    Pfsense not reaching wanGW from lan

    General pfSense Questions
      shh last edited by

      Hi

      I have a test setup where my pfSense cluster works flawlessly; I have pulled network cables and power cables alike to test.
      But when I move to the production environment, where I have the exact same IP addresses (the only difference is that instead of the webserver I have my hosting provider's Cisco switch), no traffic from LAN reaches the Cisco switch.

      TEST environment
      Laptop <-LAN-> Pfsense <-WAN-> Webserver

      Laptop setup:
      LAN IP 10.0.0.20 (NAT 1:1 x.x.x.20)
      local firewall disabled

      Pfsense1 BACKUP
      LAN IP 10.0.0.2
      LAN CARP IP 10.0.0.1
      WAN IP x.x.x.2
      WAN CARP IP x.x.x.4
      Default gateway x.x.x.1

      Pfsense2 MASTER
      LAN IP 10.0.0.3
      LAN CARP IP 10.0.0.1
      WAN IP x.x.x.3
      WAN CARP IP x.x.x.4
      Default gateway x.x.x.1

      Webserver
      LAN IP x.x.x.1
      did: route add x.x.x.20 mask 255.255.255.255 x.x.x.4

      With this test setup the Laptop can view webpages on the Webserver, and the Webserver can view webpages on the Laptop. No flaws whatsoever.
      When the laptop telnets to x.x.x.1 on port 80 I can see in both netstat and the IIS logs that I present myself as the correct NAT x.x.x.20.
      I have enabled ICMP so I can also ping from laptop to webserver and webserver to laptop.

      Once I move the pfSense cluster to my production environment, things change.

      Instead of the webserver I now have a Cisco switch with a VLAN to my two pfSense boxes.

      My MASTER node is able to ping x.x.x.1 (Cisco switch) from the WAN interface.
      The Cisco switch can ping all WAN addresses on the pfSense cluster: .2, .3 and .4.

      When trying to ping from the LAN side of the pfSense, again from a server with IP 10.0.0.20 that is NATted to x.x.x.20, I can see the ICMP passed in the firewall log. But the Cisco switch never receives the traffic.
      The LAN side server can ping x.x.x.2, x.x.x.3 and x.x.x.4 (pfSense WAN side IPs), but somehow the traffic is not passed on to the Cisco switch.

      Added info: from the WAN IP in Diagnostics -> Ping I can ping 8.8.8.8; traffic is passed nicely.

      On the Cisco switch I do not see any other IP addresses on the VLAN contacting it than x.x.x.2, x.x.x.3 and x.x.x.4.
      When I fail back to my old firewall (non-pfSense) the Cisco switch is instantly populated with around 125 IP addresses (all my NATted addresses).

      I am at a loss as to what I should look for here. Keep in mind that I never so much as changed an IP address, since my test environment IP-wise replicates the exact setup, with public IPs and everything.

      I tried testing again back in the test environment, and spoofed the MAC address on my webserver which acts as the wanGW to see if it was somehow ARP messing me about. It isn't; everything works.

        stephenw10 Netgate Administrator last edited by

        Do you have VIPs on the WAN to NAT to?

        If you're using NAT there should be no need to add routes on the WAN side server (or switch), as the x.x.x.20 address is in the same subnet.

        Steve

          shh last edited by

          @stephenw10:

          Do you have VIPs on the WAN to NAT to?

          If you're using NAT there should be no need to add routes on the WAN side server (or switch), as the x.x.x.20 address is in the same subnet.

          Steve

          Thank you.

          The WAN webserver is a Windows machine. It has x.x.x.0 routed on-link, as shown by route print.

          So when it receives packets from x.x.x.20 it never goes to its gateway; that's why I have that route in the test setup, as I have it switched through a non-managed switch. On the production network the switch has an IP address directly connected to the firewall.

          So it feels like the pfSense is not even sending its NATted packets to the Cisco VLAN in the production environment. I'm gonna try and put up a build with no CARP to see if it's my outbound NAT rules somehow messing things up; they work in test though.

          I control all the x.x.x.x IPs so I'm not sure about your VIP question. I don't think I should have to make a VIP for every NAT manually; it should be taken care of by the outbound NAT rules, right?

            stephenw10 Netgate Administrator last edited by

            If you don't have VIPs then there will be nothing to respond to ARP at those IPs.
            Run a packet capture on the WAN to see what is actually happening there.

            I'm not clear on the route you added. I would not expect it to go to its gateway as it's in the same subnet, as you say. That should be OK though, since the IP is 1:1 NAT'd, so the external address that the web server sees is in that subnet.

            Steve

              shh last edited by

              The route is only in my test environment, because the default gateway for the pfSense box is a Windows machine, and that Windows machine needs to know how to reply on the x.x.x.y network. If I don't add a route to x.x.x.4 it will try to reply on-link.

              That Windows machine is not part of the production environment; in production I'm connected to a Cisco switch VLAN.

              When setting a VIP I only make a 1:1 NAT rule, and have outbound set to automatically do the rest. In test I can see from LAN to WAN that the correct NAT is translated and sent to the webserver on the WAN side.

              I have a /28 range; how in pfSense would I set all my NAT VIPs, other than in 1:1 NAT?
              /Shh

                stephenw10 Netgate Administrator last edited by

                Hmm, well I'm still not sure why you need the route. If you are NATing then the traffic will all appear to be coming from the same subnet as the Windows box, so it can reply directly without needing a route.
                Anyway, given that's only your test environment, that's an aside right now.

                You can add a range of VIPs if you use the Proxy ARP type and a matching range of 1:1 NAT entries by specifying the subnet size.

                Steve

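The point Steve makes in his two replies above (without a VIP nothing on the WAN answers ARP for the 1:1 external addresses, and a Proxy ARP VIP can cover a whole range such as a /28) can be checked against a configuration backup before cutting over to production. The script below is an added example and is not part of this thread or of pfSense itself. It reads a simplified, constructed fragment modelled on the layout of a pfSense config.xml (the tag names, the interface name "wan", and the treatment of each VIP mode as an ARP-answering range are assumptions of this example, not copied from a real export) and lists every 1:1 NAT external address for which no WAN VIP would answer ARP. The 203.0.113.0/24 documentation prefix stands in for the thread's x.x.x.x, and the addresses do not replicate the thread's layout.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config.xml layout (assumed tags).
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <!-- CARP VIP: shared WAN address, answers ARP only for .4 itself -->
    <vip><mode>carp</mode><interface>wan</interface>
         <subnet>203.0.113.4</subnet><subnet_bits>28</subnet_bits></vip>
    <!-- Proxy ARP VIP covering a routed /28 (.16 - .31) -->
    <vip><mode>proxyarp</mode><interface>wan</interface>
         <subnet>203.0.113.16</subnet><subnet_bits>28</subnet_bits></vip>
  </virtualip>
  <nat>
    <!-- single host, covered by the Proxy ARP range -->
    <onetoone><interface>wan</interface><external>203.0.113.20</external>
              <source><address>10.0.0.20</address></source></onetoone>
    <!-- four-host block .24 - .27, also covered -->
    <onetoone><interface>wan</interface><external>203.0.113.24</external>
              <source><address>10.0.0.24/30</address></source></onetoone>
    <!-- inside the CARP VIP's interface mask, but no VIP answers for .9 -->
    <onetoone><interface>wan</interface><external>203.0.113.9</external>
              <source><address>10.0.0.9</address></source></onetoone>
    <!-- outside every VIP range -->
    <onetoone><interface>wan</interface><external>203.0.113.40</external>
              <source><address>10.0.0.40</address></source></onetoone>
  </nat>
</pfsense>"""


def answering_ranges(root):
    """Address ranges on WAN for which this firewall will answer ARP.

    Assumption of this example: a Proxy ARP VIP answers for its whole
    subnet, while CARP and IP Alias VIPs answer only for their own address
    (their subnet_bits describe the interface mask, not an ARP range).
    """
    ranges = []
    for vip in root.iterfind("./virtualip/vip"):
        if vip.findtext("interface") != "wan":
            continue
        addr = vip.findtext("subnet")
        if vip.findtext("mode") == "proxyarp":
            bits = vip.findtext("subnet_bits", "32")
            ranges.append(ipaddress.ip_network(f"{addr}/{bits}", strict=False))
        else:
            ranges.append(ipaddress.ip_network(f"{addr}/32"))
    return ranges


def external_addresses(root):
    """Expand each WAN 1:1 NAT entry into the public addresses it claims.

    Assumption: when the internal side is a subnet, the external address is
    the first address of an equally sized block.
    """
    addrs = []
    for rule in root.iterfind("./nat/onetoone"):
        if rule.findtext("interface") != "wan":
            continue
        ext = ipaddress.ip_address(rule.findtext("external"))
        internal = ipaddress.ip_network(rule.findtext("source/address"), strict=False)
        addrs.extend(ext + offset for offset in range(internal.num_addresses))
    return addrs


def externals_without_vip(config_xml):
    """Return, in address order, the 1:1 externals no WAN VIP answers ARP for."""
    root = ET.fromstring(config_xml)
    ranges = answering_ranges(root)
    missing = {a for a in external_addresses(root)
               if not any(a in r for r in ranges)}
    return [str(a) for a in sorted(missing)]


if __name__ == "__main__":
    for addr in externals_without_vip(SAMPLE_CONFIG):
        print(f"1:1 NAT external {addr} has no VIP: upstream ARP will go unanswered")
```

On a live box the decisive check is the one suggested in the thread, a packet capture on WAN: ARP who-has requests from the upstream switch for a NAT'd address that get no reply are exactly the addresses this script flags ahead of time. Note that the script inspects only the WAN VIPs and 1:1 entries; outbound NAT rules are irrelevant to whether an address is answered on the wire.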
                  shh last edited by

                  Rumor has it that the problem was solved yesterday, and we will test it in production at the start of next week.
                  Solved by adding VIPs as you said, Stephen. I will write a status and follow up on this when it's in production, with the resolution in case someone else misconfigures the same way I have and stumbles on this thread later.

                  Thank you for the help :)

                  /shh
