Inter LAN communications

FFH4500

Hi all.

We have 2 businesses operating out of a single office. Each business runs on it's own structurally seperate network with the exception of pfsense providing a single internet connection. So seperate switches, WAP's etc. This is required due to the nature of the second business.

I have pfsense setup with a Quad NIC card. Currently configured as:

WAN
TEXNET (LAN1) - 192.168.10.0/24
BHNET (LAN2) - 192.168.20.0/24
FAILOVER WAN

TEXNET has a printer on the network that we require clients on BHNET to access. I set this up by adding a Pass rule on the TEXNET interface to allow any TCP (IPV4) traffic from BHNET to the specific IP of the printer.

I also added a Pass rule on the BHNET interface to allow any TCP (IPV4) traffic from printer IP to BHNET.

This typically works to start but after a while, the printer becomes inaccessible from the BHNET network.

So where have I gone wrong?
Rules:


Interfaces:

chpalmer

@ffh4500 Truthfully you should not need the "rule on the BHNET interface to allow any TCP (IPV4) traffic from printer IP to BHNET."

On the printer do you have a gateway to 192.168.10.3?

FFH4500

@chpalmer

@chpalmer said in Inter LAN communications:

Truthfully you should not need the "rule on the BHNET interface to allow any TCP (IPV4) traffic from printer IP to BHNET.

Yeah I know, I was just removing all restrictions to and from the printer.

@chpalmer said in Inter LAN communications:

On the printer do you have a gateway to 192.168.10.3?

Yes.

johnpoz

@ffh4500 as stated you do not need a return rule. Once you allow traffic from a source network to the destination network via rule on the source network the return traffic is allowed via the state.

This typically works to start but after a while

this would have to mean the printer has a gateway, or it would never work..

Your going to have to troubleshoot why its not working.. Sniff the traffic on the printer side network interface - do you see the traffic going to the printer?

Are you saying traffic to the printer is logged as blocked, when you have rule that allows? I would say if starts to works and then fails that could point to asymmetrical flow - but you have stated that these are 2 physical separate networks.

FFH4500

@johnpoz

@johnpoz said in Inter LAN communications:

this would have to mean the printer has a gateway, or it would never work..

Just so it is clear what you're asking, when you say does the printer have a gateway do you mean does it have a print gateway or do you mean the printer has a gateway set in the NIC? Currently the printer has the gateway set in the NIC as 192.168.10.3.

@johnpoz said in Inter LAN communications:

Are you saying traffic to the printer is logged as blocked, when you have rule that allows?

No, it works fine for a period and then stops. Typically when it stops I get CLOSED:SYN_SENT in the states.

chpalmer

@johnpoz said in Inter LAN communications:

this would have to mean the printer has a gateway, or it would never work..

Yeah.. I know that but.. looking for a reason this is happening. Seems like it goes to sleep and then loses its gateway somehow. I have a Canon lazer printer right here in the house that gets printed to from multiple sources on various VPN's. Usually by me on remote sites.

FFH4500

@chpalmer

@chpalmer said in Inter LAN communications:

Seems like it goes to sleep and then loses its gateway somehow.

Yeah that was my thoughts too but wouldn't it start working again when the printer "wakes up", in this case it is not.

The printer is a Canon ir-adv c3730, the sleep option is enabled but there is an exception for the LAN to stay awake, in fact you cannot turn off the sleep option.

chpalmer

@ffh4500

Like mentioned then.. time for some packet captures. Look at both interfaces for traffic both ways.

See where the traffic is failing to flow.

FFH4500

@chpalmer

Looks like I have a solution in place. A simple 1:1 mapping using the Subline feature on the printer appears to have resolved the issue.

Still doesn't explain why I couldn't get it to work in the other configuration. I will do further investigation and report back.

Appreciate the help.

chpalmer

@ffh4500

Yeah.. that further says it is a gateway issue. I betcha Canon has some bugs in that particular model.

Absolutely keep everyone up to date on this one.. next guy that comes along will appreciate ya!

johnpoz

@ffh4500 said in Inter LAN communications:

A simple 1:1 mapping using the Subline feature on the printer

subline? huh?