Netgate Discussion Forum
    LAN <-> WLAN communication fail

    Category: Routing and Multi WAN
    15 Posts 3 Posters 6.1k Views
      capsfs

      Hi!

      I am aware that what I want to achieve is rather simple and should just work on its own … but somehow it isn't.
      I am running pfSense
      Version 1.2.3-RELEASE
      built on Mon Dec 7 20:21:30 EST 2009
      Platform nanobsd

      Situation is

      
                                                        -------------pfSense-------------------
      ------------          ------------------          | WAN (PPPoE)                     LAN |
      | INTERNET | -------- | external Modem | -------- | dynamic IP           192.168.37.100 | -------- Switch - some PCs
      ------------          ------------------          |                                     |
                                                        |                                WLAN |
                                                        |                      192.168.38.100 | -------- some Clients
                                                        |                                     |
                                                        |                                 DMZ |
                                                        |                      192.168.40.100 | -------- Switch - some PCs
                                                        ---------------------------------------
      
      

      The interfaces LAN, WLAN and DMZ have their IPs static.
      On the LAN and WLAN interfaces, a DHCP server is giving out IPs from 192.168.xxx.60 to 192.168.xxx.90.
      All the other fields in DHCP-configuration are empty.

      On firewall rules, LAN and WLAN have rules like:
      pass * LAN net * * * *
      pass * WLAN net * * * *
      There are no more firewall rules.

      There are no static routes defined.
      NAT Outbound is set to automatic.

      Now machines get IPs in the LAN net and have access to the Internet, and machines in WLAN get IPs in their subnet (x.x.38.x) too and have Internet access as well, which is great.

      If this is relevant: DNS is served by 192.168.37.40. This IP is listed as DNS server on the System -> General Setup tab. The option "Allow DNS server list to be overridden by DHCP/PPP on WAN" is disabled.

      Problem:
      Machines in WLAN cannot access PCs in LAN and vice versa. Pings time out. I'd like them to talk to each other, which should be the default as I have read, so I am unsure why it's not working.

      Is there more configuration needed to make this happen?

      Note
      I found out that I can ping from WLAN to DMZ PCs, but not from WLAN to LAN. But there are exactly the same rules in the firewall. Is there by default a difference between a LAN and an opt1 (my DMZ) interface?
      Also I tried to play with different rules after I read this: http://forum.pfsense.org/index.php/topic,30697.0.html but there is no effect.

        xtropx

        I am having the same problem.
        I have two networks off my pfSense box other than my WAN:
        192.168.0.0/26 and 192.168.0.64/26
        I managed to get them to communicate by the appropriate firewall rules:

        The above rules, although probably excessive (I never really know what you NEED as a bare minimum to make things work), allow communication (ping, etc.) to and from my LAN and DMZ (opt) interfaces. However, something is wrong with DNS. The "DNS" rule I created was supposed to fix it, but as of now the DMZ can not connect to the internet.

        I took a look at this: http://forum.pfsense.org/index.php/topic,11965.msg65545.html#msg65545
        It helped, but some things are not clear, such as the last image. What interface is he on, and what is the 192.168.144.1 address? It does not show up anywhere in the discussion. Perhaps my firewall rules will help you and someone with more knowledge can assist with the DNS problem.

        Regards,

        xtropx

          Cry Havok

          When you say that something is wrong with DNS, what exactly do you mean? What is the actual problem?

            xtropx

            Apologies for the lack of specification. No name resolution. No internet access on the servers on the "ServerDMZ" or the .64/26 subnet.

            Regards,

            xtropx

              Cry Havok

              Those are possibly 2 unrelated things.

              First of all, are you NATing from the LAN to the DMZ and vice-versa?

              Secondly, from the pfSense host can you ping (by IP) the DNS server? If so can you ping it (by IP) from the LAN?

                xtropx

                No, there is no NAT between LAN and DMZ or vice-versa. The only NAT is that of WAN to LAN.
                I am unsure what you mean when you ask if I can ping the DNS server. Are you talking about my ISP's DNS servers? There is no DNS server on this network.
                I also failed to specify that the gateway IP addresses of my interfaces are 192.168.0.1/26 LAN & 192.168.0.65/26. Unsure if that is relevant.
                Anything else I can provide that might assist in the troubleshooting?

                Regards,

                xtropx

                  Cry Havok

                  So, what have you configured as the DNS server for each network? It looks like you think it should be 192.168.0.1 - is that your pfSense box? Have you configured it to function as a DNS server/relay?

                    xtropx

                    On the hosts for each network, the DNS server is the same as their gateway.
                    On the LAN this is 192.168.0.1 or the LAN interface's IP address.
                    On the "DMZ" this is 192.168.0.65 or OPT1 interface's IP address.

                    "Have you configured it to function as a DNS server/relay?"
                    How do I do this? If you mean the DNS forwarder, then yes. If you mean packages, then no. Is that where I should be looking?

                    I have tried multiple firewall rules, and variations of the following. This is the way I have things currently:
                    LAN:
                    UDP LAN net * 192.168.0.1 53 (DNS) *

                    DMZ:
                    UDP ServerDMZ net * 192.168.0.65 53 (DNS) *

                    Regards,

                    xtropx

                      Cry Havok

                      Let's start with the simple. On the LAN and DMZ remove all the rules except one that allows all traffic from that network.

                      Then check that all clients have /26 as their netmask and try simple things like:

                      nslookup www.google.com 192.168.0.1

                      Let us know whether that works from only the LAN or from both networks.

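The netmask check suggested above, as an added example that is not part of the thread: with the two /26 networks described in the thread, a client configured with a /24 mask believes the other subnet is on its own link, ARPs for it instead of sending to pfSense, and the ping times out. The gateway addresses come from the thread; the host addresses are constructed.

```python
import ipaddress

# Addressing as described in the thread: LAN 192.168.0.0/26 (gateway
# 192.168.0.1) and DMZ 192.168.0.64/26 (gateway 192.168.0.65).
GATEWAYS = {
    "LAN": ipaddress.ip_interface("192.168.0.1/26"),
    "DMZ": ipaddress.ip_interface("192.168.0.65/26"),
}


def next_hop(host_iface: str, destination: str) -> str:
    """Decide what a host does with a packet for `destination`.

    'direct'  : the host thinks the destination is on its own link and ARPs
                for it (nobody on the other subnet answers -> ping times out).
    'gateway' : the host hands the packet to pfSense, which routes it and
                applies the interface rules.
    """
    host = ipaddress.ip_interface(host_iface)
    dst = ipaddress.ip_address(destination)
    return "direct" if dst in host.network else "gateway"


def netmask_findings(hosts: dict) -> dict:
    """Compare each host's configured prefix with its gateway's prefix.

    hosts maps a label to the host's address with prefix, e.g.
    {"lan-pc": "192.168.0.10/24"}. Returns label -> 'ok' or a message."""
    findings = {}
    for label, iface in hosts.items():
        host = ipaddress.ip_interface(iface)
        # Pick the gateway whose (correct) /26 contains this host's address.
        gw = next((g for g in GATEWAYS.values() if host.ip in g.network), None)
        if gw is None:
            findings[label] = "not in LAN or DMZ"
        elif host.network.prefixlen == gw.network.prefixlen:
            findings[label] = "ok"
        else:
            findings[label] = (
                f"mask /{host.network.prefixlen} should be "
                f"/{gw.network.prefixlen} (gateway {gw.ip})"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: one LAN PC with a wrong /24, one DMZ server with /26.
    hosts = {"lan-pc": "192.168.0.10/24", "dmz-srv": "192.168.0.70/26"}
    for label, msg in netmask_findings(hosts).items():
        print(f"{label}: {msg}")
    print(next_hop("192.168.0.10/24", "192.168.0.70"))  # direct -> fails
    print(next_hop("192.168.0.10/26", "192.168.0.70"))  # gateway -> routed
```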
                        xtropx

                        This is what I have now:


                        WORKING

                        Correct me if I am wrong, but what these rules basically state is: allow all traffic to pass from ServerDMZ and LAN and vice versa.

                        It should be noted that I re-installed the OS on the server sitting on the DMZ last night.

                        Thank you for your time and patience Havok, it is truly appreciated.

                        Regards,

                        xtropx

                          Cry Havok

                          What those say is effectively:

                          • Allow all traffic out of the LAN

                          • Allow all traffic out of the DMZ

                          The first rule in each screenshot will never work since rules apply inbound on an interface.

                          On a host on the LAN, what does ipconfig (Windows, use ifconfig for Linux) show for the IPv4 Address and Subnet Mask? What about on the DMZ?

                            xtropx

                            Well, it is strange, because it is working now. ???
                            What would you suggest I put in for rules?

                            LAN

                            DMZ

                            Regards,

                            xtropx

                              Cry Havok

                              I'd suggest you create a rule on the LAN interface allowing the DMZ subnet as a destination. Then you have to decide what on the LAN the DMZ is allowed to access (if it is any host then I'd question why you have a DMZ) - that's entirely your call.

                              You also need to work out what the underlying problem is/has been. Problems mysteriously coming and going make life difficult.

                                xtropx

                                This was originally a kind of "crawl before you walk" sort of thing. Trying to get used to the way pfsense does firewall rules. I was simply trying to allow local connectivity between the LAN and "DMZ" (as you pointed out, it really isn't a DMZ). This is the only thing that has kept me from using pfsense in anything but my home network.

                                Messing around in the DMZ interface trying to get certain things to pass I thought maybe I am going about this all wrong. All this time I have been relying on the LAN for connecting the DMZ to the Internet. Should I simply be NATing the DMZ interface and then allowing selective traffic back and forth from the DMZ and LAN? I know from a security standpoint this is how a real DMZ works, but I have little to no experience setting this up.

                                Regards,

                                xtropx

                                  Cry Havok

                                  pfSense rules apply to traffic arriving on an interface.

                                  For the simplest start, create rules on the LAN and DMZ allowing access everywhere (see the Default rule for the LAN interface in your second post). If at that point you still have problems communicating between the LAN and the DMZ, it is probably because of the computers you're using. Start by giving each their own /24 (say, put the DMZ on 172.30.11.0/24 and give the LAN 192.168.0.0/24).

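The point made twice above, that pfSense rules apply to traffic arriving on an interface, modelled as an added example that is not pfSense code and not from the thread. It uses the thread's LAN/DMZ addressing; the rule sets are constructed to show a rule on the wrong tab never matching, then the suggested LAN rule with the DMZ subnet as destination next to a DMZ policy that reaches the Internet but not the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing as described in the thread.
NETWORKS = {"LAN": "192.168.0.0/26", "DMZ": "192.168.0.64/26"}


@dataclass(frozen=True)
class Rule:
    iface: str   # tab the rule sits on; it only sees traffic ARRIVING there
    action: str  # "pass" or "block"
    src: str     # network in CIDR, or "any"
    dst: str     # network in CIDR, or "any"


def _matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def ingress_interface(src_ip: str) -> str:
    """The interface a packet from src_ip arrives on (WAN if not local)."""
    for name, net in NETWORKS.items():
        if ip_address(src_ip) in ip_network(net):
            return name
    return "WAN"


def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
    """First matching rule on the ingress interface wins; rules on other
    tabs are never consulted; no match means the default deny. Only the
    connection's first packet is evaluated; replies ride the state entry."""
    iface = ingress_interface(src_ip)
    for rule in rules:
        if rule.iface != iface:
            continue
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.action
    return "block"


# Constructed: placed on the wrong tab. LAN-originated traffic never arrives
# on the DMZ interface, so this rule never matches anything.
WRONG_TAB = [Rule("DMZ", "pass", NETWORKS["LAN"], NETWORKS["DMZ"])]

# Constructed: LAN tab allows the DMZ subnet as destination (plus a catch-all),
# DMZ tab may reach the Internet but is blocked from the LAN.
POLICY = [
    Rule("LAN", "pass", NETWORKS["LAN"], NETWORKS["DMZ"]),
    Rule("LAN", "pass", NETWORKS["LAN"], "any"),
    Rule("DMZ", "block", NETWORKS["DMZ"], NETWORKS["LAN"]),
    Rule("DMZ", "pass", NETWORKS["DMZ"], "any"),
]
```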
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.