Issues routing between subnets on Lan interface

    As my crudely drawn MS Paint diagram shows, I currently have a primary network sitting in the 192.168.200.x range that can not communicate to the 192.168.1.x subnet nested inside of it. Currently, I have a static route setup from within the router and firewall rules at the pfSense box that allows all traffic from any address on the 192.168.1.x subnet to ping any address on the 192.168.200.x subnet. I cannot, despite having an identical setup in reverse, do the same from the '200' net to the '1' net. I also want to mention that all systems on both subnets access the internet and related services without issue.

    From within the pfSense routing diagnostic tab I can see the counter for the route go up every time I attempt to ping into the 192.168.1.x net from the 192.168.200.x net, however all I receive are time out errors. Traceroute shows timeouts immediately after the first and only jump to

    So far I have LAN rules completely allowing all traffic from any address and port to any address or port within the LAN subnet and have checked the box for 'Bypass firewall rules for traffic on the same interface'. I have also tried various forms and combinations of NAT and Route rules to no beneficial effect.

    I know this may seem like an over complicated setup, but once I establish a baseline of communication between the networks I intend to lock them down from each other with only a few specific types of traffic from specific addresses to pass through.

  • If you add the Netgear router as gateway to pfSense and add a static route for the 192.168.1.x subnet to use it, you should be able to access 192.168.1.x from 192.168.200.x.

    Your link fails and has to be reworked..  Why do people not just attach the drawing here direct?

    So you disabled nat on that netgear??  I doubt that since you make no mention, and your picture is a typical soho nat router.  If you do not have nat off, then you have no need for routes in pfsense.  If you have nat off on that netgear then your setup is wrong since your downstream router is not on a transit network.

    What exactly are you trying to accomplish? 2 lan segments seems like.. So why are natting or routing to a downstream network??  Just connect direct to pfsense, you seem to show multiple interfaces on pfsense.

    Why would you not just use that netgear as AP, and connect it to an interface on pfsense so it was easier to route and firewall - what is your need for a downstream network be it natted or not?

    See my example drawing.

  • Thanks much for your replies! The issue with the main image in my first post has been fixed.

    Ideally I want to retain the router as its own independent subnet as devices come and go fairly freely from that network and I want an additional layer of general isolation between the boxes I host and the private computers that connect to the public network. Besides that, I've dumped so much time into getting this working that now I'm obsessing over getting it functional regardless of practicality.

    For whatever reason all connection attempts going into the '1' network from '200' fail, and I still cannot figure out why.

    I've attached another image that might help. I apologize for the mess that is my firewall rules page, I've been throwing configurations at the page to see what sticks, so to speak.

    EDIT: I forgot to mention, the pfSense box has only three ethernet jacks, all of which are in use (WAN, LAN, and remote management for the VSphere server pfSense and a webserver run in). The switch acts as a dumb hub, with all switching and routing disabled for the physical ports used for general networking. It only does L2 switching, anyway.

  • As far as I can see the netgear router drops the packets. Your netgear router, as all standard consumer routers, routes freely from the LAN to the WAN but blocks everything from WAN to LAN unless initiated from the LAN side. You are missing a firewall rule on the netgear router to allow incoming traffic on the WAN interface to be forwarded to the LAN interface.

    Your time will surely be better spent with replacing the consumer router with either a managed switch so that you can use VLANs, or at least a "smart" switch that supports VLANs. A simple 8 port switch with VLAN support and a basic webgui costs 30 or 40 bucks, and already turns your one available port on the pfsense box into 7 ports.

  • I think the problem is you need to switch your netgear  to route mode instead of Nat mode or disable Nat as it implies a firewall and will not route!  Like the other said you need to disable firewall on netgear.  You are better off using a separate interface and assigning that interface on the pfSense.  Switch the netgear ap mode then you have more granular control of your other subnet and don't have to worry about double Nat

