2 network cards - can access WebGUI but not ping pfSense

lemon

Hi guys,

I've got 2 network cards in my Win7 computer:

• LAN1 10.0.0.10 with gateway 10.0.0.1 (internal network)
• LAN2 192.168.2.100 with gateway 192.168.2.1 (this is pfSense, connected to WAN)

with no specific routes set the traffic goes through LAN1, but obviously I need internet connection for some applications.
So I set the following routes:

destination    mask        gateway      interface      metric
0.0.0.0        0.0.0.0    192.168.2.1  192.168.2.100  10
10.0.0.0      255.0.0.0  10.0.0.1      10.0.0.10      20

The idea behind should be to direct every traffic to pfSense except the one directed to our internal servers.

Now every traffic seems to end in the nowhere, also pings are loss 100%. I even can't ping pfSense (192.168.2.1) though I can access without problem its webGUI. Pinging one of our internal servers works fine…
Squid is also installed on pfSense, and surfing through proxy works fine.

Any idea what I did wrong here?

Thank you very much!!!

chpalmer

Does the 10. network see the internet in anyway?  If not get rid of the gateway IP.  Leave it blank.

lemon

Hi chpalmer,

didn't change anything, I still can ping 10.0.0.1 but not 192.168.2.1.
By the way, the windows firewall is off.

What I tried now: i deactivated the 10.x network card on my computer, and even that didn't change anything. What the hell…?!?

Thank you again

viragomann

@lemon:

destination    mask        gateway      interface      metric
0.0.0.0        0.0.0.0    192.168.2.1  192.168.2.100  10
10.0.0.0      255.0.0.0  10.0.0.1      10.0.0.10      20

The idea behind should be to direct every traffic to pfSense except the one directed to our internal servers.

Do you really need the gateway 10.0.0.1 to reach the servers?
If not, delete these routes again, go to the interface configuration of LAN1 and delete the gateway (leave it blank), in LAN2 add the gateway 192.168.2.1 if it isn't already set and Windows will do the rest.

lemon

I already deactivated LAN1 and LAN2's gateway is automatically 192.168.2.1. But that doesn't solve my problem  :(
Maybe my settings are ok and there's something wrong with my windows installation?

viragomann

Check the Windows routing table. In cmd run "route print".

lemon

Ok, now LAN1 and LAN2 are active again, I've deleted the persistent routes I've added before and made a "IPCONFIG /RENEW", so that the interfaces are as they come "out of the box".

These are the active routes "route print" gives out:

===========================================================================
Interface List
22…90 1b 0e 3e 4d 56 ......Intel(R) Ethernet Connection I217-V
17...00 50 b6 0a a3 a0 ......ASIX AX88178 USB2.0 to Gigabit Ethernet Adapter
  1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
10...00 00 00 00 00 00 00 e0 Microsoft-Teredo-Tunneling-Adapter
21...00 00 00 00 00 00 00 e0 Microsoft-6zu4-Adapter
18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #5

===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface Metric
          0.0.0.0            0.0.0.0      100.1.18.10      100.1.18.102    10
          0.0.0.0            0.0.0.0      192.168.2.1    192.168.2.100    20
      100.1.18.0      255.255.255.0          On-Link      100.1.18.102    266
    100.1.18.102    255.255.255.255          On-Link      100.1.18.102    266
    100.1.18.255    255.255.255.255          On-Link      100.1.18.102    266
        127.0.0.0          255.0.0.0          On-Link        127.0.0.1    306
        127.0.0.1    255.255.255.255          On-Link        127.0.0.1    306
  127.255.255.255    255.255.255.255          On-Link        127.0.0.1    306
      192.168.2.0      255.255.255.0          On-Link    192.168.2.100    276
    192.168.2.100    255.255.255.255          On-Link    192.168.2.100    276
    192.168.2.255    255.255.255.255          On-Link    192.168.2.100    276
        224.0.0.0          240.0.0.0          On-Link        127.0.0.1    306
        224.0.0.0          240.0.0.0          On-Link    192.168.2.100    276
        224.0.0.0          240.0.0.0          On-Link      100.1.18.102    266
  255.255.255.255    255.255.255.255          On-Link        127.0.0.1    306
  255.255.255.255    255.255.255.255          On-Link    192.168.2.100    276
  255.255.255.255    255.255.255.255          On-Link      100.1.18.102    266

Persistent routes:
  None

What do you want me to do now?

viragomann

As shown, you've 2 default routes. One to 100.1.18.10 with metric 10 and one to 192.168.2.1 with 20. The lower metric value is the preferred route. Shure, you've deleted the routes you set first?

What shows "ipconfig /all"?

lemon

Hi,

sorry, was absent for a few days. I've connected now a notebook with a single network card to pfSense and it gets an IP address from it. Ok. But the notebook can't ping pfSense neither. What's the problem here? Seems to be a pfSense problem at this time, don't you think?

Thank you very much

EDIT: when activating the original firewall rule "default allow LAN to any rule" I can ping pfSense again and routes are working:

johnpoz

Well yeah the default any any rule allows icmp, if your not going to use a any any rule and you want to ping you would have to have a rule that allows icmp.

So my wireless guest segment is pretty locked down, but you can see I allow them to ping pfsense interface so they can validate connectivity.  Then any other IP of the firewall at all on any port is blocked.  I then allow them out to anything they want as long as not rfc1918 (local networks) - this allows them internet access.  Notice they can not even use pfsense for dns, I hand them public via dhcp for that.