Help me settle the routing problem

17 Posts 4 Posters 6.0k Views
mrlonely78

Guys,

I have set up my pfSense with 4 interfaces.

1. LAN - 192.168.1.1/24
2. WAN - 219.93.x.x/29
3. OPT1 - 192.168.0.1/24 - DMZ
4. OPT2 - 10.200.11.18/29

I have created a route in my pfSense so that anything for 10.122.17.x is routed to 10.200.11.17 as the gateway, and I managed to ping the 10.122.17.x IPs.

My problem now: from my LAN, I can access the 10.200.11.x IPs to do SSH or Telnet, but I can't Telnet or SSH to the 10.122.17.x IPs from my LAN.

I need some help on this.

Please advise.

Thanks.

hoba

Please show us the firewall rules at LAN. Also make sure there are some reverse routes on the gateways behind OPT2 to find the way back to your LAN. Did you enter a gateway at Interfaces > OPT2?

sopont

Hi, friend...
Please check:

1. Static route: LAN subnet -> destination subnet + mask -> gateway is correct.
2. Firewall rule (LAN interface) permits the LAN subnet to 10.122.17.x.

mrlonely78

Guys,

I've set up my OPT2 interface to have 10.200.11.17 as a gateway.

Apart from that, I have created a rule in LAN whereby the 10.122.17.x destination from the LAN subnet is allowed, via the gateway 10.200.11.17.

Still, I can't SSH or Telnet or ping from my LAN to the 10.122.17.x IPs.

I didn't put in any static route, since I have allowed the rules in LAN as well as set the OPT2 interface gateway.

Please advise.

Thanks.

sopont

Did you move the rule permitting the LAN subnet to 10.122.17.x to the top, above the load-balancing and policy-routing rules?

If you still can't access 10.122.17.x, please go step by step...
1. Remove the existing rule for access to 10.122.17.x.
2. Add a new rule on the LAN interface for a simple protocol (Telnet = 23, SSH = 22) and move it to the top.

If you still can't access it, try adding a rule on the OPT2 interface so the LAN subnet can access 10.122.17.x; I think something is wrong.

If that does not complete it, please post a summary network diagram (if you can)...

hoba

Don't set a gateway at Interfaces > OPT2 unless this is an additional WAN-type interface. Add a static route instead. Does it work now?

mrlonely78

Guys,

I've done as advised.

I can see the logs in my pfSense.

Apr 7 09:37:04 pf: 2. 981875 rule 625.qlandef.112/0(match): pass in on rl0: (tos 0x0, ttl 128, id 63102, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.122.17.55: ICMP echo request, id 512, seq 2816, length 40

Unfortunately, the ping from LAN to 10.122.17.55 still fails.

C:\Documents and Settings\Kryz>ping 10.122.17.55

Pinging 10.122.17.55 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

I've done this:

1. Removed gateway 10.200.11.17 from the OPT2 interface.
2. Added static route 10.122.17.0/24 gw 10.200.11.17 in pfSense.
3. Added a LAN rule so that ICMP from the LAN subnet to network 10.122.17.0/24 is allowed.
4. Added an OPT2 rule so that ICMP from the LAN subnet to network 10.122.17.0/24 is allowed.

Please advise.

Thanks.

hoba

@mrlonely78:

2. Added static route 10.122.17.0/24 gw 10.200.11.17 in pfSense.

You don't need any routes for local subnets on your pfSense interfaces. Drop the route. You only need firewall rules.

mrlonely78

Hoba,

If I remove my static route, the pfSense can't even ping the 10.122.17.x network; forget about the LAN then.

I think the static route must be there; otherwise, the pfSense doesn't know where it should forward the packets to.

Please take note that I didn't set any gateway on my OPT2 interface.

Please advise.

Thanks.

hoba

Never mind, I was wrong here and had a different setup in mind.

SB HidDeN

Some steps are needed to understand the situation:

1. Remove any gateways on any interface except WAN.
2. Create alias "OPT2WAY" and include the 10.122.17.x subnet and the 10.200.11.x subnet.
3. Create a rule at the top of the LAN interface for ICMP (LAN subnet) -> (OPT2WAY) alias.
4. Add a rule at the top of the OPT2 interface for ICMP (OPT2WAY) -> (LAN subnet).

Then ping from any LAN station:

1. pfSense LAN interface IP (192.168.1.1)
2. pfSense OPT2 interface IP (10.200.11.18)
3. Gateway's IP on your side (10.200.11.17)
4. Other IP of the gateway, the one that looks toward the 10.122.17.x subnet (I don't know this one)
5. Then your station (10.122.17.55)

There must be an answer only for steps 1 to 4.
Then add the static route (10.122.17.0/24 gw 10.200.11.17) and repeat the last 5 numbered steps.
It must be all right!
If there is no answer on step 5, you have no routing on 10.200.11.17 that redirects packets for your LAN subnet.

I'm waiting for results...

mrlonely78

Guys,

I've done this:

1. Added a rule on LAN to allow the LAN subnet to ICMP to the OPT2 subnet.
2. Added a rule on OPT2 to allow the OPT2 subnet to ICMP to the LAN subnet.
3. All rules created above are placed at the top of each interface's rules.

This is what I get when I ping from my PC (192.168.1.200):

1. Ping to 10.200.11.20 or 10.200.11.21 - reply success
2. Ping to 192.168.1.1 - reply success
3. Ping to 10.200.11.17 (gateway to the 10.122.17.x subnet) - no reply

10.200.11.17 is a Cisco router that is connected to a leased-line modem that goes to the 10.122.17.x private network.

Attached is the pfSense firewall log.

pf: 2. 216031 rule 627.qlandef.143/0(match): pass in on rl0: (tos 0x0, ttl 128, id 60068, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.200.11.17: ICMP echo request, id 512, seq 4608, length 40

The log shows that the ICMP packet is allowed by pfSense. However, I still fail to ping 10.200.11.17 - no reply.

Please advise.

Hope it helps.

Cheers.

hoba

The Cisco router is missing routes.

mrlonely78

Guys,

Help me configure my Cisco then.

This is the current config:

interface FastEthernet0
ip address 10.200.11.17 255.255.255.240
speed auto
half-duplex
!
interface Serial0
ip address 10.200.254.214 255.255.255.252
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.200.254.213
ip route 10.122.0.0 255.255.0.0 10.200.254.213
ip route 172.28.0.0 255.255.0.0 10.200.254.213
no ip http server

From there, if you look, everything is directed to 10.200.254.213 as the default gateway, which I understand means that router should handle the 10.122 traffic.

But for my pfSense OPT2 interface, it should not be directed to 10.200.254.213; otherwise, confirmed, no packet can be sent back to pfSense.

So, which gateway should I use in my Cisco router for my pfSense packets?

Please advise.

Thanks.

SB HidDeN

I think you need 1 more route:

ip route 192.168.0.0 255.255.0.0 10.200.11.18

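To make the missing return route concrete, here is an added example (not from the thread, pfSense or Netgate): a small longest-prefix-match simulator loaded with the Cisco `ip route` lines and interface subnets posted above, the pfSense static route, and the route SB HidDeN suggests. The device behind 10.200.254.213 is unknown, so it is deliberately given no table, and the address-to-device mapping in `network()` is an assumption about which addresses belong to pfSense and the Cisco.

```python
import ipaddress

CISCO_CFG = """
ip route 0.0.0.0 0.0.0.0 10.200.254.213
ip route 10.122.0.0 255.255.0.0 10.200.254.213
ip route 172.28.0.0 255.255.0.0 10.200.254.213
"""
CISCO_FIX = "ip route 192.168.0.0 255.255.0.0 10.200.11.18\n"  # route suggested above
CISCO_CONNECTED = ["10.200.11.16/28", "10.200.254.212/30"]      # from its interface stanzas
PFSENSE_CFG = "ip route 10.122.17.0 255.255.255.0 10.200.11.17\n"  # pfSense static route
PFSENSE_CONNECTED = ["192.168.1.0/24", "192.168.0.0/24", "10.200.11.16/29"]

def build_table(config, connected):
    """Routing table as (network, gateway); gateway None = directly connected.
    Static routes are parsed from IOS 'ip route <net> <mask> <gw>' lines."""
    table = [(ipaddress.ip_network(c), None) for c in connected]
    for line in config.splitlines():
        p = line.split()
        if len(p) == 5 and p[:2] == ["ip", "route"]:
            table.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[4]))
    return table

def next_hop(table, dst):
    """Longest-prefix match: returns 'connected', a gateway address, or None (no route)."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    gw = max(hits, key=lambda r: r[0].prefixlen)[1]
    return "connected" if gw is None else gw

def trace(tables, start, dst, max_hops=8):
    """Walk hop by hop; stop when delivered, when no route exists, or at an unknown device."""
    path, hop = [], start
    for _ in range(max_hops):
        if hop not in tables:
            return path + [(hop, "unknown device")]
        gw = next_hop(tables[hop], dst)
        path.append((hop, gw))
        if gw in ("connected", None):
            return path
        hop = gw
    return path

def network(cisco_table):
    # Assumption: every address a device owns maps to that device's single table.
    pf = build_table(PFSENSE_CFG, PFSENSE_CONNECTED)
    return {"192.168.1.1": pf, "10.200.11.18": pf, "10.200.11.17": cisco_table}

cisco_before = build_table(CISCO_CFG, CISCO_CONNECTED)
cisco_after = build_table(CISCO_CFG + CISCO_FIX, CISCO_CONNECTED)
```

Tracing a reply from the Cisco toward 192.168.1.200 shows it leaving via the default route to 10.200.254.213 before the extra route and returning to pfSense at 10.200.11.18 after it; the forward trace toward 10.122.17.55 always ends at the unknown upstream device, where the same return-route question applies.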
mrlonely78

Guys,

I've done that.

Now:

1. Can ping from pfSense to 10.200.11.17 and 10.122.17.55.

2. Can ping from my PC (192.168.1.200) to 10.200.11.17.

3. But failed to ping from my PC (192.168.1.200) to 10.122.17.55.

Added to the Cisco router config: ip route 192.168.0.0 255.255.0.0 10.200.11.18

Please advise.

Thanks.

SB HidDeN

0.0.0.0 & 10.122.17.x - external to your network?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.