SIMPLE CONFIG

leroz

Hello I have pretty straightforward config however I cannot seem to get the routing quite right When I tracert from LAN 1 back to LAN 2 I time out @ 10.0.0.2 I can however tracert back from LAN2 to LAN1 When looking in the logs I see an error 516704 rule 84/0(match): block in on nve0: 71.xxx.xxx.xxx.44049 > 10.0.0.1.57137: UDP, length 173. I really just want any traffic to flow between LAN 1 and LAN 2 as the connection is a dedicated Point to Point connection.

LAN2
                                                206.187.xxx.xxx
                                                          |
                                                  |PFSENSE2|–--WAN2 71.xxx.xxx.xxx
                                                          |
                                                      OPT
                                                    10.0.0.2
                                                          |
                                                          |
                                                    10.0.0.1
                                                      WAN1
                                                          |
                                                  |PFSENSE1|
                                                          |
                                                          |
                                                      LAN1
                                                    172.17.xxx.xxx

GruensFroeschli

Are you having the same physical subnet on multipe interfaces?

Did you uncheck the "Block private networks" checkbox on the WAN config?

Do both pfSense's know the routes back?

Are you aware that you're doing NAT?

leroz

Did you uncheck the "Block private networks" checkbox on the WAN config? Yes

Do both pfSense's know the routes back? Not sure

Are you having the same physical subnet on multiple interfaces? No each adapter has a diff subnet (except the 10.x.x.x)

GruensFroeschli

Did you disable NAT from LAN1 to WAN1?
If not: you have to.
Otherwise you'll never be able to access anything in the 172.17.x.x range.

Then add a route on your pfSense2 that points to 10.0.0.1 for the 172.17.x.x range.

leroz

Did you disable NAT from LAN1 to WAN1? NAT is Disabled

I do have a route on Pfsense2 for 10.0.0.1 that points to 172.17.x.x

Interface    Network              Gateway
LAN      172.17.x.x/24    10.0.0.1

GruensFroeschli

Set the interface to OPT in the static route.

How do your rules on the OPT interface look like?
Are you allowing the 172.17.x.x range?

leroz

I have two new errors maybe these will help

pf: 3. 465370 rule 77/0(match): block in on nve0: fe80::20a:95ff:fed7:3622 > ff02::2: ICMP6, router solicitation, length 16

pf: 1. 668777 rule 77/0(match): block in on nve0: 71.x.x.x.16013 > 10.0.0.1.55558: UDP, length 173

The 71.x is the WAN interface on the PFSENSE2 Box that is not plugged in at this time.

GruensFroeschli

As dumb as it sounds: are you sure that you plugged in the right interface?

leroz

LOL - yep I can transverse the two networks using vnc and even copy data up from lan2 to lan1 I just cannot seem to come back from lan1 to lan2. it just keep sending packets to the WAN interface for some reason instead of from OPT to the LAN

GruensFroeschli

That's why i ask.
If OPT isnt plugged in, and you plugged your WAN on pfSense2 instead, you should be able to access LAN1 from LAN2.
But since you have a blockrule on WAN2 you never can access LAN2 from LAN1.
Another thing that points to this is that you cannot ping 10.0.0.2 (your trace before).

Maybe just swap the cable on the interfaces as a test :)

If that doesnt work: What rules do you have on the OPT1 interface?

leroz

Ill give it a try and see what happens