Netgate Discussion Forum
    LAN-to-LAN routing blocking [solved]

    Routing and Multi WAN
    3 Posts 2 Posters 1.8k Views
    Oliver_

      Hi,

      I have a new installation and there are problems when I route to other networks through the LAN interface.
      I have a Cisco 3750X stack as core router (inter-VLAN routing) and as Internet breakout I want to use pfSense.
      They are both configured to use OSPF, and they are fully adjacent, so the routing is no problem! I can ping everywhere without any problem.
      But SMB shares or Remote Desktops are blocked, and after being blocked for 5 sec. the connection can be established…

      I have no idea what I must set in pfSense to allow the packet flow without interruption!

      Thanks Oli

      PS: I am using pfSense 2.0.3 because of Multi-WAN with Squid!

      Attachments: netplan.PNG, blockung.PNG, lan rules.PNG

      phil.davis

        This is another asymmetric routing case. Old clients (192.168.178.0/24) will be using pfSense LAN as their default gateway (192.168.178.1). Then pfSense routes this traffic through to Cisco (192.168.178.9). Cisco delivers the packet. The reply is delivered directly by the Cisco to the old client, because Cisco and old client are in the same subnet. pfSense does not see the replies, and pfSense states time out.
        pfSense will send ICMP redirect messages back to the old client, and if the old client is smart enough it will take note of those and start using Cisco directly as the gateway to those other private networks.
        You can:
        a) If pfSense has an extra interface, connect Cisco to pfSense by a separate cable to pfSense, and use a different subnet for Cisco-pfSense. Then all traffic from old clients in both directions has to go through pfSense; or
        b) System: Advanced: Firewall and NAT - Bypass firewall rules for traffic on the same interface - then this traffic should be passed.
        c) Switch to Manual Outbound NAT, add a NAT rule for interface LAN, source 192.168.178.0/24, destination those subnets behind Cisco, NAT to the LAN IP. Then all the traffic from "old clients" will appear to come from 192.168.178.1 and so the reply packets will all go back from Cisco to pfSense, be un-NATed, and then delivered to the "old client".

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        Oliver_
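The failure phil.davis describes can be reproduced with a small model of pf-style state tracking. This is an added example, not code from the thread or from pfSense: the client and server addresses are made up, and the class is a deliberately minimal stand-in for pf's state table. It replays the TCP handshake for the asymmetric case (Cisco on the same LAN subnet, replies bypass pfSense), for a transit network or outbound NAT (replies come back through pfSense, options a and c), and for "bypass firewall rules for traffic on the same interface" (option b).

```python
class StatefulFirewall:
    """Toy pf-style state table for one TCP handshake.

    A state is created when a SYN arrives on the LAN pass rule and must then
    see SYN-ACK and ACK in that order.  Anything else is dropped as an
    out-of-state packet, which is pf's default behaviour.
    """
    NEXT = {"SYN": "SYN-ACK", "SYN-ACK": "ACK", "ACK": "ESTABLISHED"}

    def __init__(self, bypass_same_interface=False):
        self.states = {}                  # (client, server) -> expected flag
        self.bypass_same_interface = bypass_same_interface

    def forward(self, src, dst, flags, in_if, out_if):
        """Return True if pfSense passes the packet, False if it drops it."""
        if self.bypass_same_interface and in_if == out_if:
            return True                   # option b: no state check at all
        key = (dst, src) if flags == "SYN-ACK" else (src, dst)
        expected = self.states.get(key)
        if expected is None:
            if flags != "SYN":
                return False              # no state and not a SYN: drop
            self.states[key] = "SYN-ACK"  # new state created by the LAN rule
            return True
        if flags != expected:
            return False                  # out-of-state, e.g. ACK before SYN-ACK
        self.states[key] = self.NEXT[flags]
        return True


def handshake(reply_via_pfsense, bypass_same_interface=False):
    """Replay the three handshake packets; return [(flags, passed), ...]."""
    client = "192.168.178.50"   # constructed "old client", default gw = pfSense .1
    server = "10.1.1.20"        # constructed host in a VLAN behind the Cisco
    # With a transit network (option a) the Cisco sits on its own interface;
    # otherwise pfSense sends the packet back out on LAN to the Cisco at .9.
    out_if = "TRANSIT" if reply_via_pfsense else "LAN"
    fw = StatefulFirewall(bypass_same_interface)
    seen = [("SYN", fw.forward(client, server, "SYN", "LAN", out_if))]
    if reply_via_pfsense:
        # Reply is forced back through pfSense (transit network or outbound NAT).
        seen.append(("SYN-ACK", fw.forward(server, client, "SYN-ACK", out_if, "LAN")))
    # Otherwise the Cisco delivers the SYN-ACK straight to the client on the
    # shared subnet and pfSense never sees it; the client's ACK still comes here.
    seen.append(("ACK", fw.forward(client, server, "ACK", "LAN", out_if)))
    return seen
```

`handshake(False)` shows the client's ACK being dropped because pfSense's state is still waiting for a SYN-ACK it never saw; `handshake(True)` and `handshake(False, bypass_same_interface=True)` pass every packet.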

          Thank you so much!

          I had a knot in my brain! :o

          As I read "asymmetric routing" I get a red head! ;)

          What a novice error, I really feel ashamed...

          The solution was: of course, building a separate transport network between the Cisco stack and pfSense, 172.30.29.0/26

          Thanks again, and regards, Oli

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.