Netgate Discussion Forum
    Unable to Ping Between VLANs

General pfSense Questions
11 Posts, 5 Posters, 9.8k Views

maverick_slo:

      Hi!

      Can you post screenshot of your firewall rules between VLANs?
You probably allowed TCP and UDP; you also have to allow ICMP to be able to ping anything…

johnpoz (LAYER 8, Global Moderator):

So normally Windows firewalls block ping, so it could be the local firewalls on the machines.

        Could be as suggested your firewall rules between your segments on pfsense.

        I am curious are you actually running vlans - or do you have 2 physical segments in pfsense with a physical interface of pfsense in each network segment?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

ElectroPulse:

          Sure, here's the screenshot of the Firewall Rules page for one of the two VLANs I am trying to ping between.

          And yes, all of the rules are "All" rather than "TCP" or any of the other specific options. At the bottom is a default allow outbound to all, and above those are the rules that block traffic between the VLANs that I want blocked (notice, there are no block rules for "TeacherWirelessOPT1").

          As for the theory of Windows Firewall blocking pings, why then am I able to ping when on the same VLAN, as per the original post?

          And again, as per the original post, if I specifically add a rule blocking all traffic between the two VLANs, the Packet Capture does not log any packets when I ping. However, when I remove those specific block rules, it does log them. So, pfSense firewall rules should not be the issue.

And yes, I am running VLANs. They are all running off of one physical interface, with different logical interfaces (VLANs 20, 21, 30, 40 and 50; 20 and 21 are the two I want to behave like they are under one VLAN… The only reason I am running two separate ones is the need for a captive portal on the second one (due to wireless access, as opposed to strictly wired)).

[Screenshot: Firewall Rules.png]

jahonix:

            Is the gateway set correctly on all machines?

stephenw10 (Netgate Administrator):

              @ElectroPulse:

              As for the theory of Windows Firewall blocking pings, why then am I able to ping when on the same VLAN, as per the original post?

              Possibly because when both hosts are in the same VLAN they are in the same subnet which would be seen by the windows firewall as a local machine and allowed.
              Easy to test just disable the Windows firewall temporarily.

              Steve

ElectroPulse:

@stephenw10:

Possibly because when both hosts are in the same VLAN they are in the same subnet which would be seen by the windows firewall as a local machine and allowed.
Easy to test just disable the Windows firewall temporarily.

                And the prize goes to Steve!

                Yup, that was it… Hmm... So apparently Windows Firewall blocks pings from different subnets? Strange. This is my first time screwing around with VLANs, so I had never encountered that before.

                I just set a "ping 192.168.2.XXX -t" running, then went into the advanced settings for Windows Firewall on the computer that was the target, changed the ICMP setting to "Any IP address", and the other computer started receiving replies. I changed it back to "Local Subnet" and it started timing out again... That's definitely it.

                So... is there any security issue with allowing ICMP from any IP?

                Also, is there a way to make pfSense make it appear that the ICMP packets are coming from the local subnet?

stephenw10 (Netgate Administrator):

                  I would say the security risk of allowing pings from any network is minimal. All those machines are behind your pfSense firewall so only pings that you had forwarded deliberately could ever get through from the public internet. I'm not too familiar with the Windows firewall but could you not just add a rule to allow pings from the other local subnet? Or add that subnet as a local network?

                  You could set pfSense to NAT between the two VLANs, that would make everything appear local. However it would probably introduce far more problems than it solved, I wouldn't do that.

                  Steve

johnpoz (LAYER 8, Global Moderator):

So how does the prize go to Steve? ;)

I was the one that said it's probably the local firewall:

"So could be the local firewalls on the machines."  Steve just explained to you why.

You do know you can set up the local firewall to allow ping just from its local subnet and that other VLAN; you don't have to allow it for anything. If that makes you feel more secure..

[Screenshot: firewallrule.png]

ElectroPulse:
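What Steve and johnpoz describe, as an added example that is not part of the thread: a PowerShell script, run in an elevated prompt on the ping target, that first shows why same-subnet pings work (the built-in ICMPv4 echo-request rules are scoped to LocalSubnet) and then adds one narrowly scoped allow rule for ICMPv4 type 8 from the two VLANs instead of opening ping to "Any IP address". The subnet ranges 192.168.20.0/24 and 192.168.21.0/24 for VLANs 20 and 21, the rule name, and the 192.168.20.50 test target are assumptions, not values from the original post.

```powershell
# Added example (not from the thread). Run as Administrator on the host being pinged.
# Assumed addressing (adjust to your network): VLAN 20 = 192.168.20.0/24, VLAN 21 = 192.168.21.0/24.
$AllowedSubnets = @('192.168.20.0/24', '192.168.21.0/24')          # assumed VLAN 20 and 21 ranges
$RuleName       = 'Allow ICMPv4 Echo Request from VLAN 20 and 21'  # hypothetical rule name

# 1. Why cross-VLAN ping failed: the built-in inbound echo-request rules carry a
#    RemoteAddress scope of LocalSubnet, so a source in another subnet is dropped
#    even when the rule is enabled. Print name, profile, state and scope.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like '*Echo Request*ICMPv4-In*' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Add a rule that allows only ICMPv4 type 8 (echo request) from the two VLAN
#    subnets. Leaving the built-in rule at LocalSubnet keeps same-subnet ping
#    working; this rule adds the other VLAN without widening scope to Any.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Echo request allowed only from VLAN 20 and VLAN 21 (added example)' `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $AllowedSubnets `
        -Profile Any | Out-Null
}

# 3. Verify the scope that actually got applied to the new rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# 4. From a host on the other VLAN, confirm the reply now arrives (assumed target address):
#    Test-NetConnection -ComputerName 192.168.20.50 | Select-Object PingSucceeded
```

Scoping the rule to the two VLAN subnets rather than "Any IP address" does what johnpoz suggests: hosts in VLAN 30, 40 or 50, which the pfSense rules are meant to keep separated, still get no echo reply even if a pfSense rule is later loosened by mistake. If the script's step 1 shows the built-in rule disabled on the active profile, ping fails regardless of scope and the new rule is what makes it work at all.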

                      Thanks for the replies!

                      Ok, was just curious if there was any sort of security issue with it. In that case, I may just allow from any IP so that in the future if I am running some tests from another VLAN I don't have to change the firewall settings again (or choose the range 192.168.0.0-192.168.255.254 or something like that).

@Johnpoz: Fine then, you both get the prize ;) Previously I hadn't realized Windows Firewall was allowing it JUST from the local network, and thought you meant blocking ICMP entirely.

johnpoz (LAYER 8, Global Moderator):

Well now I feel as if you're just throwing me a bone ;) with that fine statement – hehehe

As to security -- I personally have no issue with ping being allowed, and I even allow my public IP to answer ping. Allowing it on your internal network should not be an issue at all.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.