Routing between interfaces

Gertjan

To be honoust : beats me….  ;)

But: I have a LAN network card (192.168.1.1/24) and a OPT1 card (192.168.2.1/24) (Captive portal activated).

I can ping and have acces (SSH, telnet and Web) to the devices (AP's) from LAN to OPT1 without any 'routing rules or other modifications'.

GeorgeOnLine

@Gertjan:

I can ping and have acces (SSH, telnet and Web) to the devices (AP's) from LAN to OPT1 without any 'routing rules or other modifications'.

This may help.  :)

I come from M0n0wall and this was my main nightmare.
I was able to ping the OPT1 address, but not the hosts on the same subnet  :-\    …but just a reboot is sufficent to change behaviour.  :o

Thanks.

gOl

hoba

Routing between directly connected subnets works out of the box but you have to allow traffic by creating appropriate firewallrules. (firewallrules always validate incoming traffic at an interface).

GeorgeOnLine

@hoba:

Routing between directly connected subnets works out of the box but you have to allow traffic by creating appropriate firewallrules. (firewallrules always validate incoming traffic at an interface).

Don't works for me  :(  , same as with M0n0wall.

Just installed pfSense embedded on my WRAP. This is my configuration:

LAN:  192.168.1.0/24
OPT1: 192.168.2.0/24
WAN:  192.168.3.0/24

LAN to WAN is ok.

LAN to OPT1 and OPT to LAN not.
I have created a couple of firewall rules allowing all traffic from LAN subnet to OPT01 subnet (and vice versa).  No other rules.

Using the Diagnostic Ping on webConfigurator i'm able to contact hosts on OPT1 subnet, but nothing to do if i try to ping them from some host on the LAN.

I'm sure to be wrong in something, …but where?

Gertjan

A long shot:
Save your current config.
Go to Default settings.
Put your WAN device on the 10.0.0.0/8 range (i.e. 10.0.0.138), and make your pfSense WAN ip somthing like 10.0.0.1 - gateway 10.0.0.138 - dns 10.0.0.138.

hoba

@GeorgeOnLine:

@hoba:

Routing between directly connected subnets works out of the box but you have to allow traffic by creating appropriate firewallrules. (firewallrules always validate incoming traffic at an interface).

Don't works for me  :(  , same as with M0n0wall.

…

Show us your rules at all involved interfaces, they are most likely wrong.

GeorgeOnLine

@hoba:

Show us your rules at all involved interfaces, they are most likely wrong.

Thats all my filters :

LAN (default)
Proto  Source  Port  Destination  Port  Gateway  Description
*      LAN net    *      *              *      *          Default LAN -> any

WAN (default)
Proto  Source  Port  Destination  Port  Gateway  Description
*      RFC 1918    *      *              *      *          Block private networks

OPT1 (custom)
Proto  Source  Port  Destination  Port  Gateway  Description
*      OPT1 net    *      *              *      *          Pass all from OPT1 to ANY

Interfaces are now:
LAN:  192.168.20.254/24
OPT1:  192.168.200.254/24
WAN:  DHCP

LAN > WAN is OK, but LAN <-> OPT1 ->not    >:(

Only using the Diagnostics/Ping packets from 192.168.20.254 (LAN if) to 192.168.200.254 (OPT1 if) pass, but not to other hosts on OPT1 subnet.

Configuration is all here, and sincerly seems to me very simple  :-[

Gertjan

@GeorgeOnLine:

@hoba:

Show us your rules at all involved interfaces, they are most likely wrong.

Thats all my filters :
…..

That seems rather classic, I agree.
One question before my advise : nothing special in Nat->Outbound ?

Save your config locally and reset to default (bether fresh ISOI install - it only takes a couple of minutes)
Set your 3 interfaces (IP's for internal network cards and Internet access for your WAN card) and you should be up.

If not : hardware trouble is all what's left…

GeorgeOnLine

@Gertjan:

One question before my advise : nothing special in Nat->Outbound ?

Absolutely nothing!

@Gertjan:

Save your config locally and reset to default (bether fresh ISOI install - it only takes a couple of minutes)
Set your 3 interfaces (IP's for internal network cards and Internet access for your WAN card) and you should be up.

If not : hardware trouble is all what's left…

You will agree this is a very strange problem:  how can LAN if communicate with OPT1 if, but not with hosts on OPT1 subnet?
If there is an hardware trouble I should'nt see nothing also between these two interfaces!  ….or not?

And again:  hosts on OPT1 subnet may reach the internet through the WAN if, like hosts on LAN subnet, but they can't see the opposite other!    ::)

Really, really strange ...

Gertjan

Ok.
Let continue.
I presume you can ping the OPT1 interface from the SSH interface (option 7).
You should be able to ping other devices behind the OPT1 interface, also.
To be sure : give these devices a static IP (192.1968.2.x in your & my case) - check if they haven't any restrictive firewalls activated on them.
For instance, I use a couple of AP's (192.168.2.2,3,4,5,…), attachad to my OPT (Hotspot network) and they accept only (local administration) traffic comming from 192.168.2.1, my OPT1 IP.
I don't want my 'hotspot clients' to start administer my AP's  ;)

Btw: You're saying/using "OPT1 net" as an alias (see post below) - check it twice if your usage of aliases are correct. Use hardcoded adresses instead (192.168.2.0/24) to test.