Netgate Discussion Forum
    Two subnets communication issue

    Routing and Multi WAN
GM IT team

      Greetings,

It is only recently that I noticed something odd about my network. Please have a look at the diagram for a better picture.

The problem is simply that any device within the Internal Firewall that has a 192.168.0.X address cannot ping any device in the External Firewall.
In other words, Device B can ping Device A. However, when I try to get Device A to connect to Device B, it's not possible. Every time I ping 192.168.0.235, I keep getting Request timed out.

I did try creating an alias and messing around with NAT. At this point I have run out of ideas.
Could you please help me with where I should begin next?

      Thank you so much for your help

      Subnet.png

johnpoz LAYER 8 Global Moderator

Yeah, that is going to be a routing mess.. You're going to be asymmetrical, or if you NAT you're going to have to port forward..

That is not how you would set up a normal network..  If you're going to have a downstream router then you would have a transit network..

        What exactly do you want to accomplish?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

GM IT team

          Hi Johnpoz,

Thank you for coming in. It's a privilege to have a reply from you. I sort of see your name in most of the topics.

I understand it might be messy work for this, but I also want to understand more about how it works.
I am trying to make a direct connection for Plex. I have the Plex Media Server set within the Internal Firewall and all devices that need access to the Plex Media Server are in the External Firewall. I assume that it couldn't connect because it's in a different subnet.

So I thought if I could make a device within the External Firewall communicate with the Internal Firewall, that might give me a direct connection for the Plex server.

johnpoz LAYER 8 Global Moderator

No, it wouldn't be able to connect, because out of the box your internal "pfsense" would be NATting.  So you would have to do a port forward.  And to access your Plex you would need to use the IP of the pfsense "wan", not the IP behind pfsense.

If you're not NATting at pfsense then you have an asymmetrical routing issue.  Does your external firewall have a route to get to the 192.168.0 network?  So a client on 192.168.1 says hey, I want to go to 192.168.0.235, so it hits its gateway, the external firewall..  It says oh, to get there I have to talk to pfsense (192.168.1.156)..  Which routes it to your B device, but on the return traffic pfsense says oh, you're talking to 192.168.1, I am directly connected, and would send it just to device A, not back to your external - that is asymmetrical and is not good..

If all your devices need to get to Plex - why not just put Plex in the 192.168.1 network? Why do you need pfsense??

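The asymmetric path johnpoz describes can be made concrete with a small routing simulation. The following is an added example written for this thread, not code from the thread or from pfSense: it models each device as a node with a tiny longest-prefix-match table and traces a packet hop by hop in both directions. Only the pfSense WAN address (192.168.1.156) and Device B (192.168.0.235) come from the thread; the external firewall's address, the pfSense LAN address, the client address for Device A and the upstream gateway are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread: pfSense WAN 192.168.1.156, Device B 192.168.0.235.
# The others are constructed for this example and labelled as such.
EXTERNAL_FW = "192.168.1.1"     # constructed: external firewall's LAN address
PFSENSE_WAN = "192.168.1.156"   # from the thread
PFSENSE_LAN = "192.168.0.1"     # constructed: pfSense LAN address
DEVICE_A = "192.168.1.50"       # constructed: a client on the external LAN
DEVICE_B = "192.168.0.235"      # from the thread
UPSTREAM = "203.0.113.1"        # constructed: the external firewall's Internet gateway


class Node:
    """A host or router with a tiny longest-prefix-match routing table."""

    def __init__(self, name, addrs, routes, default):
        self.name = name
        self.addrs = set(addrs)                                    # addresses this node owns
        self.routes = [(ip_network(n), via) for n, via in routes]  # via=None means directly connected
        self.default = default                                     # default gateway address

    def next_hop(self, dst):
        ip = ip_address(dst)
        best = None
        for net, via in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return self.default
        return dst if best[1] is None else best[1]   # connected network: deliver directly


def build(external_has_route):
    """Return an address -> Node map; optionally give the external firewall a route to 192.168.0.0/24."""
    ext_routes = [("192.168.1.0/24", None)]
    if external_has_route:
        ext_routes.append(("192.168.0.0/24", PFSENSE_WAN))
    nodes = [
        Node("deviceA", [DEVICE_A], [("192.168.1.0/24", None)], EXTERNAL_FW),
        Node("externalFW", [EXTERNAL_FW], ext_routes, UPSTREAM),
        Node("pfsense", [PFSENSE_WAN, PFSENSE_LAN],
             [("192.168.1.0/24", None), ("192.168.0.0/24", None)], EXTERNAL_FW),
        Node("deviceB", [DEVICE_B], [("192.168.0.0/24", None)], PFSENSE_LAN),
    ]
    return {addr: node for node in nodes for addr in node.addrs}


def trace(nodes, src, dst, max_hops=8):
    """Hop-by-hop list of node names a packet from src to dst visits (no NAT involved)."""
    path, cur = [], src
    for _ in range(max_hops):
        node = nodes.get(cur)
        if node is None:
            path.append(f"unreachable({cur})")   # forwarded to something outside this lab
            return path
        path.append(node.name)
        if dst in node.addrs:
            return path
        cur = node.next_hop(dst)
    path.append("loop")
    return path


def is_asymmetric(nodes, src, dst):
    """True when the routers on the return path differ from the routers on the forward path."""
    forward = trace(nodes, src, dst)[1:-1]
    back = trace(nodes, dst, src)[1:-1]
    return forward != list(reversed(back))


def nat_paths(nodes):
    """Paths when Device A targets the pfSense WAN address and a port forward rewrites it to Device B."""
    to_wan = trace(nodes, DEVICE_A, PFSENSE_WAN)
    inside = trace(nodes, PFSENSE_WAN, DEVICE_B)
    back = trace(nodes, DEVICE_B, PFSENSE_WAN) + trace(nodes, PFSENSE_WAN, DEVICE_A)[1:]
    return to_wan + inside[1:], back


if __name__ == "__main__":
    print("no route on external FW:", trace(build(False), DEVICE_A, DEVICE_B))
    lab = build(True)
    print("routed, A->B:", trace(lab, DEVICE_A, DEVICE_B))
    print("routed, B->A:", trace(lab, DEVICE_B, DEVICE_A))
    print("asymmetric:", is_asymmetric(lab, DEVICE_A, DEVICE_B))
    print("NAT + port forward:", nat_paths(lab))
```

Without a route on the external firewall the packet for 192.168.0.235 leaves toward the Internet gateway, which is the "Request timed out" from the first post. With the route added, the forward path is A, external firewall, pfSense, B, while the reply goes B, pfSense, A: pfSense is directly connected to 192.168.1.0/24 and never hands the reply back to the external firewall, which is exactly the asymmetry johnpoz warns about. When A instead talks to the pfSense WAN address and a port forward rewrites the destination, pfSense sits on both directions and the path is symmetric.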

GM IT team

              Good afternoon JohnPoz,

Thanks again for your reply.

It was very good advice. I am getting the picture now. To answer your question: the External Firewall does not have any route for the 192.168.0.X subnet. I thought I could use one of the settings to make it communicate without having to set up a physical port for 192.168.0.X. If I understand you correctly, I would have to add one more port in the firewall and add a route for 192.168.0.X, am I right? I understood that I could port forward to a different IP subnet.

The reason I don't put Plex within the External Firewall is because all of the teaching material is on a file server within the Internal Firewall, and the server I use for Plex is used for telephone monitoring as well. The Internal Firewall is only used for business computers, which connect by LAN cable.

This network was set up way before. I have another question. If I add a route for 192.168.0.X in the External Firewall, would that compromise the security of the Internal Firewall? Because that would mean any device within the External Firewall could ping devices in the Internal Firewall.

GM IT team

Please have a look at my Port Forward setting.

This Port Forward is set in the Internal Firewall.

                ![Port forwarding.JPG](/public/imported_attachments/1/Port forwarding.JPG)

johnpoz LAYER 8 Global Moderator

Yeah, 32400 is the default Plex port..  So yeah, that is how you would set it up.. Keep in mind that your 192.168.1 devices would have to hit the pfsense WAN IP.  And since they are coming from RFC1918 you would have to uncheck the default of blocking RFC1918 on WAN.  Or, no matter how many port forwards you create, anything coming from that 192.168.1 network would be blocked.


GM IT team

                    Hi Johnpoz,

I just want to make sure I configure the right firewall.
The firewall I should port forward on is the Internal Firewall, right?

Here is what I did so far:

                    Create NAT Port Forward > Using WAN interface of Internal Firewall
                    Destination is 192.168.0.61 (IP address of Plex Media Server)
                    Port range 1234 - 32400 (Default Plex port)
                    Redirect target IP; 192.168.0.61
                    Redirect port; 32400

I also attached my WAN configuration, port forward configuration and NAT overview.

Thanks ever so much for your help

                    ![NAT Config.PNG](/public/imported_attachments/1/NAT Config.PNG)
                    ![NAT OVERVIEW.PNG](/public/imported_attachments/1/NAT OVERVIEW.PNG)
                    ![WAN Interface config.PNG](/public/imported_attachments/1/WAN Interface config.PNG)

johnpoz LAYER 8 Global Moderator

Not sure why you're trying to do a range.. Plex only uses the 1 port, and the way your range is set up you would have to hit the 1234 port to get sent to the 32400 port.. I wouldn't do it that way..

Just forward your 32400 port, and then hit your internal pfsense WAN IP, either by IP or by some FQDN you resolve to it.

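Two points from johnpoz's replies are easy to get wrong and can be checked with a few lines of Python: the range port forward (1234-32400 redirected to 32400) and the default "Block private networks" setting on the WAN that drops RFC1918 sources before any port forward is consulted. The following is an added example written for this thread, not code from the thread or from pfSense; it models pfSense's documented range behaviour, where the redirect target port is the start of the target range and the offset within the destination range is preserved. The Plex server 192.168.0.61 and port 32400 come from the thread; the client address 192.168.1.50 is constructed.

```python
from ipaddress import ip_address, ip_network

PLEX_SERVER = "192.168.0.61"   # from the thread
PLEX_PORT = 32400              # default Plex port, from the thread

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two port forwards discussed in the thread, as plain dictionaries (constructed representation).
RANGE_RULE = {"dst_ports": (1234, 32400), "target_ip": PLEX_SERVER, "target_port": PLEX_PORT}
SINGLE_RULE = {"dst_ports": (PLEX_PORT, PLEX_PORT), "target_ip": PLEX_SERVER, "target_port": PLEX_PORT}


def port_forward(rule, dst_port):
    """(target_ip, target_port) a packet to dst_port is redirected to, or None if the rule does not match.

    Models pfSense's documented range behaviour: the redirect target port is the *start*
    of the target range, so port lo maps to target_port, lo+1 to target_port+1, and so on."""
    lo, hi = rule["dst_ports"]
    if not lo <= dst_port <= hi:
        return None
    return rule["target_ip"], rule["target_port"] + (dst_port - lo)


def wan_accepts_source(src_ip, block_private_networks):
    """Whether the WAN accepts a packet from src_ip.

    pfSense's 'Block private networks' WAN option, on by default, drops RFC1918 sources
    before any port forward is evaluated, which is the check johnpoz says must be unticked."""
    if block_private_networks and any(ip_address(src_ip) in net for net in RFC1918):
        return False
    return True


def simulate(rule, src_ip, dst_port, block_private_networks=True):
    """Outcome of a client on the external LAN hitting the internal pfSense WAN address on dst_port."""
    if not wan_accepts_source(src_ip, block_private_networks):
        return "dropped: RFC1918 source blocked on WAN"
    hit = port_forward(rule, dst_port)
    if hit is None:
        return "dropped: no port forward matches"
    ip, port = hit
    if port != PLEX_PORT:
        return f"forwarded to {ip}:{port}, but nothing listens there"
    return f"forwarded to {ip}:{port} (Plex)"


if __name__ == "__main__":
    client = "192.168.1.50"   # constructed client on the external LAN
    print("range rule, port 1234 :", port_forward(RANGE_RULE, 1234))
    print("range rule, port 32400:", port_forward(RANGE_RULE, 32400))
    print("single rule, default WAN settings:", simulate(SINGLE_RULE, client, PLEX_PORT))
    print("single rule, private networks allowed:",
          simulate(SINGLE_RULE, client, PLEX_PORT, block_private_networks=False))
    print("range rule, private networks allowed:",
          simulate(RANGE_RULE, client, PLEX_PORT, block_private_networks=False))
```

With the range rule, a client connecting to port 32400 is redirected to port 63566 on the Plex server, where nothing listens; only port 1234 lands on 32400. With the single-port rule the forward is correct, but with the WAN's RFC1918 block still on, the 192.168.1.x client is dropped before the rule is ever consulted, which matches the "indirect connection" symptom later in the thread.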

GM IT team

I made the changes, still no improvement. Plex still couldn't get a direct connection.

                        Please see attachments

                        ![WAN AND LAN IP.JPG](/public/imported_attachments/1/WAN AND LAN IP.JPG)
                        ![NAT CONFIG TEST TWO.JPG](/public/imported_attachments/1/NAT CONFIG TEST TWO.JPG)

johnpoz LAYER 8 Global Moderator

While it shouldn't matter.. why are you not on p1? Looks like you have not updated your pfsense.

So what is Plex running on.. is it running a firewall?

So you're hitting 192.168.1.132 from your client on 192.168.1.0/24 and you're saying you can not hit the Plex GUI?

                          http://192.168.1.132:32400/web/index.html

                          Are you forcing https on your plex??


GM IT team

                            Hi johnpoz,

Yes, I haven't updated my pfSense yet.
My Plex Server is running on Windows 7 Professional. I have already allowed port 32400 in my anti-virus and firewall rules.

I updated my network map for you. Please have a look at the attachment.

I created a Port Forward in NAT in the Internal Firewall:

                            Selected Interface WAN (192.168.1.132)

                            Destination; Single Host IP 192.168.0.61 (Plex Server)
                            Port range is 32400

                            Redirect target IP is Single Host IP 192.168.0.61
                            Redirect target Port is 32400

                            Am I doing it wrong here?

I understand that any incoming device from the External Firewall that is using port 34200 (Plex device) will be directed to the Internal Firewall WAN (192.168.0.132) -> 192.168.061 (Plex Server).

However, after all this configuration I keep getting an indirect connection instead of Nearby.

                            ![Update Network map.png](/public/imported_attachments/1/Update Network map.png)

Derelict LAYER 8 Netgate

                              If you want the plex device on the middle LAN, put it on another interface on the outside router.

                              If you want the plex device to be on the inside LAN, put it on another interface on the inside firewall.

                              There should not be hosts on the transit network between two routers unless you want to maintain a complete routing table on that host too.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

GM IT team

                                Hi Derelict,

Thanks for your reply.

I use the External Firewall as Multi-WAN between the External Firewall and the Internal Firewall. That is where I set up Wi-Fi, because the Internal Firewall is used for the work network. The Plex Server is set within the Internal Firewall so that it has access to the teaching audio files, and also the Plex server is running on Windows 7, which is used for something else as well. That's why I would like devices from the External Firewall to access the Plex Server in the Internal Firewall.

Derelict LAYER 8 Netgate

                                  Your design is broken.

                                  Put "Plex Devices" on another interface so your routers can route properly or maintain all the necessary gateways and routes on them.


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.