I've been employing a terrible hack where I had an IP alias on my LAN interface in order to allow me to use multiple subnets on the same physical network. I'm trying to correct that, but I'm running into problems with routing between interfaces.
My network looks like this:

    DSL service (pppoe) ---|              |-- LAN1 (10.0.1.0/24)
                           |-- pfsense --|
    Cable service (em3) ---|              |-- LAN2 (216.235.10.32/28)

There's one more RFC1918 LAN than shown, but I'm trying to keep this explanation simple and clear.

I have Gateway Groups and NAT rules that result in the following:

1) Anything sourced from the routable block goes out the DSL service interface without being NAT'd, unless the DSL is down, in which case it gets NAT'd out the cable interface.
2) Anything sourced from an RFC1918 address is NAT'd and load balanced out the two interfaces.

pfsense has built what looks like a sane routing table on the firewall:

    # netstat -rn -f inet
    Routing tables

    Internet:
    Destination        Gateway            Flags    Netif Expire
    default            216.235.0.20       UGS     pppoe0
    10.0.1.0/24        link#10            U     em0_vlan
    10.0.1.1           link#10            UHS        lo0
    10.0.6.0/24        link#2             U          em1
    10.0.6.1           link#2             UHS        lo0
    127.0.0.1          link#8             UH         lo0
    135.23.141.64/27   link#4             U          em3
    135.23.141.77      link#4             UHS        lo0
    216.235.0.20       link#11            UH      pppoe0
    216.235.8.92       link#11            UHS        lo0
    216.235.10.32/28   link#9             U     em0_vlan
    216.235.10.33      link#9             UHS        lo0

The weird thing is, if I do a traceroute from one of the routable addresses to an RFC1918 address on LAN1, I get responses from routers outside my network on the DSL service, implying that pfsense isn't doing interface forwarding internally.
    % ifconfig en0
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
        ether 00:25:00:f3:86:4f
        inet6 fe80::225:ff:fef3:864f%en0 prefixlen 64 scopeid 0x4
        inet 216.235.10.37 netmask 0xfffffff0 broadcast 216.235.10.47
        nd6 options=1<PERFORMNUD>
        media: autoselect (1000baseT <full-duplex,flow-control>)
        status: active
    % netstat -rn | grep default
    default            216.235.10.33      UGSc           30      599     en0
    % traceroute 10.0.1.43
    traceroute to 10.0.1.43 (10.0.1.43), 64 hops max, 52 byte packets
     1  agg2.tor.egate.net (216.235.0.24)  5.173 ms  4.967 ms  4.698 ms
     2  vl501.ge-0-0-0.bdr2.tor.egate.net (216.235.0.133)  4.725 ms  4.998 ms  5.363 ms
     3  ge-1-1-0.407.bb4.yyz1.neutraldata.net (204.16.202.170)  6.239 ms !N  5.170 ms !N  5.815 ms !N

And from a host in the RFC1918 space I get nothing at all useful, which is probably not surprising.

    % netstat -rn -f inet
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            216.235.10.33      UGS         0      583 em0.69
    10.0.1.0/24        link#7             U           0       60 em0.42
    10.0.1.2           link#7             UHS         0        0    lo0
    10.0.6.0/24        link#2             U           0       62    em1
    10.0.6.3           link#2             UHS         0        0    lo0
    127.0.0.1          link#6             UH          0        0    lo0
    216.235.10.32/28   link#8             U           0     1299 em0.69
    216.235.10.34      link#8             UHS         0        0    lo0
    % ifconfig em0.42
    em0.42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether 00:80:2a:e8:37:89
        inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::280:2aff:fee8:3789%em0.42 prefixlen 64 scopeid 0x7
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 42 parent interface: em0
    % traceroute -i em0.42 216.235.10.37
    traceroute to 216.235.10.37 (216.235.10.37), 64 hops max, 52 byte packets
     1  * * *
     2  * * *
     3  * *^C

Any ideas what I've missed? Things I should try to troubleshoot further?
Thanks in advance,
Matt

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
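As an added illustration (not part of Matt's post): the firewall's routing table above lists 10.0.1.0/24 as directly attached, so the kernel table alone would never send 10.0.1.43 out pppoe0. pfSense implements a rule with a gateway (or gateway group) set as a pf route-to rule, which overrides the routing table for packets that match it. The model below parses the posted table, does the longest-prefix lookup, and then shows how a route-to rule covering LAN2 sources captures LAN1-bound traffic, and how a gateway-less pass rule for local destinations evaluated first hands it back to the table. The two rule sets are hypothetical, not Matt's actual configuration.

```python
import ipaddress

# Route lines from the firewall's "netstat -rn -f inet" in the post (header dropped).
NETSTAT = """\
default 216.235.0.20 UGS pppoe0
10.0.1.0/24 link#10 U em0_vlan
10.0.1.1 link#10 UHS lo0
10.0.6.0/24 link#2 U em1
10.0.6.1 link#2 UHS lo0
127.0.0.1 link#8 UH lo0
135.23.141.64/27 link#4 U em3
135.23.141.77 link#4 UHS lo0
216.235.0.20 link#11 UH pppoe0
216.235.8.92 link#11 UHS lo0
216.235.10.32/28 link#9 U em0_vlan
216.235.10.33 link#9 UHS lo0
"""

def parse_routes(text):
    """Return [(network, gateway, interface)] from netstat route lines."""
    routes = []
    for line in text.splitlines():
        dest, gw, _flags, netif = line.split()[:4]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gw, netif))
    return routes

def kernel_route(routes, dst):
    """Longest-prefix match: the interface the routing table alone would pick."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]

def egress(routes, rules, src, dst):
    """First matching pass rule wins. A rule with an interface set models pf
    route-to (pfSense rule with a gateway): the packet leaves that interface
    whatever the table says. A rule with None defers to the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, gw_if in rules:
        if s in src_net and d in dst_net:
            return gw_if if gw_if else kernel_route(routes, dst)
    return kernel_route(routes, dst)

ROUTES = parse_routes(NETSTAT)
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN1 = ipaddress.ip_network("10.0.1.0/24")
LAN2 = ipaddress.ip_network("216.235.10.32/28")
# Hypothetical rule sets: rule 1 of the post as a route-to rule on its own, and
# the same rule preceded by a gateway-less pass for locally attached destinations.
POLICY_OBSERVED = [(LAN2, ANY, "pppoe0")]
POLICY_LOCAL_FIRST = [(LAN2, LAN1, None)] + POLICY_OBSERVED
```

Run against the posted addresses, `egress(ROUTES, POLICY_OBSERVED, "216.235.10.37", "10.0.1.43")` yields pppoe0, matching the traceroute, while `POLICY_LOCAL_FIRST` yields em0_vlan.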