No routing between local networks

gueaje

@nogbadthebad said in No routing between local networks:

@gueaje said in No routing between local networks:

@nogbadthebad no packet flowing from LAN1 to LAN2 or the other way round

@bob-dig said in No routing between local networks:

@gueaje This is typical for OSes like Windows with their firewall.

Just tested between TrueNAS and Ubuntu, the same blockage is there.

Do a packet capture on LAN2, do you see packets from LAN1 ?

packet capture run on LAN2, no packet from LAN1
packet capture run on LAN1, no packet from LAN2

NogBadTheBad

@gueaje Firewall rules on the interface or incorrect subnet mask on the clients if I had to guess.

Drag a screenshot of your firewall rules, into your post.

gueaje

@nogbadthebad
here you go, WireGuard, DMZ, LANCGUEST and LANSEVER has no rule setup.
LAN1 is LANCLIENT
LAN2 is LANSEVER

NogBadTheBad

@gueaje I'd be tempted to remove the floating rule and interface group, then add any any rules on LANCLIENT & LANSEVER.

Firewall rules are generally processed as follows:-

Floating Rules
Interface Group rules
Interface tab rules

gueaje

@nogbadthebad
Removed floating rule and interface group, and recreate the same rule under LANCLIENT and LANSEVER, still no luck.

Tried to reboot the pfsense machine as well.

NogBadTheBad

@gueaje The subnet mask and gateway is correct on each box, that you're trying to ping from & to ?

The interfaces are directly attached so it should work.

gueaje

@nogbadthebad said in No routing between local networks:

interfaces are directly attached so it should work.

Yes, I have checked and rechecked that since you pointed out earlier.
Also I tried to use ping tool from diagnostic menu in pfsense.
I can ping the hosts from respective pfsense interface (i.e. ping using LANSERVER to ping host in the same network), but it's not reachable if I change source address to LANCLIENT.

BTW, if it helps, hosts from both networks are able to access internet.
Can this configuration cause the issue? i.e. instead routing the traffic directly from LANSERVER to LANCLIENT, this setup cause the traffic directed to internet?

NogBadTheBad

@gueaje Is your default route your WAN gateway and are you using any sort of PIA ?

Diagnostics -> Routes

Gertjan

@nogbadthebad said in No routing between local networks:

@gueaje I'd be tempted to remove the floating

Tempted ? ;)
What about this one :

@gueaje
re create the firewall rule you've removed on the LAN interface when you installed pfSense.
By pure magic, things start to work.

If these are the rules on the LAN interface :

then, yeah, all traffic (except destination port 22 80 443 TC pfSense itself) goes into the default, last, hidden "black hole" rule. That included 'ping'.

Why did you remove the pass rule that was present in the beginning ? That comes with some punishment ;)

Btw : my advise : stay away from floating rules (leave them as you've found them : none).

gueaje

@nogbadthebad

I don't have PIA. (yet, still considering it. based on your question, looks like I have to put aside that consideration :) )

In the setup, I leave it as Automatic. Under Diagnostic route, it point to WAN1 right now.
Should I change it to LANCLIENT or LANSEVER?

gueaje

@gertjan
From fresh install, it was not working with default setup (no rule except "Anti-Lockout Rule).
Hence, I added floating rule to allow all for LAN networks, and it still not working.

Bob.Dig

@gueaje Just start over freshly.

NogBadTheBad

@gueaje Leave it as is.

I only asked about PIA as everything would route via your OpenVPN interface unless you has don't pull routes.

As you're not using PIA it should be fine.

Gertjan

@gueaje said in No routing between local networks:

@gertjan
From fresh install, it was not working with default setup (no rule except "Anti-Lockout Rule).

Read pfSense manual : Firewall Rule Best Practices

In a default two-interface LAN and WAN configuration, pfSense utilizes default deny on the WAN and default allow on the LAN.

This means you find the anti lockout rule and a pass rule on the LAN interface.

So, again, on a default pfSense you will find this pass rule on the interface called LAN (other interface are not assigned yet).
It is presumed that when you create other (more) LAN type interface, you copy this rule to your new LAN interfaces also. You have to change the "Source" while coping, of course.

gueaje

@bob-dig said in No routing between local networks:

@gueaje Just start over freshly.

Will need to find time later, probably over long weekend.
Currently can't afford downtime due to work from home.