Help with Rules Setup

saikumargv

Hi,
Can you experts please help me with my firewall/rules setup issue.

Ping from 192.168.2.100 ( Wifi Notebook IP ) to 192.168.1.1 ( Router IP ) –-> OK
Ping from 192.168.2.100 ( Wifi Notebook IP ) to 192.168.1.51 ( Desktop 1 IP ) –-> NOT OK
Remote Desktop from 192.168.2.100 ( Wifi Notebook IP ) to 192.168.1.51 ( Desktop 1 IP ) –-> OK

I cannot ping to any machine from OPT1WIFI (192.168.2.) to LAN (192.168.1.)
Also I cannot resolve any hostname from OPT1WIFI (192.168.2.) in LAN (192.168.1.)
Funny thing is how is my 192.168.2.100 ( Wifi Notebook IP ) can Remote Desktop to 192.168.1.51 ( Desktop 1 IP ) even though the ping fails ???

I know I am missing something.
Please help…..

Thanks in advance for your help.

Here is my setup......

Hardware Setup
Cable Model <–-> Pfsense <---> Gigaswitch <----> Desktop 1 & 2
Also, Pfsense <---> Wifi <---> Notebook 1, 2 & 3.

LAN interface (em1)
IP address 192.168.1.1
Subnet mask 255.255.255.0

WAN interface (em0)
IP address 67.81.81.xxx
Subnet mask 255.255.254.0
Gateway GW_WAN 67.81.80.xxx
ISP DNS servers 167.206.245.xxx
167.206.245.xxx

OPT1WIFI interface (ath0)
IP address 192.168.2.1
Subnet mask 255.255.255.0

Rules
Please see attachment

Diagnostics commands from Laptop 1 (192.168.2.100 )

C:>IPCONFIG /ALL
Host Name . . . . . . . . . . . . : HP6910P
Primary Dns Suffix . . . . . . . : us.ups.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.ups.com
local

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
Physical Address. . . . . . . . . : 00-21-5C-A2-7B-XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::xxxx:7b1f:a379:xxxx%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, August 27, 2011 9:54:16 AM
Lease Expires . . . . . . . . . . : Saturday, August 27, 2011 11:54:15 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 218112348
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6A-7F-xx-00-23-5A-31-16-66

DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

C:>tracert 192.168.1.51

Tracing route to 192.168.1.51 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.2.1
2 * * * Request timed out.

C:>nbtstat -A 192.168.1.51

Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection:
Node IpAddress: [192.168.2.100] Scope Id: []

C:>route print 192.168.1.51

Interface List
14…00 24 7e 39 4e 2b ......Bluetooth Device (Personal Area Network)
12...00 21 5c a2 7b b1 ......Intel(R) Wireless WiFi Link 4965AG
11...00 23 5a 31 16 66 ......Intel(R) 82566MM Gigabit Network Connection
1...........................Software Loopback Interface 1
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

IPv4 Route Table

Active Routes:
None
Persistent Routes:
None

IPv6 Route Table

Active Routes:
None
Persistent Routes:
None

![pfsense rules.png](/public/imported_attachments/1/pfsense rules.png)
![pfsense rules.png_thumb](/public/imported_attachments/1/pfsense rules.png_thumb)

Metu69salemi

Are you having virus protection/software firewall on that 1.51 machine? or any else where you cant ping?

Cry Havok

Your first rules on LAN and OPT1 both allow all traffic, further rules are redundant.

Whatever your problem is, it isn't pfSense related. Can you ping Desktop1 from any system, including pfSense and other hosts on the same subnet?

saikumargv

Metu/Cry,
Thanks for the tip.
You were correct. There was Windows firewall turned on in that Desktop ( 192.168.1.51 ) which was preventing pings.
Once I turned off the Firewall it was pinging fine.

But how is that I am unable to do hostname lookups for other devices like network printers?
For example if I cannot ping BRN001BA9021E23 from the laptop ( 192.168.2.104 ).

Thanks.

dhcpleases.png_thumb

Metu69salemi

Does your another network dns server know those names?
and does it know to find it from another subnet?

saikumargv

I have seem to have two DHCP servers and I don't think it knows how to find the other one.
Can you please explain how to set this up so that I can lookup hostnames across sub domains/interfaces.

Thanks,
Sai

dhcpserver1.png_thumb

saikumargv

2nd DHCP server screen shot.

dhcpserver2.png_thumb

Metu69salemi

Because those are different networks thats why you need to have different dhcp servers.
But you can try to give dns-server entries by manual.

Somewhat like this:
Lan dhcp: first dns server pfsense interface address and secondary dns, pfsense opt1wifi interface address
and vice versa in opt1wifi

Try that

Cry Havok

DHCP is used to allocate IP addresses. DNS is used to look up addresses. If you want name lookups to work then you need to configure your a DNS domain and have your DHCP server register leases with the DNS server.

saikumargv

Metu/Cry,
Once I turned on the "Register DHCP leases in DNS forwarder" and "Register DHCP static mappings in DNS forwarder", the hostname lookup started working. I am now able to ping through hostname across the subdomains.
Thanks a lot for your help guys.

Regards,
Sai