1. Home
  2. pfSense® Software
  3. Routing and Multi WAN
  4. [RESOLVED] WAN interface - 2nd route OK but pfsense still sending to default GW

[RESOLVED] WAN interface - 2nd route OK but pfsense still sending to default GW

  • F

    Hi all
    I have set up a pfsense as a Captive Portal (call it "PORTAL").
    This machine manages 1 LAN (Guests) and connects to an external network (WAN) hosting a router (WANGW) and another firewall for internal networks (called FW).

    I want to give management access to the PORTAL from one of the internal networks, thus through the FW.

    IP addresses :
    WANGW : 10.21.101.11
    FW : 10.21.101.254
    PORTAL (ext.): 10.21.101.20

    PORTAL (int) : 10.21.4.254
    Guests net : 10.21.4.0/24
    internal net : 10.21.2.0/24

    In PORTAL : There is a default gateway via WANGW.
    I then created another gateway pointing to 10.21.101.254 (=FW) and created a static route 10.21.2.0/24 via FW.

    When I try to connect to PORTAL from host 10.21.2.1, I see the packets arriving at PORTAL, but then it sends answers back to WANGW, not FW !

    Here is an example of two packets captured (ICMP ping) :
    1 0.000 10.21.2.1 10.21.101.20 ICMP 98 Echo (ping) request  id=0x1fb0, seq=1/256, ttl=64 (reply in 2)
    Ethernet II, Src: Netasq_0e:e9:65 (00:0d:b4:0e:e9:65), Dst: HewlettP_34:6e:d2 (00:23:7d:34:6e:d2)

    2 0.000 10.21.101.20 10.21.2.1 ICMP 98 Echo (ping) reply    id=0x1fb0, seq=1/256, ttl=64 (request in 1)
    Ethernet II, Src: HewlettP_34:6e:d2 (00:23:7d:34:6e:d2), Dst: Anovo_e9:1b:ab (40:5a:9b:e9:1b:ab)

    the reply is sent to WANGW (MAC = anovo…) instead of going back to FW (MAC = Netasq...) : that should not be since there is a route defined to 10.21.2.0/24 via FW

    Any clue ? This is not a rules issue since the PORTAL sends a reply.

    Some config extracts :
    <interfaces><wan><enable><if>bce0</if>

    <alias-address><alias-subnet>32</alias-subnet>
    <spoofmac><ipaddr>10.21.101.20</ipaddr>
    <subnet>24</subnet>
    <gateway>WANGW</gateway></spoofmac></alias-address></enable></wan>
    <lan><enable><if>bce1</if>

    <spoofmac><ipaddr>10.21.4.254</ipaddr>
    <subnet>24</subnet>
    <ipaddrv6>slaac</ipaddrv6></spoofmac></enable></lan></interfaces>
    <staticroutes><route><network>10.21.2.0/24</network>
    <gateway>FW</gateway></route>
    [snip]

    <gateways><gateway_item><interface>wan</interface>
    <gateway>10.21.101.11</gateway>
    <name>WANGW</name>
    <weight>1</weight>
    <ipprotocol>inet</ipprotocol>
    <interval><avg_delay_samples><avg_loss_samples><avg_loss_delay_samples><monitor_disable><defaultgw></defaultgw></monitor_disable></avg_loss_delay_samples></avg_loss_samples></avg_delay_samples></interval></gateway_item>
    <gateway_item><interface>wan</interface>
    <gateway>10.21.101.254</gateway>
    <name>FW</name>
    <weight>1</weight>
    <ipprotocol>inet</ipprotocol>
    <interval><avg_delay_samples><avg_loss_samples><avg_loss_delay_samples><descr><monitor_disable></monitor_disable></descr></avg_loss_delay_samples></avg_loss_samples></avg_delay_samples></interval></gateway_item></gateways>

    I finally created 2 specific VLANs on the internal interface : one for the guests and one interconnect to internal networks (specific FW interface) and it works.
    (I arranged the VLANs on the switching hardware too.)</staticroutes>

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy