Help me settle the routing problem
-
Guys;
I have setup my pfsense with 4 interface.
- LAN - 192.168.1.1/24
- WAN - 219.93.x.x/29
- OPT1 - 192.168.0.1/24 - DMZ
- OPT2 - 10.200.11.18/29
I have created a routing in my pfsense so that any 10.122.17.x will be routed to 10.200.11.17 as a gateway, and i managed to ping the 10.122.17.x ip's.
My problem now, from my LAN, i can access 10.200.11.x ip to do ssh or telnet, but i cant do telnet or ssh to 10.122.17.x ip's from my LAN.
I need some help on this.
Please advise.
Thanks.
-
Please show us the firewallrules at LAN. Also make sure there are some reverse routes on the gateways behind OPT2 to find the way back to your LAN. Did you enter a gateway at interfaces>opt2?
-
Hi, Friend…
Please checked....1. static route LAN Subnet ---- > Distrination subnet + mask ----- > gateway is correct,
2. firewall rule (LAN interface) permit LAN subnet to 10.122.17.x
-
guys,
I've setup my OPT2 interface to have 10.200.11.17 as a gateway.
Apart from that, i have create a rule in LAN whereby the 10.122.17.x destination from LAN subnet is allowed and via the gateway 10.200.11.17.
Still, i can't ssh or telnet or ping from my LAN to 10.122.17.x ip's.
I didnt put any static routing since i have allowed the rules in LAN as well as put the OPT2 gateway interface.
Please advise.
Thanks.
-
are you move rule permit LAN sybnet to 10.122.17.x on the top or above rule loadbalancing and policy routing?.
if you still can't access to 10.122.17.x please step by step…
1. remove existing rule for acccess to 10.122.17.x
2. add new rule on LAN interface easy protcol (telnet = 23, SSH = 22) and move to topif you still can't access try to add rule on OPT2 interface for LAN subnet can access to 10.122.17.x, i think you something wrong.
if you not completed please post your summary network diagram (if can)...
-
Don't set a gateway at interfaces>opt2 unless this is an additional WAN type interface. Add a static route instead. Does it work now?
-
guys;
I've done as advised.
I can see the logs in my pfsense.
Apr 7 09:37:04 pf: 2. 981875 rule 625.qlandef.112/0(match): pass in on rl0: (tos 0x0, ttl 128, id 63102, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.122.17.55: ICMP echo request, id 512, seq 2816, length 40
Unfortunately, the ping from LAN to 10.122.17.55 still failed.
C:\Documents and Settings\Kryz>ping 10.122.17.55
Pinging 10.122.17.55 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.I've added this;
- Remove gateway 10.200.11.17 from OPT2 interface.
- Added static routing 10.122.17.0/24 gw 10.200.11.17 in pfsense.
- Added LAN rule that ICMP from LAN subnet to network 10.122.17.0/24 is allowed.
- Added OPT2 rule that ICMP from LAN subnet to network 10.122.17.0/24 is allowed.
Please advise.
Thanks.
-
- Added static routing 10.122.17.0/24 gw 10.200.11.17 in pfsense.
You don't need any routes for local subnets on your pfSense interfaces. Drop the route. You only need firewallrules.
-
Hoba,
If i remove my statis routing, the pfsense can't even ping to 10.122.17.x network forget about LAN then.
I think the static routing must be there, otherwise, the pfsense doesn't know where it should forward the packet to.
Please take note that i didnt set any gateway to my OPT2 interface.
Please advise.
Thanks.
-
Never mind, I was wrong here and had a different setup in mind.
-
needs some steps to understand the situation:
- remove any gateways on any interface except WAN
- create alias "OPT2WAY" and include 10.122.17.x subnet 10.200.11.x subnet
- create rule at top on LAN interface for ICMP (Lan subnet)-> (OPT2WAY) alias
- add rule at top on OPT2 interface for ICMP (OPT2WAY)->(Lan subnet)
then ping from any Lan station:
- pfsense Lan interface IP(192.168.1.1)
- pfsense OPT2 interface IP(10.200.11.18)
- gateway's IP from your side(10.200.11.17)
- other IP of gateway, that looks to 10.122.17.x subnet(i don't know this one)
- then your station (10.122.17.55)
must be an answer only 1 to 4 steps
then add static route (10.122.17.0/24 gw 10.200.11.17)
repeat last 5 numbered steps.
must be all right!
if no answer on step 5 - you have no routing on 10.200.11.17 that redirects packets for your LAN subnetI'm waiting for results…
-
guys;
I've done this;
- Add rule on LAN to allow LAN subnet to ICMP to OPT2 subnet
- Add rule on OPT2 to allow OPT2 subnet to ICMP to LAN subnet
- All rule created above put at the top of each interface rule
This is what i get when i Ping from my PC (192.168.1.200).
- Ping to 10.200.11.20 or 10.200.11.21 - reply success
- Ping to 192.168.1.1 - reply success
- Ping to 10.200.11.17 (gateway to 10.122.17.x subnet) - no reply
10.200.11.17 is a Cisco router that connected to a leased line modem that go to 10.122.17.x private network.
Attached the pfsense firewall log.
pf: 2. 216031 rule 627.qlandef.143/0(match): pass in on rl0: (tos 0x0, ttl 128, id 60068, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.200 > 10.200.11.17: ICMP echo request, id 512, seq 4608, length 40
Log shown that the ICMP packet is allowed by pfsense. However, i still failed to ping to 10.200.11.17 - no reply.
Please advise.
Hope it helps.
Cheers.
-
The cisco router is missing routes.
-
guys;
Help me configure my Cisco then.
This is the current config;
interface FastEthernet0
ip address 10.200.11.17 255.255.255.240
speed auto
half-duplex
!
interface Serial0
ip address 10.200.254.214 255.255.255.252
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.200.254.213
ip route 10.122.0.0 255.255.0.0 10.200.254.213
ip route 172.28.0.0 255.255.0.0 10.200.254.213
no ip http server
from there, if you look, all is directed to 10.200.254.213 as a default gateway which i understand that the router should handle the 10.122 traffics.
but, if my pfsense OPT2 interface, it should not directed to 10.200.254.213, otherwise, confirm no packet can be send back to pfsense.
So, which gateway should i use in my Cisco router for my pfsense packet?
Please advise.
Thanks.
-
i think you need 1 more route:
ip route 192.168.0.0 255.255.0.0 10.200.11.18
-
Guys;
I've done that;
Now;
-
Can ping from pfsense 10.200.11.17 and 10.122.17.55
-
Can ping from my pc (192.168.1.200) to 10.200.11.17
-
But failed to ping from my pc (192.168.1.200) to 10.122.17.55
Added Cisco router config ip route 192.168.0.0 255.255.0.0 10.200.11.18
Please advise.
Thanks.
-
-
0.0.0.0 & 10.122.17.x - external to your network?