
Author Topic: routing problem between LAN and DMZ net  (Read 190 times)


Offline AMizil

  • Jr. Member
  • Posts: 28
  • Karma: +1/-0
routing problem between LAN and DMZ net
« on: October 07, 2017, 09:51:20 am »
Hello

I set up a pfSense box at a friend's office a couple of years ago as follows:

2.2.1-RELEASE (i386) on an Atom D2500 mainboard, em0 having VLANs: LAN, DMZWIFI - NanoBSD 4G USB stick;
WAN 1 - PPPoE (public IP address 93.11x.y.z/32)
WAN 2 - DHCP (from a 4G router, WAN 2 IP address 192.168.8.1/24)
MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2

LAN address: 192.168.1.x/24 (VLAN 1)
DMZWIFI address: 10.0.2.x/24 (VLAN 2)
DVR IP address: 10.0.2.2
Switch L2 with management 192.168.1.12 (used for testing).

The internet is working OK on both networks, from LAN to any, from DMZWIFI to any except LAN.

The problem is that users from LAN can't access the DVR located on the 10.0.2.2/24 network. In fact I can't access any device on DMZWIFI from LAN.


Primary troubleshooting makes me think that pfSense is routing the 10.0.2.1/x network to its default gateway to the internet. But this only happens when requests are coming from LAN devices; if I ping from pfSense 10.0.2.2


I started a ping from an L2 managed switch 192.168.1.12 to 10.0.2.2 and enabled packet capture on the LAN and WAN of pfSense:

INTERFACE LAN - packet capture
17:11:56.931082 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 0, length 72
17:11:57.931170 IP 192.168.1.12 > 10.0.2.2: ICMP echo request, id 23756, seq 256, length 72
NO RESPONSE BACK ..

INTERFACE WAN - packet capture

17:10:39.683694 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2048, length 72
17:10:40.684302 IP  93.11x.y.z > 10.0.2.2: ICMP echo request, id 1958, seq 2304, length 72


So it makes clear that the packets are routed out the WAN ...

Other considerations:

When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN ..
When I VPN from a remote location I can access the DMZWIFI network !!
When I ping the DMZWIFI from pfSense it is OK ..


Routing table

192.168.1.0/24    link#7    U    2334657    1500    em0_vlan1
10.0.2.0/24    link#8    U    2123003    1500    em0_vlan2

Where is the problem?

Thanks,
Adrian

Offline johnpoz

  • Hero Member
  • Posts: 14299
  • Karma: +1331/-194
  • Not a pfSense employee, they cannot fire me...
Re: routing problem between LAN and DMZ net
« Reply #1 on: October 07, 2017, 10:35:19 am »
"MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN .."

Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network "dmz"?

Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline AMizil

  • Jr. Member
  • Posts: 28
  • Karma: +1/-0
Re: routing problem between LAN and DMZ net
« Reply #2 on: November 04, 2017, 11:17:21 am »
"MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2"
"When I do a traceroute from a Windows computer from LAN to DMZ the packets go out the WAN .."

Well yeah.. If you're forcing traffic out a gateway, how would it get to your other local network "dmz"?

Just create a rule above the rule that is forcing your LAN out the gateway to allow the access you want into the DMZ.

Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing the dual-WAN gateway, placed on top of the default rule to the internet.

BR,
Adrian
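The cause johnpoz describes in Reply #1 and the fix Adrian confirms in Reply #2 come down to pfSense's first-match rule evaluation: a pass rule that carries a gateway (or gateway group) policy-routes every packet it matches, bypassing the routing table, so a catch-all "LAN net to any via MultiWAN group" rule also captures LAN-to-DMZ traffic. The Python model below is an added example written for this thread, not pfSense code or anything from the posters; the rule names, the gateway group name `MultiWAN_Group`, the `WAN1` interface label and the internet test address are assumptions, while the subnets and the routing-table entries are taken from the first post. It evaluates a LAN rule set in order for a given source/destination pair and reports where the packet is sent, for the rule set before and after the fix.

```python
"""
Added example (not from the pfSense forum thread): models pfSense-style
first-match firewall evaluation with policy routing, to show why a
"LAN to any" rule bound to a gateway group sends LAN -> DMZWIFI traffic
out the WAN, and why a plain pass rule placed above it fixes that.
Rule names, the gateway group name and the internet test address are
constructed; subnets and routes come from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def _in(net: str, ip) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    return net == "any" or ip in ip_network(net)


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    gateway: Optional[str] = None  # None = default (use the system routing table)
    desc: str = ""

    def matches(self, src_ip, dst_ip) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


# Routing table from the post: both VLANs are directly connected.
# The default route via WAN 1 (PPPoE) is assumed, not shown in the post.
ROUTING_TABLE = [
    (ip_network("192.168.1.0/24"), "em0_vlan1"),
    (ip_network("10.0.2.0/24"), "em0_vlan2"),
    (ip_network("0.0.0.0/0"), "WAN1"),
]


def system_route(dst_ip) -> str:
    """Longest-prefix match against the routing table."""
    best_net, best_iface = None, None
    for net, iface in ROUTING_TABLE:
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def egress(rules: List[Rule], src: str, dst: str) -> str:
    """Evaluate rules top-down, first match wins, implicit default deny.

    Returns the gateway (group) name when the matching pass rule policy-routes,
    the routing-table egress interface when it does not, or 'blocked'.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            if rule.action != "pass":
                return "blocked"
            if rule.gateway is not None:
                return rule.gateway          # policy routing overrides the routing table
            return system_route(d)           # normal routing: connected VLAN or default
    return "blocked"


# Before the fix: a single LAN rule forcing everything out the gateway group.
BEFORE = [
    Rule("pass", "192.168.1.0/24", "any", gateway="MultiWAN_Group",
         desc="Default LAN to internet via Tier1/Tier2 gateway group"),
]

# After the fix: a gateway-less pass rule for LAN -> DMZWIFI placed ABOVE it.
AFTER = [
    Rule("pass", "192.168.1.0/24", "10.0.2.0/24", gateway=None,
         desc="Allow LAN to DMZWIFI (no gateway set)"),
    Rule("pass", "192.168.1.0/24", "any", gateway="MultiWAN_Group",
         desc="Default LAN to internet via Tier1/Tier2 gateway group"),
]

LAN_SWITCH, DVR = "192.168.1.12", "10.0.2.2"
INTERNET = "203.0.113.10"   # constructed TEST-NET-3 address standing in for "the internet"


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(f"{name:6}: LAN -> DVR      = {egress(rules, LAN_SWITCH, DVR)}")
        print(f"{name:6}: LAN -> internet = {egress(rules, LAN_SWITCH, INTERNET)}")
```

Running it shows the symptom from the packet captures (before the fix, LAN to 10.0.2.2 is handed to the gateway group, which is why the ICMP request appeared on WAN with the public source address) and the repaired behaviour (after the fix, the same packet is routed to em0_vlan2 while internet-bound traffic still uses the gateway group). The order of the two rules is the whole point: swapping them reproduces the original problem.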