Netgate Discussion Forum

    Issues with Subnet behind UDM Pro

    Category: OpenVPN
      viragomann @Misinthe

      @misinthe said in Issues with Subnet behind UDM Pro:

      but I've added a rule on Internet In, Internet Local, LAN In and LAN Local to allow traffic coming from 10.20.50.0 and it still won't work

      Not even from 10.20.50.0/24 like ping from pfSense?

      Consider that access from the VPN client has an IP out of its tunnel network pool as source, so it's from outside of 10.20.50.0/24 and won't be covered by this rule.

      However, I'm still suspecting that the LAN PC is blocking access from outside. To check this out, allow another subnet behind the UDM to access the LAN and try to access from a device within this subnet.

        Misinthe @viragomann

        @viragomann, I can't even ping the 10.10.0.0/24 from the pfSense LAN.
        [screenshot]

        Everything within the UDM works fine; I have 4 different subnets and they work. I also had an L2TP VPN set up on it before I added the pfSense to my setup, and it worked fine.

          viragomann @Misinthe

          @misinthe said in Issues with Subnet behind UDM Pro:

          Everything within the UDM works fine, I have 4 different subnets and they work,

          You want to say that all subnets have internet access, I guess.
          But can you access the main LAN from any other subnet across the UDM?

            Misinthe @viragomann

            @viragomann Well, I have rules to block my IoT and NoT from my main LAN, to be a bit safer.

            [screenshot]

            I've also added this to static routes.
            [screenshot]

            And this rule
            [screenshot]

            And this
            [screenshot]

            I'm not sure what else I can try.

              viragomann @Misinthe

              @misinthe
              You must not state a source port in the rule!
              The source port has to be "any". It can be anything from 1024 to 65535.

              BTW: a route for the pfLAN might be useless, since the network is attached to the UDM directly.

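As an added illustration of two points made in this thread, and not code from the thread or from any UDM or pfSense software: viragomann's earlier note that a VPN client reaches the LAN with a source address from the OpenVPN tunnel pool, so an allow rule for 10.20.50.0/24 never matches it, and the note just above that a fixed source port in an allow rule will not match a client that picks an ephemeral port. The evaluator below is a minimal Python model of "allow" rules. The 10.20.50.0/24 and 10.10.0.0/24 networks come from the thread; the tunnel pool 10.8.0.0/24, the rule names and the packet values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule: source/destination networks plus optional port
    restrictions. A port of None means 'any', as in the UDM rule editor."""
    name: str
    src_net: str
    dst_net: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """A single flow to test. Ports are None for ICMP (ping)."""
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion of the rule matches the packet."""
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    # A fixed source port only matches that exact port; clients normally use
    # a random ephemeral port, so such a rule silently fails to match.
    if rule.src_port is not None and pkt.src_port != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the first matching allow rule, or None (i.e. traffic dropped)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


# Networks from the thread.
PF_LAN = "10.20.50.0/24"     # pfSense LAN
UDM_LAN = "10.10.0.0/24"     # UDM Pro main LAN
# Assumed OpenVPN tunnel network; the thread never states it.
VPN_POOL = "10.8.0.0/24"

# Constructed rule sets: the mistaken rule with a source port, the corrected
# "source port any" rule, and the corrected rule plus one for the VPN pool.
RULE_WITH_SRC_PORT = [Rule("allow-pfLAN-sport-443", PF_LAN, UDM_LAN, src_port=443, dst_port=443)]
RULE_ANY_PORT = [Rule("allow-pfLAN", PF_LAN, UDM_LAN)]
RULES_WITH_VPN = RULE_ANY_PORT + [Rule("allow-vpn-pool", VPN_POOL, UDM_LAN)]

# Constructed sample flows.
PING_FROM_PFSENSE = Packet("10.20.50.1", "10.10.0.5")
HTTPS_FROM_PFLAN_HOST = Packet("10.20.50.10", "10.10.0.5", src_port=51234, dst_port=443)
PING_FROM_VPN_CLIENT = Packet("10.8.0.6", "10.10.0.5")


def demo() -> dict:
    """Evaluate each sample flow against each rule set."""
    return {
        "ping_pfsense_any_port": first_match(RULE_ANY_PORT, PING_FROM_PFSENSE),
        "https_with_src_port_rule": first_match(RULE_WITH_SRC_PORT, HTTPS_FROM_PFLAN_HOST),
        "https_any_port_rule": first_match(RULE_ANY_PORT, HTTPS_FROM_PFLAN_HOST),
        "vpn_client_pflan_rule_only": first_match(RULE_ANY_PORT, PING_FROM_VPN_CLIENT),
        "vpn_client_with_pool_rule": first_match(RULES_WITH_VPN, PING_FROM_VPN_CLIENT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'DROPPED'}")
```

The two dropped results are the ones the thread is about: the rule with a source port of 443 never sees a client that connects from port 51234, and a rule scoped to the pfSense LAN never sees a VPN client whose source is in the tunnel pool, which is why a separate rule for that pool (or NAT on pfSense) is needed.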
                Misinthe @viragomann

                @viragomann Okay, I changed the rule to this, and removed the pfLAN route. (I just added it to see if it would work).

                [screenshots]

                It still won't allow traffic through though.
                [screenshot]

                  viragomann @Misinthe

                  @misinthe
                  Okay. Now you should do some investigation by testing access from another network on the UDM, as I suggested already. You can add a temporary rule to allow access from a specific device, or better allow any and remove other devices temporarily.

                  Alternatively you can sniff the traffic on the UDM main LAN and WAN interface while you ping the LAN from a VPN IP to see where it gets stuck.
                  As the UDM Pro is a router it should offer you this option, but I don't know.
                  Otherwise you won't get any further here, I'm afraid.

                    A Former User @Misinthe

                    @misinthe said in Issues with Subnet behind UDM Pro:

                    I am not sure about this one, how can I verify this?

                    If your 2 routers are connected in the same LAN, then your problem is that it does not allow access between the pfSense WAN and the UDM Pro.

                    That is why I asked you what the WAN IP of your pfSense and your UDM Pro is, so it can be seen in this post that your pfSense and UDM use RFC IPs on the WAN.

                    -IF I'M RIGHT, THEN UNTIL NOW EVERYTHING @viragomann SUGGESTS IS WRONG.

                      Misinthe @Guest

                      @silence @viragomann
                      This might help you understand my network.
                      [screenshot: network diagram]

                        viragomann @Misinthe

                        @misinthe
                        Yes, that's what I got from your description.

                          A Former User @Misinthe

                          @misinthe, it's just as I thought.

                            Misinthe @viragomann

                            @viragomann @Silence Man, doing all this testing messed my pfSense up, now it won't boot up, so I just deleted the VM, I don't know if I'll rebuild it or if I'll just remove it from the equation and just add a piHole VM to the network.

                              A Former User @Misinthe

                              @misinthe There are many ways to solve your problem here.

                              Now my suggestion is the following:

                              In my case I create the VLANs in pfSense and only use the UDM Pro for switching.

                              In this way, when connecting via OpenVPN to your pfSense, everything will be OK.

                              If you decide to continue doing routing in pfSense and routing in the UDM Pro, then the suggestion is to start by cleaning up the OpenVPN configuration, which is wrong, and the static routes in pfSense.

                              Then a rule on the WAN for your UDM Pro, and with that everything should work without problem.

                                A Former User @Misinthe

                                @misinthe said in Issues with Subnet behind UDM Pro:

                                Man, doing all this testing messed my pfSense up, now it won't boot up, so I just deleted the VM, I don't know if I'll rebuild it or if I'll just remove it from the equation and just add a piHole VM to the network.

                                wtf, so if you deleted your pfSense, how do you have access to the internet?

                                What is the IP of your computer?

                                  Misinthe @Guest

                                  @silence said in Issues with Subnet behind UDM Pro:

                                  @misinthe said in Issues with Subnet behind UDM Pro:

                                  Man, doing all this testing messed my pfSense up, now it won't boot up, so I just deleted the VM, I don't know if I'll rebuild it or if I'll just remove it from the equation and just add a piHole VM to the network.

                                  wtf, so if you deleted your pfSense, how do you have access to the internet?

                                  What is the IP of your computer?

                                  I just connected my ISP directly to the WAN port of the UDM Pro, the pfSense was acting mainly just for pfBlocker, DHCP is controlled by the UDMP and DNS is controlled by my Domain Controller, I only had to redirect that Domain Controller to the UDMP and that's it.

                                    viragomann @Misinthe

                                    @misinthe
                                    I'm sorry, I have no idea what you could have done wrong here.
                                    I didn't tell you to make any changes on pfSense apart from the route a week ago.
                                    But now we have news: it was a VM. That would maybe have been worth mentioning.

                                    Anyway, your setup seems quite simple. So I have no idea why this should not work; it's just some networking. A router should be able to do this.

                                      Misinthe @viragomann

                                      @viragomann It's okay, I don't know why it being a VM would've changed anything? And what I did was shut it down to give it 2 more cores and 4GB more of RAM because I noticed it was about to be maxed, then it didn't come back up. Like I said, my LAN is all within the UDM Pro, so I'm not too worried about it; the only thing I really lost was pfBlockerNG and the DMZ, but I can create a DMZ network on the UDM Pro pretty easily, and like I said, I can just add a piHole VM to act as the pfBlockerNG.

                                        viragomann @Misinthe

                                        @misinthe said in Issues with Subnet behind UDM Pro:

                                        I don't know why it being a VM would've changed anything?

                                        Because the hypervisor comes into play and may have an effect on the networking.

                                        But yes, there should be no need to have 2 firewalls normally, but it should be possible though.

                                          Misinthe @viragomann

                                          @viragomann Well, my VM host has 3 x 4-port NIC cards, so what I did was assign 3 physical ports to the pfSense, one each for WAN, LAN, and Opt1. That way it didn't use the virtual NIC.

                                            viragomann @Misinthe

                                            @misinthe
                                            I see. So the hypervisor should do nothing on the NICs assigned to the pfSense VM.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.