General firewall problem with another gateway

  • I write this abnormal pfSense question here, because I believe I will find somebody with the know-how:

    I am using pfSense beta2 embedded (wrao).
    I configured pfSense on lan2 bridged to route several static IPs.

    My networks:
    WAN: PPPoE
    LAN: bridged
    OPT1: private (= LAN)

    I am using a preconfigured Red Hat derivative server "SME" in
    SME: iptables, nic1, nic2; iptables acts as gateway/firewall too.

    From my client in (gateway pfSense) I can't access on
    If I change the local subnet on to access via the public way = it is possible.

    Does anybody know why iptables is blocking?

  • Replace the stinkin Linux box with a real box, AKA BSD.

    Problem solved.

    Seriously, you expected more, asking a Linux question on a BSD forum!?

  • Sorry - but I have been working with preconfigured small business servers for 5 years. I am lazy on this point.
    I thought that it is the firewall of the server, but today I fitted a VoIP box (Fritzbox) into the public IP space.
    The conf. possibilities are not so good, and the box always has a gateway / routing function.

    There is the same prob. The device isn't reachable via its public IP from the local net.
    Do you have any idea where the problem is? I guess it's pfSense which sees
    that the device has a local (e.g. same local subnet) IP.

    I can't do a ping / traceroute from my local interface to the public device.
    I tested it with another node which has 1 local IP and 1 public IP - but no routing / gateway acting - it runs!

    My conf - see at top - is that I had assigned the LAN with the public addresses.
    And.. the opt1 iface with the non-public RFC 1918 addresses.

    Is it the opposite if I take LAN or OPT? Preconfiguration?
    Should I change this, e.g. opt1 = public network,
    LAN to RFC 1918?

    Thanks ahead.

  • Did you make a rule on the pfSense server to let opt1 talk to the LAN network?
    action: pass
    interface: opt1
    protocol: any
    source: any
    source port range: any - any
    destination: lan subnet
    destination port range: any - any

    And one to let the LAN subnet talk to the opt1 subnet?
    action: pass
    interface: lan
    protocol: any
    source: any
    source port range: any - any
    destination: opt1 subnet
    destination port range: any - any

  • Yes, if I have only these rules, then I have access from opt1 to LAN, but no other access outside.
    Which further rule is urgent to have access from opt1 to the outside?

  • You grant opt1 access to destination "lan subnet" and LAN to destination "opt1 subnet". If opt1 should have access outside, you need a destination of "any" rather than only "lan subnet".

  • The LAN is bridged to WAN.
    But I need a rule like this to have access on LAN / opt1:
    *  *  *  *  *  *
    I think it's strange, but there was no other way to have access. I tried several other combinations;
    only with this rule does it work.

    So I still have the prob that the other node (1 public / 1 private address) isn't reachable. Do I have a loop?

    netstat -rn (looks ok):

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            88.XXX.XXX.1        UGS        0    80907    ng0
    82.207.XXX.176    ff:ff:ff:ff:ff:ff  UHLWb      1    4835  sis0 =>
    82.207.XXX.176/29  link#1            UC          0        0  sis0
    82.207.XXX.177    lo0                UHS        0        0    lo0
    82.207.XXX.178    link#1            UHLW        1      10  sis0
    82.207.XXX.179    00:50:8b:bb:b4:ea  UHLW        1  543608  sis0
    82.207.XXX.180    link#1            UHLW        1      12  sis0
    82.207.XXX.181    link#1            UHLW        1      19  sis0
    82.207.XXX.182    link#1            UHLW        1      15  sis0
    82.207.XXX.183    ff:ff:ff:ff:ff:ff  UHLWb       1    4678  sis0
                       82.207.XXX.177    UH          1        0    ng0
                                         UH          0        0    lo0
    192.168.1          link#3            UC          0        0  sis2
                       00:13:d4:53:f6:c9  UHLW        1  223015  sis2
                       00:15:0c:1e:2e:99  UHLW        1      172  sis2

  • I fixed the prob - dummy mistake.
    I forgot to make NAT outbound rules on LAN and opt1 for
    X Advanced flag

    The error was that the other machine was told on the public net, but routed the packets back on its iface directly to the client and
    not over the GW address.
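The two things this thread turns on can be shown in a small simulation: the pass-rule question (a destination of "lan subnet" on opt1 only reaches the bridged public /29, not the internet, so "any" is needed), and the final diagnosis (the dual-homed box answers a private client straight out of its private NIC, so pfSense never sees the reply and the state stays half-open; source-translating the client behind the firewall's own address forces the reply back through the gateway). This is an added example, not code from the thread or from pfSense; the addresses are constructed from documentation ranges, the interface roles follow the thread (lan = bridged public /29, opt1 = RFC 1918), and the state handling is a deliberately simplified model of pf's stateful tracking, not pf itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (documentation ranges, not the thread's real 82.207.XXX.0/29 block).
PUBLIC_NET = ipaddress.ip_network("203.0.113.176/29")   # "lan subnet": bridged to WAN
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")    # "opt1 subnet": RFC 1918 side
ANY = ipaddress.ip_network("0.0.0.0/0")
FW_PUBLIC = ipaddress.ip_address("203.0.113.177")       # pfSense address on the bridged lan
CLIENT = ipaddress.ip_address("192.168.1.10")           # client on opt1
HOST_PUBLIC = ipaddress.ip_address("203.0.113.179")     # dual-homed box, its public NIC
INTERNET = ipaddress.ip_address("198.51.100.5")         # some host beyond the WAN


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    """A pass rule as in the thread: interface, source network, destination network."""
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# The two rule sets discussed in the thread (hypothetical names).
OPT1_TO_LAN = [Rule("opt1", ANY, PUBLIC_NET)]   # destination "lan subnet" only
OPT1_TO_ANY = [Rule("opt1", ANY, ANY)]          # destination "any"


def iface_of(addr):
    return "opt1" if addr in PRIVATE_NET else "lan"


class Firewall:
    """Toy stateful firewall with optional outbound NAT on the inside interfaces."""

    def __init__(self, rules, outbound_nat):
        self.rules = rules
        self.outbound_nat = outbound_nat
        self.states = {}   # (client src, dst) -> {"nat_src": ..., "reply_seen": bool}

    def forward(self, pkt):
        """Packet from an inside client. Returns the packet as it leaves, or None if dropped."""
        key = (pkt.src, pkt.dst)
        st = self.states.get(key)
        if st is not None:
            # A later packet of the same flow is only accepted if the tracked state
            # progressed, i.e. the firewall actually saw the peer's reply.
            return Packet(st["nat_src"], pkt.dst) if st["reply_seen"] else None
        iface = iface_of(pkt.src)
        if not any(r.iface == iface and pkt.src in r.src and pkt.dst in r.dst for r in self.rules):
            return None   # no pass rule matched: default deny
        nat_src = FW_PUBLIC if (self.outbound_nat and iface_of(pkt.dst) == "lan") else pkt.src
        self.states[key] = {"nat_src": nat_src, "reply_seen": False}
        return Packet(nat_src, pkt.dst)

    def reply(self, pkt):
        """Reply arriving from the public side. Returns the packet toward the client, or None."""
        for (orig_src, dst), st in self.states.items():
            if dst == pkt.src and st["nat_src"] == pkt.dst:
                st["reply_seen"] = True
                return Packet(pkt.src, orig_src)   # undo the source translation
        return None


def dual_homed_reply(pkt):
    """The dual-homed box answers pkt.src using its own routing table: a destination on
    its directly connected private subnet leaves its private NIC and never touches the
    firewall; anything else goes to its default gateway, which is the firewall."""
    reply = Packet(pkt.dst, pkt.src)
    path = "direct" if reply.dst in PRIVATE_NET else "gateway"
    return reply, path


def filter_allows(rules, src, dst):
    """Does the rule set alone let src open a connection to dst?"""
    return Firewall(rules, outbound_nat=False).forward(Packet(src, dst)) is not None


def simulate(rules, outbound_nat):
    """Client on opt1 talks to the dual-homed box's public address; report the reply path
    and whether the client's follow-up packet (e.g. the ACK of a handshake) still passes."""
    fw = Firewall(rules, outbound_nat)
    first = fw.forward(Packet(CLIENT, HOST_PUBLIC))
    if first is None:
        return {"path": "filtered", "session_ok": False}
    reply, path = dual_homed_reply(first)
    if path == "gateway":
        fw.reply(reply)   # the firewall sees the reply and completes the state
    second = fw.forward(Packet(CLIENT, HOST_PUBLIC))
    return {"path": path, "session_ok": second is not None}


if __name__ == "__main__":
    print("opt1 -> internet with 'lan subnet' rule:", filter_allows(OPT1_TO_LAN, CLIENT, INTERNET))
    print("opt1 -> internet with 'any' rule:       ", filter_allows(OPT1_TO_ANY, CLIENT, INTERNET))
    print("without outbound NAT:", simulate(OPT1_TO_ANY, outbound_nat=False))
    print("with outbound NAT:   ", simulate(OPT1_TO_ANY, outbound_nat=True))
```

Without outbound NAT the reply takes the "direct" path and the client's next packet is dropped as out of state, which is the unreachable node from the thread; with the client hidden behind the firewall's own public address the reply has no choice but the gateway path, and the session completes. The model drops the follow-up packet outright; real pf behaves similarly for TCP because it never saw the SYN-ACK and so rejects the ACK as not fitting the tracked state.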