2 LAN routing issue
-
The WAN is PPPoE, so dynamic. Its range is well away from anything I have.
No reason for the weird address of the router, this is temporary at this time, I will be implementing a new range at a later date. At this time it should not affect the working of the router.
I can understand the pings being blocked, but I can't access the webpage of the device on 192.168.1.232 either.
-
Typically I have seen DSL modems act like NAT routers, giving out private IP addresses. If you have the same network on two different interfaces then that would cause your issue. Simply changing the 192.168.1.0/24 network to 192.168.2.0/24 should fix the issue. Don't forget to adjust DHCP. Currently I don't think pfsense will warn you if you have overlapping IP ranges across interfaces, but I could be wrong.
-
Yes, I am with you, but my modem is in bridge mode. PFSense handles the PPPoE and is assigned an IP in the 184.13.x.x range.
I put another device on my network, for testing purposes with an IP of 192.168.1.100, it is a Cisco smart switch. Same thing, can't access the webpage or ping the device.
The ARP table in PFSense populated with the IP of the unit, also has the other device which I plugged into the back of it also.
So confused about this, I am not sure why it is acting this way…
Was there anything in the images that looked out of place? I have tried several times to make sure I followed instructions and that is what I ended up with.
-
@cmb:
No that's likely a client firewall not allowing pings sourced from off-subnet. Ping something with no local firewall on it in the same fashion, almost certainly works.
The other possibility is the devices being static IP with the wrong subnet mask, like 192.168.1.x/16 rather than /24, so they won't route back to their gateway.
Most devices I have do not have the option to change the mask bits, but I thought most class C devices that operate in the range of 192.168.X.X only have limited mask bits, like 24 through 30? I could be wrong, I am no network guru.. lol So please let me know if this is incorrect.
Thanks
-
Everything looks good to me. I know that your router is 192.168.0.35, but I'm seeing a 192.168.0.1 IP in your ARP table as well; do you know what that device is? So from what I can tell you can ping from the 192.168.1.1/24 interface to anything on your 192.168.0.0/24 network, but from any device on your network you cannot ping the 192.168.0.0/24 network. In your ARP table I see all your devices on the 192.168.1.0/24 network. What type of clients are you working with? If you are using Windows, what does the output of the ipconfig command look like? Maybe your DHCP configuration is not configured correctly and their gateway is assigned incorrectly. Your gateway should be 192.168.0.35. Do you have anything like OpenVPN set up or IPsec tunnels configured? If so, those routes may be preferred over the directly connected network. It is not clear to me what the routing preference of PfSense is. You would naturally think that directly connected networks would be preferred, but I can remember having IPsec tunnels enabled by accident, and even though the tunnel was not up it was the preferred route, which was causing me issues.
-
My Windows 2008 server sits on 192.168.0.1 as of right now, that is the one you are seeing. It handles my DHCP, which assigns clients 192.168.0.0/24 addresses, gateway information of 192.168.0.35 and DNS information.
From within PFSense, if I use the ping command or traceroute, I can select lan2 (192.168.1.0/24) and ping any device on my lan1 network (192.168.0.0/24) with successful replies. Doing it the other way around yields failures, 100% packet loss.
So, traffic does pass 100% from Lan2 to Lan1, I can ping lan2's adapter from lan1, but no traffic passes from there on.
No, I have no VPNs set up at this time, no funky routing is in use for VPNs at this time either. I did check to make sure, as I did at one time play with OpenVPN, but it is empty right now.
-
You said your VPN info is empty, but is it disabled? I believe my problem at one time was that it was enabled even though I felt like I had removed all the info. This is a really interesting problem. Like you have said before, this should be a fairly straightforward setup. If you look at the ARP table on your clients, do the entries for 192.168.0.35 match the actual MAC address of your firewall's interface?
-
I have my laptop on the 192.168.0.0/24 network, I can ping 192.168.1.1 from here, I checked the MAC with the physical MAC and they do match….
I can't find a way to make sure it is turned off, I checked through the 3 options under VPN and all are empty.
-
Here is something interesting, I just ran advanced IP scanner….. It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges.
ARP table shows the MAC, so it would seem something is blocking something external to the PFSense box.....
Just moved the adapter address to 192.168.2.1, same thing, no MAC shown using advanced IP scanner.
I am going to swap out the port for another one on the same card tomorrow, will try that and report back.
-
I could not wait, I moved the port over to the spare, still not working….. something has to be blocking it. I have no idea what it is.
-
Unless you added block floating rules, it's not possible for Diag>Ping traffic to be blocked, it's the device in question not replying to off-subnet traffic. Switch is probably a good one to troubleshoot with since it shouldn't have a local firewall of any sort, though verify that's the case. It's probably statically configured, make sure it has the correct 255.255.255.0 subnet mask, and has the gateway set to 192.168.1.1. And make sure you don't have anything conflicting on 192.168.1.1.
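The three addressing mistakes raised in this thread (overlapping subnets on two firewall interfaces, a client mask that is too wide such as 192.168.1.x/16, and a gateway that is not on the client's subnet) can be checked offline before touching a switch. The following is an added example, not code from the thread or from pfSense; the interface addresses are the ones quoted in the posts, the client addresses are constructed samples, and the function names are my own.

```python
"""
Addressing sanity checks for a two-LAN firewall (added example).
Checks, in order:
  1. whether any two firewall interfaces share an overlapping subnet
     (the "same network on two interfaces" case),
  2. whether a client's own mask makes it treat a host on the OTHER LAN as
     on-link, so it ARPs for it instead of sending to the gateway
     (the 192.168.1.x/16 vs /24 case),
  3. whether the client's configured gateway is on the client's subnet at all.
"""
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample: the two firewall interfaces quoted in the thread.
FIREWALL_LANS = {
    "lan1": "192.168.0.35/24",
    "lan2": "192.168.1.1/24",
}


def overlapping_interfaces(lans: dict) -> list:
    """Return (name, name) pairs whose subnets overlap. pfSense may not warn about this."""
    names = list(lans)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = IPv4Interface(lans[a]).network
            net_b = IPv4Interface(lans[b]).network
            if net_a.overlaps(net_b):
                pairs.append((a, b))
    return pairs


def lan_for(addr, lans: dict):
    """Name of the firewall LAN that really contains addr, or None if no LAN does."""
    for name, cidr in lans.items():
        if IPv4Address(addr) in IPv4Interface(cidr).network:
            return name
    return None


def next_hop(client_if: str, dest: str) -> str:
    """'direct' if the client's mask makes dest look on-link (it will ARP for it),
    'gateway' if the client will hand the packet to its default gateway."""
    on_link = IPv4Address(dest) in IPv4Interface(client_if).network
    return "direct" if on_link else "gateway"


def diagnose(client_if: str, gateway: str, dest: str, lans: dict = FIREWALL_LANS) -> list:
    """Return a list of addressing problems for client_if reaching dest via gateway.
    An empty list means the addressing is consistent; what is left then is a host
    firewall dropping off-subnet traffic or a duplicate of the gateway address."""
    findings = []
    client = IPv4Interface(client_if)
    if IPv4Address(gateway) not in client.network:
        findings.append("gateway %s is not on the client's subnet %s" % (gateway, client.network))
    src_lan = lan_for(client.ip, lans)
    dst_lan = lan_for(dest, lans)
    if src_lan and dst_lan and src_lan != dst_lan and next_hop(client_if, dest) == "direct":
        findings.append("mask too wide: client ARPs for %s on %s instead of routing via %s"
                        % (dest, src_lan, gateway))
    return findings


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(FIREWALL_LANS))
    # Correct client on lan2 reaching a host on lan1: no findings.
    print(diagnose("192.168.1.100/24", "192.168.1.1", "192.168.0.50"))
    # Same client with a /16 mask: it never sends the packet to the firewall.
    print(diagnose("192.168.1.100/16", "192.168.1.1", "192.168.0.50"))
    # Gateway typed for the wrong LAN.
    print(diagnose("192.168.1.100/24", "192.168.2.1", "192.168.0.50"))
```

If `diagnose` returns nothing for a client that still cannot be reached, the addressing is not the cause, and the next step is the one suggested above: sniff on the firewall interface to confirm the packet leaves toward the client and watch whether the client answers.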
-
I did run a program to check over all networks in question, just in case something was wild on my network. I am finding no devices flaring around that are not meant to be there, so no conflicts. My switch is set for the right network, gateway is also set correctly.
I am going to try as you suggested earlier and put a laptop on that network and see what happens with it. I appreciate all the help I am getting…. Thank you all!
-
I did a factory reset on the router this evening, now traffic is passing in both directions! YAH…. Progress. Obviously, there was some issue with the config file, what I do not know.
There are hardly any rules on this fresh setup, the basic allow all to any rules on both networks are in place, as was before. I am going to start feeding my old rules back in, one at a time and see what breaks it.
Should be fun to do, seeing as I am going to read them off of the config file to put them back.. lol
The only thing I can think of, is this router has had hardware changes and upgrades, the config originally came off of another unreliable router I had, possibly the reason for this?
Anyway, got some work to do...
-
Congrats, keep us updated.
-
"It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges."
Huh???
Why are we talking about this… This is 2 seconds to trouble shoot..
This is your network?? See attached.. Are you plugging em0 and em1 into the same switch? You have different switches?
Can devices on each network ping the pfsense IP in that network? Is that IP of pfsense set as their default gateway? You're saying a device on network A can not ping a device on B, but B can ping A?
Why don't you sniff on pfsense and validate your traffic is sent to the client you're trying to get to.. Does that client answer back? Your firewall rules for lan1 and lan2 look open.. So either you have a client firewall blocking the traffic. Or a wrong mask, or wrong gateway, etc.. Or you're trying to run different L3 over the same L2 and have some sort of async issue going on?
So please state how these networks are connected to pfsense, and what devices are connected to in each network. And what the clients' settings are.. You mention another DHCP server - sure it's handing out the right gateway??
This is quite often a local firewall issue.. Clients not allowing traffic from other than the local network.
-
Thanks for the reply, but I resolved the issues with a reload of pfsense.