2 LAN routing issue
-
Everything looks good to me. I know that your router is 192.168.0.35, but I'm seeing a 192.168.0.1 IP in your ARP table as well; do you know what that device is? So from what I can tell you can ping from the 192.168.1.1/24 interface to anything on your 192.168.0.0/24 network, but from any device on your network you cannot ping the 192.168.0.0/24 network. In your ARP table I see all your devices on the 192.168.1.0/24 network. What type of clients are you working with? If you are using Windows, what does the output of the ipconfig command look like? Maybe your DHCP configuration is not configured correctly and their gateway is assigned incorrectly. Your gateway should be 192.168.0.35. Do you have anything like OpenVPN set up or IPsec tunnels configured? If so, those routes may be preferred over the directly connected network. It is not clear to me what the routing preference of pfSense is. You would naturally think that directly connected networks would be preferred, but I can remember having IPsec tunnels enabled by accident, and even though the tunnel was not up it was the preferred route, which was causing me issues.
-
My Windows 2008 server sits on 192.168.0.1 as of right now; that is the one you are seeing. It handles my DHCP, which assigns clients 192.168.0.0/24 addresses, gateway information of 192.168.0.35 and DNS information.
From within pfSense, if I use the ping command or traceroute, I can select LAN2 (192.168.1.0/24) and ping any device on my LAN1 network (192.168.0.0/24) with successful replies. Doing it the other way around yields failures, 100% packet loss.
So, traffic does pass 100% from LAN2 to LAN1. I can ping LAN2's adapter from LAN1, but no traffic passes from there on.
No, I have no VPNs set up at this time, and no funky routing is in use for VPNs at this time either. I did check to make sure, as I did at one time play with OpenVPN, but it is empty right now.
-
You said your VPN info is empty, but is it disabled? I believe my problem at one time was that it was enabled even though I felt like I had removed all the info. This is a really interesting problem. Like you have said before, this should be a fairly straightforward setup. If you look at the ARP table on your clients, do the entries for 192.168.0.35 match the actual MAC address of your firewall's interface?
-
I have my laptop on the 192.168.0.0/24 network. I can ping 192.168.1.1 from here, and I checked the MAC against the physical MAC and they do match...
I can't find a way to make sure it is turned off, I checked through the 3 options under VPN and all are empty.
-
Here is something interesting: I just ran Advanced IP Scanner... It does not show a MAC for the 192.168.1.1 adapter. Now that is odd; it shows others in the other ranges.
The ARP table shows the MAC, so it would seem something is blocking something external to the pfSense box...
Just moved the adapter address to 192.168.2.1, same thing, no MAC shown using Advanced IP Scanner.
I am going to swap out the port for another one on the same card tomorrow, will try that and report back.
-
I could not wait. I moved the port over to the spare, still not working... something has to be blocking it. I have no idea what it is.
-
Unless you added block floating rules, it's not possible for Diag > Ping traffic to be blocked; it's the device in question not replying to off-subnet traffic. The switch is probably a good one to troubleshoot with, since it shouldn't have a local firewall of any sort, though verify that's the case. It's probably statically configured; make sure it has the correct 255.255.255.0 subnet mask and has the gateway set to 192.168.1.1. And make sure you don't have anything conflicting on 192.168.1.1.
-
I did run a program to check over all networks in question, just in case something was wild on my network. I am finding no devices floating around that are not meant to be there, so no conflicts. My switch is set for the right network, and the gateway is also set correctly.
I am going to try as you suggested earlier and put a laptop on that network and see what happens with it. I appreciate all the help I am getting... Thank you all!
-
I did a factory reset on the router this evening, and now traffic is passing in both directions! YAH... Progress. Obviously there was some issue with the config file; what, I do not know.
There are hardly any rules on this fresh setup, the basic allow all to any rules on both networks are in place, as was before. I am going to start feeding my old rules back in, one at a time and see what breaks it.
Should be fun to do, seeing as I am going to read them off of the config file to put them back.. lol
The only thing I can think of, is this router has had hardware changes and upgrades, the config originally came off of another unreliable router I had, possibly the reason for this?
Anyway, got some work to do...
-
Congrats, keep us updated.
-
"It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges."
Huh???
Why are we talking about this... This is 2 seconds to troubleshoot...
This is your network?? See attached... Are you plugging em0 and em1 into the same switch? You have different switches?
Can devices on each network ping the pfSense IP in that network? Is that IP of pfSense set as their default gateway? You're saying a device on network A cannot ping a device on B, but B can ping A?
Why don't you sniff on pfSense and validate your traffic is sent to the client you're trying to get to... Does that client answer back? Your firewall rules for lan1 and lan2 look open... So either you have a client firewall blocking the traffic, or a wrong mask, or a wrong gateway, etc... Or you're trying to run different L3 over the same L2 and have some sort of async issue going on?
So please state how these networks are connected to pfSense, and what devices are connected in each network, and what the clients' settings are... You mention another DHCP server; sure it's handing out the right gateway??
This is quite often a local firewall issue.. Clients not allowing traffic from other than the local network.
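As an added example (not posted by anyone in this thread), here is a POSIX sh script for the "wrong mask / wrong gateway" client check suggested in this reply and in the earlier one about the switch. The client addresses are constructed; the firewall interface values assume the thread's layout of LAN1 on 192.168.0.35/24 and LAN2 on 192.168.1.1/24.

```shell
#!/bin/sh
# Added example, not from the thread: check a client's IP/mask/gateway against
# the pfSense interface it should route through. Addresses are constructed
# from the thread's layout (LAN1 = 192.168.0.35/24, LAN2 = 192.168.1.1/24).

# Dotted quad -> 32-bit integer (e.g. 192.168.0.35 -> 3232235555).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when two addresses share a subnet under the given dotted mask.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_client CLIENT_IP CLIENT_MASK CLIENT_GW FW_IP FW_MASK
# Prints "ok" and returns 0 when the client's (static or DHCP-assigned)
# settings are consistent with the firewall interface on its subnet;
# otherwise prints the first mismatch found and returns non-zero.
check_client() {
    if [ "$2" != "$5" ]; then
        echo "mask $2 differs from firewall interface mask $5"; return 1
    fi
    if ! same_subnet "$1" "$4" "$2"; then
        echo "client $1/$2 is not on the firewall interface's subnet ($4)"; return 2
    fi
    if [ "$3" != "$4" ]; then
        echo "gateway $3 is not the firewall interface $4 on this subnet"; return 3
    fi
    echo "ok"
}

# Constructed LAN1 clients: one correct, one pointing at the LAN2 interface
# as gateway (pingable, but the wrong next hop), one with a /16 mask that
# makes LAN2 look directly connected so nothing is ever sent to the router.
for c in \
    "192.168.0.50 255.255.255.0 192.168.0.35" \
    "192.168.0.51 255.255.255.0 192.168.1.1" \
    "192.168.0.52 255.255.0.0 192.168.0.35"; do
    set -- $c
    printf '%-14s %-15s gw %-14s -> ' "$1" "$2" "$3"
    check_client "$1" "$2" "$3" 192.168.0.35 255.255.255.0 || :
done
```

Run it with the values from a client's ipconfig/ifconfig output to confirm the basics before moving on to packet captures on the firewall.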
-
Thanks for the reply, but I resolved the issues with a reload of pfSense.