Trying to create two subnets in VMware - what firewall rules?
-
You allow TCP, try ICMP (ping) and wonder why it's blocked?
-
OK, good catch, but still not working. I changed LAB2 rules to:
If I ping from LAB2 to LAB1, I get a ping timeout.
-
Did you flush the states or reboot?
-
Did you flush the states or reboot?
When I added the virtual NICs in VMware, I rebooted the pfSense VM because it had two new NICs in it. When I changed the TCP rule to allow all protocols I didn't reboot or flush the states. I have now flushed the states, but I still can't ping either the LAB2 interface on pfSense, or a machine in the LAB1 subnet. I would rather not reboot the pfSense VM because people are using it.
-
You will need a rule to allow source LAB2net destination LAB2address to allow you to ping the LAB2 address from a LAB2 client. You could just make that ICMP. If you make that protocol all then it will have access to the pfSense webGUI also (so it depends on your requirements).
But the LAB2 to LAB1 rule on the LAB2 interface should be good to go - I would check the LAB1 system (is it Windows, which may not reply to ping from outside its own subnet?), and do some packet capture to see where your ping/echo request and reply appear. -
Phil
Does it matter if the destination is address or net? I changed it to address like so:
On the machine (Windows Server 2012) in LAB2 subnet, I ran the following:
-
Yes, of course there is a huge difference between "address" and "net". Otherwise:
There. Your ping problems solved. Nothing more needed and nothing useful achieved by blocking ICMP. Now, you can turn off firewall on the Windows boxes and ping again. After that, you could perhaps try some better tests than ping.
-
You want destination LAB1net (the whole of the LAB1 subnet), or do what doktornoktor illustrates and allow ICMP for anything.
Your Windows Server "ipconfig /all" has no default gateway set - that is going to really stuff you up getting anywhere outside the subnet. -
OK guys, thanks for your patience. I'm not a networking professional. I did find a clanger of a mistake. The LAB1 and LAB2 interfaces were on /32 networks. I've changed those to /24 and rebooted the pfSense box.
So, this is what my LAB2 interface looks like in pfSense.
I added the default gateway to the interface on my Windows box in LAB2 subnet to be 10.0.2.4 (is that right?). Windows firewalls off. I then try and ping the pfSense interface and the machine in LAB1:
So, success now pinging the pfSense interface on LAB2 subnet, but it can't route traffic to LAB1 subnet. Any more ideas, and thanks for the great replies!
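The three things diagnosed in this thread (a TCP-only rule blocking ICMP, a destination of "address" where "net" was needed, and interfaces configured as /32 so clients were never on-link) can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense; apart from 10.0.2.4 (the gateway the poster chose), the 10.0.1.0/24 and 10.0.2.0/24 ranges, the LAB1 interface address and the client addresses are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing. Only 10.0.2.4 appears in the thread; the rest is assumed.
LAB1_NET = ipaddress.ip_network("10.0.1.0/24")
LAB2_NET = ipaddress.ip_network("10.0.2.0/24")
LAB1_IF = ipaddress.ip_address("10.0.1.4")   # assumed pfSense address on the LAB1 interface
LAB2_IF = ipaddress.ip_address("10.0.2.4")   # pfSense LAB2 interface, used as the clients' gateway


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "icmp", "tcp", "udp" or "any"
    src: ipaddress.IPv4Network   # source match (a net, or a /32 for a single address)
    dst: ipaddress.IPv4Network   # destination match


def single(addr):
    """A pfSense 'address' target: a /32 that contains only that one host."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(rules, proto, src, dst, default="block"):
    """First matching rule wins, as on an interface's inbound rule set; no match -> default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s in r.src and d in r.dst:
            return r.action
    return default


# LAB2 rule set as first described: TCP only, destination set to the LAB1 *address*.
rules_v1 = [Rule("pass", "tcp", LAB2_NET, single(LAB1_IF))]

# Corrected LAB2 rule set: ICMP to the LAB2 interface itself, any protocol to the whole LAB1 *net*.
rules_v2 = [
    Rule("pass", "icmp", LAB2_NET, single(LAB2_IF)),
    Rule("pass", "any", LAB2_NET, LAB1_NET),
]


def client_is_onlink(interface_ip, prefixlen, client_ip):
    """True when the client falls inside the interface's subnet; a /32 contains only the interface."""
    net = ipaddress.ip_interface(f"{interface_ip}/{prefixlen}").network
    return ipaddress.ip_address(client_ip) in net


if __name__ == "__main__":
    # Ping from a LAB2 client to a LAB1 host under the original and corrected rules.
    print("v1 icmp LAB2->LAB1 host:", evaluate(rules_v1, "icmp", "10.0.2.10", "10.0.1.20"))
    print("v2 icmp LAB2->LAB1 host:", evaluate(rules_v2, "icmp", "10.0.2.10", "10.0.1.20"))
    # Interface on /32 versus /24: is 10.0.2.10 on-link with the LAB2 interface?
    print("/32 on-link:", client_is_onlink("10.0.2.4", 32, "10.0.2.10"))
    print("/24 on-link:", client_is_onlink("10.0.2.4", 24, "10.0.2.10"))
```

The evaluator only models the inbound rule set of the LAB2 interface; return traffic from LAB1 is handled by pfSense's state table, which is why a stale state (the "flush the states" question above) can keep a corrected rule from appearing to work.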
-
Well, go to machine on LAB1 and turn off the firewall there.
-
Firewalls are off. I rebooted pfSense again and now it's all working. ;D
Thanks so much for your patience and help. Much appreciated. Let me know your bitcoin address and I'll send you a beer.