Netgate Discussion Forum

    Can’t ping across sub-nets

    Firewalling
      davidylau @davidylau

      @davidylau Reposting with more info.

      I have two subnets on my Netgate/Pfsense firewall – LAN_net for my computers and IOT_net for devices like security cameras.

      When a Win11 PC is on LAN_net (with my other computers), I can ping it from LAN_net.

      Once I place the Win11 PC on IOT_net (for testing), I can no longer ping it from LAN_net (with the Win11 PC’s new IOT_net IP address).

      No change on the MS defender firewall settings. OS says it’s on a private network and discoverable when on IOT_net.

      There are no firewall rules restricting LAN_net devices. So a device on LAN_net should be able to send any type of packet to IOT_net.

      [attachment: ICMP_rule2jpg.jpg]

      [attachment: IOT_net_rules.jpg]

      What’s even more weird is that I can ping a printer that I have on IOT_net. But there are no ICMP rules pertaining to the printer. There are only rules that allow SNMP and NetBIOS-NS from the printer.

      Any help appreciated.

      D V J 3 Replies Last reply Reply Quote 0
        davidylau @Jarhead

        @jarhead I reposted in the same thread showing the interfaces.

        1 Reply Last reply Reply Quote 0
          davidylau @dma_pf

          @dma_pf I reposted in the same thread.

          The computer that I'm typing on is on LAN_net. I'm trying to ping another computer on IOT_Device_Net and that ping is what is not working.

          1 Reply Last reply Reply Quote 0
            davidylau @davidylau

            @davidylau Here are the LAN_net rules. These were auto-generated by the firewall. I didn't add any rules here.

            [attachment: LAN_net_rules.jpg]

            1 Reply Last reply Reply Quote 0
              viragomann @davidylau

              @davidylau said in Can’t ping across sub-nets:

              When a Win11 PC is on LAN_net (with my other computers), I can ping it from LAN_net.
              Once I place the Win11 PC on IOT_net (for testing), I can no longer ping it from LAN_net(with Win11PC’s new IOT_net IP address).

              This is most likely due to Windows default firewall rules settings. It allows access from inside its own subnet, but not from outside.

              D 1 Reply Last reply Reply Quote 0
                Jarhead @davidylau

                @davidylau said in Can’t ping across sub-nets:

                @davidylau Reposting with more info..

                No change on the MS defender firewall settings. OS says it’s on a private network and discoverable when on IOT_net.

                This is your culprit.
                You would have to change it since it's now a different subnet than the LAN. Windows firewall sees the new subnet and will block all others.
                Just turn it off to test.

                Also, the default allow any rule on the LAN is what's allowing you to ping the printer. It allows anything from LAN to anywhere.

                D 1 Reply Last reply Reply Quote 0
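                The two answers above both point at the Windows Defender Firewall scoping its inbound echo-request rule to the local subnet. The following PowerShell, added here as an example (not posted by anyone in the thread), lists the inbound ICMPv4 rules with their remote-address scope and then adds a rule allowing echo requests only from LAN_net, as an alternative to turning the firewall off. The LAN_net prefix 192.168.1.0/24 and the rule name are assumed placeholder values.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Win11 PC.
# ASSUMPTION: LAN_net is 192.168.1.0/24 (constructed value; substitute your own prefix).
$LanNet = '192.168.1.0/24'

# 1. Show every enabled inbound rule that matches ICMPv4 together with its remote scope.
#    The built-in echo-request rule for the Private profile is scoped to LocalSubnet,
#    which is why a ping forwarded by pfSense from another subnet is dropped.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            Action        = $_.Action
            RemoteAddress = ($scope.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Add a dedicated rule that permits ICMPv4 echo requests (type 8) only from LAN_net
#    on the Private profile. The built-in rule and the rest of the firewall stay untouched.
$RuleName = 'Allow ICMPv4 Echo from LAN_net'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -Profile Private -RemoteAddress $LanNet -Action Allow | Out-Null
}

# 3. Confirm the new rule is scoped to LAN_net and nothing wider.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Step 1 also shows which profile (Private/Public/Domain) the machine is applying, which matters if the PC decides the IOT_net connection is Public, where no echo rule is enabled by default.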
                  davidylau @viragomann

                  @viragomann Yes, that worked. Thanks.

                  Would you know if TrueNAS Scale has the same behavior? I plan to move one of my TNS systems (which is only running Plex) to IOT_net. TrueNAS Scale is based on Debian.

                  V 1 Reply Last reply Reply Quote 0
                    davidylau @Jarhead

                    @jarhead Yes, that worked. Thanks.

                    Would you know if TrueNAS Scale has the same behavior? I plan to move one of my TNS systems (which is only running Plex) to IOT_net. TrueNAS Scale is based on Debian.

                    1 Reply Last reply Reply Quote 0
                      viragomann @davidylau

                      @davidylau
                      Quite sure, it has a firewall running. And this setting is widely common on OS firewalls.

                      To circumvent this you can also masquerade traffic destined to the device on pfSense. But the recommended way is to configure the device's firewall accordingly.

                      johnpozJ 1 Reply Last reply Reply Quote 1
                        johnpoz LAYER 8 Global Moderator @viragomann

                        @viragomann completely agree, you might source nat to allow conversations with something that uses a different gateway than pfsense, or doesn't have a gateway (camera as example).. Or if it was some iot devices that prevented access with no way to allow for it.

                        But if it's a device running its own firewall - it would be better to correctly set this device's firewall to allow the traffic, or just disable it if you feel that is appropriate for your network. Secured, you manage all the devices, nothing hostile on the device's own network, etc.

                        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.