Netgate Discussion Forum
    Networking across interfaces

    Routing and Multi WAN
    alear:

      Ok. I have been beating my head against the wall here.

      I have two NICs with their own subnets. Open firewall rules for both interfaces. I do deploy captive portal for both networks.

      Networks:
      WAN
      LAN
      WLAN-OPT1 interface

      I have some wireless devices that need to access a WIN Server on the LAN network for purposes of DHCP, DNS, ADDS, mappings, etc.

      I can ping the gateways from a host on either network but not vice versa. At times I can't ping either way. This happens if I am logged into the portal or not so the portal is not my issue. I have tried bridging the interfaces and that has not resolved the issue.

      I have tried several different firewall rules to no avail. My AP is directly connected to the OPT1 interface. My LAN has a Netgear hub that is basic but has some management features.

      This firewall is working well but this is the one issue I have not been able to resolve. Any help is appreciated, thanks.

    Derelict (Netgate):

        No idea why you would have captive portal enabled in such an environment.

        You generally have to pass access to DNS in the captive portal (Allowed IP address, Allowed host names).

        After that you need firewall rules passing traffic from each interface to the intended destinations.

        Note that unlike normal stateful firewalls, the captive portal mechanism will not allow return traffic from hosts unless they are passed through the other portal too.

        You REALLY need to get a good handle on both how pfSense rules operate and captive portal itself if you are going to have a prayer at making this work.

        https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

        https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    alear:

          I wished I had done this first.

          I just configured my repeater and I can access it from LAN and I can access my WAP too, so obviously the two interfaces are communicating correctly. So what else am I missing? I just don't see it I guess.

    Derelict (Netgate):

            If I were you I would turn off both captive portals.

            Then get the traffic you want to pass passed, and the traffic you want blocked blocked. Then and only then would I hassle captive portal. You need to understand both the firewalling and captive portals.


    alear:

              Ok, I see what you are saying. I have disabled both captive portals and now I can ping the opposite gateway from both networks. But I can't get past the gateway; I even applied a rule without results. Getting "Request time out". I was reading about DNS Forwarder, should I be using that instead of the resolver?

    Derelict (Netgate):

                Are you having a name resolution problem or a traffic flow problem? If you can resolve names, why do you want to change DNS?

                Are you being paid to set this up?


    alear:
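To turn Derelict's question (name resolution or traffic flow?) into something measurable, here is an added Python check that is not from the thread: it resolves the server's name and then probes the assumed Windows AD/DS service ports from the client network, so the two failure modes are told apart before any rule is touched. The hostname, the port list and the service labels are assumptions; the resolver and prober are injectable so the logic can be exercised offline.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed service ports for the Windows AD/DS server in the thread (adjust as needed).
PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB"}


@dataclass
class Diagnosis:
    host: str
    ip: Optional[str]
    reachable: Dict[int, bool] = field(default_factory=dict)

    def verdict(self) -> str:
        if self.ip is None:
            return "name-resolution"   # fix DNS / portal allowed hosts first
        if not any(self.reachable.values()):
            return "traffic-flow"      # resolves, nothing gets through: check rules
        if all(self.reachable.values()):
            return "ok"
        return "partial"               # some services pass, some are blocked


def resolve(host: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the IPv4 address for host, or None when resolution fails."""
    try:
        return resolver(host)
    except OSError:                    # socket.gaierror is a subclass of OSError
        return None


def tcp_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host: str, ports=PORTS, resolver=socket.gethostbyname,
             prober: Callable[[str, int], bool] = tcp_open) -> Diagnosis:
    """Resolve host, then probe each port; resolver and prober are injectable for offline use."""
    ip = resolve(host, resolver)
    d = Diagnosis(host, ip)
    if ip is not None:
        d.reachable = {p: prober(ip, p) for p in ports}
    return d
```

Run `diagnose("your-dc-hostname").verdict()` from a host on the wireless side; a "traffic-flow" verdict with a resolved IP means the rules on OPT1 are what to look at.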

                  No. It is resolving, so it is a traffic flow problem.

    Derelict (Netgate):

                    Then check your rules.

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting


    alear:

                      I was looking at the ARP table. Two of my servers have not resolved to a hostname, so I do have a DNS issue, thanks for pointing that out. Sometimes you just miss the simplest of things, ya know.
