Seeing Computers between two LANs

Jharris1984

Hi there,

I've got a pfsense box with two LANs running off seperate NIC cards (LAN1 - 10.194.50.1 and LAN2 - 10.194.50.2) and each is running it's own network through my home.  I have a need to be able to move files between computers that are on the different LANs.  In searching around it sounded like I needed to setup a route between them but it's a new process to me.

Would anyone be able to explain how I would go about this?

Just in case it comes up in a question my network looks like this -

Modem
                                          PfSense with 2 NICs
                      LAN1(10.194.50.1)    LAN2(10.194.51.1)
                      Storage Server              Computer

I'd like to be able to move files back and forth between the storage server and computer.  I also don't have a managed switch - each NIC is using it's own switch and router for WIFI.

Thanks in advance.

KOM

You shouldn't have to manually create a route for this to work.  By default, the first LAN should have an Allow Any firewall rule that should allow you to talk to anywhere, including the other LAN.  All subsequent OPTx LANs must have a firewall rule manually added to allow to talk anywhere.

Jharris1984

Hi KOM, thanks for your reply.  I believe I have my rules right.  I screenshotted them and added them below.  I've also got my firewalls disabled on the computers.  When I click network it only shows computers on that specific LAN and none of the others.

I also am unable to ping the other computers on the 50 LAN from the 51 LAN and vice versa.

Derelict

You need to bypass policy routing.

I get that you are routing LAN2 out the VPN but I don't know why you're setting WAN_DHCP as a gateway on LAN.

Make WAN_DHCP gateway the default gateway and set that rule to use the default gateway. That will fix LAN to LAN2 traffic.

To fix LAN2 to LAN put a rule above the one that policy routes to the VPN that passes all traffic source LAN2 net dest LAN net gateway default.

Jharris1984

Derelict,

Thanks for your reply.  I think I've followed your instructions.  I'm able to ping from the 50 network to the 51 network without any issues now.  I am unable to ping from the 51 to the 50 network however.  I've updated the screenshots of the changes I made if you can take a look at them to see if I did it right.

Also I added the network location screenshot - ideally I'm hoping to be able to see the computers there, once I get the settings right will I be able to see them there?

Thanks again.

Derelict

Your rule on the LAN2 network is TCP-only. Change it to protocol any and you'll be able to ping.

With the rule as it is you could connect to a web server (TCP/80, TCP/443), but ping is protocol ICMP, not TCP.

Thanks for posting solid screen shots. Makes things so much easier to diagnose.

Yeah, network discovery is a more difficult task across routers, since basic discovery methods rely on broadcasts, which don't cross routers. I know the avahi package can help with zeroconf/mDNS/bonjour. Not sure about Windows sharing. Anyone?

In the meantime you can set up host overrides in DNS resolver so you can connect to \hostname\share. Your recent history might be enough to make it easy to work with. That or just \1.2.3.4\share

That should work.

Jharris1984

Ok perfect so I am now able to ping back and forth between both networks.  Thank you so much!  By any chance would you happen to know how I can get the shared file structure of each computer to show up under that network screenshot?  Or any other viable way I can get at the shared folders.

Derelict

Have to defer to windows dudes for that. Microsoft didn't make it easy if you're not running a domain controller.

johnpoz

" I can get the shared file structure of each computer to show up under that network screenshot?"

You want to have your network populated with machines in different networks?  For that to happen you need to run wins, because windows populates that browse list by broadcasting and having a network browser master that maintains the list on every subnet.

Wins has be deprecated by MS for quite some time.. Everything is dns based now with AD..  As long as your firewall rules allow the traffic you want to allow you can access any machine windows shares just fine via its fqdn that you have setup to resolve on your network or its IP address..

But since your devices are on 2 different broadcast domains, no you can not broadcast for the name of the computer or expect them to show up in windows network list.

Pippin

pfSense have Samba?

Samba can act as a WINS server:

Add under [global] in smb.conf:

wins support = yes
name resolve order = wins lmhosts hosts bcast

Note:
Can also work for OpenVPN.

johnpoz

no pfsense does not have samba ;)

Jharris1984

I ended up getting it to work… kinda.  After I was able to ping them I was able to type 10.194.50.201 into the address bar on the network screen and map static drives for the ones I needed.  Wouldn't work out in a large scenario but I just need to see the one computer.

Thanks again, I should be all done with this thread.

Derelict

In the meantime you can set up host overrides in DNS resolver so you can connect to \hostname\share. Your recent history might be enough to make it easy to work with. That or just \1.2.3.4\share

DNS resolver host overrides work great on smaller networks. MS really needs to build in AD lite for home networks. IPv6 makes it much harder to "just use IP addresses."