VLAN IP to LAN IP - Not pinging

slkamath

Hi

Myself Lokesh Kamath.

I recently installed PFSENSE 2.4.3.
System Configuration:
10 - 1000mbps LAN Cards
1 - WAN
2 - LAN
6 - VLANs
2 - Blank

**Pfsense IP: 192.192.xxx.3

WAN IP - 180.xxx.xxx.xxx/29 (ISP Provides) (Gateway 180.xxx.xxx.xxx/29)
LAN IP - 192.192.xxx.1/24 (LAN Gateway 192.xxx.xxx.1)**
VLAN 1 - 192.xxx.20.1/24
VLAN 2 - 192.xxx.30.1/24
VLAN 3 - 192.xxx.40.1/24
VLAN 4 - 192.xxx.50.1/24
VLAN 5 - 192.xxx.60.1/24

All VLAN's have DHCP - working fine (Gateway - 192.192.xxx.1)
All VLAN's have internet - working fine (Gateway - 192.192.xxx.1)

I can ping from any VLAN to Pfsense IP.
From LAN I can ping any VLAN IP's.

From VLAN - I can't ping LAN Gateway IP & other LAN IP's

Please help me to resolve this issue.

Thanks & Regards
Lokesh Kamath

NogBadTheBad

Post your firewall rules on the LAN and a VLAN.

Also shouldn't you using 192.168.x.x ?

johnpoz

192.192 is public space..

So unless your these guys
remarks: inetnum: 192.192.0.0 - 192.192.255.255
remarks: netname: TANET-C
remarks: org-id: MOEC
remarks: status: allocation
remarks: rev-srv: MOEVAX.EDU.TW

You shouldn't be using it on your network.

lan default rules are any any... When you bring up a new interface vlan/optx there are no rules so yeah everything would be blocked. Until you create rules on that interface allowing what you want.

slkamath

@nogbadthebad

Thanks for your reply.

Please find the screenshot for your understanding.
alt text LAN Firewall Ruleslink text
VLAN - Finance Firewall Ruleslink text

I am using 192.168.xxx.xxx / 24 for VLAN only
I am using 192.192.xxx.xxx / 24 for LAN (Subnet - 255.255.255.0)

Lokesh Kamath

slkamath

@johnpoz

Thanks for your reply.

I can understand it is public IP.

I am using 192.192.xxx.xxx / 24 (subnet - 255.255.255.0)

I created LAN & VLAN rules. Still it is not pinging other LAN IP's except PFSENSE IP. 0_1535517552366_LAN FW Rules.png
0_1535517563933_VLAN Finance Rules.png

Lokesh Kamath

NogBadTheBad

Whats the 3rd rule doing traffic will never hit it !

Also remove the Gateway entries, should be *.

johnpoz

@slkamath said in VLAN IP to LAN IP - Not pinging:

I can understand it is public IP.

And its yours? If its not yours why are you using it... Why would you not just use rfc1918 space?

What are any of the rules below the any any doing? They are all pointless..

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

Your first rule shoves stuff out your gateway - how you going to get to vlans? You have to allow access to your vlans above where you shove traffic out a gateway via policy routing.

slkamath

@johnpoz & @nogbadthebad

Thank you so much for your help.

I am sorry one of my friend told 192.192.xxx.xxx /24, was also like 192.168.0.1 /24 (when subnet is 255.255.255.0). So we used it.

As per both of your suggestion i did few changes (except 192.192.xxx.xxx series IP, will change once all the issue will sort out). Still it is not pinging the LAN IP's.

Please find the screenshot for your reference.

0_1535542073460_LAN FW Rules.png

0_1535542087044_VLAN Finance Rules.png

Thank you so much once again.

Lokesh Kamath

johnpoz

Your friend is an idiot ;) 192.192 is not like rfc1918 space its public space and owned by the who I posted up earlier.

Maybe he mean the 192.0.2/24 network which is designated for documentation use per rfc 5737

Documentation Address Blocks

The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
and 203.0.113.0/24 (TEST-NET-3) are provided for use in
documentation.

