Thanks for your reply. I agree with you that the setup is kinda weird, and that connecting that subnet directly to pfSense is better, but the problem here is that this subnet is connected via a leased line. Besides, I can see that happening anywhere, a static route to some subnet that's behind its own gateway !!! It happens a lot !! And btw, I tried enabling static route filtering, but it didn't work.
On Mon, Aug 25, 2008 at 5:54 PM, RB <[EMAIL PROTECTED]> wrote:
> I seriously doubt this is a bug; you're doing strange, arguably wrong
> things with your routing.
>
> IF: you want pfSense to arbitrate all the traffic between
> 192.168.20.0/24 and 192.168.30.0/24, it is inadvisable to use the
> setup you currently have. Instead of having the 192.168.30.0/24
> gateway on the same L2 broadcast as 192.168.20.0/24, place it on a
> different interface on the pfSense box, whether by physical interface
> or VLAN (if your switch supports trunking).
>
> IF: you just want 192.168.20.0/24 and 192.168.30.0/24 to communicate
> freely w/o going through the pfSense box, the way you have things
> configured now stipulates you'll have to place a static route on all
> 192.168.20.0/24 boxes pointing at 192.168.20.253 for the
> 192.168.30.0/24 subnet. The hosts in 192.168.30.0/24 shouldn't have
> to make any changes, as their gateway should take care of the routing.
>
> The classical (but often ignored in SOHO setups due to cost) solution
> would be to place each subnet on its own switch, each of which is
> connected up to a central router, which stands between them and the
> firewall (preemptive apologies to those using variable-width fonts):
>
>                        Internet
>                      pub.??? ->|
>                         pfSense
>                   192.168.XXX.1 ->|
>                   192.168.XXX.2 ->|
>                            R
>          192.168.20.1 ->/   \<- 192.168.30.1
>                        /     \
>                       S-     -S
>                      /|\     /|\
>                     / | \   / | \
>                    .20/24   .30/24
>
> The first solution just shifts the router functionality up to the
> pfSense box, since pfSense does work quite well as a router.
>
> Finally, the least advisable (in my opinion) approach would be to set
> "System->Advanced->Static Route Filtering" in the pfSense web UI. It
> will most likely enable you to do precisely what you are trying to do,
> but given the current evidence of your network-fu will likely be the
> hardest to troubleshoot should something go wrong.
>
>> Hello everyone,
>> I've a problem with 1.2.1-RC1 which is very weird.
>> I've a simple setup that has pfSense as an internet gateway for two
>> subnets ...the setup is as follows:
>>
>> 192.168.10.0/24                      192.168.20.0/24
>>       |
>>       |
>>       |
>>       |
>> -------------------   192.168.20.253   ---------
>> |  10.0 gateway   |----------------------| switch |
>> -------------------                      ---------
>>                                               |
>>                                         192.168.20.1
>>                                         -------------
>>                                         |  pfSense  |-------internet
>>                                         -------------
>>
>> Now here's the problem, obviously I need a static route entry that routes
>> traffic to 192.168.10.0 network through 192.168.20.253 gateway so that
>> 20.0 network connects to 10.0 network and vice versa. After configuring the
>> firewall properly, 10.0 network is able to ping hosts in 20.0 network and
>> vice versa....but when a host behind the gateway "in 10.0" network tries to
>> connect to any host in 20.0 network, the request gets routed correctly and
>> it reaches 20.0 but the reply "which should be redirected by pfSense to the
>> gateway" gets blocked by pfSense and I see that in the log.
>> Now, I tried everything, I added a first rule in the NAT interface to
>> allow all traffic from 20.0 to 10.0, it didn't work, I tried to even remove
>> ALL the rules and add a rule that allows from anyone to anyone using any
>> protocol, but to no avail :( ..the log shows that such packets "ex from
>> 192.168.20.5 to 192.168.10.2 tcp" are dropped due to "default deny all"
>> ..It only works when I disable the firewall totally !!
>> I suspect that this is a bug, please help, it's a very basic setup where
>> I need to route packets through another gateway !!
>>
>

-- 
Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com
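The asymmetric path behind the "default deny" drops in this thread, as an added example that is not part of the thread or of pfSense (node names, the .10.2 and .20.5 host addresses and the "internet" node are assumptions): it traces both directions of a flow through longest-prefix-match routing tables and reports whether a stateful firewall sees only one side of the conversation, and then re-checks after adding the per-host static route RB suggests.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses not quoted in the thread
# (the .10.2 and .20.5 hosts, the "internet" node) are assumptions.
# Each node: (interface addresses with mask, static routes prefix -> next-hop node)
NET = {
    "host10":   (["192.168.10.2/24"], {"0.0.0.0/0": "gw10"}),
    "gw10":     (["192.168.10.1/24", "192.168.20.253/24"], {"0.0.0.0/0": "pfsense"}),
    "pfsense":  (["192.168.20.1/24"], {"192.168.10.0/24": "gw10", "0.0.0.0/0": "internet"}),
    "host20":   (["192.168.20.5/24"], {"0.0.0.0/0": "pfsense"}),
    "internet": ([], {}),
}

def owner(net, ip):
    """Node that holds address ip, or None."""
    for node, (ifaces, _) in net.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in ifaces):
            return node
    return None

def next_hop(net, node, dst):
    ifaces, routes = net[node]
    for i in ifaces:  # directly connected subnet: deliver on L2, no router involved
        if dst in ipaddress.ip_interface(i).network:
            return owner(net, dst) or "unreachable"
    matches = [ipaddress.ip_network(p) for p in routes if dst in ipaddress.ip_network(p)]
    if not matches:
        return "unreachable"
    return routes[str(max(matches, key=lambda n: n.prefixlen))]  # longest prefix wins

def trace(net, src, dst):
    """Ordered list of nodes a packet from node src to address dst passes through."""
    dst = ipaddress.ip_address(dst)
    path = [src]
    while path[-1] in net and path[-1] != owner(net, dst) and len(path) < 16:
        path.append(next_hop(net, path[-1], dst))
    return path

def stateful_view(net, fw, a, b):
    """Which directions of the a<->b flow the stateful firewall fw actually sees.
    If only one side passes fw, there is no state entry and the packets it does
    see hit the default deny, which is what the log in the thread shows."""
    fwd = fw in trace(net, owner(net, ipaddress.ip_address(a)), b)
    rev = fw in trace(net, owner(net, ipaddress.ip_address(b)), a)
    return {"forward": fwd, "reverse": rev, "asymmetric": fwd != rev}

def with_route(net, node, prefix, via):
    """Copy of net with one static route added on node (RB's second option)."""
    new = {n: (list(i), dict(r)) for n, (i, r) in net.items()}
    new[node][1][prefix] = via
    return new

if __name__ == "__main__":
    print(stateful_view(NET, "pfsense", "192.168.10.2", "192.168.20.5"))
    fixed = with_route(NET, "host20", "192.168.10.0/24", "gw10")
    print(stateful_view(fixed, "pfsense", "192.168.10.2", "192.168.20.5"))
```

Moving the 10.0 gateway onto its own pfSense interface (RB's first option) makes both traces pass through pfSense instead, which is the other symmetric outcome.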
