Netgate Discussion Forum

Adding additional interface

Forum category: Firewalling
16 Posts 5 Posters 5.4k Views
AhnHEL (last edited Jun 30, 2009, 5:24 PM)

Way too many redundant rules. Set up only one rule on your OPT interface:

Proto  Source   Port  Destination  Port  Gateway  Description
*      OPT Net  *     *            *     *        OPT -> Any

Leave the default LAN -> Any rule as is.

This should allow pings to go from LAN to OPT and from OPT to LAN.

If the pings are not getting through, then check that the firewalls on both laptops are disabled (you mentioned the OPT laptop's firewall to be off but not the LAN laptop's firewall; double check).

Your initial post suggested setting up a DMZ, so ultimately you don't want your DMZ/OPT to have LAN access, so you will have to edit your OPT -> Any rule to look like this:

Proto  Source   Port  Destination  Port  Gateway  Description
*      OPT Net  *     ! LAN Net    *     *        OPT -> Any But LAN

Once this is done, create your block rules one at a time and place them above your OPT -> Any But LAN rule, testing to make sure they are working properly.

AhnHEL (Angel)
stuartc (last edited Jun 30, 2009, 5:45 PM)

Thanks for your help, I will revise my rules and cut them down.

With the DMZ network I need to block all traffic to the LAN bar a few ports for our remote access solution, so it's not 100% separated.

The LAN machines I'm attempting to ping from OPT have the firewall disabled, have just double checked (rule 1, never assume :))

So once I am able to ping through to prove connectivity I will be adding additional rules for particular traffic.

Will post back when I can access the OPT1 laptop.
Eugene (last edited Jun 30, 2009, 6:27 PM)

Can you ping LAN machines from the firewall itself?

http://ru.doc.pfsense.org
stuartc (last edited Jun 30, 2009, 6:37 PM)

I'd not actually thought of that, just tried now from the ping tool on the web GUI.

When the interface is set to LAN I can ping the server on the LAN; when it's set to OPT1 I cannot ping the LAN server.

Thanks for your input, I feel like I'm getting somewhere with everyone's help, I fear it may have driven me to an early grave otherwise.
Eugene (last edited Jun 30, 2009, 6:51 PM)

Does the server on LAN have default gateway as pfSense's LAN address?

http://ru.doc.pfsense.org
stuartc (last edited Jun 30, 2009, 6:57 PM)

Hmmm, it would appear I've overlooked something fairly major here. I've changed a few non-priority servers to use the pfSense default gateway rather than the other FW and it works fine!

Thanks for all your help everyone, that would have taken me the rest of my life to find!
Eugene (last edited Jun 30, 2009, 7:05 PM)

So your issue is not firewalling but routing.
You don't necessarily need to change the default gateway, but you have to tell your server on the LAN that it has to route network 192.168.10.0/24 to your pfSense.
You can add just one route on your server; from a Windows cmd window it would look like

    route -p add 192.168.10.0 mask 255.255.255.0 10.1.1.1

... and leave your default unchanged.

http://ru.doc.pfsense.org
stuartc (last edited Jun 30, 2009, 7:17 PM)

I know it's not ideal, but if I were to add the route to the other firewall during the migration period, would that route the traffic properly?

So the servers currently pointed at the 10.1.1.1 gateway (old firewall) would forward 192.168.10 traffic on to pfSense?
ktims (last edited Jun 30, 2009, 7:25 PM)

@stuartc:

    I know it's not ideal, but if I were to add the route to the other firewall during the migration period, would that route the traffic properly?

    So the servers currently pointed at the 10.1.1.1 gateway (old firewall) would forward 192.168.10 traffic on to pfSense?

Should work fine that way.
GruensFroeschli (last edited Jun 30, 2009, 9:07 PM)

Not sure if this is acceptable, but:
You basically want to access stuff on the LAN from the OPT.
The problem is that the server on the LAN doesn't know where to send the answer to.
If you enable NAT from OPT to LAN, then the requests appear as if from the IP of the pfSense on the LAN side.

Like this you don't need to change anything on the existing stuff.

How to: enable Advanced Outbound NAT under "Firewall" -> "NAT".
There will be an auto-created rule for LAN -> WAN.
Copy this rule and change it to OPT -> LAN.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
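The thread's diagnosis (Eugene: the LAN server sends its reply to the old default gateway, so it never comes back through pfSense, whose state table created the entry on the way in) and the three fixes discussed (a static route on the server, the same route on the old firewall during migration, or outbound NAT on the LAN side so the server only ever sees pfSense's own address) can all be checked with a small routing-lookup model. The following Python script is an added example and is not code from this thread or from pfSense. It takes only the OPT network 192.168.10.0/24 and the old firewall address 10.1.1.1 from the posts; the LAN prefix 10.1.1.0/24, the pfSense LAN address 10.1.1.254, the server and laptop addresses and the upstream hop 203.0.113.1 are assumptions chosen for the illustration.

```python
"""Model of the reply path for an OPT -> LAN ping, used to show why the LAN
server never answered and what each fix in the thread changes.

Added example: this is not code from the thread or from pfSense. Values taken
from the thread: the OPT network 192.168.10.0/24 and the old firewall / default
gateway 10.1.1.1. Everything else (LAN prefix 10.1.1.0/24, pfSense LAN address
10.1.1.254, the server and laptop addresses, the upstream hop 203.0.113.1) is an
assumption chosen for the illustration.
"""
import ipaddress

OPT_NET = ipaddress.ip_network("192.168.10.0/24")   # from the thread
OLD_FIREWALL = ipaddress.ip_address("10.1.1.1")     # from the thread
LAN_NET = ipaddress.ip_network("10.1.1.0/24")       # assumed
PFSENSE_LAN = ipaddress.ip_address("10.1.1.254")    # assumed
LAN_SERVER = ipaddress.ip_address("10.1.1.20")      # assumed
OPT_LAPTOP = ipaddress.ip_address("192.168.10.50")  # assumed
UPSTREAM = ipaddress.ip_address("203.0.113.1")      # assumed (old firewall's WAN hop)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.

    A gateway of None means the prefix is directly connected, so the packet
    is handed to the destination itself.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def build_devices(server_static_route=False, old_fw_static_route=False):
    """Routing tables for the three boxes on the LAN in the thread."""
    server = [(LAN_NET, None), (DEFAULT, OLD_FIREWALL)]   # default gw = old firewall
    if server_static_route:
        # Eugene's fix: a static route on the server, pointed at pfSense's LAN address
        server.append((OPT_NET, PFSENSE_LAN))
    old_fw = [(LAN_NET, None), (DEFAULT, UPSTREAM)]
    if old_fw_static_route:
        # stuartc's migration-period variant: the route lives on the old firewall
        old_fw.append((OPT_NET, PFSENSE_LAN))
    pfsense = [(LAN_NET, None), (OPT_NET, None), (DEFAULT, UPSTREAM)]
    devices = {"lan_server": server, "old_firewall": old_fw, "pfsense": pfsense}
    addr_to_device = {OLD_FIREWALL: "old_firewall", PFSENSE_LAN: "pfsense"}
    return devices, addr_to_device


def trace(start, dst, devices, addr_to_device, max_hops=8):
    """Follow the packet device by device until it is delivered or leaves the model."""
    dst = ipaddress.ip_address(dst)
    path = [start]
    current = start
    for _ in range(max_hops):
        hop = next_hop(devices[current], dst)
        if hop == dst:                          # delivered on-link by `current`
            if dst in addr_to_device:
                path.append(addr_to_device[dst])
            return path
        if hop not in addr_to_device:           # left the modelled network
            path.append(f"lost via {hop}")
            return path
        current = addr_to_device[hop]
        path.append(current)
    raise RuntimeError("routing loop")


def reply_path(reply_dst, **table_options):
    """Path of the server's ICMP echo reply. reply_dst is the source address the
    server saw in the request: the OPT laptop normally, or pfSense's LAN address
    once outbound NAT on the LAN interface is in place."""
    devices, addr_to_device = build_devices(**table_options)
    return trace("lan_server", reply_dst, devices, addr_to_device)


def reply_reaches_pfsense(reply_dst, **table_options):
    """pfSense created the state entry when the request went OPT -> LAN; it only
    matches the reply if that reply comes back through pfSense."""
    return "pfsense" in reply_path(reply_dst, **table_options)


def scenarios():
    return {
        "no_route": reply_reaches_pfsense(OPT_LAPTOP),
        "route_on_server": reply_reaches_pfsense(OPT_LAPTOP, server_static_route=True),
        "route_on_old_firewall": reply_reaches_pfsense(OPT_LAPTOP, old_fw_static_route=True),
        "outbound_nat_on_lan": reply_reaches_pfsense(PFSENSE_LAN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'reply reaches pfSense' if ok else 'reply goes astray'}")
```

Running it prints one line per scenario; only the first (no route, default gateway still the old firewall) sends the reply out the old firewall's default route, which is exactly the symptom in the thread: the request arrives, the reply never passes the stateful firewall that created the state. The NAT variant works because pfSense's LAN address is on the directly connected prefix, so the server's own routing table is irrelevant; the price, as GruensFroeschli's post implies, is that the LAN server no longer sees the real OPT source address in its logs.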
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.