Problems accessing certain hosts on lan interface
-
I recently set up some VLANs on my pfsense router and have problems accessing certain hosts on lan interface. Do you have any suggestions for me?
Firewall/Rules/ACCESS_VLAN
Protocol Source Port Destination Port Gateway Queue Schedule Description
IPv4 * * * * * * none Default allow ACCESS_VLAN to any rule

Internet access works
PING pfsense.org (208.123.73.69) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
64 bytes from 208.123.73.69: icmp_seq=0 ttl=42 time=120.707 ms
64 bytes from 208.123.73.69: icmp_seq=1 ttl=42 time=120.226 ms
64 bytes from 208.123.73.69: icmp_seq=2 ttl=42 time=120.164 ms
--- pfsense.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 120.164/120.366/120.707/0.243 ms

Pfsense web interface access works, too
PING 192.168.178.1 (192.168.178.1) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=0.086 ms
64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=0.038 ms
--- 192.168.178.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.038/0.054/0.086/0.023 ms

AP is inaccessible from VLAN
PING 192.168.178.22 (192.168.178.22) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
--- 192.168.178.22 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

PING 192.168.178.22 (192.168.178.22) from 192.168.178.1 [LAN]: 56 data bytes
64 bytes from 192.168.178.22: icmp_seq=0 ttl=64 time=0.293 ms
64 bytes from 192.168.178.22: icmp_seq=1 ttl=64 time=0.231 ms
64 bytes from 192.168.178.22: icmp_seq=2 ttl=64 time=0.216 ms
--- 192.168.178.22 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.216/0.247/0.293/0.033 ms
-
Post screen-shots of your firewall rules (external, internal including any/all DMZs and VLANs). A diagram of your network setup would help too - including all netmasks and gateway info. It may be age-related, but my mind-reading capabilities aren't what they used to be.
-
Is it actually an AP or is it some repurposed consumer wireless router?
Does that AP have the concept of a default gateway on its LAN interface?
-
It is a repurposed TP-Link consumer router. Interestingly, accessing an enterprise-grade AP works well.
-
See if it has the ability to set static routes. You might be able to set a route for 0.0.0.0 to pfsense or something.
Else you can set outbound NAT on LAN so that device sees connections to it coming from the same subnet so reply traffic doesn't need to be routed.
-
The problem doesn't seem to be related to a missing default gateway. I'm unable to access the enterprise-grade AP via SSH, unlike HTTPS.
-
SSH from where?
Do a packet capture and see what's going on.
-
From my new VLAN.
30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959130 TSecr=0 WS=128
31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959380 TSecr=0 WS=128
34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959881 TSecr=0 WS=128
37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294960884 TSecr=0 WS=128
-
SYN going out and no response. Check the layer 2 and the host.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
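One way to make the diagnosis in that last reply mechanical, as an added example that is not from the thread or from the pfSense project: a small Python script that groups capture lines in the layout shown above into client-to-server flows and labels those where SYNs leave pfSense but nothing ever comes back. The capture text below is constructed sample data (the unanswered SSH SYNs from the thread plus an added healthy HTTPS handshake for contrast).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the capture quoted above. Flow A is the
# unanswered SSH SYNs from the thread; flow B is an added healthy HTTPS
# handshake for contrast.
CAPTURE = """\
30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
40 41.000000000 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 51000 → 443 [SYN] Seq=0 Win=29200 Len=0
41 41.000300000 192.168.178.33 [LAN] 192.168.188.1 TCP 74 443 → 51000 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
42 41.000500000 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 66 51000 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0
"""

# frame time src [iface] dst [iface] TCP len [TCP Retransmission] sport → dport [flags] ...
LINE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?:\[[^\]]+\]\s+)?(?P<dst>[\d.]+)\s+"
    r"(?:\[[^\]]+\]\s+)?TCP\s+\d+\s+(?:\[TCP Retransmission\]\s+)?"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def classify_handshakes(capture_text):
    """Group packets into client->server flows; return {4-tuple: (label, syn_count)}.
    'no-reply': only SYNs, nothing came back (the SYN already left pfSense, so
    look at layer 2 or the host); 'half-open': SYN-ACK seen but no final ACK;
    'established': full three-way handshake observed."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])  # server -> client
        if flags == {"SYN"}:
            flows[fwd]["syn"] += 1
        elif flags == {"SYN", "ACK"} and rev in flows:
            flows[rev]["synack"] += 1
        elif flags == {"ACK"} and fwd in flows and flows[fwd]["synack"]:
            flows[fwd]["ack"] += 1
    labels = {}
    for key, c in flows.items():
        label = ("no-reply" if c["synack"] == 0
                 else "half-open" if c["ack"] == 0 else "established")
        labels[key] = (label, c["syn"])
    return labels
```

Run against a real pfSense packet capture exported in this text layout, a flow labelled no-reply with several SYNs is exactly the "SYN going out and no response" case, and the rule table on the VLAN interface is not where to look next.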