Routing between Network Interfaces



  • Hello,

    I'm new to pfSense and really like the software but I'm scratching my head on this question for 2 days now.
    I have a very simple setup, 3 interfaces, 1 WAN, 2 LAN with pfSense 2.2.2 as their default gateway.
    I originally encountered the issue with OpenVPN, I got it set up and the client to connect but even though the firewall rules were fully opened, I could not get the client to communicate with the LAN subnets.

    I then attempted to connect between the 2 LANs but same thing no routing between them still with open firewall rules.

    I then decided to spin up an even simpler setup, 1 pfSense with 2 LAN interfaces with their own private subnets. Still no routing even with the firewall completely disabled.
    By capturing traces, I could see the ICMP requests on one interface but nothing on the destination.

    The only way I get the subnets on the different interfaces to communicate is by double NATing them.

    Is this an expected behavior of the product or am I missing a setting to activate routing between interfaces?

    Thanks.



  • In the most basic setup, how are your interfaces configured? What IP and mask?

    Firewall rules are all there is to routing between networks in the most basic case. Where the traffic doesn't leave the destination interface in a basic setup, it's either blocked, or your interface config is wrong in some manner, like overlapping subnets on two interfaces, or one interface having a /32 mask so it's the only device on that subnet so it won't route anything out.



  • 2 LAN with pfSense 2.2.2 as their default gateway.

    You don't specify a gateway for LANs.

    With 2 LAN interfaces, pfSense will auto-create Allow All rules for LAN but nothing for OPT1. You must create your own firewall rule on OPT1 to allow it to talk anywhere.

    Post your LAN & OPT1 interface details and your LAN & OPT1 firewall rules.
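The two replies above name the usual causes of "no routing between interfaces": a bad interface configuration (overlapping subnets or a /32 mask) and a missing pass rule on the interface where traffic enters pfSense (LAN gets one by default, OPT1 does not). The following is an added illustration, not code from the thread or from pfSense: it models those checks in plain Python with constructed, hypothetical interface addresses and a set of interface names standing in for "has a pass-any rule".

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample configurations (hypothetical addresses, not the poster's).
GOOD_INTERFACES: Dict[str, str] = {
    "LAN":  "192.168.1.1/24",
    "OPT1": "192.168.2.1/24",
}
BAD_INTERFACES: Dict[str, str] = {
    "LAN":  "192.168.1.1/24",
    "OPT1": "192.168.1.200/24",  # same subnet as LAN: overlapping interfaces
    "OPT2": "192.168.3.1/32",    # /32: pfSense is the only host, nothing to route
}

# Interfaces carrying a "pass any" rule. pfSense creates one for LAN by
# default; OPT interfaces start with no rules, so their traffic is blocked.
DEFAULT_PASS_RULES: Set[str] = {"LAN"}


def check_interfaces(interfaces: Dict[str, str]) -> List[str]:
    """Report /32 masks and overlapping subnets, the two config errors named above."""
    problems: List[str] = []
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    for name, net in nets.items():
        if net.prefixlen == 32:
            problems.append(f"{name}: /32 mask means pfSense is the only host on {net}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def forwarding_verdict(interfaces: Dict[str, str], pass_rules: Set[str],
                       src: str, dst: str) -> Tuple[bool, str]:
    """Decide whether a packet from src to dst would be forwarded between two
    directly connected interfaces, and say why not when it would not."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    ingress = [n for n, net in nets.items() if src_ip in net]
    egress = [n for n, net in nets.items() if dst_ip in net]
    if len(ingress) != 1:
        return False, f"source {src} matches {len(ingress)} interfaces (expected exactly 1)"
    if len(egress) != 1:
        return False, f"destination {dst} matches {len(egress)} interfaces (expected exactly 1)"
    if ingress[0] == egress[0]:
        return False, "same interface: hosts talk directly, pfSense does not forward"
    # Rules are evaluated on the interface where the packet enters pfSense.
    if ingress[0] not in pass_rules:
        return False, f"no pass rule on ingress interface {ingress[0]}"
    return True, f"forwarded {ingress[0]} -> {egress[0]}"


if __name__ == "__main__":
    for problem in check_interfaces(BAD_INTERFACES):
        print("config problem:", problem)
    print(forwarding_verdict(GOOD_INTERFACES, DEFAULT_PASS_RULES, "192.168.2.50", "192.168.1.50"))
```

Run as-is it prints the two configuration problems in the bad set and then shows that a packet entering on OPT1 is dropped for lack of a pass rule, which is the situation the second reply describes; adding "OPT1" to the pass set turns the verdict into a forward.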



  • Thanks for your replies, I figured out what the problem was: the firewall rules on the target workstations were allowing replies to their own subnets only. That's why it worked with NAT only and not with the routing.
    As soon as I changed them the problem was gone.

    Finally I can move forward now, I wouldn't have liked to leave double NAT on, that's a bit of an ugly workaround.

    Thanks again.
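The resolution above is worth a closer look from a troubleshooting standpoint, because it explains why the double-NAT workaround "fixed" things: with outbound NAT the workstation saw packets sourced from the pfSense address on its own subnet, which its host firewall allowed, whereas plainly routed packets kept their original off-subnet source and were silently dropped by the host, so a capture on pfSense showed the request leaving the correct interface and nothing coming back. The following is an added example, not code from the thread; it uses constructed, hypothetical addresses and a minimal model of a host firewall that accepts only its own subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    src: str
    dst: str


# Constructed topology (hypothetical addresses, not the poster's).
PFSENSE_OPT1_ADDR = "192.168.2.1"   # pfSense address on the workstation's subnet
WORKSTATION = "192.168.2.20"        # target host on OPT1
OTHER_LAN_HOST = "192.168.1.50"     # source host on LAN

# The misconfiguration from the thread: the workstation's own firewall
# accepts traffic only from its own subnet.
HOST_ALLOWED_SOURCES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("192.168.2.0/24"),
]

# The fix: also accept the other routed LAN subnet.
FIXED_ALLOWED: List[ipaddress.IPv4Network] = HOST_ALLOWED_SOURCES + [
    ipaddress.ip_network("192.168.1.0/24"),
]


def host_accepts(src: str, allowed: List[ipaddress.IPv4Network]) -> bool:
    """Host firewall check: is the packet's source in an allowed subnet?"""
    s = ipaddress.ip_address(src)
    return any(s in net for net in allowed)


def forward(pkt: Packet, outbound_nat: bool) -> Packet:
    """pfSense forwarding step. Plain routing keeps the original source;
    outbound NAT on the egress interface rewrites it to that interface's
    address, which is what makes the double-NAT workaround 'work'."""
    if outbound_nat:
        return Packet(src=PFSENSE_OPT1_ADDR, dst=pkt.dst)
    return pkt


def ping_reaches_host(src: str, outbound_nat: bool,
                      allowed: List[ipaddress.IPv4Network] = HOST_ALLOWED_SOURCES) -> bool:
    """Does an echo request from src get past the workstation's host firewall?"""
    delivered = forward(Packet(src=src, dst=WORKSTATION), outbound_nat)
    return host_accepts(delivered.src, allowed)


if __name__ == "__main__":
    print("routed, host rules as found:", ping_reaches_host(OTHER_LAN_HOST, outbound_nat=False))
    print("NATed, host rules as found: ", ping_reaches_host(OTHER_LAN_HOST, outbound_nat=True))
    print("routed, host rules fixed:   ", ping_reaches_host(OTHER_LAN_HOST, False, FIXED_ALLOWED))
```

The practical lesson this encodes: when a capture on the firewall shows the request going out the right interface with no reply, check the destination host's own packet filter before touching NAT, since NAT hides the host-side misconfiguration instead of fixing it.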
