Why is pfSense responding to ssh, ping and all other traffic? - SOLVED



  • pfSense Setup for interfaces:

    WAN (MAC 00:00:00:00:00:AA) - VLAN50 = 192.168.50.0/24 (Actually this is a real public /24 in the real setup)
    InternalNet1 (MAC 00:00:00:00:00:BB) - VLAN60 = 10.10.60.0/24
    InternalNet2 (MAC 00:00:00:00:00:CC) - VLAN70 = 10.10.70.0/24

    • NOTE: I am just using these MAC addresses to keep this simple and easy to follow.  These are not the real MAC addresses.

    pfSense setup for NAT

    1:1
    192.168.50.10 -> 10.10.60.10
    192.168.50.20 -> 10.10.70.20

    pfSense setup for Firewall Rules

    WAN = Fully opened into both InternalNet1 and InternalNet2 with all protocols  (NO RESTRICTIONS)
    InternalNet1 = Fully opened for all protocols - (NO RESTRICTIONS)
    InternalNet2 = Fully opened for all protocols - (NO RESTRICTIONS)

    The test (Both 10.10.60.10 and 10.10.70.20 are running a fresh install of CentOS 6.4 with iptables disabled.)

    1.  On 10.10.70.20 I run tcpdump to monitor network communications
    2.  On 10.10.60.10 I run:
          # ping 10.10.70.20  - This works on both servers.  Meaning I see replies on 10.10.60.10 and I see the ICMP packets being received and sent on 10.10.70.20 -  GREAT SO FAR
    3.  On 10.10.60.10 I run:
          # ping 192.168.50.10 - This DOES NOT WORK FULLY - Meaning, I see the replies on 10.10.60.10, but I DO NOT see any traffic via the tcpdump running on 10.10.70.20.

    NOTE:  when I capture the packets on the pfSense FW and show details, I see that when I run step 3 above the MAC addresses that are communicating are

    MAC Address for 10.10.60.10 and InternalNet2 (00:00:00:00:00:CC)

    Why is pfSense not passing traffic through to 10.10.70.20 and answering these requests itself?  This is ALSO true when I attempt to ssh from 10.10.60.10 to 192.168.50.20.  I get the login prompt for pfSense and not the actual server.

    I know this is long and complex, but this is driving me crazy.

    Thank you big time to all who take the time to understand and reply.

    rick



  • Solved - Here is what I did and it was so simple.

    For the two servers, 10.10.60.10 and 10.10.70.20, I enabled NAT reflection for the 1:1 NAT.  After that, I was able to ping, ssh and everything else just fine using the public IP address.

    Thank you

    Rick
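To make the behaviour in both posts concrete, here is an added model of the packet handling described above. It is example code written for this page, not pfSense code and not the poster's configuration; it assumes the three interfaces, the two 1:1 mappings and the wide-open rules exactly as listed in the question, and it treats the 1:1 public addresses as virtual IPs owned by the firewall on WAN (which is why pfSense answers them itself when reflection is off).

```python
from ipaddress import ip_address, ip_network

# Topology taken from the post. The 192.168.50.0/24 "public" range is the
# poster's placeholder for a real public /24; nothing here is a real address.
INTERFACES = {
    "WAN": ip_network("192.168.50.0/24"),
    "InternalNet1": ip_network("10.10.60.0/24"),
    "InternalNet2": ip_network("10.10.70.0/24"),
}

# 1:1 NAT entries from the post: public address on WAN -> internal host.
ONE_TO_ONE = {
    "192.168.50.10": "10.10.60.10",
    "192.168.50.20": "10.10.70.20",
}


def interface_for(addr: str) -> str:
    """Interface whose subnet contains addr; anything else is reached via WAN
    (assumed default route)."""
    ip = ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "WAN"


def forward(src: str, dst: str, reflection: bool) -> tuple:
    """Model how the firewall handles one packet with the post's wide-open rules.

    Returns (delivered_to, egress_interface).

    With reflection off, the 1:1 redirect only matches traffic entering on WAN,
    so an internal host sending to a 1:1 public address hits the firewall's own
    virtual IP and pfSense answers the packet itself (the symptom in the post:
    ping replies come back, but nothing reaches the server; ssh lands on the
    pfSense login). With reflection on, the same translation is applied to
    packets arriving on the internal interfaces as well.
    """
    ingress = interface_for(src)
    if dst in ONE_TO_ONE:
        if ingress == "WAN" or reflection:
            real = ONE_TO_ONE[dst]          # destination NAT applied
            return real, interface_for(real)
        return "pfSense", None              # VIP owned by the firewall, answered locally
    # Plain routing between VLANs (step 2 of the post) or out to WAN.
    return dst, interface_for(dst)


if __name__ == "__main__":
    # Step 2: direct inter-VLAN ping works regardless of reflection.
    print(forward("10.10.60.10", "10.10.70.20", reflection=False))
    # Step 3 without reflection: pfSense answers the public address itself.
    print(forward("10.10.60.10", "192.168.50.10", reflection=False))
    # Step 3 after enabling NAT reflection: translated to the internal host.
    print(forward("10.10.60.10", "192.168.50.20", reflection=True))
    # An outside host on WAN always gets the 1:1 translation.
    print(forward("203.0.113.5", "192.168.50.20", reflection=False))
```

The model only covers destination translation. Real NAT reflection on pfSense normally also rewrites the source address of the reflected packet so that the reply returns through the firewall instead of going directly host-to-host across VLANs; the wide-open rules in the post hide that detail, but on a locked-down ruleset the return path is the first thing to check when reflected connections still fail.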