My guess is 172.16.11.x isn't being NATed through the firewall. Tcpdump
on the WAN interface should reveal if it's even getting out and, if so, what
address it is being sourced with. Not sure what could be going on with
OPT1, OPT3 and OPT4. Could you send the output of netstat -rn also?
(route table)


tcpdump -ni $wanif 'host $inter-router'

Assuming that is what you are trace routing to.
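As an added illustration of the tcpdump check suggested above (example code, not part of the original thread): a Python filter over constructed `tcpdump -n` output that flags packets leaving the WAN whose source address still belongs to one of the internal subnets from the diagram, which is exactly what traffic that missed outbound NAT looks like on the wire.

```python
import ipaddress
import re

# tcpdump -n prints "IP src.port > dst.port:" for TCP/UDP and "IP src > dst:"
# for ICMP. Assumption: IPv4 only, as in the thread.
_PKT = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# The routed subnets behind the LAN, taken from the diagram in the thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/23", "172.16.11.0/24")]


def leaked_sources(lines, internal_nets=INTERNAL_NETS):
    """Return the set of internal source addresses seen leaving the WAN unchanged.

    A packet on the WAN whose source is still an internal (RFC 1918) address
    was routed out without matching any outbound NAT rule; the upstream router
    has no route back to it, so the reply never returns and the host sees a
    black hole, as in the traceroute in the thread.
    """
    leaked = set()
    for line in lines:
        m = _PKT.search(line)
        if not m:
            continue  # not a packet summary line (e.g. tcpdump banner)
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in internal_nets):
            leaked.add(str(src))
    return leaked


# Constructed sample of what "tcpdump -ni $wanif" might print; not real capture data.
# 203.0.113.5 stands in for the firewall's public WAN address.
SAMPLE_WAN_CAPTURE = [
    "15:28:01.100000 IP 203.0.113.5.51000 > 198.51.100.1.80: Flags [S], seq 1, win 65535, length 0",
    "15:28:01.200000 IP 172.16.11.25.33434 > 198.51.100.1.33435: UDP, length 32",
    "15:28:01.300000 IP 172.16.11.25 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64",
    "15:28:01.400000 IP 198.51.100.1.80 > 203.0.113.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    for src in sorted(leaked_sources(SAMPLE_WAN_CAPTURE)):
        print(f"un-NATed source seen on WAN: {src}")
```

If the capture shows no packets from 172.16.11.x at all, the traffic is being dropped before it reaches the WAN (rule or route problem rather than NAT).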

-----Original Message-----
From: Ted Crow [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 25, 2005 3:28 PM
To: Bill Marquette
Cc: support@pfsense.com
Subject: RE: [pfSense Support] Running multiple routed subnets on LAN interface

I'll try to bump up to the latest version tonight and see what happens.
Hopefully no crash this time...

Anyway, here is a rough diagram, if you *really* want a Visio drawing I
can do that too:

====================================================================

+-----------------+
| Internet Router |
|  Public Block   |
+-----------------+
         ^
         |
         v <-WAN
+------------------+       
| pfSense Firewall |<---> OPT1 (172.16.2.1/24)
|    172.16.0.1    |<---> OPT2 (Public, Bridged with WAN)
|                  |<---> OPT3 (172.16.3.1/24)
|                  |<---> OPT4 (172.16.4.1/24)
+------------------+
         ^ <-LAN
         |    
         v                    
  +---------------+     +---------------+        +----------------+  
  |  Core Switch  |-----|   core-side   |->[T1]<-|  remote-side   |
  | 172.16.0.x/23 |     | 172.16.0.2/23 |        | 172.16.11.1/24 |
  +---------------+     +---------------+        +----------------+
       | | | |                                         |  |
+--------------------+                       +--------------------+
|    Core Network    |                       |   Remote Network   |
|   172.16.0.x /23   |                       |   172.16.11.x/24   |
+--------------------+                       +--------------------+

====================================================================

The firewall has the static route: Interface: LAN, NW:172.16.11.0/24,
GW:172.16.0.2
There is a pass rule on LAN: 172.16.11.0/24 -> any 

Core gateway of last resort is 172.16.0.1
Remote gateway of last resort is 172.16.0.1 (Also tried 172.16.0.2)
The Serial (T1) interface of each router is unnumbered to Ethernet.
All routers are running IOS 12.3+

Core network default gateway: 172.16.0.1
Remote network default gateway: 172.16.11.1 

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 25, 2005 4:06 PM
To: Ted Crow
Cc: support@pfsense.com
Subject: Re: [pfSense Support] Running multiple routed subnets on LAN interface

iy yi yi...I can't ever begin to remember what bugs lurked back that
far.  Any chance you can upgrade to current?  We're fixing stuff left
and right, I'm not going to go back through the last three months
changelogs to see if we've already fixed whatever might be affecting you
(if anything).  If it's still affecting you on something recent
(preferably .80 at a minimum) we can take a look.

--Bill

PS. I agree with John, we need a network diagram.  If you don't have
Visio, please use Dia (http://www.gnome.org/projects/dia/)

On 8/25/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> I am (still) running pfSense 70.4 and I am in the process of adding a 
> routed subnet to my LAN.
> 
> I don't have any trouble seeing the remote LAN from my core LAN, nor 
> any trouble seeing the core LAN from the remote LAN.  But, my remote 
> LAN gets no responses from devices on any other interface on the
> firewall.
> 
> The routing appears to be correct as far as I can tell using 
> traceroute/ping.  I can ping machines on the remote LAN from the 
> firewall, and the firewall from the remote network.  The firewall 
> appears to be black-holing the remote LAN traffic.
> 
> -- From REMOTE LAN --
> Tracing the route to xx.xx.xx.xx (public)
> 
>   1 1 ms    1 ms    1 ms    172.16.11.1 <--- New Remote (172.16.11/24)
>   2 4 ms    4 ms    4 ms    172.16.0.2  <--- Internal Router (172.16.0/23)
>   3 5 ms    5 ms    5 ms    172.16.0.1  <--- pfSense Firewall (172.16.0/23)
>   4  *       *       *                  <--- should be Gateway Router (public)
>   5  *       *       *                  <--- should be ISP Router (public)
>   ...                                   <--- on to oblivion
> 
> I do have a LAN rule explicitly allowing the remote subnet to have 
> full access to "any^3".
> 
> Any ideas?  Or do I just need to get the latest version of pfSense on 
> the box?
> 
> Ted Crow
> MCP/W2K
> Information Technology Manager
> Tuttle Services, Inc.
> (419) 228-6262 x 247
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
