Unable to ping LAN from OPT subnet
-
Just checked. Only WAN is set to block private network space but none of the interfaces are set to block private network space. Should I uncheck the WAN setting?
-
No, leave it as is. Do you have firewall rules in place that allow these subnets to talk to each other? By default, only LAN has WAN access and none of them can access each other. I assume that you added rules to allow each OPT (child1,2) interface to talk to WAN, but do you have rules so that LAN can talk to CHILDNET1 and vice versa?
-
Hmm… I thought I already did that. Isn't that what the attachments (LAN_Rules.png, CHILDNET1_Rules.png, CHILDNET2_Rules.png) show? Or am I missing something here?
-
No, I'm stupid. I forgot about them as they were above my browser window. I do this often when I'm bouncing between problems. Is it possible that the software firewall on 3.2 is blocking the pings? Some of your rules are strange. I would start off by removing all rules on LAN (except the antilockout rule), CHILD1 and CHILD2. Then add an Allow All to Any on all three interfaces. See if you can ping then. Once you have established connectivity, then you can start applying restriction rules.
-
Ah KOM! You're not the stupid one… I am the stupid one! Windows Firewall was the cause of my problems. #facepalm
I left the rules as they are in the pictures and I enabled packet capture on all servers and was able to determine that the packets were indeed getting to the right destination, only the destination was not responding! I turned off Windows Firewall and I was able to get responses to the pings. Thank you! :)
-
You still have some funny rules there but at least your main problem is solved.
-
I want to get this right. So, you say I should remove all rules eh?
-
KOM, I just did what you said. I deleted all rules on LAN (except for the anti-lockout rule), CHILDNET1 and CHILDNET2. Then I added an Allow Any to Any on all three interfaces. I am able to ping all servers and everything works just fine.
-
This is the key concept you need to grasp:
Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
See, for example, on CHILDNET1 where you have rules allowing traffic with sources FROM LAN net and CHILDNET2 Net? That's pretty much impossible. Rules on CHILDNET1 determine what traffic INTO the CHILDNET1 interface (from the CHILDNET1 network) is allowed. So if you want CHILDNET1 to be allowed access to the internet but not LAN or CHILDNET2 you would:
reject src CHILDNET1 net dest LAN net
reject src CHILDNET1 net dest CHILDNET2 net
pass src CHILDNET1 net dest any
It's pretty much impossible to have the CHILDNET1 interface receive traffic with a source address FROM LAN net or CHILDNET2 net unless you do some pretty specific things, the likes of which most here would say, "that's a broken config."
You don't have to worry about return traffic for the connections once the connection is let into pfSense. The stateful firewall handles all that.
-
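Added example (an editor's illustration, not a post from this thread and not pfSense's own code): a small Python model of the rule placement described in the post above. It evaluates a packet only against the rule list of the interface it entered on, top to bottom, first match wins, the way the pfSense interface tabs behave, and keeps a toy state table so the reply direction passes without a rule on the other interface. The subnets 192.168.1.0/24, 192.168.10.0/24 and 192.168.20.0/24 for LAN, CHILDNET1 and CHILDNET2 are assumed for the example; the thread never shows the real addressing, and the state table is keyed on source/destination address only, a simplification of pf's real per-connection state.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed topology for illustration; the thread never gives the real subnets.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "CHILDNET1": ipaddress.ip_network("192.168.10.0/24"),
    "CHILDNET2": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "reject"
    src: str     # "<IFACE> net" alias such as "LAN net", or "any"
    dst: str


def _alias_matches(alias: str, ip: str) -> bool:
    if alias == "any":
        return True
    return ipaddress.ip_address(ip) in NETS[alias.split()[0]]


def ingress_interface(src_ip: str) -> str:
    """Packets are filtered on the interface they enter pfSense from; for a
    host behind an internal interface that is the interface its subnet sits on."""
    for name, net in NETS.items():
        if ipaddress.ip_address(src_ip) in net:
            return name
    return "WAN"  # anything not in a local net arrived from the Internet side


def evaluate(rulesets: dict, src_ip: str, dst_ip: str, states: set | None = None) -> str:
    """Return "pass", "reject" or "default-deny" for one packet.

    Only the ingress interface's rule list is consulted, top to bottom,
    first match wins. If a state table is supplied, a passed connection is
    recorded so the reply direction is allowed with no rule lookup at all.
    (Simplification: real pf state is keyed on the full 5-tuple.)
    """
    if states is not None and (dst_ip, src_ip) in states:
        return "pass"  # reply to an established connection
    iface = ingress_interface(src_ip)
    for rule in rulesets.get(iface, []):
        if _alias_matches(rule.src, src_ip) and _alias_matches(rule.dst, dst_ip):
            if rule.action == "pass" and states is not None:
                states.add((src_ip, dst_ip))
            return rule.action
    return "default-deny"


# The kind of config the thread calls "strange": rules on CHILDNET1 whose source
# is another interface's network. Nothing entering on CHILDNET1 carries a LAN-net
# source address, so these rules never match anything.
STRANGE = {
    "LAN": [Rule("pass", "LAN net", "any")],
    "CHILDNET1": [Rule("pass", "LAN net", "CHILDNET1 net"),
                  Rule("pass", "CHILDNET2 net", "CHILDNET1 net")],
    "CHILDNET2": [Rule("pass", "CHILDNET2 net", "any")],
}

# The ruleset from the post: CHILDNET1 reaches the Internet but not LAN or CHILDNET2.
CORRECT = {
    "LAN": [Rule("pass", "LAN net", "any")],
    "CHILDNET1": [Rule("reject", "CHILDNET1 net", "LAN net"),
                  Rule("reject", "CHILDNET1 net", "CHILDNET2 net"),
                  Rule("pass", "CHILDNET1 net", "any")],
    "CHILDNET2": [Rule("pass", "CHILDNET2 net", "any")],
}


def demo() -> dict:
    states: set = set()
    return {
        # CHILDNET1 host to LAN under the strange config: ingress is CHILDNET1,
        # whose rules all want a LAN-net or CHILDNET2-net source, so nothing matches.
        "strange_child1_to_lan": evaluate(STRANGE, "192.168.10.5", "192.168.1.5"),
        # Rule order on CHILDNET1 under the corrected config.
        "correct_child1_to_lan": evaluate(CORRECT, "192.168.10.5", "192.168.1.5"),
        "correct_child1_to_child2": evaluate(CORRECT, "192.168.10.5", "192.168.20.5"),
        "correct_child1_to_internet": evaluate(CORRECT, "192.168.10.5", "8.8.8.8"),
        # LAN -> CHILDNET1 is decided on LAN; the reply needs no CHILDNET1 rule.
        "correct_lan_to_child1": evaluate(CORRECT, "192.168.1.5", "192.168.10.5", states),
        "reply_child1_to_lan": evaluate(CORRECT, "192.168.10.5", "192.168.1.5", states),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

Note the last two entries: the same CHILDNET1-to-LAN packet that is rejected as a new connection passes when it is the reply half of a connection LAN already opened, which is the stateful behaviour the post refers to.
-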
Oh! I see! Now it makes sense. Thanks for the clarification.