Three Interfaces, one does not behave as intended, I'm lost.
-
Hello Community,
I have some knowledge about pfsense, working with the CE at work and home, now have to install a pfsense+ at a customer and run into an issue I cannot resolve.
following setup (only relevant interfaces and rules mentioned, everything wide open to finally understand the issue):
netgate 6100, on 23.05.1-RELEASE
Interfaces:
LAN1: 192.168.10.0/24 alias LAN
LAN2: 10.0.0.0/24 alias Management
LAN3: 192.168.11.0/24 alias DMZ

Firewall rules set on LAN:

Protocol       Source    Port  Destination     Port
IPv4 TCP/UDP   LAN net   *     Management net  *
IPv4 TCP/UDP   LAN net   *     DMZ net         *
IPv4 ICMP any  LAN net   *     Management net  *
IPv4 ICMP any  LAN net   *     DMZ net         *
Problem:
from LAN to DMZ, everything works as intended. Pings and traceroute to 192.168.11.0 can pass.
from LAN to Management, not a single packet gets through. No ping from 192.168.10.0 to 10.0.0.0 possible.
If I ping from the pfsense directly via diagnostics->ping via the 10.0.0.0-interface, I can ping all three hosts.
If I ping from the pfsense directly via diagnostics->ping via the 192.168.10.0-interface, nothing gets through.
Now up to you ;-) I'm absolutely not getting what messes with me.
Thanks in advance!
//edit: typo
-
@itsw
Consider that the host in the MM subnet may block the access by their own firewalls.
You probably have to allow access from outside of their subnet.
-
@itsw said in Three Interfaces, one does not behave as intended, I'm lost.:
If I ping from the pfsense directly via diagnostics->ping via the 10.0.0.0-interface, I can ping all three hosts.
If I ping from the pfsense directly via diagnostics->ping via the 192.168.10.0-interface, nothing gets through.

As @viragomann said, that smells like Windows Servers/Clients that have their firewall up and have their setting on "Domain/Public network" where everything NOT the same subnet as the host itself is considered "external" thus blocked.
If that's not it that could mean there are some shady routings, other gateways or very strange rulesets at work.
As an addition: I'd have LAN1/2 switched and made the first LAN interface (the one internally configured as "lan", not "optX") the management one. Simple reason: practicality, and making use of the allow all rule for management makes more sense than having it running on a LAN with servers or clients that have no dealing on the firewall itself.
Cheers
\jens -
Thanks for your input, both of you.
The host firewall thing would possibly kick in on the ESXi, but not for the other two hosts, which are switches that answer ICMP echo requests from any subnet.
The routing is as simple as it can get, as the firewall has just been deployed and is mostly on default settings.
@JeGr I'll get in touch with you via dm.
-
@itsw I just wanted to share my.... "findings" with you ;-)
If one takes over a project from another contractor, always make sure to get as much of documentation as possible.
The gateway addresses on LAN and DMZ were on .254, the gateway address for the MANAGEMENT was on .1.
Everything was working as intended from the start, but the hosts in the management network did not pass the traffic because of the wrong gateway.
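The root cause above can be reproduced in a small routing model: the firewall rules let the echo request through, so what decides success is whether the host's reply is sent somewhere the firewall actually listens. A ping sourced from the firewall's own Management address is on-link for the host, so the host answers via ARP and never consults its gateway; a ping sourced from any LAN address is off-link, so the reply goes to the configured gateway, and if that gateway (.1) is not an address the firewall owns, the reply is lost. This is an added example, not code from the thread; the firewall addresses (.254 on each interface) and the host addresses are assumptions, while the subnets and the .1 versus .254 gateway mismatch come from the posts.

```python
import ipaddress

# Constructed lab model of the thread's setup. Firewall addresses (.254 on
# every interface) and host addresses are assumptions; the thread only gives
# the subnets and that the Management hosts pointed at .1 as their gateway.
FIREWALL = {
    "LAN": ipaddress.ip_interface("192.168.10.254/24"),
    "Management": ipaddress.ip_interface("10.0.0.254/24"),
    "DMZ": ipaddress.ip_interface("192.168.11.254/24"),
}
FIREWALL_IPS = {iface.ip for iface in FIREWALL.values()}


def next_hop(host, gateway, dst):
    """Where a host (ip_interface) with default gateway `gateway` sends a
    packet for `dst`: the destination itself if on-link, else the gateway."""
    dst = ipaddress.ip_address(dst)
    if dst in host.network:
        return dst
    return ipaddress.ip_address(gateway)


def ping(src, host, gateway):
    """Simulate an ICMP echo from `src` to a host on a directly attached
    segment. The LAN rules in the thread allow the request, so the request
    always arrives; success depends on whether the host's reply reaches an
    address the firewall owns on that segment."""
    host = ipaddress.ip_interface(host)
    hop = next_hop(host, gateway, src)
    if hop == ipaddress.ip_address(src):
        return "reply"  # on-link: host ARPs for src directly, no gateway needed
    if hop in FIREWALL_IPS and hop in host.network:
        return "reply"  # gateway is the firewall's own address on this segment
    return "lost"       # reply handed to a gateway address nobody answers for


def reproduce_thread():
    """Run the scenarios described in the thread and return their outcomes."""
    mgmt_host, wrong_gw, right_gw = "10.0.0.10/24", "10.0.0.1", "10.0.0.254"
    return {
        # Diagnostics > Ping sourced from the Management interface address
        "diag_from_mgmt": ping("10.0.0.254", mgmt_host, wrong_gw),
        # Diagnostics > Ping sourced from the LAN interface address
        "diag_from_lan": ping("192.168.10.254", mgmt_host, wrong_gw),
        # A LAN client pinging a Management host
        "lan_client_to_mgmt": ping("192.168.10.50", mgmt_host, wrong_gw),
        # The same LAN client pinging a DMZ host whose gateway is correct
        "lan_client_to_dmz": ping("192.168.10.50", "192.168.11.10/24", "192.168.11.254"),
        # The Management host after its gateway is corrected to the firewall
        "lan_client_to_mgmt_fixed": ping("192.168.10.50", mgmt_host, right_gw),
    }


if __name__ == "__main__":
    for case, result in reproduce_thread().items():
        print(f"{case:26s} {result}")
```

The model matches every symptom in the first post: the Management-sourced diagnostic ping succeeds, the LAN-sourced one and the LAN client fail, the DMZ path works, and correcting the hosts' gateway fixes the Management path without touching a single firewall rule. When a packet capture on the firewall shows the echo request leaving the interface but no echo reply coming back, the host's gateway or host firewall is the place to look before the rulesets.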