Wan - lan - opt1 and problems …
-
For two days I have been trying to find an answer to my problem. Basically I have WAN and LAN functioning perfectly; I decided to use OPT1 for a separate subnet.
My setup:
LAN 192.168.0.1/24
OPT1 192.168.10.1/24
I enabled OPT1 and set type to static/192.168.10.1.
Then DHCP server: I enabled the DHCP server for OPT1 and set it as follows:
Subnet 192.168.10.0
Subnet mask 255.255.255.0
Available range 192.168.10.0 - 192.168.10.255
Range 192.168.10.10 to 192.168.10.20
and added a firewall rule under OPT1, same as the default LAN rule, which is:
Proto Source Port Destination Port Gateway Schedule Description
- LAN2 net * * * *
After I rebooted pfSense (just to make sure, after reading some posts), on the LAN side everything is OK, but on the OPT1 side (OPT1 is connected to a separate switch) the client cannot get an IP address. Here is some more info:
$ ifconfig -a
sis0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether xx:xx:xx:xx:xx
inet6 fe80::219:d1ff:fe82:5b44%sis0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether xx:xx:xx:xx:xx:xx
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::202:a5ff:fe4e:d706%em0 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether xx:xx:xx:xx:xx:xx:xx
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
inet6 fe80::202:a5ff:fe4e:d707%em1 prefixlen 64 scopeid 0x3
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=100 <promisc>metric 0 mtu 33204
ng0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492
inet 206.248.XXX.XXX --> 206.248.XXX.XXX netmask 0xffffffff
inet6 fe80::219:d1ff:fe82:5b44%ng0 prefixlen 64 scopeid 0x8
and some more:
LAN interface (em0)
Status up
MAC address xx:xx:xx:xx:xx
IP address 192.168.0.1
Subnet mask 255.255.255.0
Media 100baseTX <full-duplex>
In/out packets 80983/85428 (20.64 MB/68.10 MB)
In/out errors 0/0
Collisions 0
LAN2 interface (em1)
Status up
MAC address xx:xx:xx:xx:xx
IP address 192.168.10.1
Subnet mask 255.255.255.0
Media 100baseTX <full-duplex>
In/out packets 0/0 (0 bytes/292 bytes)
In/out errors 23/1
Collisions 0
What I am trying to achieve:
first, use DHCP properly on OPT1;
second, OPT1 cannot talk to the LAN subnet, but can access the internet;
LAN can talk to OPT1 and access the internet.
Any help on this will be highly appreciated, also thanks for the answers...
-
Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0? What is destroying the incoming packets? This has to be fixed before you will be able to get much further.
When a system initially requests an IP address by DHCP it doesn't have a "real" IP address, certainly not one on LAN2 subnet. (I think 0.0.0.0 is typically used as the source IP address in initial "cold start" DHCP requests.) Hence a DHCP request is unlikely to pass your firewall rule. Depending on your security requirements for traffic between LAN and LAN2 you might want to add a firewall rule to LAN2 along the lines of
Proto Source Port Destination Port Gateway Schedule Description
UDP * 67-68 * 67-68 Allow DHCP
You wrote LAN can talk to OPT1, but there is no sign of any received packets on OPT1. How were you attempting to talk to OPT1 and what response were you getting?
-
> Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0. What is destroying the incoming packets? This has to be fixed before you will be able to get much further.
Yes, I did. I think it is because I unplugged the Ethernet cable from the NIC a couple of times, since DHCP was failing to assign an IP to the clients on LAN2.
If I can get some help, I want to first confirm that my setup mentioned before is correct (for the interface assignment and the DHCP settings related to it).
INTERFACES / OPT1
TYPE STATIC
192.168.10.1/24
SERVICES / DHCP FOR OPT1
Subnet 192.168.10.0
Subnet mask 255.255.255.0
Available range 192.168.10.0 - 192.168.10.255
Range 192.168.10.10 - 192.168.10.20
As for the rules, I have only one for now:
Proto Source Port Destination Port Gateway Schedule
- LAN2 net * * * *
When I create OPT1 and enable DHCP on it, set to static with IP 192.168.10.1, I can ping that gateway from the 192.168.0.0 subnet.
Also some more info from the DHCP logs:
Jan 7 23:22:16 pfsense dhcpd: Listening on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
Jan 7 23:22:16 pfsense dhcpd: Sending on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
Jan 7 23:22:16 pfsense dhcpd: Listening on BPF/em0/00:02:a5:4e:XX:XX/192.168.0/24
Jan 7 23:22:16 pfsense dhcpd: Sending on BPF/em0/00:02:a5:4e:XX:0XX/192.168.0/24
Jan 7 23:22:16 pfsense dhcpd: Sending on Socket/fallback/fallback-net
I think it should be a VERY easy task, but why? Why me???
-
I don't know enough details about what you have done but on the evidence I would suspect a problem with incoming frames on the OPT1 interface.
I would configure a system connected to OPT1 with a static IP address in the OPT1 subnet range and then verify that when I ping that system from the pfSense console I get a ping response and when I ping the pfSense OPT1 interface IP address from the OPT1 system with fixed IP address I get a ping response.
I can't see any problem with your OPT1 configuration other than the firewall rule issue I pointed out previously.
-
I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.
Now I need help with a firewall rule. What I am trying to achieve:
LAN = can see (RDP, ping, Windows shares etc.) OPT1 and internet connection
OPT1 = cannot see LAN subnet and internet connection
Thank you in advance.
-
> I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.
You got your desired configuration working in a VM environment?
> Now I need help with a firewall rule. What I am trying to achieve:
> LAN = can see (RDP, ping, Windows shares etc.) OPT1 and internet connection
> OPT1 = cannot see LAN subnet and internet connection
Firewall rules apply on the input side to the firewall. Firewall rules are processed in order until a match is seen.
The default configuration gives what you ask for LAN. I'm not sure if I should read your OPT1 requirements as "cannot access LAN and cannot access internet" or as "can access Internet and cannot access LAN". The latter is probably more useful, so, firewall rules on OPT1:
Rule 1: BLOCK anything to LAN subnet
Rule 2: Allow anything to anywhere
I'd turn on logging on Rule 1 so you can more readily verify it does what you want.
-
Yes, in the VM things are better than in a cold basement :) OK, with those tips I almost configured my PCs in the VM (but both network adapters manually configured) 192.168.10.1/192.168.20.1.
I achieved almost all I wanted, except this:
I cannot explore OPT1 from LAN in Windows (network computers), but from LAN (on the same machine) I can RDP and ping into the OPT1 machine and ping both gateways. My firewall rules are:
LAN
default rule plus UDP 67-68
OPT1
the rules that you asked me to add, in their order
How can I see OPT1 machines from LAN computers' shares in Windows??
Thanks
-
I suspect Windows network browsing might be limited to the "local" subnet due to the protocol mechanisms involved (subnet broadcasting? or LAN multicasting by MAC address?).
However it is still possible to browse a known computer in another subnet by specifying it by name or IP address, e.g. in Windows Explorer: \\winhost or \\192.168.20.56.
-
I know that, but for some reason it doesn't work. Again, I can ping, RDP etc. but cannot browse shares. Maybe some other specific ports to open?
-
Works for me: I have a Linux system with Samba on OPT3 and a few Win2k systems on LAN, and all the Win2k systems can see the Samba shares on the Linux system on OPT3.
OPT3 has a rule "pass anything to everywhere". I expect a more restrictive rule set would suffice.
I suggest you check your firewall log. It would probably give some hints about ports to LAN that might need to be opened on your OPT1.
-
Maybe the block rule towards LAN? Because for me OPT1 will be a one-way network. I don't know how it works, but we open the door to OPT1, but OPT1 has to send something back to LAN? And because of the block back to LAN I cannot see the shares, but then how come ping and RDP work? On the VM the test systems are XPs; on the real network the two systems are Server 2003s. I really don't know what to do. Also, for a couple of days I have been experiencing PPPoE drops on the WAN port.
-
When the firewall allows a connection through, it also constructs a temporary rule specific to that connection, to allow the back traffic.
I don't know the details of how Windows Explorer discovers the shares. It's possible the server attempts to create a new connection (or more) back to the client. These new connections would be blocked by the rule I suggested.
If you have logging on the OPT1 rule, then any attempt by the Windows server to establish a "back connection" to the LAN should appear in the firewall log, and the information logged will allow you to add firewall rules to allow these back connections.
But I don't recall reading a description of the security policy for OPT1; you might want something much more relaxed.
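As an added example (not code from this thread or from pfSense), the following Python script models the rule evaluation discussed in the DHCP reply and in the Rule 1 / Rule 2 advice above: first-match ordering, a DHCP request from 0.0.0.0 failing a "LAN2 net" source rule, and a state entry letting reply traffic back in while a new connection from OPT1 to LAN is still blocked. The .50 hosts and the 8.8.8.8 destination are constructed sample values.

```python
from ipaddress import ip_address, ip_network
# Nets from the thread; interface names follow its ifconfig output (em0 = LAN, em1 = OPT1).
LAN_NET, OPT1_NET = ip_network("192.168.0.0/24"), ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")

def rule(iface, action, proto="*", src=ANY, sport="*", dst=ANY, dport="*", log=False):
    """One pfSense-style rule; a port spec is '*' or an inclusive (lo, hi) range."""
    return dict(iface=iface, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, log=log)

def pkt(iface, proto, src, sport, dst, dport):
    """A packet as it enters the firewall on iface (constructed sample input)."""
    return dict(iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def _port_ok(spec, port):
    return spec == "*" or spec[0] <= port <= spec[1]

def _matches(r, p):
    return (r["iface"] == p["iface"] and r["proto"] in ("*", p["proto"])
            and ip_address(p["src"]) in r["src"] and _port_ok(r["sport"], p["sport"])
            and ip_address(p["dst"]) in r["dst"] and _port_ok(r["dport"], p["dport"]))

class Filter:
    """First matching rule wins; a passed packet records a state entry so the
    reverse flow is accepted on any interface without consulting the rules."""
    def __init__(self, rules):
        self.rules, self.states, self.log = rules, set(), []
    def filter(self, p):
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        if (flow[0], flow[3], flow[4], flow[1], flow[2]) in self.states:
            return "pass (state)"
        for r in self.rules:
            if _matches(r, p):
                if r["log"]:
                    self.log.append(f"{r['action']} on {p['iface']}: {flow}")
                if r["action"] == "pass":
                    self.states.add(flow)
                return r["action"]
        return "block"  # default deny when no rule matches

# Original OPT1 rule set ("LAN2 net -> anywhere"): a DHCPDISCOVER comes from
# 0.0.0.0, which is not in 192.168.10.0/24, so it matches nothing and is dropped.
ORIGINAL = [rule("em1", "pass", src=OPT1_NET)]
SUGGESTED = [  # rule set assembled from the thread's advice, evaluated in this order
    rule("em0", "pass", src=LAN_NET),                                  # default LAN rule
    rule("em1", "pass", proto="udp", sport=(67, 68), dport=(67, 68)),  # Allow DHCP
    rule("em1", "block", src=OPT1_NET, dst=LAN_NET, log=True),         # Rule 1 (logged)
    rule("em1", "pass", src=OPT1_NET),                                 # Rule 2
]
```

Swapping Rule 1 and Rule 2 makes the block rule unreachable, which is why the order given in the reply matters.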