So your rule would allow access, so problem is prob on the finance machine your trying to access - firewall most likely.. Sees traffic coming from a public IP and blocks it. Or a IP that is not local to its network - windows firewalls for example out of the box prevent access if not coming from local network.

Your lan rules would allow access to finance, and your finance rules would allow finance to create traffic to lan. Keep in mind that you do not need return rules - the states allow return traffic.

Its not only the firewall rules you have to worry about, you quite often also have to worry about software host firewalls running on the device your wanting to talk to. Also this device needs to be using pfsense IP on its network as the default gateway or traffic will not be able to get back.

slkamath

@johnpoz

Thank you very much.
I will change it to 192.168 series.

Sorry I am not getting where I am making mistakes.

WAN - 180.xxx.xxx.xxx
LAN - 192.192.0.1 (default Gateway Linux Server)
Finance VLAN - 192.168.20.1
Marketing VLAN - 192.168.30.1

Few Ping Screenshots for your reference.

Default Ping to LAN Gateway
0_1535610049693_Default to LAN ping.png

VLAN to LAN Gateway Ping
0_1535610139905_VLAN to LAN Ping.png

VLAN Self Ping
0_1535610172859_VLAN Self Ping.png

Finance VLAN 1 to Marketing VLAN2 ping
0_1535610196566_Finance VLAN 1 to Marketing VLAN2 ping.png

Marketing VLAN2 to Finance VALN1 ping
0_1535610220154_Marketing VLAN2 to Finance VALN1 ping.png

VALN to Google ping
0_1535610245786_VALN to Google ping.png

So can you please suggest where i am making mistakes?

Lokesh Kamath

johnpoz

Why do you say this??

default Gateway Linux Server)

Do you have a gateway set on the lan interface?

slkamath

@johnpoz

Thank you once again.

Default Gateway is Linux Server because if i give pfsense ip as default gateway then all users will get internet (even after proxy not enable), and they can access all the sites. few users only send mails no internet, few users mails & few internet sites like government sites.

So i given Linux Server ip as Gateway, then default internet will not work. if proxy configured then only it will work. (any better solution please let me know)

In LAN interface I have not given any Gateway info, but in Routing - Gateways - i have added this Linux Server Ip Address. Please find the below picture for your reference.

LAN Interface
0_1535689168675_LAN Config.png

Routing - Gateways

Lokesh Kamath

slkamath

@johnpoz
Thank you very much. I selected Gateway for LAN Interface and it started pinging.

IT IS WORKING.

Once again Thank you very much. Very much appreciated.

Also please let me know how to close this thread.

Lokesh Kamath

johnpoz

@slkamath said in VLAN IP to LAN IP - Not pinging:

In LAN interface I have not given any Gateway info,

YOU SHOULDN'T!!!! If you give it a gateway you just created a WAN, and would be natting too it..

Seems you got a mess.. Please draw up this network.. You have a downstream network from this LAN to get to your vlans??? What is at 192.192.0.1?? When pfsense IP address in lan is 192.192.0.3

slkamath

@johnpoz

Ohhh Ok.
Thanks.

We have upstream & downstream network from LAN to VLAN.

Initially 192.192.0.1 was Gateway with squid proxy (due to some issues squid stopped working.) If we give this IP as gateway then users can not access internet. If i give PFSENSE ip address in gateway all users can use Internet. So in pfsense box i given 192.192.0.1 a gateway.

All the users have mail access but only few have internet access. in that few have full internet access & few have restricted access.

Network diagram (very poor diagram, please excuse)
0_1535733633647_network diagram.png

Lokesh Kamath

johnpoz

Yeah that is an asymmetrical mess.. Is this 180.x.x.x actually yours, your isp gave you this address space or its it like your 192.192 where you just used public space you picked out of the blue sky?

That needs to be fixed dude... Why do you have the 2 firewalls? If you want to use 2 firewalls then you should connect them with a transit network between So that your lan and other vlans can talking to each other without being asymmetrical.

Is this 180 network routed to you? I am not quite understanding the ISP 214.x.x.x and then lan of 180.x.x.x do you have devices on this 180 network or just your firewall/routers connected to it?

Please explain this 180 network and be happy to draw up diagram of how this should be connected.

slkamath

@johnpoz
Thank you very much.

