Unable to Ping Between VLANs
-
Hello, all!
So, I've been working on getting VLANs set up here at a mission school for different access for students and teachers.
I have been trying to figure out how to make it so that two VLANs can have complete access to one another (appearing to be part of the same VLAN, but with different IP address ranges), and have been having trouble getting it working… Or so I thought.
My test was to ping a host on the opposite VLAN to see if there was a response. Unfortunately, I couldn't get one. I was able to get a response pinging the same host while on the same VLAN, but when I would move one of the computers to a different VLAN, I was unable to ping it. I checked the Packet Capture, and it looked like it was routing the packet (it logged it, whereas if I blocked it with firewall rules, it didn't log it).
Anyway, finally I tried using TightVNC Viewer to VNC into the other computer... Lo and behold, it worked! I've been beating my head up against a wall for nothing...
So, to my question... How can I make it so that I can ping from one VLAN to another? This is first test for pretty much any problem, and it would be a shame if I couldn't use it. I'm hoping it isn't an issue with the computer being on a different /24 network, and Windows not knowing how to reply to it...
Thanks!
ElectroPulse -
Hi!
Can you post screenshot of your firewall rules between VLANs?
You probably allowed TCP and UDP; you also have to allow ICMP to be able to ping anything… -
So normally Windows firewalls block ping... So it could be the local firewalls on the machines.
Could be as suggested your firewall rules between your segments on pfsense.
I am curious are you actually running vlans - or do you have 2 physical segments in pfsense with a physical interface of pfsense in each network segment?
-
Sure, here's the screenshot of the Firewall Rules page for one of the two VLANs I am trying to ping between.
And yes, all of the rules are "All" rather than "TCP" or any of the other specific options. At the bottom is a default allow outbound to all, and above those are the rules that block traffic between the VLANs that I want blocked (notice, there are no block rules for "TeacherWirelessOPT1").
As for the theory of Windows Firewall blocking pings, why then am I able to ping when on the same VLAN, as per the original post?
And again, as per the original post, if I specifically add a rule blocking all traffic between the two VLANs, the Packet Capture does not log any packets when I ping. However, when I remove those specific block rules, it does log them. So, pfSense firewall rules should not be the issue.
And yes, I am running VLANs. They are all running off of one physical interface, with different logical interfaces (VLANs 20, 21, 30, 40 and 50 (20 and 21 are the two I want to behave like they are under one VLAN… The only reason I am running two separate ones is the need for an active portal on the second one (due to wireless access, as opposed to strictly wired))).
-
Is the gateway set correctly on all machines?
-
As for the theory of Windows Firewall blocking pings, why then am I able to ping when on the same VLAN, as per the original post?
Possibly because when both hosts are in the same VLAN they are in the same subnet which would be seen by the windows firewall as a local machine and allowed.
Easy to test, just disable the Windows firewall temporarily.
Steve
-
As for the theory of Windows Firewall blocking pings, why then am I able to ping when on the same VLAN, as per the original post?
Possibly because when both hosts are in the same VLAN they are in the same subnet which would be seen by the windows firewall as a local machine and allowed.
Easy to test, just disable the Windows firewall temporarily.
Steve
And the prize goes to Steve!
Yup, that was it… Hmm... So apparently Windows Firewall blocks pings from different subnets? Strange. This is my first time screwing around with VLANs, so I had never encountered that before.
I just set a "ping 192.168.2.XXX -t" running, then went into the advanced settings for Windows Firewall on the computer that was the target, changed the ICMP setting to "Any IP address", and the other computer started receiving replies. I changed it back to "Local Subnet" and it started timing out again... That's definitely it.
So... is there any security issue with allowing ICMP from any IP?
Also, is there a way to make pfSense make it appear that the ICMP packets are coming from the local subnet?
-
I would say the security risk of allowing pings from any network is minimal. All those machines are behind your pfSense firewall so only pings that you had forwarded deliberately could ever get through from the public internet. I'm not too familiar with the Windows firewall but could you not just add a rule to allow pings from the other local subnet? Or add that subnet as a local network?
You could set pfSense to NAT between the two VLANs, that would make everything appear local. However it would probably introduce far more problems than it solved, I wouldn't do that.
Steve
-
So how does the prize go to Steve? ;)
I was the one that said it was prob the local firewall
"So could be the local firewalls on the machines." Steve just explained to you why..
You do know you can set up the local firewall to allow ping just from its local subnet and that other VLAN; you don't have to allow it for anything. If that makes you feel more secure..
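The scoped rule johnpoz describes above (ping allowed only from the host's own subnet plus the other VLAN, rather than "Any IP address"), written out as an added PowerShell example. This is not from the thread or from pfSense; it assumes VLAN 20 is 192.168.20.0/24 and VLAN 21 is 192.168.21.0/24, which are placeholder subnets you must replace with the real ranges from your pfSense VLAN interfaces.

```powershell
# Added example, not from the thread. Assumed addressing (replace with your own):
#   VLAN 20 = 192.168.20.0/24, VLAN 21 = 192.168.21.0/24
$TrustedSubnets = @('192.168.20.0/24', '192.168.21.0/24')
$RuleName = 'Allow ICMPv4 Echo from trusted VLANs'

# Run from an elevated PowerShell prompt on the Windows host you want to ping.
# Remove any earlier copy of this rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound rule for ICMPv4 type 8 (Echo Request) only, scoped to the listed remote
# subnets. The built-in "Local Subnet" scope on the default File and Printer Sharing
# (Echo Request) rule is exactly what made the cross-VLAN pings time out.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -RemoteAddress $TrustedSubnets `
    -Profile Domain,Private `
    -Action Allow | Out-Null

# Verify the scope actually applied: the address filter should list both subnets.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# List every enabled inbound ICMPv4 rule with its remote scope, so you can see
# whether some other rule already allows echo requests from a wider range.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

If you would rather take ElectroPulse's broader option of allowing the whole private range, pass `-RemoteAddress '192.168.0.0/16'` instead of the two /24s; keeping the list to the VLANs you actually test from is the tighter choice. After the rule is in place, the `ping 192.168.2.XXX -t` from the other VLAN should start answering without having to touch the "Any IP address" scope.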
-
Thanks for the replies!
Ok, was just curious if there was any sort of security issue with it. In that case, I may just allow from any IP so that in the future if I am running some tests from another VLAN I don't have to change the firewall settings again (or choose the range 192.168.0.0-192.168.255.254 or something like that).
@Johnpoz: Fine then, you both get the prize ;) Previously I hadn't realized Windows Firewall was allowing it JUST from the local network, and thought you meant blocking ICMP entirely.
-
Well now I feel as if you're just throwing me a bone ;) with that fine statement – hehehe
As to security -- I personally have no issue with ping being allowed, and I even allow my public IP to answer ping.. Allowing it on your internal network should not be an issue at all.