Netgate Discussion Forum

    2 lan routing issue

    • D
      deanot
      last edited by

      Uploaded some screen shots.

      PFSense System Specs.
      ----------------
      Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
      4 CPUs: 1 package(s) x 4 core(s) 4 port HP Branded Intel Ethernet Card

      • C
        cmb
        last edited by

        No, that's likely a client firewall not allowing pings sourced from off-subnet. Ping something with no local firewall on it in the same fashion, almost certainly works.

        The other possibility is the devices being static IP with the wrong subnet mask, like 192.168.1.x/16 rather than /24, so they won't route back to their gateway.

        • M
          mikeisfly
          last edited by

          What is the IP on your wan interface? Is it a private IP? Does it overlap your LAN IP? Why is your firewall's IP in the middle of your IP range?

          • D
            deanot
            last edited by

            The WAN is PPPoE, so dynamic.  Its range is well away from anything I have.

            No reason for the weird address of the router, this is temporary at this time, I will be implementing a new range at a later date.  At this time it should not affect the working of the router.

            I can understand the pings being blocked, but I can't access the webpage of the device on 192.168.1.232 either.

            • M
              mikeisfly
              last edited by

              Typically I have seen DSL modems act like NAT routers giving out private IP addresses. If you have the same network on two different interfaces then that would cause your issue. Simply changing the 192.168.1.0/24 network to 192.168.2.0/24 should fix the issue. Don't forget to adjust DHCP. Currently I don't think pfSense will warn you if you have overlapping IP ranges across interfaces but I could be wrong.

              • D
                deanot
                last edited by

                Yes, I am with you, but my modem is in bridge mode.  PFSense handles the PPPoE and is assigned an IP in the 184.13.x.x range.

                I put another device on my network, for testing purposes with an IP of 192.168.1.100, it is a Cisco smart switch.  Same thing, can't access the webpage or ping the device.

                The ARP table in PFSense populated with the IP of the unit, also has the other device which I plugged into the back of it also.

                So confused about this, I am not sure why it is acting this way…

                Was there anything in the images that looked out of place?  I have tried several times to make sure I followed instructions and that is what I ended up with.

                • D
                  deanot
                  last edited by

                  @cmb:

                  No that's likely a client firewall not allowing pings sourced from off-subnet. Ping something with no local firewall on it in the same fashion, almost certainly works.

                  The other possibility is the devices being static IP with the wrong subnet mask, like 192.168.1.x/16 rather than /24, so they won't route back to their gateway.

                  Most devices I have do not have the option to change the mask bits, but I thought most class C devices that operate in the range of 192.168.X.X only have limited mask bits, like 24 through 30?  I could be wrong, I am no network guru.. lol  So please let me know if this is incorrect.

                  Thanks

                  • M
                    mikeisfly
                    last edited by

                    Everything looks good to me. I know that your router is 192.168.0.35 but I'm seeing a 192.168.0.1 IP in your ARP table as well, do you know what that device is? So from what I can tell you can ping from the 192.168.1.1/24 interface to anything on your 192.168.0.0/24 network, but from any device on your network you cannot ping the 192.168.0.0/24 network. In your ARP table I see all your devices on the 192.168.1.0/24 network. What type of clients are you working with? If you are using Windows, what does the output of the ipconfig command look like? Maybe your DHCP configuration is not configured correctly and their gateway is assigned incorrectly. Your gateway should be 192.168.0.35. Do you have anything like OpenVPN set up or IPsec tunnels configured? If so, those routes may be preferred over the directly connected network. It is not clear to me the routing preference of pfSense. You would naturally think that directly connected networks would be preferred, but I can remember having IPsec tunnels enabled by accident and even though the tunnel was not up it was the preferred route, which was causing me issues.

                    • D
                      deanot
                      last edited by

                      My Windows 2008 server sits on 192.168.0.1 as of right now, that is the one you are seeing.  It handles my DHCP, which assigns clients on my 192.168.0.0/24 addresses, gateway information of 192.168.0.35 and DNS information.

                      From within PFSense, if I use the ping command or traceroute, I can select lan2 (192.168.1.0/24) and ping any device on my lan1 network (192.168.0.0/24) with successful replies.  Doing it the other way around yields failures, 100% packet loss.

                      So, traffic does pass 100% from Lan2 to Lan1, I can ping lan2's adapter from lan1, but no traffic passes from there on.

                      No, I have no VPNs set up at this time, no funky routing is in use for VPNs at this time either.  I did check to make sure, as I did at one time play with OpenVPN, but it is empty right now.

                      • M
                        mikeisfly
                        last edited by

                        You said your VPN info is empty but is it disabled? I believe my problem at one time was that it was enabled even though I believe I felt like I removed all info. This is a really interesting problem. Like you have said before this should be a fairly straightforward setup. If you look at the ARP table on your clients, do the entries for 192.168.0.35 match the actual MAC address of your firewall's interface?

                        • D
                          deanot
                          last edited by

                          I have my laptop on the 192.168.0.0/24 network, I can ping 192.168.1.1 from here, I checked the MAC with the physical MAC and they do match….

                          I can't find a way to make sure it is turned off, I checked through the 3 options under VPN and all are empty.

                          • D
                            deanot
                            last edited by

                            Here is something interesting, I just ran advanced IP scanner…..  It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges.

                            ARP table shows the MAC, so it would seem something is blocking something external to the PFSense box.....

                            Just moved the adapter address to 192.168.2.1, same thing, no MAC shown using advanced IP scanner.

                            I am going to swap out the port for another one on the same card tomorrow, will try that and report back.

                            • D
                              deanot
                              last edited by

                              I could not wait, I moved the port over to the spare, still not working….. something has to be blocking it.  I have no idea what it is.

                              • C
                                cmb
                                last edited by

                                Unless you added block floating rules, it's not possible for Diag>Ping traffic to be blocked, it's the device in question not replying to off-subnet traffic. Switch is probably a good one to troubleshoot with since it shouldn't have a local firewall of any sort, though verify that's the case. It's probably statically configured, make sure it has the correct 255.255.255.0 subnet mask, and has the gateway set to 192.168.1.1. And make sure you don't have anything conflicting on 192.168.1.1.

                                1 Reply Last reply Reply Quote 0
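The client-side causes cmb names in this thread (a /16 mask where /24 is intended, a missing or wrong gateway) and the overlapping-interface case mikeisfly raises can be checked offline from the addresses alone. This is an added example, not part of any post in the thread; the function names and the 192.168.0.50 LAN1 client address are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def reply_path(host_ip, mask, gateway, peer_ip, router_ip):
    """Classify how a host would send its reply to an off-subnet peer.

    Returns "ok", "mask-too-wide", "no-gateway" or "wrong-gateway".
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    peer = ipaddress.ip_address(peer_ip)
    if peer in iface.network:
        # The host believes the peer is a neighbour and ARPs for it on its
        # own segment instead of handing the reply to the router.
        return "mask-too-wide"
    if gateway is None:
        return "no-gateway"
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network or gw != ipaddress.ip_address(router_ip):
        # Gateway is unreachable on-link, or is not the router's interface.
        return "wrong-gateway"
    return "ok"

def overlapping(interfaces):
    """Return pairs of interface names whose configured networks overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]

# Constructed sample data built on the thread's addressing plan.
PEER = "192.168.0.50"        # assumed LAN1 client, not from the thread
ROUTER_LAN2 = "192.168.1.1"  # pfSense LAN2 interface address
HOSTS = [
    ("switch, correct",      "192.168.1.100", "255.255.255.0", "192.168.1.1"),
    ("device, /16 mask",     "192.168.1.232", "255.255.0.0",   "192.168.1.1"),
    ("switch, no gateway",   "192.168.1.100", "255.255.255.0", None),
    ("switch, LAN1 gateway", "192.168.1.100", "255.255.255.0", "192.168.0.35"),
]

if __name__ == "__main__":
    for label, ip, mask, gw in HOSTS:
        print(f"{label:22} -> {reply_path(ip, mask, gw, PEER, ROUTER_LAN2)}")
    print(overlapping({"lan1": "192.168.0.35/24", "lan2": "192.168.1.1/24"}))
    print(overlapping({"lan1": "192.168.0.35/24", "lan2": "192.168.1.1/16"}))
```

Every result other than "ok" produces the symptom reported in the thread: the request reaches the device, but its reply never goes back through the router.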
                                • D
                                  deanot
                                  last edited by

                                  I did run a program to check over all networks in question, just in case something was wild on my network, I am finding no devices flaring around that are not meant to be there, so no conflicts.  My switch is set for the right network, gateway is also set correctly.
                                  I am going to try as you suggested earlier and put a laptop on that network and see what happens with it.

                                  I appreciate all the help I am getting…. Thank you all!

                                  • D
                                    deanot
                                    last edited by

                                    I did a factory reset on the router this evening, now traffic is passing in both directions!  YAH…. Progress.  Obviously, there was some issue with the config file, what I do not know.

                                    There are hardly any rules on this fresh setup, the basic allow all to any rules on both networks are in place, as was before.  I am going to start feeding my old rules back in, one at a time and see what breaks it.

                                    Should be fun to do, seeing as I am going to read them off of the config file to put them back.. lol

                                    The only thing I can think of, is this router has had hardware changes and upgrades, the config originally came off of another unreliable router I had, possibly the reason for this?

                                    Anyway, got some work to do...

                                    • M
                                      mikeisfly
                                      last edited by

                                      congrats, keep us updated.

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        "It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges."

                                        Huh???

                                        Why are we talking about this…  This is 2 seconds to troubleshoot..

                                        This is your network??  See attached..  Are you plugging em0 and em1 into the same switch?  You have different switches?

                                        Can devices on each network ping pfsense IP in that network?  Is that IP of pfsense set as their default gateway?  You're saying device on network A can not ping device on B, but B can ping A?

                                        Why don't you sniff on pfsense and validate your traffic is sent to the client you're trying to get to..  Does that client answer back?  Your firewall rules for lan1 and lan2 look open..  So either you have client firewall blocking the traffic.  Or a wrong mask, or wrong gateway, etc..  Or you're trying to run different L3 over the same L2 and have some sort of async issue going on?

                                        So please state how these networks are connected to pfsense, and what devices are connected in each network.  And what the clients' settings are.. You mention another dhcp server - sure it's handing out the right gateway??

                                        This is quite often a local firewall issue.. Clients not allowing traffic from other than the local network.

                                        yournetwork.png

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        • D
                                          deanot
                                          last edited by

                                          Thanks for the reply, but I resolved the issues with a reload of pfsense.
