    All but 2 networks are being blocked to the internet

    General pfSense Questions
sg1anubis:

I have pfSense as my firewall and a Cisco 1800 router as my main router with 7 networks on it. All the networks can ping all the subnets in the LAN, but only 2 can get to the internet. I have the rules set up all the same; I am just lost, been trying to figure this out for a week now.

Thanks for the help.

sg1anubis:

Here are my firewall rules: http://postimg.org/image/5aa8gth8n/
Here is my router config: http://pastebin.com/8pV5t9Lr

Networks 192.168.2.0/24 and 192.168.20.0/24 are the ones that work.

jahonix:

Hard to tell by the info given; you probably have your filter set reversed.

On the LAN tab you allow/block/reject what's coming in from the LAN subnet to other (local) subnets and/or the internet.
These are all ingress rules, NOT egress.

johnpoz (LAYER 8 Global Moderator):

Looks like a completely BORKED setup to me… Why would you have all your networks set up on both your Cisco and pfSense?

So all these networks on your router are all on the same interface?? interface FastEthernet0/1 and then subinterfaces for your VLANs??

What is doing all the routing for your VLANs?? Why do you have them all allowed on the LAN? That would point to having the networks downstream of pfSense...

marvosa:

Agreed. We need more info:

• Post a network map with IPs, so we can help you troubleshoot.

• All of those pfSense LAN rules are redundant considering you have an implicit allow at the bottom. Remove everything above the IPv4 LAN net rule and turn the LAN net rule into an any/any rule until you get all communication working.

• What do your static routes look like on pfSense? If your setup is how I think it is, there should be a static route for every subnet.

johnpoz (LAYER 8 Global Moderator):

So if the Cisco is upstream of pfSense, why would you have all those networks on subinterfaces?

If the Cisco is upstream, there would be 1 transit network connecting to the downstream pfSense. And same thing if the Cisco was downstream of the pfSense..

I have no idea what OP is trying to do.. Whatever it is seems borked, and I agree with the rules being redundant; I have no idea what the mask is on his LAN net.. If they all fall under LAN net then sure. But if the networks are downstream and use the LAN interface as the transit, then he would need rules to allow the traffic.

I would be interested in a drawing of what they are trying to do, and then we can work out how to make it work.

sg1anubis:

Okay, I will start from the beginning. I just got tossed on this network about a week and a half ago; this is not how I would have made this network. Okay, here it goes: this is to replace a dated SSG550 that failed. I did plan to replace it with a Cisco ASA, but my boss told me to install pfSense as our firewall. Anyway, all the inter-VLAN routing is done on the router. The IP of interface 0/0 is 192.168.80.2/24; that is what is connected to pfSense at 192.168.80.1/24. On the router there are subinterfaces on fa0/1 for all the VLANs for the different areas in the office. I would do the VLAN routing on pfSense, but I'm not allowed to, so that is out of the question. The biggest issue is that 192.168.20.0/24 and 192.168.2.0/24 are the only networks on the router that can get to the internet, but they all can ping each other. I just need help getting this borked network working until I can get my ASA and rebuild the network. Oh, one last thing: the firewall and the router are using RIPv2 to do routing between each other, and I am working on a map with all the IPs.

johnpoz (LAYER 8 Global Moderator):

And you ran out of crayons and a napkin?

DRAW IT DUDE!!!

Use gliffy if you want - it's free..

If you have your router in front of pfSense, and it's routing other VLANs… Why do you have all those rules on the pfSense LAN interface?? POINTLESS... When would traffic come into the pfSense LAN interface from those networks??

DRAW IT!!!

So your VLANs off your Cisco that is connected to the internet can not get to the internet? How does that have anything in the world to do with pfSense? And how is pfSense being your firewall if you're routing traffic off your Cisco? So you have pfSense in front of your Cisco??? Then you need to connect the Cisco to pfSense with a transit.. Create routes on pfSense to the downstream networks.

Your Cisco has
ip route 0.0.0.0 0.0.0.0 192.168.80.1

Where is that connected to pfSense??? Is that your pfSense LAN which you want to use as transit? Is there anything else on this LAN? Create routes on pfSense to all the downstream networks; also, if pfSense is connected to the internet, you're going to have to have it NAT all those downstream networks to its WAN IP..

Since all your networks are 192.168, it would be easier to just summarize it; use say 172.16.0.0/30 as your transit on the pfSense LAN. Then you only need one route and one outbound NAT rule.

Normally downstream would be done with a transit network, see attached. Create a gateway on pfSense pointing to the router interface on the transit for all your networks, or summarize. Set your outbound NAT to NAT those networks as well. And sure, create an allow on that transit interface for the downstream networks.. Any Any would be easiest, vs adding all of them individually.

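As an added example (not part of this thread or of pfSense), a small Python check of the setup johnpoz describes: for each downstream VLAN subnet it verifies that pfSense has a static route via the transit gateway and an outbound NAT source entry, and it computes the single summary prefix that would replace the per-subnet entries. The transit addresses are the ones the poster gave; the extra VLAN subnets and the route/NAT tables are constructed assumptions.

```python
import ipaddress

# Constructed example modelled on the thread: pfSense LAN 192.168.80.1/24 is the
# transit link to the Cisco fa0/0 at 192.168.80.2. The VLAN subnets beyond the
# two the OP named are assumptions, not taken from the poster's router config.
TRANSIT_IFACE = "192.168.80.1/24"
TRANSIT_GATEWAY = "192.168.80.2"
DOWNSTREAM = ["192.168.2.0/24", "192.168.20.0/24", "192.168.30.0/24",
              "192.168.40.0/24", "192.168.50.0/24"]
# What pfSense might hold when only two subnets were ever added: one static
# route (destination -> gateway) and one outbound NAT source entry each.
STATIC_ROUTES = {"192.168.2.0/24": TRANSIT_GATEWAY,
                 "192.168.20.0/24": TRANSIT_GATEWAY}
OUTBOUND_NAT_SOURCES = ["192.168.80.0/24", "192.168.2.0/24", "192.168.20.0/24"]


def covered_by(subnet, prefixes):
    """True if `subnet` lies inside any prefix in `prefixes`."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in prefixes)


def gateway_on_transit(gateway, transit_iface):
    """The next hop must be directly reachable on the transit interface."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(transit_iface).network


def find_gaps(downstream, routes, nat_sources):
    """Downstream subnets with no static route, and those with no outbound NAT."""
    no_route = [s for s in downstream if not covered_by(s, routes)]
    no_nat = [s for s in downstream if not covered_by(s, nat_sources)]
    return no_route, no_nat


def summary_route(downstream):
    """Smallest single prefix covering every downstream subnet (the 'summarize' option)."""
    nets = [ipaddress.ip_network(s) for s in downstream]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


if __name__ == "__main__":
    assert gateway_on_transit(TRANSIT_GATEWAY, TRANSIT_IFACE)
    no_route, no_nat = find_gaps(DOWNSTREAM, STATIC_ROUTES, OUTBOUND_NAT_SOURCES)
    print("subnets with no route to the Cisco:", no_route)
    print("subnets not NATed out the WAN:     ", no_nat)
    print("one route + one NAT entry covering all:", summary_route(DOWNSTREAM))
```

Subnets listed by both checks match the symptom in the thread: they can reach other VLANs through the Cisco but never get a path or a NAT translation out of pfSense.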