Routing between opt and lan



  • Dear All,

    I have a strange issue, and I did not find any solution on Google. I have an opt and a lan interface, and I have rules on those interfaces that accept everything ingress. However, it works from LAN to OPT but it doesn't work backward from OPT to LAN. We have a physical machine with pfSense 2.1.5, but I checked it, and the same happens on a vbox machine with pfSense 2.1.5 and 2.1.4 as well. The config:
    WAN - i think irrelevant
    LAN - 192.168.70.1/24 (the bogon and private networks unchecked)
    OPT1 - 172.16.0.1/16 (the bogon and private networks unchecked)

    Lan rule:
    Proto Source Port Destination Port Gateway Queue
    IPv4 * * * * * * none
    LAN rule: ACCEPT everything from any source to every destination

    OPT1 rule:
    Proto Source Port Destination Port Gateway Queue
    IPv4 * * * * * * none
    OPT rule: ACCEPT everything from every source to every destination

    I think NAT is irrelevant, because the packets from the OPT to LAN should go through whether or not pfSense translates the LAN address to the OPT interface address. However, both inside subnets should go to the internet, so I want NAT only in the internet direction. I have these NAT rules:

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port
    WAN  192.168.70.0/24 * ! 172.16.0.0/16 * WAN address * NO
    WAN  172.16.0.0/16 * ! 192.168.70.0/24 * WAN address * NO

    FROM the LAN side everything is ok:
    - I can ping the pfSense LAN interface address
    - I can ping the pfSense OPT interface address
    - I can ping a host on the OPT subnet

    FROM the OPT side:
    - I can ping the pfSense LAN interface address
    - I can ping the pfSense OPT interface address
    - I CAN NOT ping a host on the LAN subnet

    There is no FIREWALL on the hosts at all, and I can not reach any services on the LAN subnet from the OPT.
    (Sorry, I wrote "services on the opt from lan" previously by mistake; I corrected it to "services on the LAN from OPT" now)

    I have checked the subnet mask, rules etc. many times.
    Could you please suggest something to solve this mysterious error?
    Thank you very much


  • LAYER 8 Netgate

    You don't need those NAT rules.  They will only be in effect for traffic out WAN, which will not include the LAN <-> OPT1 traffic.  In your case it's sufficient to use automatic outbound NAT.

    Be sure to check your Windows or other firewall settings on the clients themselves. People never get tripped up by them because they treat the local subnet as friendly. As soon as you do multiple subnets, the software firewalls start blocking "local" traffic because it's from a different subnet.

    People compensate by doing all sorts of things in pfSense.  Those pass any rules on LAN and OPT1 are all you need.

    You say there's no firewall on the hosts at all but SOMETHING's blocking that traffic and it's not pfSense.  If it was, it'd be in the firewall logs.
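
As an added illustration of the point made in the reply above (example code, not from the thread or from pfSense itself): a small Python model of the poster's two subnets, the default route and the two outbound NAT rules quoted in the question. It shows that OPT1 to LAN traffic egresses the LAN interface, so a rule bound to WAN can never match it, while internet-bound traffic from either subnet does match and gets translated. The routing lookup and rule semantics are simplified assumptions for the demo.

```python
import ipaddress

# Constructed model of the setup described in the question (not pfSense code).
# Directly connected networks per interface; anything else leaves via WAN.
IFACES = {
    "LAN": ipaddress.ip_network("192.168.70.0/24"),
    "OPT1": ipaddress.ip_network("172.16.0.0/16"),
}
DEFAULT_ROUTE_IFACE = "WAN"

# Outbound NAT rules as listed in the question:
# (interface, source network, destination is negated with "!", destination network)
NAT_RULES = [
    ("WAN", ipaddress.ip_network("192.168.70.0/24"), True,
     ipaddress.ip_network("172.16.0.0/16")),
    ("WAN", ipaddress.ip_network("172.16.0.0/16"), True,
     ipaddress.ip_network("192.168.70.0/24")),
]


def egress_iface(dst):
    """Longest-prefix match over connected networks, else the default route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for name, net in IFACES.items():
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else DEFAULT_ROUTE_IFACE


def outbound_nat_applies(src, dst):
    """True if an outbound NAT rule matches the packet on its egress interface."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = egress_iface(dst)
    for iface, src_net, negated, dst_net in NAT_RULES:
        if iface != out or src_ip not in src_net:
            continue  # rule is bound to a different interface or source
        in_dst = dst_ip in dst_net
        if in_dst != negated:  # "! dst_net" matches when dst is NOT in dst_net
            return True
    return False


def explain(src, dst):
    """Human-readable verdict for one flow, e.g. the OPT1 host pinging a LAN host."""
    out = egress_iface(dst)
    nat = "translated" if outbound_nat_applies(src, dst) else "not translated"
    return f"{src} -> {dst}: leaves via {out}, {nat}"
```

Running explain("172.16.5.5", "192.168.70.10") reports the flow leaving via LAN untranslated, which is why the question's NAT rules neither help nor hurt that path and the block must come from somewhere other than pfSense.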

