[SOLVED]Always need to ping to establish a connection

cesjr

Always need to ping to establish a connection

I have two subnet
192.168.1.0/24  GW:192.168.1.1
10.1.2.0/24    GW:10.1.2.254
The pfsense LAN interface IP is 192.168.1.1 , below is pfsense routing table

| Network | Gateway | Interface | Description |
| 10.0.0.0/24 | 192.168.1.244 | LAN | LAN2 |

The 10.1.2.254 is a Freebsd Router ,has two interface below

192.168.1.244 /24
10.1.2.254 /24
default router is 192.168.1.1

When I using vnc viewer from 10.1.2.0 to 192.168.1.0 , I always need to ping clinet's IP
, but if I change the clients default gateway to 192.168.1.244 , it is working fine .

How should I fix this problem , any suggestion will be arrpeciated ,thanks

viragomann

@cesjr:

The pfsense LAN interface IP is 192.168.1.1 , below is pfsense routing table

| Network | Gateway | Interface | Description |
| 10.0.0.0/24 | 192.168.1.244 | LAN | LAN2 |

A typo at the network?

cesjr

sorry , It should be this , I was paste wrong info :'(

Network         Gateway             Interface Description
10.1.2.0/24 192.168.1.244     LAN         LAN2

viragomann

In System > Advanced > Firewall and NAT try to check "Bypass firewall rules for traffic on the same interface".

cesjr

Thanks your suggestion ,after I applies this option , it is working fine , do not need to ping anymore.
By the way ,why this option is not enable by default ,and why I have to ping ,if I do not enable it.

Derelict

Because you are trying to hairpin in and back out the same interface which is an unsound network design.

No idea about the ping. Something tells me you're not really seeing what you think you're seeing.

cesjr

LOL, I think I have to study hard , and watch careful
What is the best network  design of multiple subnet , In my case ,should I change the 10.1.2.0/24 default gateway to pfsense ,  or let router do routing , gathering  all subnet  gateway on router .

Derelict

You should talk to the downstream router on a dedicated transit network, not an address on LAN. In the configuration you have you would need to put a route for 10.1.2.0/24 on every LAN client pointing at 192.168.1.244. Otherwise they will send traffic for that network to the default gateway which, in turn, has to hairpin it back out the same interface it came in on.

cesjr

OK , I will think more carefully and adjusting my network design ,thanks :)

cmb

It's not a good design. But the reason a ping first works is almost certainly because it makes the host pick up the ICMP redirect, then when you try the TCP connection, it routes it directly accordingly.