[Solved] Cannot access from WLAN to PC in LAN but internet works
-
Hi,
I use pfsense 1.2.3 and my wife reported to me today that she cannot access the NAS from her desktop. I just implemented pfsense this week-end and thought I tested such a thing but it looks like it does not work.
Configuration is:
- LAN : 192.168.1.0/24
- WLAN : 192.168.3.0/24
I set up Squid, Squidguard and HAVP but it should not have an impact on that. I also set up a remote VPN and a site to site VPN (192.168.5.0/24 routing towards 192.168.4.0/24) with my house.
When I look at the route table, is there something I should declare?
IPv4
Destination        Gateway        Flags  Refs  Use     Mtu    Netif  Expire
default            84.99.65.1     UGS    0     511913  1492   ng0
10.0.8.0/24        10.0.8.2       UGS    0     0       1500   tun1
10.0.8.2           10.0.8.1       UH     1     0       1500   tun1
84.99.65.1         84.99.65.73    UH     1     13720   1492   ng0
84.99.65.73        lo0            UHS    0     0       16384  lo0
127.0.0.1          127.0.0.1      UH     0     480715  16384  lo0
192.168.1.0/24     link#1         UC     0     106     1500   vr0
192.168.1.1        192.168.1.2    UH     1     3696    1500   tun0
192.168.3.0/24     link#3         UC     0     0       1500   ath0
192.168.4.0/24     192.168.1.1    UGS    0     3020    1500   tun0
Any clue?
Thanks,
-
I'm guessing NAS on LAN and desktop on WLAN.
Default firewall configuration blocks access from OPTx interfaces to LAN. Did you add an appropriate firewall rule to allow the access you are looking for?
Depending on the protocols and usage patterns involved it might be more effective to bridge LAN and WLAN.
-
Indeed, NAS is in LAN and Laptop in WLAN.
For both LAN & WLAN, I have only the default rule "(W)Lan to any". Should I explicitly add some routes or rules?
I cannot bridge both as for transparent proxy & HAVP, it's not supported according to the tutorial.
-
It would be helpful to have more detail on "not work" - timeout? connection immediately refused? no route? etc etc
Having a look at the firewall log might suggest what the problem is.
The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?
-
The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?
Sorry, the default rule I set up is that I duplicated the LAN to any rule in the WLAN. That's the only rule I have for LAN & WLAN.
I will try to have more details from my wife to define what does "not work".
-
A strict duplication of the default LAN rule on WLAN won't work.
The default LAN rule says allow from LAN subnet to any. This rule duplicated to WLAN interface won't allow traffic from the WLAN subnet because an IP address on the WLAN subnet won't match the LAN subnet in the rule.
-
So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa + set a rule in the firewall to allow communications from LAN to WLAN and vice versa?
-
So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa
Not normally. Normally systems on 192.168.1.0/24 and 192.168.3.0/24 will have a default route to the pfSense box and the pfSense box knows how to route between 192.168.1.0/24 and 192.168.3.0/24.
So if I understand well, I have to . . . set a rule in the firewall to allow communications from LAN to WLAN and vice versa?
Not quite. The standard LAN rule allows traffic from the LAN subnet to anywhere (including WLAN). As soon as something makes a connection from the LAN interface the firewall effectively creates a temporary rule that allows traffic for that connection in the reverse direction (e.g. from WLAN to LAN). This temporary rule is deleted when the connection closes.
The standard rule for OPTx interfaces doesn't allow anything. Hence if you want to (for example) ssh from WLAN to LAN you will need to add a rule to allow it.
In pfSense firewall rules apply on the input side of an interface. Packets are checked against rules in order until a packet matches a rule, then the action specified in the rule is taken.
Suppose the firewall rules on WLAN are:
1: If source IP is LAN subnet (192.168.1.0/24) ALLOW
2: If source IP is anything BLOCK
I have chosen these rules because you said you duplicated the LAN rule (no mention of any changes to the rule). I have assumed this ordering.
On WLAN a packet arrives with a source IP address of something in WLAN subnet (192.168.3.0/24). This doesn't match rule 1 so processing continues to rule 2 where there is a match so the firewall blocks this packet.
Suppose you change the rules on WLAN to:
1. If source IP is WLAN subnet (192.168.3.0/24) ALLOW
2. If source IP is anything BLOCK
Then if a packet arrives on WLAN with a source address in WLAN subnet (192.168.3.0/24) it will match rule 1 so it is allowed and no further rule processing takes place.
I have no idea what security policy you want. Perhaps the rule on WLAN should be at least a little more strict than If source IP is WLAN subnet ALLOW.
-
I just want that WLAN and LAN see each other. I would have bridged them only if the transparent proxy would allow it but it does not.
I should have feedback from my wife tomorrow as she was not at her office today.
Thanks for your explanation. Indeed, I set up a rule that is If WLAN subnet, Allow.
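The rule evaluation described in the reply two posts up, as an added example written for this thread (it is not code from any poster and not pfSense's own packet filter): rules are consulted in order on the interface the packet enters, the first match decides, a pass creates a state entry that admits the reply traffic on whichever interface it arrives, and a packet that matches nothing hits the implicit block. The interface names vr0 (LAN) and ath0 (WLAN) are taken from the route table earlier in the thread; the addresses 192.168.3.10 and 192.168.1.20 and the rule lists are constructed for the example. The last case generalises slightly beyond the thread: it shows why a pass rule for WLAN-subnet traffic placed in the LAN rule list has no effect on packets entering on the WLAN interface.

```python
# Added example (not pfSense code): a minimal model of a stateful,
# first-match packet filter that evaluates rules on the ingress interface.
# Interface names vr0 (LAN) and ath0 (WLAN) come from the thread's route
# table; the hosts and rule lists below are constructed sample data.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = "192.168.1.0/24"
WLAN = "192.168.3.0/24"


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # source network to match, or "any"

    def matches(self, src_ip: str) -> bool:
        return self.src == "any" or ip_address(src_ip) in ip_network(self.src)


@dataclass
class Firewall:
    # Ordered rule list per ingress interface; the first matching rule wins.
    rules: dict
    # State table: (src, dst) pairs of flows that a pass rule already admitted.
    states: set = field(default_factory=set)

    def filter(self, iface: str, src_ip: str, dst_ip: str) -> str:
        # Reply traffic of an established flow is admitted by the state entry,
        # so the rule list of the reply's ingress interface is never consulted.
        if (dst_ip, src_ip) in self.states:
            return "pass (state)"
        for rule in self.rules.get(iface, []):
            if rule.matches(src_ip):
                if rule.action == "pass":
                    self.states.add((src_ip, dst_ip))
                return rule.action
        return "block"  # nothing matched: implicit default deny


def duplicated_lan_rule_on_wlan() -> str:
    """The LAN rule copied unchanged to WLAN: its source is still the LAN subnet."""
    fw = Firewall({
        "vr0": [Rule("pass", LAN), Rule("block", "any")],
        "ath0": [Rule("pass", LAN), Rule("block", "any")],
    })
    # Laptop on WLAN (192.168.3.10) opens a connection to the NAS on LAN.
    return fw.filter("ath0", "192.168.3.10", "192.168.1.20")


def corrected_wlan_rule() -> str:
    """The WLAN rule rewritten so that its source is the WLAN subnet."""
    fw = Firewall({
        "vr0": [Rule("pass", LAN), Rule("block", "any")],
        "ath0": [Rule("pass", WLAN), Rule("block", "any")],
    })
    return fw.filter("ath0", "192.168.3.10", "192.168.1.20")


def reply_admitted_by_state() -> tuple:
    """LAN -> WLAN connection: the reply passes on ath0 although WLAN has no rules."""
    fw = Firewall({"vr0": [Rule("pass", LAN), Rule("block", "any")]})
    forward = fw.filter("vr0", "192.168.1.20", "192.168.3.10")
    reply = fw.filter("ath0", "192.168.3.10", "192.168.1.20")
    return forward, reply


def wlan_rule_placed_on_lan_tab() -> str:
    """A 'WLAN subnet to any' pass rule in the LAN list never sees a packet
    that enters on ath0, so it does not open WLAN -> LAN traffic."""
    fw = Firewall({
        "vr0": [Rule("pass", LAN), Rule("pass", WLAN), Rule("block", "any")],
        "ath0": [Rule("block", "any")],
    })
    return fw.filter("ath0", "192.168.3.10", "192.168.1.20")


if __name__ == "__main__":
    print("duplicated LAN rule on WLAN :", duplicated_lan_rule_on_wlan())
    print("WLAN-subnet rule on WLAN    :", corrected_wlan_rule())
    print("LAN->WLAN, then the reply   :", reply_admitted_by_state())
    print("WLAN rule in the LAN list   :", wlan_rule_placed_on_lan_tab())
```

Running the script prints block, pass, ('pass', 'pass (state)') and block for the four cases. The model deliberately keys the state table on the address pair only; a real filter also tracks protocol, ports and connection state, but the ordering and ingress-interface behaviour it demonstrates are the points the thread turns on.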
-
My wife just reported to me that ping is OK from her laptop to the NAS.
Yesterday I added two rules :
- in the LAN section to allow all the LAN subnet traffic to the WLAN subnet
- in the LAN section to allow all the WLAN subnet traffic to the LAN subnet
Anything else missing?
For the WLAN configuration, I did not add 192.168.1.1 as gateway. Should I add it?
-
Ok, it was a Windows Explorer issue with something I do not understand.
If she tries \\server_name, she accesses it but with only one folder, not all of the folders. That's why she thought she did not have access to it.
If she tries \\IP.of.the.server, she accesses the whole content.
It looks like the NAS also did not appear in the "Network" tab, but as I set up a shortcut to \\IP.of.the.server, it works well.
Sorry for the noise :-[