New firewall not routing traffic



  • I'm trying to set up a pfSense firewall for the first time. I have created rules and turned logging on, and I can see that the traffic is not being blocked (as I have an any/any rule in place), but traffic is not being routed.

    My setup is as follows:
    WAN Interface 192.168.52.78 /24
    LAN Interface 192.168.1.78 /24

    WAN test Server 192.168.52.95 /24 with default gateway of 192.168.52.78 (WAN interface on FW)
    LAN test Server 192.168.1.16

    I am trying to do an nslookup or ping from 192.168.52.95 to my DNS server at 192.168.1.16, and nothing is coming back. Do I need to create static routes?

    Any help would be magic,

    Thanks

    Jim



  • This is a pretty non-standard configuration, as it looks like you're using the WAN interface as a LAN interface. Make sure you have a pass rule (TCP/UDP 53 at the least) on your WAN interface, and that you have "block private networks" and "block bogon networks" unchecked in your WAN interface configuration.
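    As an added example (not code from the thread or from pfSense), the script below models the two things this reply points at: the WAN interface's "Block private networks" option is evaluated ahead of the user's rules and drops anything arriving with an RFC 1918 or loopback source, and the ruleset is walked top to bottom with the first match deciding the packet. The rule format, helper names and the DNS/any-any ruleset are assumptions for illustration; the packet is taken from the filter-log line Jim posts in his next reply.

```python
"""First-match evaluation of a WAN ruleset, as a model of the advice above.

Added example, not code from the thread or from pfSense. It models how an
interface ruleset is walked: the interface-level "Block private networks"
option is evaluated before the user's rules, and the first matching rule
decides the packet. The rule format and helper names are this example's own.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# RFC 1918 space plus loopback: what the WAN option drops when seen as *source*.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def rule(action, proto="any", src=ANY_NET, dst=ANY_NET, dport=None, note=""):
    """Build one rule; proto is 'any', 'tcp' or 'udp'; dport None means any port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "note": note}


def block_private_rules(enabled):
    """Rules the 'Block private networks' checkbox prepends to the WAN ruleset."""
    if not enabled:
        return []
    return [rule("block", src=n, note="block private networks") for n in PRIVATE_NETS]


def evaluate(rules, pkt):
    """Walk the ruleset top to bottom; the first match wins, else default deny."""
    for r in rules:
        if r["proto"] != "any" and r["proto"] != pkt["proto"]:
            continue
        if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        return r["action"], r["note"]
    return "block", "default deny"


def parse_log_line(line):
    """Parse a thread-style filter log line: 'WAN src:port dst:port PROTO'."""
    _, src, dst, proto = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"src": ipaddress.ip_address(s_ip), "sport": int(s_port),
            "dst": ipaddress.ip_address(d_ip), "dport": int(d_port),
            "proto": proto.lower()}


# Constructed sample: the log line posted in the thread, minus the timestamp.
LOG_LINE = "WAN 192.168.52.95:57652 192.168.1.17:53 UDP"

# Assumed user ruleset: DNS to the LAN side (UDP and TCP 53), then any/any.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
USER_RULES = [
    rule("pass", "udp", dst=LAN_NET, dport=53, note="DNS udp"),
    rule("pass", "tcp", dst=LAN_NET, dport=53, note="DNS tcp"),
    rule("pass", note="any/any"),
]


def wan_decision(block_private, line=LOG_LINE):
    """Decision for one logged packet with the checkbox on or off."""
    return evaluate(block_private_rules(block_private) + USER_RULES,
                    parse_log_line(line))


if __name__ == "__main__":
    print("box checked:  ", wan_decision(True))    # ('block', 'block private networks')
    print("box unchecked:", wan_decision(False))   # ('pass', 'DNS udp')
```

    With the box checked the packet never reaches the DNS pass rule, which is why the option has to be off when the "WAN" side is really an internal 192.168.x.x segment.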



  • Hi Tim, those boxes are unchecked, and I do have a rule in place for DNS. I can see from the system log that nothing is being blocked:
    Apr 22 15:39:56 WAN 192.168.52.95:57652 192.168.1.17:53 UDP

    We are using the firewall as a middle-tier firewall, hence the strange config.



  • What does the routing table on your LAN test server look like (netstat -rn)? If this pfSense box isn't your default gateway for that machine, you'll need to either create a static route on it, or on its default gateway so that it knows how to talk to the 192.168.52.0/24 range.



  • I've attached a screenshot of the output from a netstat -rn. This is the same as my default gateway, which is the pfSense WAN interface, so I assume I don't need any static routes?




  • I can also ping the 192.168.52.78 address, but not the LAN side of the pfSense, 192.168.1.78.



  • I'm a bit confused at your routing table. Do you have an interface on both subnets? In any case, your next hop for the 192.168.1.0 subnet is 192.168.1.91, which is not your stated LAN or WAN interface address. I'd try adding a static route for 192.168.1.16 and 192.168.1.78 to 192.168.52.78. You have a really strange routing table there, and that is going to cause some complication. I'd lab this out on a completely different set of subnets first, personally.



  • The routing table is okay, but your overall setup is very strange, as already said.

    The computer (192.168.52.95) the screenshot is from is attached to the WAN interface of pfSense, and you have configured the WAN IP (192.168.1.78) as the gateway for its interface.
    And your LAN net is 192.168.1.78 /24.

    Okay, so WAN and LAN are different networks, and you cannot ping a LAN computer from the WAN side unless you set appropriate NAT rules. You have to set up NAT port forwarding rules and firewall rules for that. You can forward ICMP to a LAN computer or to the LAN address.
    Then the ping should work; however, the ping destination you have to enter is still a WAN address.



  • That's incorrect, his configuration will work without any NAT whatsoever. The routing table is not correct, anything destined for 192.168.1.16 from the 192.168.52.0/24 network needs to have 192.168.52.78 as its next hop - not 192.168.1.91 as is reflected in that routing table.



  • Thanks for all the input, guys. I've added a static route; does this look better? It still doesn't work :(

    ===========================================================================
    Interface List
    13 ...02 bf c0 a8 01 5d ...... Intel(R) PRO/1000 MT Network Connection #2
    10 ...00 50 56 83 5f 58 ...... Intel(R) PRO/1000 MT Network Connection
      1 ........................... Software Loopback Interface 1
    12 ...00 00 00 00 00 00 00 e0  isatap.nor.norlandtech.com
    11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    14 ...00 00 00 00 00 00 00 e0  isatap.{6832356F-FDB4-45A8-8ED9-4AF0F07FE655}

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.52.78    192.168.52.95    258
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.1.0    255.255.255.0    192.168.52.78    192.168.52.95      3
        192.168.1.91  255.255.255.255        On-link      192.168.1.91    257
        192.168.1.93  255.255.255.255        On-link      192.168.1.91    257
        192.168.52.0    255.255.255.0        On-link    192.168.52.95    258
        192.168.52.95  255.255.255.255        On-link    192.168.52.95    258
      192.168.52.255  255.255.255.255        On-link    192.168.52.95    258
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.1.91    257
            224.0.0.0        240.0.0.0        On-link    192.168.52.95    258
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.1.91    257
      255.255.255.255  255.255.255.255        On-link    192.168.52.95    258

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    192.168.52.78  Default
          192.168.1.0    255.255.255.0    192.168.52.78      1

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                On-link

    Persistent Routes:
      None
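    The following is an added example, not code from the thread: it parses the IPv4 rows of the route print output posted above and makes the same longest-prefix-match forwarding decision the Windows host makes, so you can see which next hop each destination actually gets. It also covers the earlier replies' point that anything for 192.168.1.16 must have 192.168.52.78 as its next hop: a "before" table is constructed from the description of the original routing table (the 192.168.1.0 network reached via the 192.168.1.91 interface), since that table was only posted as a screenshot. The function names, the omission of the multicast and broadcast rows, and the constructed "before" entry are this example's own.

```python
"""Longest-prefix-match lookup over the `route print` table posted above.

Added example, not part of the thread: it re-implements the host's
forwarding decision so you can see which next hop a destination gets from
a given table, and why a competing route for 192.168.1.0/24 keeps packets
away from the pfSense WAN address. Function names are this example's own.
"""
import ipaddress

# Constructed sample: the IPv4 'Active Routes' rows posted above
# (destination, netmask, gateway, interface, metric); multicast and
# broadcast entries omitted for brevity.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.52.78    192.168.52.95    258
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0    192.168.52.78    192.168.52.95      3
     192.168.1.91  255.255.255.255        On-link      192.168.1.91    257
     192.168.1.93  255.255.255.255        On-link      192.168.1.91    257
     192.168.52.0    255.255.255.0        On-link    192.168.52.95    258
    192.168.52.95  255.255.255.255        On-link    192.168.52.95    258
"""


def parse_routes(text):
    """Parse `route print` rows into (network, gateway_or_None, interface, metric).

    'On-link' means the destination is directly reachable on that interface,
    so no gateway is used."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "On-link" else ipaddress.ip_address(gw)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Forwarding decision: longest prefix wins, ties broken by lowest metric.

    Returns (next_hop, interface); next_hop is 'on-link' for directly
    connected destinations, or None when nothing (not even a default) matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, metric in routes:
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, gateway, iface)
    if best is None:
        return None
    _, gateway, iface = best
    return (str(gateway) if gateway else "on-link", str(iface))


def with_route(routes, dest, mask, gateway, iface, metric):
    """Copy of routes with the entry for dest/mask replaced (or added)."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    kept = [r for r in routes if r[0] != net]
    return kept + parse_routes(f"{dest} {mask} {gateway} {iface} {metric}")


ROUTES_AFTER = parse_routes(ROUTE_PRINT)
# Constructed variant of the earlier table as described in the thread (it was
# only posted as a screenshot): 192.168.1.0/24 on-link via the 192.168.1.91 NIC.
ROUTES_BEFORE = with_route(ROUTES_AFTER, "192.168.1.0", "255.255.255.0",
                           "On-link", "192.168.1.91", 257)


def trace(routes, *dests):
    """Next hop and egress interface for each destination."""
    return {d: lookup(routes, d) for d in dests}


if __name__ == "__main__":
    targets = ("192.168.1.16", "192.168.1.78", "192.168.52.78", "8.8.8.8")
    print("before static route:", trace(ROUTES_BEFORE, *targets))
    print("after static route: ", trace(ROUTES_AFTER, *targets))
```

    The point the lookup makes visible: with the on-link 192.168.1.0/24 entry present, the host hands 192.168.1.16 to its own second NIC and the packet never leaves toward 192.168.52.78, while the posted table (after the static route) does send it to the pfSense WAN address, so if it still fails the problem is past the host, not in this table.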



  • I'm just trying to troubleshoot this problem using the web GUI of the firewall. Should I be able to ping from the WAN to 192.168.1.16? The firewall rules are there to allow this, but no routing is set up on the firewall.



  • If you have a 192.168.1.78 address set up, yes, you should be able to ping 192.168.1.16 from the firewall's WAN interface. Shouldn't need any static routes on the firewall.

    I've replicated your exact address configuration (aside from your routing table weirdness), and it works right out of the box. Are you able to ping 192.168.52.95 from 192.168.1.16?



  • Hmm, that is very strange.

    I am unable to ping 192.168.52.95 from 192.168.1.16, but would I need a route added to this machine for it to work?

    The 192.168.1.78 is the IP of the LAN interface on the firewall, and I cannot ping this from the WAN via the firewall GUI.



  • Post the routing table of your LAN device, and post your current LAN and WAN firewall rules.