2 networks seeing each other
-
Hi guys,
I have my pfSense inside my home network, and I would like to be able to access the pfSense network from my home network, of which the IP range starts at .1.64 (my pfSense starts at a much lower range). So yeah, how do I go about getting the two to talk, please?
Thanks in advance,
Ross
-
Not much to go on, a picture of your network or screenshot of interface and rules would help.
Is your WAN port of the pfSense box connected to a switch connected to your .1.64 network?
What tests have you done, "home network" to "pfSense network", "pfsense to home network", what works, what doesn't?
NAT enabled, disabled?
You've verified physical connectivity? Can you ping from the pfSense box to anything on your home network?
Can you ping from the pfSense box to something on the pfSense network?
By default, the WAN port of the pfSense box is set to block all inbound traffic, so anything coming into the WAN gets dropped.
By default, anything on the LAN port is pass all, so anything coming into the LAN port will get forwarded out the WAN.
-
@mer:
Not much to go on, a picture of your network or screenshot of interface and rules would help.
–---------------------------------------------------------------------------
Is your WAN port of the pfSense box connected to a switch connected to your .1.64 network?
Yes.
–---------------------------------------------------------------------------
What tests have you done, "home network" to "pfSense network", "pfsense to home network", what works, what doesn't?
"home network" to "pfSense network" - Home network CANNOT get to the pfSense network. However it can obviously get to it with ethernet connected to my laptop's ethernet port coming out the LAN port of the NIC.
"pfsense to home network" - pfSense CAN get to home network. Tested with ping on Ubuntu VM inside ESXi.
–---------------------------------------------------------------------------
NAT enabled, disabled?
These are the only NAT rules I currently have in place which are auto-rules anyway.
–---------------------------------------------------------------------------
You've verified physical connectivity? Can you ping from the pfSense box to anything on your home network?
Yep. See above.
–---------------------------------------------------------------------------
Can you ping from the pfSense box to something on the pfSense network?
Yes. Tested with two Ubuntu VMs.
-
You are intending to NAT your 192.168.2.0/24 network behind the pfSense box, yes? Just double checking.
What rules are on your WAN interface? Are you port forwarding anything? Do you intend to?
Basically you are seeing the default behaviour of pfSense: allow anything on LAN to pass out WAN, block everything trying to come in WAN UNLESS it's a response to outbound traffic.
If you want to originate traffic from 192.168.1.0/24 destined for 192.168.2.0/24 you have to add to your WAN rules. As a test you could add a pass from any to any rule on WAN that would let you get to 192.168.2.0/24 to verify connectivity, but if you actually want to use the pfSense box to do NAT and firewall you will have to make a decision on what you want to allow originating from 192.168.1.0/24.
-
@mer:
You are intending to NAT your 192.168.2.0/24 network behind the pfSense box, yes? Just double checking.
What rules are on your WAN interface? Are you port forwarding anything? Do you intend to?
Basically you are seeing the default behaviour of pfSense: allow anything on LAN to pass out WAN, block everything trying to come in WAN UNLESS it's a response to outbound traffic.
If you want to originate traffic from 192.168.1.0/24 destined for 192.168.2.0/24 you have to add to your WAN rules. As a test you could add a pass from any to any rule on WAN that would let you get to 192.168.2.0/24 to verify connectivity, but if you actually want to use the pfSense box to do NAT and firewall you will have to make a decision on what you want to allow originating from 192.168.1.0/24.
Ok, I've just added this rule to the WAN interface, but I'm still unable to ping between two VMs on the different networks?
-
Ping is not TCP; ping is ICMP protocol. Simply for testing see what happens if you change the proto column from IPV4 TCP to any; you wouldn't want to leave it like that but it proves out connectivity.
One thing I like to do with a network is take a blank sheet of paper and a pencil and start drawing things out. Draw a box for your pfSense, label one side WAN the other LAN. Draw in switches and other machines, lines to draw connectivity. Write down addresses on each interface. Now "walk" through the network: pretend you are standing on an interface, looking into the box or out of the box. Start with a default block everything, then think about what you want to allow, write it down. That helps formulate the rules.
-
That "default" allow "any" rule is neither default, nor "any", as noted above, and additionally putting something like that on LAN is completely useless if the traffic comes from WAN. Read the wiki docs. Plus, if you really intend to allow all traffic from WAN (as your description implies), you may as well completely turn off the packet filter and not bother with firewall rules configuration. WTH.
-
@mer:
Ping is not TCP; ping is ICMP protocol. Simply for testing see what happens if you change the proto column from IPV4 TCP to any; you wouldn't want to leave it like that but it proves out connectivity.
One thing I like to do with a network is take a blank sheet of paper and a pencil and start drawing things out. Draw a box for your pfSense, label one side WAN the other LAN. Draw in switches and other machines, lines to draw connectivity. Write down addresses on each interface. Now "walk" through the network: pretend you are standing on an interface, looking into the box or out of the box. Start with a default block everything, then think about what you want to allow, write it down. That helps formulate the rules.
Pinging from .1.137 to .2.11 isn't getting anything with that rule altered :-\
That "default" allow "any" rule is neither default, nor "any", as noted above, and additionally putting something like that on LAN is completely useless if the traffic comes from WAN. Read the wiki docs. Plus, if you really intend to allow all traffic from WAN (as your description implies), you may as well completely turn off the packet filter and not bother with firewall rules configuration. WTH.
I'm not intending anything at the moment, I'm just trying to understand basic principles and have yet to get a rule working as I would expect it to.
I very much appreciate everyone's help so far.
-
You have 2 network segments you are trying to route between, so if you turn off NAT and filtering on the pfSense box, you need to modify route tables on your 192.168.1.0/24 machine you are sourcing ping from. If you leave filtering and NAT on, you need to start thinking about port forwarding.
You say this:
"I'm not intending anything at the moment, I'm just trying to understand basic principles and have yet to get a rule working as I would expect it to"
You need to think about what you want it to do before you can start thinking about getting rules working. (Basically what I meant by drawing it out.)
pfSense is a stateful packet filtering firewall. There's a lot implied by that statement. If you don't add any rules, out of the box anything sourced from the LAN port will be allowed and will go out the WAN port (NATted), but anything sourced from the WAN side will be dropped unless it is a response to LAN-sourced traffic. If you set up an HTTP server on your 192.168.1.0/24 network (WAN) and then point a browser at it from your LAN (192.168.2.0/24) it should just work. The 192.168.1.x host will see packets sourced from the pfSense WAN address, so return traffic will go to that, but the pfSense box will see it as return traffic for the original request.
-
@mer:
You have 2 network segments you are trying to route between, so if you turn off NAT and filtering on the pfSense box, you need to modify route tables on your 192.168.1.0/24 machine you are sourcing ping from. If you leave filtering and NAT on, you need to start thinking about port forwarding.
You say this:
"I'm not intending anything at the moment, I'm just trying to understand basic principles and have yet to get a rule working as I would expect it to"
You need to think about what you want it to do before you can start thinking about getting rules working. (Basically what I meant by drawing it out.)
pfSense is a stateful packet filtering firewall. There's a lot implied by that statement. If you don't add any rules, out of the box anything sourced from the LAN port will be allowed and will go out the WAN port (NATted), but anything sourced from the WAN side will be dropped unless it is a response to LAN-sourced traffic. If you set up an HTTP server on your 192.168.1.0/24 network (WAN) and then point a browser at it from your LAN (192.168.2.0/24) it should just work. The 192.168.1.x host will see packets sourced from the pfSense WAN address, so return traffic will go to that, but the pfSense box will see it as return traffic for the original request.
Well let's say I just wanted to be able to access samba shares between the two networks? How would I go about that?
-
You would pass the necessary traffic on the originating interface (the one initially receiving the connection request, thus allowing the traffic into the firewall) to the appropriate destinations.
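-
The stateful-filter behaviour mer describes (LAN passes anything and creates state, WAN drops anything that is not a reply, a TCP-only WAN rule never matching ping) and the closing advice to pass the needed traffic on the originating interface, modelled as a small runnable toy. This is an added example, not code from the thread or from pfSense itself: the interface names, the pfSense WAN address 192.168.1.200, the file server at 192.168.2.11 and every packet are constructed for illustration. It models filtering and NAT only; for a 192.168.1.x host's packets to arrive on the pfSense WAN interface at all, that host (or the home router) also needs a route for 192.168.2.0/24 via the pfSense WAN address, or the traffic has to be aimed at the WAN address and port-forwarded.

```python
"""Toy model of a pfSense-style stateful filter with outbound NAT (added example).

WAN faces the home network 192.168.1.0/24, LAN is the pfSense network 192.168.2.0/24.
A packet arriving on an interface is admitted if it matches an existing state entry
(it is a reply) or if a pass rule on that interface matches it; a pass records the
reply it expects. Routing is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

WAN, LAN = "wan", "lan"
WAN_IP = "192.168.1.200"            # assumed pfSense WAN address
HOME_NET = "192.168.1.0/24"
PF_NET = "192.168.2.0/24"


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrives on
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                  # 0 for icmp
    dport: int = 0


@dataclass
class Rule:
    iface: str
    proto: str                      # "any" matches every protocol (the GUI's "any")
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None: any destination port

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class Firewall:
    rules: list[Rule] = field(default_factory=list)
    states: set = field(default_factory=set)

    def inbound(self, p: Packet) -> str:
        """Return 'pass', 'pass (state)' or 'block' for a packet entering an interface."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.states:
            return "pass (state)"             # reply to something passed earlier
        if not any(r.matches(p) for r in self.rules):
            return "block"                    # no pass rule on this interface: dropped
        if p.iface == LAN and ip_address(p.dst) not in ip_network(PF_NET):
            # Outbound NAT: the far side sees the WAN address and answers it.
            self.states.add((p.proto, p.dst, p.dport, WAN_IP, p.sport))
        else:
            self.states.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "pass"


def default_firewall() -> Firewall:
    """pfSense out of the box: LAN passes anything from the LAN net, WAN has no pass rules."""
    return Firewall(rules=[Rule(LAN, "any", src_net=PF_NET)])


def scenario_default() -> dict:
    """Default rules: home host cannot reach the pfSense network, LAN-originated HTTP works."""
    fw = default_firewall()
    return {
        "home_ping_pfnet": fw.inbound(Packet(WAN, "icmp", "192.168.1.137", "192.168.2.11")),
        "lan_http_out": fw.inbound(Packet(LAN, "tcp", "192.168.2.11", "192.168.1.137", 40000, 80)),
        "http_reply": fw.inbound(Packet(WAN, "tcp", "192.168.1.137", WAN_IP, 80, 40000)),
    }


def scenario_wan_rules() -> dict:
    """The thread's WAN rule attempts: TCP only, then 'any', then a scoped ruleset."""
    ping = Packet(WAN, "icmp", "192.168.1.137", "192.168.2.11")
    smb = Packet(WAN, "tcp", "192.168.1.137", "192.168.2.11", 50000, 445)
    rdp = Packet(WAN, "tcp", "192.168.1.137", "192.168.2.11", 50001, 3389)
    out = {}
    fw = default_firewall()                       # first attempt: proto IPv4 TCP
    fw.rules.append(Rule(WAN, "tcp", HOME_NET, PF_NET))
    out["ping_with_tcp_rule"] = fw.inbound(ping)  # ICMP is not TCP, so no match
    fw = default_firewall()                       # the any-to-any test rule
    fw.rules.append(Rule(WAN, "any", HOME_NET, PF_NET))
    out["ping_with_any_rule"] = fw.inbound(ping)
    fw = default_firewall()                       # what you would actually keep
    fw.rules.append(Rule(WAN, "icmp", HOME_NET, PF_NET))
    fw.rules.append(Rule(WAN, "tcp", HOME_NET, "192.168.2.11/32", dport=445))  # SMB to file server
    out["ping_scoped"] = fw.inbound(ping)
    out["smb_scoped"] = fw.inbound(smb)
    out["rdp_scoped"] = fw.inbound(rdp)           # not passed: still dropped
    return out


if __name__ == "__main__":
    for name, res in (("default", scenario_default()), ("wan rules", scenario_wan_rules())):
        print(name)
        for k, v in res.items():
            print(f"  {k:20} {v}")
```

Run it directly to print both scenario tables. The last three cases are the point of the final answer in the thread: with an ICMP rule plus a TCP/445 rule to the file server on the WAN interface, ping and SMB from the home network pass while anything else to that host (RDP here) is still dropped, which an any-to-any test rule would not give you.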