Netgate Discussion Forum
    Cannot ping from OPT1 to OPT2 but can the other way…?

    25 Posts 2 Posters 5.2k Views
      burnsl

      Yes they have the same ip topology and they are direct replacements for each other.

      Is what you're suggesting going to reset something or clear the problem?
      Why would it NAT communication from an OPT"A" to OPT"B" interface?!

        podilarius

        pfSense does not. It does not normally make sense to do so since they are local. What I am suggesting is that IPCop NATed and that is why it worked.
        You will have to switch to manual outbound NAT so that you can add the rule to NAT traffic to the specific WAP GUI address. The traffic would "look" like it is coming from the pfSense machine and allow GUI access.
        You could also power up IPCop and check the rules for NATing out (while not connected to a network).

          burnsl

          No NATting happens on IPCop either.

          I also know that I had access to it a few months ago with the same firewall rules.

            podilarius

            Then something must have changed on the WAP. Perhaps the default gateway, route, or subnet mask. If it worked with pfSense before and nothing changed, then it would work now.

              burnsl

              Agreed, but I have reset it and verified the right information in the setup.
              Nada

                podilarius

                Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? Did you upgrade pfSense recently? Can you post your LAN, OPT1, and OPT2 rules?

                  burnsl

                  No tools on the WAP.
                  I'll post my rules in a few moments.
                  Stand by…

                    burnsl

                    @podilarius:

                    Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? Did you upgrade pfSense recently? Can you post your LAN, OPT1, and OPT2 rules?

                    Here they are, the two nets. All rules but (* ANY) disabled.

                    FW_RULES_2_NET.JPG
                    FW_RULES_5_NET.JPG

                      podilarius

                      So the rules are straightforward, okay … Enable SSH on pfSense. Using SSH, log in several times to pfSense. The purpose is to run tcpdump on each interface involved.
                      Using tcpdump, watch for the originating traffic from the client, then see if it makes it to the other side of pfSense (which according to the rules should work with no problem). Then watch to see if you see any traffic returned from the WAP. You can set up 4 SSH sessions, two for each interface watching in and out on each.

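The per-interface capture comparison suggested in the post above, as an added example that is not part of the original thread: it compares a capture from the client-side interface with one from the WAP-side interface and names the first point where the ping stops. The addresses, the interface names `em1`/`em2`, the file names and the helper functions are assumptions, and the capture lines are constructed.

```shell
#!/bin/sh
# Added example: addresses and interface names are assumptions, not from the thread.
CLIENT=192.0.2.10     # client on the first OPT network (constructed)
WAP=198.51.100.20     # WAP on the second OPT network (constructed)

# Captures, one SSH session per interface (em1/em2 are assumed names):
#   tcpdump -n -i em1 icmp and host $CLIENT and host $WAP > client_side.txt
#   tcpdump -n -i em2 icmp and host $CLIENT and host $WAP > wap_side.txt

# count_dir FILE SRC DST KIND: count "echo KIND" lines going SRC -> DST.
count_dir() {
  grep -cF "IP $2 > $3: ICMP echo $4" "$1" || true   # grep exits 1 on zero matches
}

# diagnose CLIENT_SIDE_FILE WAP_SIDE_FILE: name the first point where the ping stops.
diagnose() {
  req_in=$(count_dir "$1" "$CLIENT" "$WAP" request)    # request reaches pfSense
  req_out=$(count_dir "$2" "$CLIENT" "$WAP" request)   # request leaves toward the WAP
  rep_in=$(count_dir "$2" "$WAP" "$CLIENT" reply)      # WAP answers
  rep_out=$(count_dir "$1" "$WAP" "$CLIENT" reply)     # answer leaves toward the client
  if   [ "$req_in"  -eq 0 ]; then echo "no-request-at-firewall"
  elif [ "$req_out" -eq 0 ]; then echo "request-dropped-by-firewall"
  elif [ "$rep_in"  -eq 0 ]; then echo "no-reply-from-wap"
  elif [ "$rep_out" -eq 0 ]; then echo "reply-dropped-by-firewall"
  else echo "path-ok"
  fi
}

# Constructed sample captures: requests cross pfSense, the WAP never replies.
tmp=$(mktemp -d)
cat > "$tmp/client_side.txt" <<EOF
12:00:01.000100 IP $CLIENT > $WAP: ICMP echo request, id 7, seq 1, length 64
12:00:02.000100 IP $CLIENT > $WAP: ICMP echo request, id 7, seq 2, length 64
EOF
cat > "$tmp/wap_side.txt" <<EOF
12:00:01.000180 IP $CLIENT > $WAP: ICMP echo request, id 7, seq 1, length 64
12:00:02.000175 IP $CLIENT > $WAP: ICMP echo request, id 7, seq 2, length 64
EOF
: > "$tmp/empty.txt"   # a capture that saw nothing

diagnose "$tmp/client_side.txt" "$tmp/wap_side.txt"   # no-reply-from-wap
```

A `no-reply-from-wap` result points at the device's own gateway, route or subnet mask, while `request-dropped-by-firewall` points back at the rules or routing on pfSense.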
                        burnsl

                        Interesting idea.

                        Will do.
