Packet forwarding not working in a LAN only configuration


  • I am using pfSense 1.2.3 (please don't give me grief on the old version) as a LAN only router. The network is isolated on a single VMware ESXi host an there is no need/desire to route outside of the host – only between subnets on the router. I got this to work on another host without problems. The only difference is that in the non-working environment I am using non-RFC1918 subnets and in the working environment I was using 192.168.x.x subnets.

    I have a check mark in "Disable all packet filtering" and each interface has a rule that allow any traffic. The router is able to ping virtual machines directly on the subnets and the virtual machines are able to ping the router. The problem seems to be that packets are not being forwarded between interfaces. When I ping an interface on a different subnet from a virtual machine I get The ARP table shows the MAC addresses of the virtual machines I have pinged. The routing table shows all of the interfaces and all of the subnets. I have checked and double-checked things such as the IP addresses and subnet masks on the interfaces.

    I'm stuck. Any help would be appreciated.


  • Do you have a route in the source machines that is specifically putting the other subnet's IP through pfSense or is there a different default route? If you have not, try rebooting after having disabled firewalling.


  • I figured out the problem: partially due to PEBKAC and partially due to missing static routes. I should also mention that the subnets in the isolated network were duplicates of our production network.

    I did not fully explain to the user, for which this was built, how it was intended to be used. The other, and more important reason, was that a jump machine was configured with two vNICs: one inside the isolated network and the other outside that was routable to our production network. In order to communicate to the hosts inside the isolated I needed to add static host routes for each of the (dozen) hosts.

    route /p add <ip of="" host="" on="" isolated="" network="">mask 255.255.255.255 <ip address="" of="" vnic="" on="" isolated="" network="">Route
    http://technet.microsoft.com/en-us/library/ff961510.aspx

    This meant of course that the jump machine would not be able to contact the production instance of the hosts we had in the isolated network, but that was not a real problem.</ip></ip>