Netgate Discussion Forum

[resolved] pfSense not routing between connected subnets

Category: Routing and Multi WAN
24 Posts 6 Posters 63.0k Views
  • b3nno, Mar 9, 2014, 9:57 PM (last edited Mar 12, 2014, 10:37 PM)

    Greetings!

    I've been at this problem for quite some time, googled almost any combination of words and read topics.

    My problem is simply, pfSense will not route between two connected subnets on LAN: 10.0.10.0/24 and DMZ: 192.168.1.0/24.

    pfSense is 10.0.10.1 and 192.168.1.1 respectively. Running version 2.1.

    Computers connected to each of these networks of course have the correct default route to the pfSense box. Computers connected to LAN and DMZ can ping the pfSense firewall. Hosts are configured to reply to ICMP. They reply to pings made from the pfSense webGUI.

    Computers in LAN can also ping the interface of the pfSense box facing the DMZ network (192.168.1.1), but not anything else in the DMZ network.
    Computers in DMZ can also ping the interface of the pfSense box facing the LAN network (10.0.10.1), but not anything else in the LAN network.

    I've tried Manual NAT mode and deleted all rules in that pane, no go. I've tried ticking "Disable all packet filtering" in System: Advanced: Firewall/NAT, no go.

    I've tried different firewall rules for both DMZ and LAN. They're both now configured with Allow source: any, proto: any, dest: any.

    I've tried switching NICs for LAN and DMZ, no go.

    Both LAN and DMZ can successfully access the Internet with manual NAT Outbound config through the WAN interface. I can configure NAT between LAN and DMZ which works, but I do not want NAT between these networks.

    Does anyone have any idea what's going on here?

    If you need more info, I will supply it.

    • podilarius, Mar 9, 2014, 11:18 PM

      Is your WAN on a private IP or a public one? With firewall rules disabled, it should route without any problems.

      • b3nno, Mar 10, 2014, 9:22 AM

        My WAN is currently in a private address space: 10.0.0.0/24.

        Yeah, that is what I understood about pfSense too, but it seems mine does not route, only NAT.

        I've tried 2.0.2 and 2.0.3 versions too. Same problem.

        I've tried different IP subnets, disconnecting WAN, fresh install but to no avail.

        • jswj, Mar 10, 2014, 9:45 AM (last edited Mar 10, 2014, 9:47 AM)

          On pfSense, no LAN interface must have a gateway IP set. Both client hosts should point their gateway to the respective LAN IP of the pfSense LAN interface.

          Create firewall rules on both LAN interfaces on pfSense to allow any-to-any traffic, for now. See if the client hosts on both LANs can reach each other.

          On the pfSense WAN, disable "block private networks", and enable automatic outbound NAT.

          Would that work?

          • b3nno, Mar 10, 2014, 10:26 AM

            Neither LAN nor DMZ interface on pfSense is configured with a gateway. It is set to "none".

            Hosts in DMZ (192.168.1.0/24) have 192.168.1.1 as default gateway. Hosts in LAN (10.0.10.0/24) have 10.0.10.1 as their default gateway.

            Both LAN and DMZ have rules that say allow traffic from any to any. Clients cannot reach each other.

            The WAN interface is of course not configured with "block private networks", because the WAN address space is in such a network.

            I will try enabling Auto Outbound NAT later today. I doubt it will work, however, because it did not work with Manual NAT and no rules.

            NAT/PATing works wonderfully, however. Hosts in both LAN and DMZ currently have internet access. They cannot reach each other though.

            I've successfully tried NATing with source LAN, destination DMZ with a NAT rule as pictured in the attachment. Hosts on LAN (10.0.10.0/24) can that way access hosts in DMZ (192.168.1.0/24), but not the other way around without manually mapping ports etc. This would probably be fine for a normal DMZ network but not in this case :)

            Attachment: pfsenseNATrules.png

            • jswj, Mar 10, 2014, 11:08 AM

              Remove all the mappings in the manual NAT configuration. If both LAN and DMZ can ping their own gateway, they should be able to talk to each other.

              It is maybe stupid of me to say this, but sometimes the LAN cable is not where it's supposed to be. Check that LAN and DMZ are connected to the correct interface on the pfSense, just maybe.

              I have simulated your situation within a virtual environment; all works OK.

              • b3nno, Mar 10, 2014, 6:11 PM (last edited Mar 10, 2014, 6:44 PM)

                I tried removing the NAT configurations. In this scenario both LAN and DMZ can ping their own gateway, but they cannot talk to each other.

                Yeah, I'm pretty sure about where the cables go. LAN and DMZ hosts rely on DHCP leases, so that is another way to know for sure hosts are connected to the correct interface.

                What other settings/rules have you configured to manage this in your virtual environment?

                I'm starting to think the motherboard simply cannot be used for routing. Tried m0n0wall too, no luck there. Maybe I should start over with some other hardware.

                Attached: firewall rules and NAT rules. This is the current setup. If I delete all NAT rules there is no internet access (of course), and hosts in LAN (10.0.10.0/24) cannot access DMZ hosts (192.168.1.0/24) at all.

                Attachment: pfsenserulesNAT.png

                • podilarius, Mar 10, 2014, 6:51 PM

                  Do you have promiscuous mode turned on for the vswitches in ESX?

                  • b3nno, Mar 10, 2014, 6:56 PM

                    This is a physical pfSense box; the hosts are physical as well :) No vswitches.

                    • podilarius, Mar 10, 2014, 7:00 PM

                      Sorry, posted in the wrong thread. Let me look over the attachment.

                      • podilarius, Mar 10, 2014, 7:13 PM

                        I have heard of this only one other time, and it was hardware related then. What type of NICs and hardware are you running?

                        • b3nno, Mar 10, 2014, 8:21 PM (last edited Mar 10, 2014, 8:30 PM)

                          It's running on a Jetway 7F4K1G5DS-LF motherboard, 1.5 GHz VIA C7-D embedded processor, with two Realtek gigabit NICs onboard with the RTL8101SC chip. The third NIC is a generic 100/10 Mbit Davicom. Booting from a 512MB CF card in a CF-IDE converter.

                          • mikeisfly, Mar 11, 2014, 1:03 AM

                            What network is your WAN on? Can you post screenshots of your LAN interfaces?

                            • podilarius, Mar 11, 2014, 12:39 PM

                              I have not heard of this Davicom NIC. What chipset is it using? Do you have another NIC, preferably Intel, that you can replace it with for further testing?

                              • b3nno, Mar 11, 2014, 1:12 PM (last edited Mar 11, 2014, 1:17 PM)

                                My WAN network lies in 10.0.0.0/24. I have tried to replace the Davicom PCI card with a Realtek PCI 100/10 NIC. Still no routing happening. LAN and DMZ are configured on the onboard NICs. I did try to use the third PCI card for LAN, still no routing. The Realtek 100/10 PCI card is using the RL driver. The onboard Realtek NICs are using the RE driver.

                                Attached: screenshots from the LAN and DMZ interface config pages.

                                Attachments: DMZINT.png, LANINT.png

                                • podilarius, Mar 11, 2014, 3:22 PM

                                  With that setup and the correct rules, it should route without issue. Did you say that if you disable the firewall under Advanced, it still will not route?

                                  • b3nno, Mar 12, 2014, 9:46 AM (last edited Mar 12, 2014, 9:56 AM)

                                    That is correct. It will not route between connected subnets even with firewall disabled.

                                    I will try routing between nets on different VLANs in a trunk from the pfSense box later today, if the NICs support VLANs/trunking at all :)

                                    • b3nno, Mar 12, 2014, 10:36 PM

                                      Breaking news!

                                      The error of my ways has revealed itself. Windows Firewall blocks both ICMP and IP traffic from another subnet than the one the host resides in. All this time the poor pfSense box was doing its job probably perfectly.

                                      Sorry for wasting your time, people, but thanks a bunch for your posts :) Really appreciate it.

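The resolution above comes down to rule scope: on Windows 8 and later, several of the built-in inbound allow rules (the ICMPv4 echo-request rule on the Private profile, for example) restrict their remote address to `LocalSubnet`, so a packet that pfSense forwarded correctly from 10.0.10.0/24 to a host in 192.168.1.0/24 is dropped by the host itself, and pfSense looks guilty. The following is an added example, not code from the thread or from Netgate, showing how to list those rules on the host before blaming the router, and how to allow the peer subnet narrowly instead of turning the firewall off. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later); `$peerSubnet` and the function name `Get-LocalSubnetScopedRules` are my own, and the subnets are the ones from this thread.

```powershell
# Added example (not from the thread): find enabled inbound allow rules whose
# remote scope is limited to LocalSubnet. Those are the rules that make a
# Windows 8+ host silently drop ICMP and other traffic arriving from a routed
# neighbour subnet, even when the router (pfSense here) forwarded it correctly.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later).

function Get-LocalSubnetScopedRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            # Address and port filters are separate objects linked to the rule.
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -contains 'LocalSubnet') {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = $rule.Profile
                    Protocol      = $port.Protocol
                    IcmpType      = $port.IcmpType
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

# Which enabled allow rules would reject traffic from the other subnet in the
# thread (10.0.10.0/24 seen from a DMZ host in 192.168.1.0/24, or vice versa)?
Get-LocalSubnetScopedRules | Format-Table -AutoSize

# Mitigation that leaves the built-in rules untouched: one narrowly scoped rule
# that allows ICMPv4 echo requests (type 8) only from the peer subnet.
# $peerSubnet is a placeholder; set it to the subnet that should reach this host.
$peerSubnet = '10.0.10.0/24'
New-NetFirewallRule -DisplayName "Allow ICMPv4 echo from $peerSubnet" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $peerSubnet -Profile Private,Domain -Action Allow | Out-Null
```

Run it in an elevated PowerShell session; the listing works without elevation, but `New-NetFirewallRule` does not. If the listing shows the rule you expect to permit the traffic with `RemoteAddress = LocalSubnet`, the host, not the router, is the drop point, which is exactly what a packet capture on the pfSense DMZ interface would also show (request forwarded, no reply). Scoping the new rule to one subnet and one ICMP type keeps the host's exposure the same as before apart from the one flow you actually need.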
                                      • podilarius, Mar 13, 2014, 3:33 AM

                                        Good old Windows … At least they err on the somewhat safe side now. Good luck.

                                        • b3nno, Mar 13, 2014, 7:05 AM

                                          Hehe, yeah. Both hosts were running Win 8, so maybe it's something new. I have not heard of this at least. I figured it out when I put a Cisco switch into the mix, which I could ping from all subnets.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.