pfSense English Support > Routing and Multi WAN

pfSense not routing traffic


bryanz:
Hello, for some reason I can't pass traffic between my LAN and WAN interfaces in either direction, no matter what I try. I have pfSense 1.0.1 embedded on a Soekris net4501. My config is attached. I have a computer with an IP of 192.168.1.2 attached to my LAN interface of 192.168.1.1. My WAN interface is a wireless card with an IP of 192.168.0.50 associated with a WEP protected network. My default gateway is another wireless router with an internal IP of 192.168.0.1 and a public external IP. I have placed a route in the default gateway router to route all 192.168.1.x traffic to 192.168.0.50. I have disabled "Block private networks" on my WAN interface, permitted all IP traffic from LAN to WAN as well as WAN to LAN, enabled "Advanced outbound NAT", and deleted all NAT rules.

From the pfSense web interface I can ping the computer on my LAN interface and the default gateway on my WAN interface. From the computer on my LAN interface I can ping as far as my WAN interface at 192.168.0.50, but I can't ping the default gateway at 192.168.0.1. From the default gateway I can ping as far as my LAN interface at 192.168.1.1, but I can't ping the computer at 192.168.1.2. I've been beating on this for the last day but haven't figured out what the problem is. Does anyone have any suggestions?

Thanks,
-Bryan


<?xml version="1.0" ?>
<pfsense>
  <version>2.3</version>
  <lastchange />
  <theme>pfsense</theme>
  <system>
    <optimization>aggressive</optimization>
    <hostname>xxxx</hostname>
    <domain>xxxx</domain>
    <username>xxxx</username>
    <password>xxxx</password>
    <timezone>America/Los_Angeles</timezone>
    <time-update-interval />
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <port />
      <certificate />
      <private-key />
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <dnsserver>192.168.0.1</dnsserver>
    <dnsallowoverride />
    <ssh>
      <port />
    </ssh>
    <maximumstates />
  </system>
  <interfaces>
    <lan>
      <if>sis0</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <media />
      <mediaopt />
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
    </lan>
    <wan>
      <if>wi0</if>
      <mtu />
      <media />
      <mediaopt />
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
      <spoofmac />
      <wireless>
        <standard>11b</standard>
        <mode>bss</mode>
        <protmode>off</protmode>
        <ssid>xxxx</ssid>
        <channel>0</channel>
        <authmode />
        <txpower>99</txpower>
        <distance />
        <wpa>
          <macaddr_acl />
          <auth_algs>1</auth_algs>
          <wpa_mode>1</wpa_mode>
          <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
          <wpa_pairwise>CCMP TKIP</wpa_pairwise>
          <wpa_group_rekey>60</wpa_group_rekey>
          <wpa_gmk_rekey>3600</wpa_gmk_rekey>
          <passphrase />
          <ext_wpa_sw />
        </wpa>
        <wep>
          <enable />
          <key>
            <value>0xxxxx</value>
          </key>
        </wep>
      </wireless>
      <disableftpproxy />
      <ipaddr>192.168.0.50</ipaddr>
      <subnet>24</subnet>
      <gateway>192.168.0.1</gateway>
    </wan>
  </interfaces>
  <staticroutes />
  <pppoe />
  <pptp />
  <bigpond />
  <dyndns>
    <type>dyndns</type>
    <username />
    <password />
    <host />
    <mx />
  </dyndns>
  <dhcpd>
    <lan>
      <enable />
      <range>
        <from>192.168.1.10</from>
        <to>192.168.1.245</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <mode />
    <redir />
    <localip />
    <remoteip />
  </pptpd>
  <ovpn />
  <dnsmasq>
    <enable />
  </dnsmasq>
  <snmpd>
    <syslocation />
    <syscontact />
    <rocommunity>xxxx</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat />
  </diag>
  <bridge />
  <syslog />
  <nat>
    <ipsecpassthru />
    <advancedoutbound>
      <enable />
    </advancedoutbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any />
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <max-src-nodes />
      <max-src-states />
      <statetimeout />
      <statetype>keep state</statetype>
      <os />
      <source>
        <any />
      </source>
      <destination>
        <any />
      </destination>
      <descr />
    </rule>
  </filter>
  <ipsec>
    <preferredoldsa />
  </ipsec>
  <aliases />
  <proxyarp />
  <wol />
  <installedpackages />
  <revision>
    <description>/firewall_rules_edit.php made unknown change</description>
    <time>1162942292</time>
  </revision>
</pfsense>

hoba:
Tracerouting from both directions might help to find out where it goes wrong. Also make sure all your clients behind LAN use the pfSense LAN IP as gateway.

bryanz:
Here's a traceroute from the computer on the LAN interface to the pfSense router's default gateway:

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 40 byte packets
 1  none (192.168.1.1)  1.312 ms  1.307 ms  1.223 ms
 2  none (192.168.1.1)  1.548 ms !H  1.831 ms !H  1.634 ms !H


Here's a telnet from that same system to the web interface of the default gateway. This is another reason why I think it's a routing issue in the pfSense box:

root@laptop:~# telnet 192.168.0.1 80
Trying 192.168.0.1...
telnet: Unable to connect to remote host: No route to host


Here are the relevant states from the pfSense box for that connection attempt:

tcp     192.168.1.2:50639 -> 192.168.0.1:80     SYN_SENT:CLOSED
tcp    192.168.0.1:80 <- 192.168.1.2:50639    CLOSED:SYN_SENT


Here are the routes from the pfSense box:

default    192.168.0.1    UGS    0    98    1500    wi0
127.0.0.1    127.0.0.1    UH    0    0    16384    lo0
192.168.0    link#1    UC    0    0    1500    wi0
192.168.0.1    00:0f:66:47:66:2b    UHLW    2    32    1500    wi0    1170
192.168.1    link#2    UC    0    0    1500    sis0
192.168.1.2    00:00:86:46:66:c4    UHLW    1    2982    1500    sis0    984


Here's a traceroute from a system on the WAN interface to the computer on the LAN interface:

bob:~ bob$ traceroute -n 192.168.1.2
traceroute to 192.168.1.2 (192.168.1.2), 64 hops max, 40 byte packets
 1  192.168.0.50  6.358 ms  7.898 ms  7.317 ms
 2  * * *
 3  * * *^C


It's almost as if pfSense is ignoring the routes for the directly attached networks. It will route packets from one side to the other, but only to its interface, not any other hosts.
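A small added diagnostic, not from the thread or from pfSense, that reads the route table and pf state lines posted above (the sample input is copied from them) and reports, per state, whether routing would forward the flow between two interfaces and whether the peer ever answered. pf creates a state only after accepting the first packet, so SYN_SENT beside a CLOSED peer means the filter passed the SYN and the failure lies after routing; the expansion of netstat's abbreviated networks to /24 and the longest-prefix lookup are assumptions about the output format.

```python
import ipaddress
import re
# Constructed sample input, copied from the netstat and state output posted above.
ROUTES = """\
default    192.168.0.1    UGS    0    98    1500    wi0
192.168.0    link#1    UC    0    0    1500    wi0
192.168.0.1    00:0f:66:47:66:2b    UHLW    2    32    1500    wi0    1170
192.168.1    link#2    UC    0    0    1500    sis0
192.168.1.2    00:00:86:46:66:c4    UHLW    1    2982    1500    sis0    984
"""
STATES = """\
tcp     192.168.1.2:50639 -> 192.168.0.1:80     SYN_SENT:CLOSED
tcp    192.168.0.1:80 <- 192.168.1.2:50639    CLOSED:SYN_SENT
"""
STATE_RE = re.compile(r"^\w+\s+(\S+):\d+\s+(->|<-)\s+(\S+):\d+\s+(\S+):(\S+)$")

def parse_routes(text):
    """(network, interface) pairs from netstat -rn lines: dest gw flags refs use mtu netif.
    Assumption: netstat drops trailing zero octets, so '192.168.0' means 192.168.0.0/24."""
    routes = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        dest, flags, iface = f[0], f[2], f[6]
        if dest == "default":
            net = "0.0.0.0/0"
        elif "H" in flags:                              # host route
            net = dest + "/32"
        else:
            o = dest.split(".")
            net = ".".join(o + ["0"] * (4 - len(o))) + "/%d" % (8 * len(o))
        routes.append((ipaddress.ip_network(net), iface))
    return routes

def egress_interface(routes, ip):
    """Longest-prefix match, the way the kernel picks the outgoing interface."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, i) for n, i in routes if addr in n]
    return max(hits)[1] if hits else None

def diagnose(routes_text, states_text):
    """Per pf state: interfaces the flow enters and leaves, and whether the peer
    answered (a CLOSED peer next to SYN_SENT means no SYN/ACK was ever seen)."""
    routes, report = parse_routes(routes_text), []
    for m in filter(None, map(STATE_RE.match, states_text.splitlines())):
        left, arrow, right, lstate, rstate = m.groups()
        # pf prints left -> right (outbound) or left <- right (inbound); normalise to src/dst
        src, dst, dst_state = (left, right, rstate) if arrow == "->" else (right, left, lstate)
        in_if, out_if = egress_interface(routes, src), egress_interface(routes, dst)
        report.append({"src": src, "dst": dst, "in_if": in_if, "out_if": out_if,
                       "forwarded": in_if != out_if, "peer_replied": dst_state != "CLOSED"})
    return report
```

Run against the posted data both state lines resolve to the same flow: it enters on sis0, routing sends it out wi0, and the peer never replied, which is consistent with the "No route to host" seen on the LAN client.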

rsubr:
Check Interfaces -> WAN -> and ensure that the "Block private networks" option is disabled.

bryanz:
Yup, I mentioned that I checked that earlier. Thanks though.
