New firewall not routing traffic
-
I'm trying to set up a pfSense firewall for the first time. I have created rules and turned logging on, and I can see that the traffic is not being blocked (as I have an any/any rule in place), but traffic is not being routed.
My setup is as follows:
WAN interface 192.168.52.78 /24
LAN interface 192.168.1.78 /24
WAN test server 192.168.52.95 /24 with default gateway of 192.168.52.78 (WAN interface on FW)
LAN test server 192.168.1.16
I am trying to do an nslookup or ping from 192.168.52.95 to my DNS server of 192.168.1.16 and nothing is coming back. Do I need to create static routes?
Any help would be magic,
Thanks
Jim
-
This is a pretty non-standard configuration, as it looks like you're using the WAN interface as a LAN interface. Make sure you have a pass rule (TCP/UDP 53 at the least) on your WAN interface, and that you have "block private networks" and "block bogon networks" unchecked in your WAN interface configuration.
-
Hi Tim, those boxes are unchecked. And I do have a rule in place for DNS, and I can see from the system log that nothing is being blocked:
Apr 22 15:39:56 WAN 192.168.52.95:57652 192.168.1.17:53 UDP
We are using the firewall as a middle-tier firewall, hence the strange config.
-
What does the routing table on your LAN test server look like (netstat -rn)? If this pfSense box isn't your default gateway for that machine, you'll need to either create a static route on it, or on its default gateway so that it knows how to talk to the 192.168.52.0/24 range.
-
I've attached a screen shot of the output from a netstat -rn. This is the same as my default gateway, which is the pfsense WAN interface, so I assume I don't need any static routes?
-
I can also ping the 192.168.52.78 address but not the LAN side of the pfSense 192.168.1.78
-
I'm a bit confused at your routing table. Do you have an interface on both subnets? In any case, your next hop for the 192.168.1.0 subnet is 192.168.1.91, which is not your stated LAN or WAN interface address. I'd try adding a static route for 192.168.1.16 and 192.168.1.78 to 192.168.52.78. You have a really strange routing table there, and that is going to cause some complication. I'd lab this out on a completely different set of subnets first, personally.
-
The routing table is okay, but your overall setup is very strange, as said already.
The computer (192.168.52.95) from which the screenshot is taken is attached to the WAN interface of pfSense, and you have configured the WAN IP (192.168.1.78) as the gateway for its interface.
And your LAN net is 192.168.1.78 /24.
Okay, so WAN and LAN are different networks and you cannot ping a LAN computer from the WAN side unless you set appropriate NAT rules. You have to set up NAT port forwarding rules and firewall rules for that. You can forward ICMP to a LAN computer or to the LAN address.
Then the ping should work; however, the ping destination you have to enter is still a WAN address.
-
That's incorrect, his configuration will work without any NAT whatsoever. The routing table is not correct, anything destined for 192.168.1.16 from the 192.168.52.0/24 network needs to have 192.168.52.78 as its next hop - not 192.168.1.91 as is reflected in that routing table.
-
Thanks for all the input guys. I've added a static route; does this look better? It still doesn't work :(
===========================================================================
Interface List
13 …02 bf c0 a8 01 5d ...... Intel(R) PRO/1000 MT Network Connection #2
10 ...00 50 56 83 5f 58 ...... Intel(R) PRO/1000 MT Network Connection
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.nor.norlandtech.com
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
14 ...00 00 00 00 00 00 00 e0 isatap.{6832356F-FDB4-45A8-8ED9-4AF0F07FE655}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway         Interface       Metric
0.0.0.0                    0.0.0.0          192.168.52.78   192.168.52.95   258
127.0.0.0                  255.0.0.0        On-link         127.0.0.1       306
127.0.0.1                  255.255.255.255  On-link         127.0.0.1       306
127.255.255.255            255.255.255.255  On-link         127.0.0.1       306
192.168.1.0                255.255.255.0    192.168.52.78   192.168.52.95   3
192.168.1.91               255.255.255.255  On-link         192.168.1.91    257
192.168.1.93               255.255.255.255  On-link         192.168.1.91    257
192.168.52.0               255.255.255.0    On-link         192.168.52.95   258
192.168.52.95              255.255.255.255  On-link         192.168.52.95   258
192.168.52.255             255.255.255.255  On-link         192.168.52.95   258
224.0.0.0                  240.0.0.0        On-link         127.0.0.1       306
224.0.0.0                  240.0.0.0        On-link         192.168.1.91    257
224.0.0.0                  240.0.0.0        On-link         192.168.52.95   258
255.255.255.255            255.255.255.255  On-link         127.0.0.1       306
255.255.255.255            255.255.255.255  On-link         192.168.1.91    257
255.255.255.255            255.255.255.255  On-link         192.168.52.95   258
===========================================================================
Persistent Routes:
Network Address            Netmask          Gateway Address  Metric
0.0.0.0                    0.0.0.0          192.168.52.78    Default
192.168.1.0                255.255.255.0    192.168.52.78    1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If  Metric  Network Destination  Gateway
1   306     ::1/128              On-link
1   306     ff00::/8             On-link
===========================================================================
Persistent Routes:
None
-
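The exchange above turns on how a host picks a next hop: longest prefix match first, then lowest metric, which is why 192.168.1.16 goes via 192.168.52.78 while 192.168.1.91 and .93 stay on-link. The following is an added example (not code from the thread or from pfSense) that parses a Windows "Active Routes" table and resolves next hops. The WAN-host table is copied from the post above; the LAN-host table, with an assumed default gateway of 192.168.1.1, is a constructed assumption, since the poster has not yet published it. It shows the point Tim is driving at: the forward path can be correct while the reply from the LAN host never reaches the firewall.

```python
"""Route lookup the way a Windows host does it: longest prefix match first,
lowest metric as the tie-breaker. Added example for the thread above; the
WAN-host table is copied from the posted netstat -rn output, the LAN-host
table is a constructed assumption (the poster never published it)."""
import ipaddress

# Constructed sample 1: IPv4 "Active Routes" of the WAN test server
# (192.168.52.95), taken from the table in the post above. Columns:
# destination, netmask, gateway ("On-link" = directly connected), interface, metric.
WAN_HOST_ROUTES = """\
0.0.0.0          0.0.0.0          192.168.52.78  192.168.52.95  258
127.0.0.0        255.0.0.0        On-link        127.0.0.1      306
192.168.1.0      255.255.255.0    192.168.52.78  192.168.52.95  3
192.168.1.91     255.255.255.255  On-link        192.168.1.91   257
192.168.1.93     255.255.255.255  On-link        192.168.1.91   257
192.168.52.0     255.255.255.0    On-link        192.168.52.95  258
192.168.52.95    255.255.255.255  On-link        192.168.52.95  258
192.168.52.255   255.255.255.255  On-link        192.168.52.95  258
224.0.0.0        240.0.0.0        On-link        192.168.52.95  258
255.255.255.255  255.255.255.255  On-link        192.168.52.95  258
"""

# Constructed sample 2 (ASSUMPTION, not from the thread): a LAN test server
# (192.168.1.16) whose default gateway is some other router, 192.168.1.1,
# rather than the pfSense LAN address 192.168.1.78.
LAN_HOST_ROUTES = """\
0.0.0.0          0.0.0.0          192.168.1.1    192.168.1.16   10
192.168.1.0      255.255.255.0    On-link        192.168.1.16   266
"""

# Addresses owned by the pfSense box (from the original post).
FIREWALL_ADDRESSES = {"192.168.52.78", "192.168.1.78"}


def parse_routes(text):
    """Parse netstat -rn / route print 'Active Routes' lines into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank or banner lines are not routes
        dest, mask, gw, iface, metric = parts
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": None if gw == "On-link" else ipaddress.IPv4Address(gw),
            "iface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def next_hop(routes, dst):
    """Return ('on-link', iface) or ('via', gateway) for dst, or None if
    no route matches."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    if best["gateway"] is None:
        return ("on-link", str(best["iface"]))
    return ("via", str(best["gateway"]))


def round_trip_via_firewall(src_routes, dst_routes, src, dst, fw_addrs):
    """True only if the forward packet AND the reply are both handed to an
    address the firewall owns; a correct forward path alone is not enough."""
    fwd = next_hop(src_routes, dst)
    back = next_hop(dst_routes, src)
    return bool(fwd and fwd[1] in fw_addrs and back and back[1] in fw_addrs)


if __name__ == "__main__":
    wan = parse_routes(WAN_HOST_ROUTES)
    lan = parse_routes(LAN_HOST_ROUTES)
    print("192.168.52.95 -> 192.168.1.16:", next_hop(wan, "192.168.1.16"))
    print("192.168.52.95 -> 192.168.1.91:", next_hop(wan, "192.168.1.91"))
    print("192.168.1.16  -> 192.168.52.95:", next_hop(lan, "192.168.52.95"))
    print("round trip through pfSense:",
          round_trip_via_firewall(wan, lan, "192.168.52.95", "192.168.1.16",
                                  FIREWALL_ADDRESSES))
```

With the assumed LAN table the reply to 192.168.52.95 is sent to 192.168.1.1, so the round trip fails even though the WAN host's table is fine. Adding a route for 192.168.52.0/24 via 192.168.1.78 on the LAN host (or making 192.168.1.78 its default gateway) is what flips the result to true, which is the check the thread is asking for.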
I'm just trying to troubleshoot this problem using the web GUI of the firewall. Should I be able to ping from the WAN to 192.168.1.16? The firewall rules are there to allow this, but no routing is set up on the firewall.
-
If you have a 192.168.1.78 address set up, yes, you should be able to ping 192.168.1.16 from the firewall's WAN interface. Shouldn't need any static routes on the firewall.
I've replicated your exact address configuration (aside from your routing table weirdness), and it works right out of the box. Are you able to ping 192.168.52.95 from 192.168.1.16?
-
Hmm, that is very strange.
I am unable to ping 192.168.52.95 from 192.168.1.16, but would I need a route added to this machine for it to work?
192.168.1.78 is the IP of the LAN interface on the firewall, and I cannot ping this from the WAN via the firewall GUI.
-
Post the routing table of your LAN device, and post your current LAN and WAN firewall rules.