I have a network setup with two LANs, SYS and INT, connected via a pfSense firewall.
Firewall permits SYS to access INT but blocks INT from accessing SYS.
My FreeNAS has two network interfaces, the webGUI is on SYS, from now on called ifSYS,
and the "share" interface is on INT, from now on called ifINT.
When both ifSYS and ifINT are connected and I ping ifINT from SYS I get replies but
when I disconnect ifSYS I don't get ping replies any more.
Still, the firewall and computers on INT get ping replies from ifINT when ifSYS is disconnected.
FreeNAS default gateway is set to firewall INT interface but I've tried without default gateway and
also default gateway set to firewall SYS interface but that doesn't make any difference.
If I do a pfSense packet capture on ifINT when pinging it from firewall I can see both requests and replies,
but when I ping ifINT from SYS I only see the requests, no replies.
That the firewall doesn't see the replies indicates that FreeNAS is bypassing the firewall, replying directly
from ifSYS and not from the pinged interface, ifINT.
Is that really how it should be? Shouldn't each interface be independent?
Does this mean that the FreeNAS actually has routing functionality activated?
Is there any way to modify the configuration so that packets go the right way?
I'm running FreeNAS 11.3 on a "maxed out" PowerEdge 2900 gen.III and my switches are Catalyst 2960-G
...and here's the ifconfig output:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: member of lagg0
	options=c01ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
	ether 00:1b:21:aa:c7:c8
	hwaddr 00:1e:4f:30:47:16
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: member of lagg0
	options=401ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 00:1b:21:aa:c7:c8
	hwaddr 00:1b:21:aa:c7:c8
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: member of lagg0
	options=401ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 00:1b:21:aa:c7:c8
	hwaddr 00:1b:21:aa:c7:c9
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: member of lagg0
	options=401ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 00:1b:21:aa:c7:c8
	hwaddr 00:1b:21:aa:c7:cc
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: member of lagg0
	options=401ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 00:1b:21:aa:c7:c8
	hwaddr 00:1b:21:aa:c7:cd
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: sys
	options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
	ether 00:1e:4f:30:47:14
	hwaddr 00:1e:4f:30:47:14
	inet 192.168.100.27 netmask 0xffffff00 broadcast 192.168.100.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: int
	options=401ba<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether 00:1b:21:aa:c7:c8
	inet 192.168.101.56 netmask 0xffffff00 broadcast 192.168.101.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: active
	groups: lagg
	laggproto lacp lagghash l2,l3,l4
	laggport: bce0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
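
Added illustration, not part of the original post: a Python model of the destination-based route lookup a multihomed host performs, with its connected routes parsed from the two `inet` lines of the ifconfig output above. The SYS client 192.168.100.10 and the INT host 192.168.101.20 are assumed addresses; the default route is taken to leave on lagg0 because the post says the default gateway is the firewall's INT interface.

```python
import ipaddress
import re

# Trimmed from the ifconfig output in the post (only the lines the parser needs).
IFCONFIG = """\
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.100.27 netmask 0xffffff00 broadcast 192.168.100.255
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.101.56 netmask 0xffffff00 broadcast 192.168.101.255
"""

DEFAULT_IF = "lagg0"           # default gateway = firewall INT interface (per the post)
SYS_CLIENT = "192.168.100.10"  # assumed address of a pinging host on SYS
INT_HOST = "192.168.101.20"    # assumed address of a host on INT


def connected_routes(text):
    """Return [(network, ifname)] for every IPv4 address in ifconfig output."""
    routes, ifname = [], None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            ifname = head.group(1)
            continue
        m = re.search(r"inet (\S+) netmask 0x([0-9a-f]{8})", line)
        if m and ifname:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{mask}")
            routes.append((iface.network, ifname))
    return routes


def egress(dst, routes, default_if=DEFAULT_IF):
    """Destination-based lookup: longest matching prefix, else the default route."""
    dst = ipaddress.IPv4Address(dst)
    hits = [(net.prefixlen, ifn) for net, ifn in routes if dst in net]
    return max(hits)[1] if hits else default_if


def reply_path(src, arrived_on, routes):
    """Interface the echo reply leaves on, and whether it retraces the request."""
    out = egress(src, routes)
    return out, out == arrived_on


if __name__ == "__main__":
    for src in (SYS_CLIENT, INT_HOST):  # both requests arrive on lagg0
        print(src, reply_path(src, "lagg0", connected_routes(IFCONFIG)))
```

The lookup keys only on the reply's destination, so the interface the request arrived on plays no part in choosing where the reply leaves.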