Fresh 2.0 install: DHCP on OPT1 works, but pings from the workstation don't
-
This is something I have never seen before. Maybe someone around here has some good guesses as to what the cause is.
I've got a fresh pfSense 2.0 install on a box with four GigE interfaces. WAN (192.168.48.133/25, em0) & LAN (10.0.0.1/24, em1) interfaces work great. OPT1 (10.0.1.0/24) is set up on em2 and connected to a port on a switch (D-Link DGS-1210-48) with its own VLAN (untagged). When a workstation is plugged into another port on the switch (same VLAN), it gets a DHCP address (10.0.1.33/24) and pings from the pfSense box to the workstation succeed, but pings from the workstation to the pfSense box fail. It's not just pings, either. The routes being set by DHCP on the workstation look fine.
Now that I've thought about it, I've only tried directly connecting to the LAN interface (ie. workstation <=> cable <=> pfSense LAN interface). I should try connecting the LAN interface to the switch just as I did with OPT1 to see if that works. I also haven't connected directly the workstation to the OPT1 interface. Either of these could confirm/eliminate the switch as the culprit.
I'd not only like to fix the problem, but understand what is happening. This problem is interesting enough that I'm having troubles sleeping. Of course, I ran into the problem at the end of the day on a Friday. :-[
-
you have to add an allow rule on OPT1 tab of your firewall. by default everything is blocked.
-
So obvious! Thanks man.
you have to add an allow rule on OPT1 tab of your firewall. by default everything is blocked.
-
Actually, I'm still having troubles with this. I've set up the firewall rule under OPT1 just like the LAN interface, but no go.
I have eliminated the switch as the culprit by trying it on the LAN interface. All the ports on that VLAN work as one would expect.
I've attached the firewall rules that I set up for OPT1.
-
Actually, I'm still having troubles with this. I've set up the firewall rule under OPT1 just like the LAN interface, but no go.
I have eliminated the switch as the culprit by trying it on the LAN interface. All the ports on that VLAN work as one would expect.
I've attached the firewall rules that I set up for OPT1.
Your firewall rule is completly wrong - according to the fact that you want to ping something. Ping isn't using a port on TCP or UDP. Ping is using ICMP. As you can see in the presets of the firewall protocols there is "ICMP".
The best way to make sure that the firewall and so on is working correctly you should add an allow "any to any" rule, withz any ports and any protocols. this should be the first and only rule for testing purposes and to make sure there isn't any other configuration failure on the switch and so on.
-
Two blatantly obvious mistakes in one thread. Nice.
That was the problem. Fixed that. Then moved on to LAGG, VLANs, and performance testing. (I'm actually pretty disappointed with the performance in my scenario, but that's a different thread.)
-