Firewall Blocking Traffic between the LAN interfaces
-
basically I want to reach to Guest Network Router for ICMP and Port 161 from LAN, i have been playing with the rules and I tried both with specific gateway and default it doesn't work.
Firewall rules on prod lan and guest lan are per the attached screenshots.I have ran the tracert it passes out from prod gateway but then RTO.
Tracing route to 172.19.x.x over a maximum of 30 hops
1 2 ms 1 ms 1 ms gateway.domain.com [172.17.17.1]
2 * * * Request timed out. [ I expect to see gateway for guest here]
3 * * * Request timed out. [and guest router here]I have no issues reaching to the guest router from guest network.
:-\
-
Post up your rules!! And post up your routing table from pfsense..
You do not have gateways set on your lan interfaces do you??
"Guest Network Router"
So you have downstream L3 networks?? Behind a nat or not? at that this guest network router?
Draw up this network would be the very simple thing to do..
-
I have attached the network diagram and pm you the rules and state table
-
what is the mask on the lan and guestlan? And there is no routers only AP..
Don't see any PM? And don't really need to see the state table..
-
I saw your emails and answered.. .You can not route to networks, that are your local network.. And AP don't route - if that is a wifi router, are you doing natting on it? if your connecting to downstream networks you really need to use a transit network.. Are these other networks 172.17.23/24 and 172.18.23/24 wifi networks??
You have a 172.17/16 and your trying to route to a 172.17.23.0/24 network???
Just so your clear - there is no reason ever to hide rfc1918 address space.. So not sure why you can not post up those routes here? And your rules, was not able to download it - there is no .ext on the file.. Its not a jpg.. So what type of file is it? Oh its just a text… Dude just post up your rules like the attached are some rules from some my different segments
You will notice for example I let my wlan talk to 1 IP on my lan for madsonic, and also allow it to talk to my ntp servers that are my my lan via ipv4 and ipv6.
-
Thanks mate, i will try to update the guest network to a different network and hopefully that will resolve the issue. btw, can you provide me some docs on pfsense rule understanding when multiple gateway or gateway groups are in use.
Thanks
Nav -
Hi John,
I am routing from 172.17.17.x/16 to 172.19.23.x/24. These are 2 different networks. So … why would pfsense won't route between these 2 different network.
Regards,
Nav -
Dude where are these networks you think you have?? An Access Point does not route…. AP are Layer 2 devices! They bridge 802.11 to 802.3 What device is that AP you list in your drawing??
I also have to question why you would think you need a /16 network in the first place?? Do you have some 65 thousands devices that are going to be on this same layer 2 network??
If your going to route to these remote networks, you really should use a transit network - or you going to have a asynchronous routing problem.
So is it a AP, and these networks on are SSIDs and should be vlans?? Or is that some actual wifi router that you turned off its nat?? If your going to nat, you have no need to route. How exactly do you have it connected to your network if it is some wifi router, did you try and turn it into an AP??
If your going to have downstream networks attached to a different router then you need a transit network, if your going to have hosts on your opt network talking to these other networks?? Or your going to run into asynchronous routing issues..
Here see some examples - this would be with a downstream wifi router providing other networks.. You would want NAT off if going to be setup like this.. 2nd pic is how you would do it with AP and vlans for wifi networks on different ssids. Normally your AP in the 2nd pic would have an IP in that management or native network.. In my example say 172.17.18.2 or .3 like you want to use.
So which is it do you actually have a downstream router, with wifi?? Or are you wanting to have multiple wifi networks that would be vlans??
-
Hi mate,
There are no downstream routers on guest network but we do have access points. It's (172.19.23.3) a dd-wrt router which is configured in bridged Access point mode with wan/router function disabled. Pfsense is handing out DHCP addresses to guest clients/devices which connects via wifi AP (the dd-wrt router). It doesn't do any nat or routing stuff just provides wireless access while acting as dhcp relay. The dhcp address range excludes access points ip addresses. The access points are turned on and servicing the clients.
