CG keeps blocking incoming traffic on the external interface

Discuss and get help to configure the firewall
marcdeb
Posts: 1
Joined: 06 Jun 2018 13:56

CG keeps blocking incoming traffic on the external interface

Post by marcdeb »

Lo,

First post. :lol:

I'm testing CG in a setup where CG would be in between clients and a pfSense based router.

The clients' LAN is 192.168.100.0/24. In this LAN, CG has IP 192.168.100.2 (internal interface) and will be the default gateway for these clients.
CG's external interface is 192.168.110.2 and is connected to pfSense with address 192.168.110.1.
CG has 192.168.110.1 as its default gateway.

CG's SNAT is turned off. Also the IP firewall is turned off.

On pfSense, there is a static route: 192.168.100.0/24 via 192.168.110.2.

But from pfSense, I cannot ping 192.168.100.2 or any other client in 192.168.100.0/24. Using tcpdump, I can tell that pfSense did put it on the right interface, aiming at 192.168.110.2, but there is no response.

CG's log tells me it is blocking it (Internal rule "Policy"). The firewall is off. I tried to add "allow any any" rules to no effect. It should not matter because the firewall is off, but nevertheless...

Any thoughts? I just want CG to be a router. No NATting, no firewalling.

Thanks,
Marc.
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: CG keeps blocking incoming traffic on the external interface

Post by david »

Hi,

Thank you for this first post.

You must be aware that any attempt to ping CG's internal interface from the external zone is denied by CG, so it's normal if you can't ping 192.168.100.2 from the pfSense. However, you should be able to ping other machines in your configuration (mode firewall off).

I just reproduced your configuration in our lab, tested the whole thing and have been able to ping a PC on the internal zone (192.168.100.0/24) from the pfSense. Did you also activate the router mode on your CG (mode router on)? Can you ping a public IP address from a machine on your LAN?

I would also suggest that you verify the following:

- There are no local firewall rules on the machines that you try to ping from the pfSense.
- There is no asymmetric routing in your environment.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
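As an added example (not code from either post or from CacheGuard), here is a small Python model of the topology described in the thread that checks the two routing points raised above: that pfSense's static route sends 192.168.100.0/24 via CG, and that the return path is the forward path reversed (no asymmetric routing). The client address 192.168.100.10 and the pfSense WAN addresses 203.0.113.x are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's topology: per node, a routing table of
# (prefix, next_hop, egress_ip); next_hop None means directly connected.
ROUTES = {
    "client":  [("192.168.100.0/24", None, "192.168.100.10"),
                ("0.0.0.0/0", "192.168.100.2", "192.168.100.10")],   # gw = CG
    "cg":      [("192.168.100.0/24", None, "192.168.100.2"),
                ("192.168.110.0/24", None, "192.168.110.2"),
                ("0.0.0.0/0", "192.168.110.1", "192.168.110.2")],    # gw = pfSense
    "pfsense": [("192.168.110.0/24", None, "192.168.110.1"),
                ("192.168.100.0/24", "192.168.110.2", "192.168.110.1"),  # static route
                ("0.0.0.0/0", "203.0.113.1", "203.0.113.2")],       # assumed WAN
}
# Which node owns which address (used to follow next hops).
ADDRS = {"192.168.100.10": "client", "192.168.100.2": "cg",
         "192.168.110.2": "cg", "192.168.110.1": "pfsense", "203.0.113.2": "pfsense"}

def lookup(node, dst):
    """Longest-prefix match on a node's table; returns next_hop or None if no route."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh, _egress in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best  # (network, next_hop) or None

def trace(src_node, dst_ip, max_hops=8):
    """Hop-by-hop list of node names from src_node to dst_ip, like a tiny traceroute."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if ADDRS.get(dst_ip) == node:
            return path
        r = lookup(node, dst_ip)
        if r is None:
            return path + ["<no route>"]
        nh = r[1] or dst_ip            # directly connected: hand to the host itself
        node = ADDRS.get(nh)
        if node is None:               # next hop is outside the modelled network
            return path + ["<unreachable " + nh + ">"]
        path.append(node)
    return path + ["<loop>"]

def is_symmetric(a_node, a_ip, b_node, b_ip):
    """Asymmetric-routing check: the reply path must be the forward path reversed."""
    return trace(a_node, b_ip) == trace(b_node, a_ip)[::-1]

def pfsense_without_static_route():
    """Shows why the static route matters: without it, pings to the LAN leak to the WAN gateway."""
    saved = ROUTES["pfsense"]
    ROUTES["pfsense"] = [r for r in saved if r[0] != "192.168.100.0/24"]
    try:
        return trace("pfsense", "192.168.100.10")
    finally:
        ROUTES["pfsense"] = saved
```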