Allowing traffic from a different subnet interface
-
Hi Guys,
I have the below flow chart
-
Interface A -> subnet 10.10.10.17/24 is coming from pfsense and it's providing the DHCP, the DNS is coming from my piHole (10.10.10.2) on that network
Interface B -> subnet 172.168.2.2/24 has its own Windows Server which has the DHCP and DNS, pfsense is only providing 172.168.2.1 as a router
Q: I have an app on IP 10.10.10.3 but I cannot access it from subnet 172.168.2.2/24, what can I do to allow that traffic?
Oddly enough I do have access to my Pihole 10.10.10.2
-
@ivanjrx said in Allowing traffic from a different subnet interface:
Q: I have an app on IP 10.10.10.3 but I cannot access it from subnet 172.168.2.2/24, what can I do to allow that traffic?
Probably the host is blocking access from outside of its subnet.
Configure its firewall to allow it.
-
@viragomann
I did these rules but still the same issue. Am I not doing it wrong?
P.S. I did one per the interface
-
@ivanjrx Firewall rules apply on inbound packets. In your rules if the rule is on Management the source can never be External.
Also as @viragomann mentioned ensure the server 10.10.10.3 allows access from other subnets.
-
@SteveITS
Thank you for your reply. They are all internal.
Other subnets for WIFI have access to 10.10.10.3.
The only difference is that Interface B -> subnet 172.168.2.2/24 is behind its own DHCP server and shooting for its own DNS from the Windows side.
Oddly enough I have access to my pihole, which is on the same subnet that I'm trying to reach, sitting on 10.10.10.2
-
While it shouldn't matter for this.. 172.168.2.2 is not "private addressing" and really should not be used unless you are the owner of that address space..
As mentioned.. are you sure your Windows machines' firewalls are configured correctly? Windows by default will block anything outside its own subnet..
-
@chpalmer for the sake of the testing, the firewall on the Domain controller and the client are off where I conduct the test, followed by a
ipconfig /release & ipconfig /renew
Also the firewall in pfsense for 10.10.10.3 is only 3 rules:
- default block out
- ipv4
- ipv6 -- although I'm only using IPv4
As for 172.168.2.1
- default to allow traffic on ipv4
-
@ivanjrx
OMG! Oh you guys!
I just answered my silly question in the last comment.
The pfSense is only running on IPv4 but Windows is using both IPv4 + IPv6.
I'm sure it was coming in as IPv6 and therefore it was getting blocked. I just allowed both protocols in the rules and I can now hit that app. Duh!
The only explanation I have on how I was hitting the traffic for 10.10.10.2 before is because it is a DNS server; other than that, I can live with that mystery...
Moderators can now mark this as Solved
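-
Added example, not part of the original thread and not pfSense code: a small Python model of the points raised above (rules are matched on the interface where a packet enters, first match wins, an IPv4 rule never matches IPv6 traffic, and 172.168.2.0/24 is not private space). The rule set, the client address 172.168.2.50 and the fd00:: addresses are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress as ip

# Interface subnets as given in the thread; "A" and "B" are the poster's labels.
INTERFACES = {
    "A": ip.ip_network("10.10.10.0/24"),
    "B": ip.ip_network("172.168.2.0/24"),
}

# Constructed rules: (interface, action, source, destination). First match wins.
RULES = [
    ("A", "pass", "172.168.2.0/24", "10.10.10.3/32"),  # placed on the wrong interface
    ("B", "pass", "172.168.2.0/24", "10.10.10.3/32"),  # placed where the traffic enters
]

def evaluate(ingress, src, dst, rules=RULES):
    """Action for a packet arriving on `ingress`; anything unmatched is blocked."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for iface, action, rule_src, rule_dst in rules:
        rule_src, rule_dst = ip.ip_network(rule_src), ip.ip_network(rule_dst)
        if iface != ingress or rule_src.version != src.version:
            continue  # other interface, or rule is for the other address family
        if src in rule_src and dst in rule_dst:
            return action
    return "block"

def unreachable_rules(rules=RULES):
    """IPv4 rules whose source subnet is not attached to the rule's interface.
    Assumption: no routed networks sit behind either interface."""
    found = []
    for iface, _action, rule_src, _dst in rules:
        net = ip.ip_network(rule_src)
        if net.version == 4 and not net.overlaps(INTERFACES[iface]):
            found.append((iface, rule_src))
    return found

def non_private_interfaces():
    """Interfaces numbered outside the ranges Python's ipaddress treats as private."""
    return [name for name, net in INTERFACES.items() if not net.is_private]

if __name__ == "__main__":
    print(evaluate("B", "172.168.2.50", "10.10.10.3"))             # rule on B matches
    print(evaluate("B", "172.168.2.50", "10.10.10.3", RULES[:1]))  # only the rule on A
    print(evaluate("B", "fd00::50", "fd00::3"))                    # IPv6 vs IPv4-only rules
    print(unreachable_rules(), non_private_interfaces())
```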