I can't ping my OPT1 interface

calibra

Hi All,

I have a very simple situation:
pfSense-1.2-RC2-LiveCD
3 physical interface:

1 WAN interface (to dsl modem/dhcp)
1 LAN interface (192.168.1.1) to the switch
1 OPT1 interface (192.168.60.1) to the same switch

So I have 2 subnets and I'd like to nat to 192.168.1.* and to 192.168.60.* . The nat to the first (LAN) subnet works fine, but the second don't working :(

I make "extra" firewall rules to 192.168.60.* : any packets to anywhere is enabled with OPT1 interface, and PT1 interface ENABLED!

But I want to ping from a laptop(192.168.60.3) the 192.168.60.1 (OPT1 IP), but don't working:(

Form pFsense (from OPT1 interface) I can ping the laptop (192.168.60.3).

The route to OPT1 subnet automatically created by pfsense: I checked this.

What is the problem? What else need I set up to the nat to OPT1 subnet work?

Please help me!
Thanks a lot…

GruensFroeschli

plugging multiple interfaces with different subnets into the same switch is a bad idea. it "can" cause problems.

your description is not very clear where you put what firewall rule.
do you have a rule on LAN that allows traffic to your OPT1?
do you have a rule on OPT1 that allows traffic to your LAN?

i don't understand from where to where you want to NAT but it sounds like you need to creat rules under "advanced outbound NAT".

calibra

Hi!

Thanks the reply!

My main aim:
I'd like to separate the clients. So in each subnet there is max. 1-2-3 clients…

So I'd like to NAT from the WAN to all subnets. Nothing else.

But why I need a rule "on LAN that allows traffic to your OPT1" ?
and
why I need a rule "on OPT1 that allows traffic to your LAN" ?

I don't want to LAN subnet reach the OPT1 subnet and vice versa.

My existing rule:
OPT1: any packets ACCEPTED forom anywhere to anywhere.

But if I have a physical interface with 192.168.60.1/24 IP: why I can't ping this from a laptop with 192.168.60.3/24 IP ? But from pFsense I can ping the laptop(192.168.60.3) from the OPT1 (192.168.60.1) interface! I think this is the main problem, and when I'll ping the OPT1 form the laptop, the NAT will be OK.

Thanks

ps:sorry for my bad english...

GruensFroeschli

Ok i think i understand now what you want.
You want to NAT your private subnets to WAN.
If you want the subnets separated you need rules like:

LAN-rules:
rule#1: action:block ; "source: LAN-subnet" ; "destination: OPT-subnet" ; gateway: *
rule#2: action:allow ; "source: LAN-subnet" ; "destination: any" ; gateway: *

OPT1-rules:
rule#1: action:block ; "source: OPT1-subnet" ; "destination: LAN-subnet" ; gateway: *
rule#2: action:allow ; "source: OPT1-subnet" ; "destination: any" ; gateway: *

But as said before: mixing subnets on the same switch is a bad idea.
I cannot say why you can't ping your OPT1-interface from your Laptop but it might well be because you plugged multiple interfaces from your pfSense into the same Switch.

calibra

OK! THX!

The rules are clear!

But I don't understand why I can't ping the OPT1 interface form laptop :(
I tried this:

WAN > DSL modem (or nowhere)
LAN > nowhere
OPT1 > directly to the laptop (without switch: single UTP cable)

I changed the physical nic's to avoid hardware problems, but the situation is the same:
from OPT1 > laptop : ping OK
from laptop > OPT1 : ping not OK

But when I ping the LAN form laptop everything is OK! (I changed the IP to the LAN's subnet).

THX

calibra

I don't know exactly why but everything is ok:)

Now I can ping the OPT1 interface from the laptop and the nat working too.

I think a reboot needed. First I didn't reboot the pFsense. But when I turn on the pFsense the existing config everithing is works fine!

Thanks your help!