Dear John,

WAN PORT of ISP is - 214.XXX.XXX.153 & Gateway - 214.XXX.XXX.154
LAN PORT of ISP is - 180.XXX.XXX.XXX - Gateway - 180.XXX.XXX.33 (only 6 IP Address included)
COMPANY LAN is - 192.192.0.1 / 24
VLAN1 - Finance - 192.168.20.1 / 24
VLAN2 - Marketing - 192.168.30.1 / 24
VLAN3 - Purchase - 192.168.40.1 / 24
VLAN4 - Moulding - 192.168.50.1 / 24
VLAN5 - Purchase - 192.168.60.1 / 24

WAN Port of ISP from L3 Switch - 214.Gateway (Configured here by ISP) in L3 Switch connected to System with 2 NW Cards (Ubuntu Server)

Ubuntu Server
1st NW Card - 214.XXX.XXX.XXX
2nd NW Card - 180.XXX.XXX.XXX - (Only IP Address & Subnet Mask Configured, NO Gateway. This is ISP LAN Gateway)

From 2nd NW Card connected to L2 Switch

From L2 Switch 2 Servers (1 Ubuntu Server, 1 PFSENSE Server)

UBUNTU Server
1st NW Card - 180.XXX.XXX.XXX & ISP LAN Gateway
2nd NW Card
IP Address -192.192.0.1
Subnet Mask - 255.255.255.0
No Gateway Configured for 2nd NW Card

PFSENSE - 10LAN Cards - 1000Mbps
1st NW Card - 180.XXX.XXX.XXX & ISP LAN Gateway
2nd NW Card - 192.192.0.3, Subnet Mask - 255.255.255.0
VLAN's
3rd NW Card - 192.168.20.1
4th NW Card - 192.168.30.1
5th NW Card - 192.168.40.1
6th NW Card - 192.168.50.1
7th NW Card - 192.168.60.1
8th NW Card - Empty
9th NW Card - Empty
10th NW Card - Empty

70 Client Systems are there and in that 20 Windows & 50 Ubuntu.

Please find the Network Diagram of the same (if anything wrong please suggest).

0_1535779747828_Network Diagram.png

Lokesh Kamath

johnpoz

So 180 is routed to you, and your using your wan for your ubuntu router your calling server.. If its routing - its routing!! If you have clients using it as gateway then you have asymmetrical problem.. When they want to talk to vlans

In your drawing What are these loops suppose to represent exactly??

So connect your 2 routers via a transit network - lets call it 172.16/30

Now you do not have asymmetrical.. Router on left says to get to that 192.192 talk to router on right 172.16.0.2... Route on right that says hey want to talk to vlans on left talk to router on left 172.16.0.1

BTW - FIX that 192.192 - that is NOT yours and PUBLIC... Use RFC1918!!!

slkamath

@johnpoz
Thanks John.

I created the drawing using jNetMap software.

when i am adding interface it shows like that. Firewall means RED right so may be it shows RED and other shows green.

I will try based on your suggestion. Will let you know by tuesday. Sure I will change the 192.192 series.

Thanks once again.

Lokesh Kamath

slkamath

@johnpoz said in VLAN IP to LAN IP - Not pinging:

So 180 is routed to you, and your using your wan for your ubuntu router your calling server.. If its routing - its routing!! If you have clients using it as gateway then you have asymmetrical problem.. When they want to talk to vlans

In your drawing What are these loops suppose to represent exactly??

So connect your 2 routers via a transit network - lets call it 172.16/30

Now you do not have asymmetrical.. Router on left says to get to that 192.192 talk to router on right 172.16.0.2... Route on right that says hey want to talk to vlans on left talk to router on left 172.16.0.1

BTW - FIX that 192.192 - that is NOT yours and PUBLIC... Use RFC1918!!!

Dear John,

How can i configure as per your diagram? Please suggest.

My Requirements

I want to place 1 Server pfsense and other I want to remove. Everything has to work through pfsense. Also I dont want to give full internet access to all. Only 5 users has to get full internet access and rest users has to get internet via SQUID. So Please guide me.

Thank you once again.

Lokesh Kamath