to allow the traffic
    d) NO gateway set on any LAN interface

  • Thanks,

    I have check all as suggested and this is the only discrepancy:

    Under diagnostic > routes, it is blank. There is nothing listed here.

  • After a few seconds gathering the data, it should show similar to the attachment - and you definitely need a default route (I put a red box around it).
    That is really weird. From the command line try:

    netstat -r

    That had better spit out a list of routes the box knows about, or some error as to why you have no routing.
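    Checks a), b) and d) above, and the `netstat -r` suggestion, can be scripted on the pfSense box itself. The following is an added example (not code from the thread or from pfSense): it parses FreeBSD `netstat -rn` output and reports whether there is a usable IPv4 default route leaving via the expected WAN interface, and lists any gateway routes that leave via a non-WAN interface (a rough signal that a LAN interface has a gateway or a static route you did not intend). The interface names, addresses and the two routing tables are constructed for the example; on a real box you would pass `"$(netstat -rn)"` instead.

```shell
#!/bin/sh
# Added example: sanity-check a FreeBSD/pfSense routing table for a default route.
# Interface names and all addresses below are constructed (RFC 5737 ranges).

WAN_IF="em0"   # assumption: the WAN interface name on this box

# Constructed `netstat -rn` output of a correctly routed box (IPv4 section only).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           em1
198.51.100.0/24    link#3             U        em0.10
'

# Constructed table where a static route points at a gateway on a LAN interface.
SAMPLE_WITH_LAN_GW="${SAMPLE_ROUTES}10.0.0.0/8         192.0.2.254        UGS         em1
"

# Print the next hop of the IPv4 default route, or nothing if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Print the interface the default route leaves on, or nothing if there is none.
default_netif() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# Print every gateway route (G flag) that is not the default route and does not
# leave via the WAN interface; an empty result is what you want on a simple setup.
lan_gateway_routes() {
    printf '%s\n' "$1" | awk -v wan="$2" \
        '$3 ~ /G/ && $1 != "default" && $4 != wan { print }'
}

# Return 0 when the table has a default route with a real next-hop address that
# leaves via the expected WAN interface; otherwise print why and return 1.
check_default_route() {
    table="$1"; wan="$2"
    gw=$(default_gateway "$table")
    nif=$(default_netif "$table")
    if [ -z "$gw" ]; then
        echo "no default route: select the WAN gateway as default under System > Routing" >&2
        return 1
    fi
    case "$gw" in
        link#*) echo "default route has no next-hop address (gateway is $gw)" >&2; return 1 ;;
    esac
    if [ "$nif" != "$wan" ]; then
        echo "default route leaves via $nif, expected $wan" >&2
        return 1
    fi
    return 0
}

# Run the checks against the constructed tables when executed directly.
check_default_route "$SAMPLE_ROUTES" "$WAN_IF" && \
    echo "default route OK via $(default_gateway "$SAMPLE_ROUTES") on $WAN_IF"
stray=$(lan_gateway_routes "$SAMPLE_WITH_LAN_GW" "$WAN_IF")
[ -n "$stray" ] && printf 'gateway routes not via WAN:\n%s\n' "$stray"
```

Replace the constructed tables with `"$(netstat -rn)"` to run it on the box; if `check_default_route` fails, the message names which of Phil's checks to revisit, and any lines printed by `lan_gateway_routes` point at static routes or LAN gateways worth a second look.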

  • Hi.

    Sorry, my mistake, the default route is appearing there, but still no traffic routing from internal vlana unless I set a policy based 'gateway' route in the firewall rules.

  • Hmmm, now I am struggling  :(

    and I have set a "default allow rule" on the firewall.

    Assuming that rule is on the vlana interface, then the traffic will be passed through to the normal routing and should go out the default gateway.
    And I assume the IP address listed for the default route is actually the IP address of the upstream router/ISP on WAN?

  • I know, I have been scratching my head all afternoon.

    The rule is from vlana (first lan vlan) to any - allow/pass.

    Correct the IP in the default route is the IP provided by DHCP from the upstream router.

  • I think it is time to post the rule/s you have - there might (must?) be some odd rule setting that is causing it not to match traffic.

  • Thanks for your persistence.

    This is the only rule (attached) that is applied on the VLAN-A (vlana).

    Regarding the rules on the WAN: It is pass: IPv4 from * to * with no other settings.

  • Netgate Administrator

    If by simply applying a gateway (policy based route) to the default LAN rules you can get out to the internet, it seems pretty clear that the system routing must be incorrect. When you apply a gateway, you override the system routing.


    Sorry my mistake, the default route is appearing there

    But what is the default route? Is it correct?

    You never directly answered Phil as to whether there are any gateways on any LAN interface. You should have only one gateway defined and it should be on WAN, as listed in System: Routing: Gateways:


  • Sorry - there is no gateway set in the vlan-a.

    The only gateway listed under system routing gateways is the correct gateway for the wan.

  • Netgate Administrator

    In fact, re-reading this I see you did say you'd checked all of Phil's suggestions. Better to double check.  ;)

    Ok, so the system default gateway is on the correct interface, but is it correct? Presumably, since you have only one gateway, when you set the gateway in the LAN rule you only have the one choice: WAN_DHCP. So that would imply the gateway is correct. So what is different when you specify a gateway? One thing that does change is that specifying a gateway negates any static routes you might have entered. Do you have any?

    It would be much easier if you showed us your routing table. Redact anything you deem to be confidential.