I don't require 65k addresses but that's how I inherited the network and devices.
does this help to visualize the network?
-
Ok then… That would be a typical wifi network or even wired on a leg in pfsense.. So why are are you asking about routing to these
I am routing from 172.17.17.x/16 to 172.19.23.x/24.
If all your talking about is networks directly attached to pfsense there is NO extra routing needed. There would be no gateways... Pfsense as a router knows what networks are attached to it..
So for example see all the networks I have connected to pfsense 192.168.9/24, 192.168.2/24, 192.168.3/24 etc.. Notice there is gateways to get there!! Since they are directly connected!!! Pfsense knows how to get to these networks, since it is directly attached to it..
So just create the firewall rules you want to allow between your networks on pfsense.. Remove all your gateways and routes to anything on your local side.. But again if your going to point to a GATEWAY in your rules then the rules that allow access between your local networks has to be above any rules that point traffic out your internet gateways...
Please post up your rules... After you have removed any extra routing or gateways to get to this network that is attached to pfsense.
So 2nd pic - I added a rule that sends all my traffic out my vpngateway.. So before that you notice I can ping my wlan network on 192.168.2/11 But if I have a lan rule that says hey GO here... Then how do I get to that network... Since as you can see from trace route it sends through that gateway..
Ok now look at pic 3, I create a rule that says I can ping wlan net before I route out a gateway.. So I can ping it, but if I try to go to the internet it goes OUT that gateway (vpn in my case)
-
kindly check the attached rules on lan and guest interface. I am still not able to reach guest ap from lan but i can from guest.
-
dude where in the hell is 172.18 ???? That is out some wan network?? So your natting to this? If its directly attached to pfsense why would you have a gateway on it… Do you use this network to get to the internet or other networks? If you just use it get to the internet why would you need a specific rule for it?? I take it this is some failover wan connection.. both wan connections can get to this 172.18.23/24 network???
Where is that in your drawing????? you have 2 networks 172.19.23/24 guestwlan and 172.17/16 prodlan
Your rules make NO sense at all... How is 172.18 a source on your lan network??? When your lan network is 172.17/16?
So you can get to your AP from its own network, but not from your lan... Does your AP have a gateway setup pointing to 172.17.23.1 ?? Quite often AP do not have gateways set, especially converted wifi routers, their lan interfaces don't normally have a gateway option even. Without a gateway on the AP to tell it how to get off its own network, you can only talk to it from its own network. If you can not set a gateway on the device and you want to get to it from your lan, then you would have to nat to that network so your traffic from 172.17/16 looks like its coming from pfsense 172.19.23.1 IP..
-
i also thought about the default gateway missing on AP but i can't even ping a windows 7 pc in guest network which has the correct gateway.
-
windows 7 machines by default firewall would block ping from network that is not local.
On a side note - pointing to anything other then your local dns, even 2nd or 3rd dns is going to bring you problems in resolving local stuff. Since googledns sure and the hell does not know anything about your local network.. And you can never be sure what dns a windows machine will use or latch on too. Also if your windows machines are part of a AD, then they really should only point to your AD dns..
Seems like whoever setup this network before you, left you a real mess ;)
-
phew…. i disabled the firewall and i was able to ping. Looks like those dd-wrt devices won't be reachable via lan as they don't have a gateway. Thanks a ton mate for helping on this.
-
No problem.. pretty sure if your running dd-wrt on those APs you would be able to set a gateway. Or you could always nat to get to them from your other network.
Have not used dd-wrt in quite some time… But like 99% sure they supported putting a gateway on the lan interface..
edit: Yup found an emulator so could see the screens, yup they can set a gateway
Also still confused on your whole fowan (dual wan setup) but with the rules on your guest wlan not pointing to to your failover group, not sure what would happen if your default wan went down for their internet access
-
i followed this but still no go https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point
-
D dfinjr referenced this topic on
