    [RESOLVED] WAN interface - 2nd route OK but pfsense still sending to default GW

    Routing and Multi WAN
      f.meunier last edited by

      Hi all
      I have set up a pfsense as a Captive Portal (call it "PORTAL").
      This machine manages 1 LAN (Guests) and connects to an external network (WAN) hosting a router (WANGW) and another firewall for internal networks (called FW).

      I want to give management access to the PORTAL from one of the internal networks, thus through the FW.

      IP addresses:
      WANGW: 10.21.101.11
      FW: 10.21.101.254
      PORTAL (ext.): 10.21.101.20

      PORTAL (int.): 10.21.4.254
      Guests net: 10.21.4.0/24
      Internal net: 10.21.2.0/24

      In PORTAL: there is a default gateway via WANGW.
      I then created another gateway pointing to 10.21.101.254 (= FW) and created a static route 10.21.2.0/24 via FW.

      When I try to connect to PORTAL from host 10.21.2.1, I see the packets arriving at PORTAL, but then it sends the answers back to WANGW, not FW!

      Here is an example of two packets captured (ICMP ping):
      1 0.000 10.21.2.1 10.21.101.20 ICMP 98 Echo (ping) request  id=0x1fb0, seq=1/256, ttl=64 (reply in 2)
      Ethernet II, Src: Netasq_0e:e9:65 (00:0d:b4:0e:e9:65), Dst: HewlettP_34:6e:d2 (00:23:7d:34:6e:d2)

      2 0.000 10.21.101.20 10.21.2.1 ICMP 98 Echo (ping) reply    id=0x1fb0, seq=1/256, ttl=64 (request in 1)
      Ethernet II, Src: HewlettP_34:6e:d2 (00:23:7d:34:6e:d2), Dst: Anovo_e9:1b:ab (40:5a:9b:e9:1b:ab)

      The reply is sent to WANGW (MAC = Anovo...) instead of going back to FW (MAC = Netasq...): that should not be, since there is a route defined to 10.21.2.0/24 via FW.

      Any clue? This is not a rules issue, since the PORTAL sends a reply.

      Some config extracts:
      <interfaces><wan><enable></enable><if>bce0</if>
      <alias-address></alias-address><alias-subnet>32</alias-subnet>
      <spoofmac></spoofmac><ipaddr>10.21.101.20</ipaddr>
      <subnet>24</subnet>
      <gateway>WANGW</gateway></wan>
      <lan><enable></enable><if>bce1</if>
      <spoofmac></spoofmac><ipaddr>10.21.4.254</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>slaac</ipaddrv6></lan></interfaces>
      <staticroutes><route><network>10.21.2.0/24</network>
      <gateway>FW</gateway></route>
      [snip]
      </staticroutes>

      <gateways><gateway_item><interface>wan</interface>
      <gateway>10.21.101.11</gateway>
      <name>WANGW</name>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval></interval><avg_delay_samples></avg_delay_samples><avg_loss_samples></avg_loss_samples><avg_loss_delay_samples></avg_loss_delay_samples><monitor_disable></monitor_disable><defaultgw></defaultgw></gateway_item>
      <gateway_item><interface>wan</interface>
      <gateway>10.21.101.254</gateway>
      <name>FW</name>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval></interval><avg_delay_samples></avg_delay_samples><avg_loss_samples></avg_loss_samples><avg_loss_delay_samples></avg_loss_delay_samples><descr></descr><monitor_disable></monitor_disable></gateway_item></gateways>

      I finally created 2 specific VLANs on the internal interface: one for the guests and one interconnect to the internal networks (a specific FW interface), and it works.
      (I arranged the VLANs on the switching hardware too.)

      (mostly ZOTAC CI or CA nano barebones)
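Added example, not from the thread or from pfSense: a small Python check that reads a pfSense config fragment (the post's extracts, re-nested as pfSense writes them, embedded here as a constructed sample), finds the routing-table next hop for the replying host and compares it with the gateway bound to the interface the request arrived on. pfSense puts pf's reply-to on rules for interfaces that have a gateway assigned, so replies to traffic that entered on such an interface go back to that interface's gateway rather than following a static route; the function `check_reply_path` (a name chosen for this example) flags exactly that mismatch.

```python
"""Compare the routing-table next hop with the interface-bound gateway for a reply."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the thread's config extracts, nested as pfSense's config.xml does.
CONFIG = """<pfsense>
<interfaces>
 <wan><enable></enable><if>bce0</if><ipaddr>10.21.101.20</ipaddr><subnet>24</subnet><gateway>WANGW</gateway></wan>
 <lan><enable></enable><if>bce1</if><ipaddr>10.21.4.254</ipaddr><subnet>24</subnet></lan>
</interfaces>
<staticroutes><route><network>10.21.2.0/24</network><gateway>FW</gateway></route></staticroutes>
<gateways>
 <gateway_item><interface>wan</interface><gateway>10.21.101.11</gateway><name>WANGW</name><defaultgw></defaultgw></gateway_item>
 <gateway_item><interface>wan</interface><gateway>10.21.101.254</gateway><name>FW</name></gateway_item>
</gateways>
</pfsense>"""


def load(config_xml):
    """Return (gateways by name, route list, interfaces by name) from the fragment."""
    root = ET.fromstring(config_xml)
    gws = {g.findtext("name"): g for g in root.iter("gateway_item")}
    routes = []  # (network, gateway name); an empty <defaultgw> marks the default route
    for name, gw in gws.items():
        if gw.find("defaultgw") is not None:
            routes.append((ipaddress.ip_network("0.0.0.0/0"), name))
    for r in root.iter("route"):
        routes.append((ipaddress.ip_network(r.findtext("network")), r.findtext("gateway")))
    ifaces = {i.tag: i for i in root.find("interfaces")}
    return gws, routes, ifaces


def table_next_hop(routes, gws, dst):
    """Longest-prefix match, i.e. what the kernel routing table would pick."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], gws[best[1]].findtext("gateway")


def interface_gateway(ifaces, gws, ifname):
    """Gateway bound to the interface (None for interfaces without one, e.g. lan)."""
    name = ifaces[ifname].findtext("gateway")
    return (name, gws[name].findtext("gateway")) if name else None


def check_reply_path(config_xml, requester, arrived_on):
    """Flag a reply to `requester` that reply-to would send to a different hop."""
    gws, routes, ifaces = load(config_xml)
    table = table_next_hop(routes, gws, requester)
    bound = interface_gateway(ifaces, gws, arrived_on)
    return {"routing_table": table, "interface_gateway": bound,
            "mismatch": bound is not None and bound != table}
```

With the thread's addresses, the routing table answers FW (10.21.101.254) for 10.21.2.1 while the WAN interface is bound to WANGW (10.21.101.11), which matches the captured reply going to the Anovo MAC.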
