On Sun, 18 Mar 2007 16:24:10 -0400
"Vaughn L. Reid III" <[EMAIL PROTECTED]> wrote:

> I'll post the config file a little later today, when I get to my test 
> box.  In the meantime, I want to make it clear that subnet 2 is not 
> directly connected to the pfsense box.
> 
> Currently, the pfsense box has 4 interfaces:  a Lan interface which is 
> connected to subnet 1, a Wan interface, and 2 Opt interfaces.  Opt 1 is 
> called ATTDSL.  This interface is the point of internet contact for a 
> proxy server that lives on subnet 1 and was configured for this usage 
> via a firewall rule as described in the policy routing tutorial on the 
> pfsense website.  The second Opt interface is called Wireless and will 
> be used to test external VPN connections between offices via 802.11 
> access points.  Subnet 2 is not directly physically connected to the 
> pfsense box.  An openSuse router sits between subnet 1 and subnet 2 and 
> handles routing between these two subnets.
> 
> A review of the symptoms of the problem that I'm having is that when I 
> replace the pfsense with a linksys RV series router or Hotbrick router, 
> both subnet 1 and subnet 2 are able to access the internet and to ping 
> the router.  When the pfsense box is in place, even with explicit rules 
> allowing all traffic to all locations from the entire 192.168.0.0/16 
> network on the LAN interface, the pfsense box explicitly denies and logs 
> all traffic trying to pass to it or through it from subnet 2.
> 
> Vaughn
> 
> sai wrote:
> > On 3/18/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> I have a pfsense firewall in a test network like the one below.
> >>
> >>                        Internet
> >>           provider 1 |          | provider 2
> >>                Pfsense Firewall -- LAN IP 192.168.10.1/24
> >>                        |
> >>                    Subnet 1 -- 192.168.10.x/24
> >>                        |
> >>                Internal Router -- Subnet 1 IP 192.168.10.14 -- Subnet 2 IP 192.168.12.1
> >>                        |
> >>                    Subnet 2 -- 192.168.12.x/24
> >>
> >>
> >> I am having trouble getting the clients on Subnet 2 to get access to
> >> either the Internet or to the interface of the pfsense box.  I have the
> >> following rules entered into the firewall and NAT:
> >> Firewall:
> >> LAN
> >> Allow * from 192.168.0.0/16 to *
> >>
> >> NAT:
> >> Do Outbound NAT on 192.168.0.0/16
> >>
> >> Here are the symptoms of the problem that I'm having.
> >> When I try to ping or connect to the pfsense box from subnet 1, I can
> >> ping and connect to it without any problems.  When I try to ping or
> >> connect to it from subnet 2, the connection is refused.  In addition, I
> >> can connect to Internet resources normally from subnet 1, but not from
> >> subnet 2.
> >>
> >> I thought that maybe the internal router was the problem, so I replaced
> >> the pfsense box with an el-cheapo router and everything worked correctly
> >> from both subnets without any changes to the internal router. I have
> >> also tried specifying allow rules for each subnet in the pfsense
> >> firewall rules page, but that seemed to have no effect.  I am using the
> >> March 18th, 2007 daily build of the pfsense stable.
> >>
> >> I also noticed that the firewall log on the pfsense box is logging that
> >> it is dropping everything that is coming to it from subnet 2.
> >>
> >> If anyone can help me come up with a solution, I'd appreciate it.
> >>
> >> Thanks,
> >>
> >> Vaughn
> >>
> >
> >
> > Firewall Rules > add a rule for the subnet2 interface that allows the 
> > traffic.
> >
> > post the config for the interface and also the firewall rules for  
> > subnet2
> >
> > sai
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> 
> 

adding the rule as previously mentioned should do the trick.  the linksys 
routers and other such don't have the same mandatory ACLs on the internal 
interface like the pf routing would.  i used to have the exact same setup as 
you are describing, and once i added a rule to allow my 10.0.0.0 network access 
(even though just like yours, it didn't have physical access, it had to pass through a 
linux router first), everything started working.

cheers,
jonathan
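As an added illustration (not code from the thread or from pfSense), the following toy model shows the point made above: pfSense rules are bound to the interface a packet enters, and anything no pass rule matches hits the logged default deny, so traffic from the routed subnet 2 arriving on LAN via the internal router is blocked unless a LAN rule's source covers 192.168.12.0/24. Rule sets, packet addresses and the "lan"/"wan" names are constructed for the example; the subnet addresses follow the thread's diagram.

```python
"""Toy model of pfSense-style interface-bound, first-match filtering: rules
are evaluated on the interface a packet ENTERS, and anything no pass rule
matches hits the default deny, which is logged. Subnet addresses follow the
thread's diagram; the rule sets and packets are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    iface: str            # interface the rule is bound to (where traffic enters)
    src: str              # source network in CIDR notation, or "any"
    dst: str = "any"      # destination network in CIDR notation, or "any"
    action: str = "pass"

    def matches(self, iface: str, src_ip: str, dst_ip: str) -> bool:
        if iface != self.iface:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        return self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)

@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def filter(self, iface: str, src_ip: str, dst_ip: str) -> str:
        """First matching rule wins; with no match, block and log (default deny)."""
        for rule in self.rules:
            if rule.matches(iface, src_ip, dst_ip):
                return rule.action
        self.log.append(f"block in on {iface}: {src_ip} -> {dst_ip} (default deny)")
        return "block"

def demo() -> dict:
    """Subnet 1 and the routed subnet 2 both enter pfSense on LAN (via the
    internal router at 192.168.10.14), so a LAN rule must cover subnet 2."""
    narrow = Firewall([Rule("lan", "192.168.10.0/24")])                 # subnet 1 only
    wide = Firewall([Rule("lan", "192.168.0.0/16")])                    # both subnets
    explicit = Firewall([Rule("lan", "192.168.10.0/24"),
                         Rule("lan", "192.168.12.0/24")])               # one rule each
    return {
        "narrow_subnet1": narrow.filter("lan", "192.168.10.20", "203.0.113.10"),
        "narrow_subnet2": narrow.filter("lan", "192.168.12.20", "203.0.113.10"),
        "wide_subnet2": wide.filter("lan", "192.168.12.20", "203.0.113.10"),
        "explicit_subnet2": explicit.filter("lan", "192.168.12.20", "192.168.10.1"),
        "wan_subnet2": wide.filter("wan", "192.168.12.20", "203.0.113.10"),
    }
```

The "narrow_subnet2" case reproduces the symptom described in the thread (blocked and logged on the interface the traffic enters), while the other two LAN rule sets let subnet 2 through.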
