Routing Problem OPT1 to LAN



  • Hello everyone,

    I have a strange problem concerning routing between LAN and OPT1.
    We have pfSense 1.2 with WAN currently not connected (set as DHCP).
    LAN is 192.0.1.0, OPT1 is 192.168.12.0.
    I want just routing between both subnets with firewall capabilities enabled.

    My problem is that from LAN I can ping a host on OPT1, but from OPT1 I cannot ping a host in LAN.
    I checked the system logs, but didn't find anything.

    When I set the firewall to disabled (System/Advanced/Disable firewall) everything works fine.
    In my opinion it looks like NAT-like stuff: only outgoing connections are possible whereas incoming connections are blocked.
    I spent 2 days on it now, but nothing worked.

    I have two firewall rules:

    Interface: LAN
    Source: LAN subnet
    Destination: any

    and

    Interface: OPT1
    Source: OPT1 subnet
    Destination: any

    NAT is set to AoN with no rules defined.

    Can anybody help?



  • Is LAN: 192.0.1.0 a typo or are you really running this range on this interface?

    If something gets blocked by the default block rule in the firewall it will be displayed in the firewall log.
    (tab firewall under status–>System logs)

    NAT does not occur between interfaces if you enable AoN and remove all rules.

    Does your client in the LAN subnet have pfSense as its default gateway?
    I suspect it does not, since you say you didn't connect the WAN.
    How is your client in the LAN subnet supposed to know the route to your OPT1 subnet?

    Do you have 3 interfaces right now?
    If you just want to route two networks together you could eliminate the OPT1 and use WAN and LAN instead. (WAN facing the subnet which has internet access).
    Enabling "Advanced outbound NAT" and removing all rules disables NAT on pfSense completely.
    Meaning you now have a purely routing platform with firewalling capabilities.



  • The really strange thing is, that if logging default blocking rules is enabled, no log-entries appear.
    If I turn on logging in the two firewall rules mentioned before, then a pass-entry appears in the log as if the connection would work.

    The LAN-Range is reality. I know it is not good, but it's a relict of the past.
    The client computer in the LAN subnet has a route to the OPT1 subnet, but it is not the default route. As mentioned before, it is able to ping into the OPT1 subnet. The thing that doesn't work is pinging from the OPT1 network into LAN.
    Since everything works fine when disabling the firewall completely I assume it is something like firewall or NAT.

    I have 3 interfaces right now, but at this time WAN is unused (want to use it, if this routing thing works).
    I also tried it with WAN instead of OPT1 and everything worked perfectly (I had to disable blocking packets from private networks in the interface section).

    Since I want to use WAN later for internet access, I do not want WAN for routing. WAN for my subnet and OPT1 for internet access would be an unusual configuration  :).



  • Did you specify a gateway at the OPT1 interface? If so, pfSense will do NAT by default on that link, which will break the reverse direction. Either remove the gateway at OPT1 or use manual outbound NAT to disable it.
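
What the advice above amounts to in pf terms, written as an added illustration for this thread (it is hand-written pf syntax, not the ruleset pfSense 1.2 actually generates, and the interface names em0/em1 are assumed; the addresses are the ones from the thread):

```pf
# Added example, not code from the thread or from pfSense.
# Assumed interface names: em0 = LAN, em1 = OPT1.
lan      = "em0"
opt1     = "em1"
lan_net  = "192.0.1.0/24"
opt1_net = "192.168.12.0/24"

# With a gateway configured on OPT1, the box treats that link as an upstream
# link and translates LAN traffic leaving through it to OPT1's own address.
# Hosts on OPT1 then see 192.168.12.21 instead of the real 192.0.1.x source.
# This line is what you do NOT want on a pure router; it is absent once the
# OPT1 gateway is removed (or Advanced Outbound NAT is on with no mappings).
nat on $opt1 from $lan_net to any -> ($opt1)

# The two per-interface rules from the first post. Each is stateful, so the
# reply packets of a connection opened from either side are matched by the
# state created here, not by a separate rule on the other interface.
pass in quick on $lan  from $lan_net  to any keep state
pass in quick on $opt1 from $opt1_net to any keep state
```

Two checks that make the difference visible on the box itself: `pfctl -sn` lists the loaded NAT rules, so any `nat on` line mentioning the OPT1 interface means the link is still being treated as a NAT link; `pfctl -ss` lists the state table, where a LAN-to-OPT1 ping shows up with a translated source while NAT is active. Independently of NAT, a host on OPT1 still needs a route to 192.0.1.0/24 via 192.168.12.21 (or that address as its default gateway), exactly as the LAN client needs its route to the OPT1 subnet; otherwise its packets never reach pfSense at all.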



  • How did you configure your NICs, /24? And what's the gateway?



  • The LAN NIC is 192.0.1.21/24,
    the OPT1 NIC is 192.168.12.21/24, the gateway is the same (192.168.12.21).
    I tried to leave it blank or 0.0.0.0, but it is a required field. I also tried a completely different address.



  • Oh god!

    I tried to leave the gateway blank.
    If I put a blank (space) in it, pfSense doesn't accept it. If I leave it empty, then it works without a gateway (yes, I am a newbie in pfSense).

    So now I have no gateway on OPT1, and it works!

    Thank you very much!

