Communicating between subnets fails

johnpoz

No problem - other scenario where you might "need" to source nat... But again its a "hack"!! is when the dest device uses a different gateway than pfsense.. Your setup in such a scenario is already borked to be honest ;)

If your source natting - your working around some sort of problem to be sure... Would/Should always be the last possible method used to work around the issue.. But it can be used if there is no other way to correctly route the traffic.

Example you nat to the internet.. This not actually the correct solution to the problem of not enough IPs.. The correct solution is have an IP for each device - nat is not a solution its a hack to get around a problem.

edit: Yet another example of where nat is used where its a "hack" ;) Company A with IP range X, buys company B that also uses IP range X... Now as a hack to get them talking to each other you could nat.. The correct solution is to change either A or B ip scheme to not overlap the other company..

techtester-m

@johnpoz I understand about NAT and all the devices on the network use the default gateway which is their net's interface address of course.

johnpoz

Then yeah your good to go.. Either just turn off the host firewall... I find them to be more pain then they are worth on a local secure network that I control and firewall at the edge of the network.. The only time they make any sense is if the local network they are on is hostile.. Or your not actually in control of the network be it hostile or not and want to be able to control what can talk to your device.

My local devices do not run their host firewalls. Since I control the whole network, and all the applications that get installed and run on all the devices. And firewall at the edge - devices in vlan X can not talk to vlan Y except for the ports I allow and need. What would be the point of also having to manage that traffic at the device?

techtester-m

@johnpoz Some devices are not used by me or controlled by me and other family members don't understand computers/IT as I do and so they can download malware, click on ads, spam emails etc. I don't wanna mess with their hosts' firewall or antivirus. They also use Windows while I use Mac OS which is more secure.

Anyway, do you know where on the Windows firewall I allow other subnets to connect? Is it exactly like "remote desktop"? I'm searching the web for the solution anyway....

johnpoz

Do want to allow ping only?

Its listed under file and print sharing for some crazy reason - icmpv4 in, echo request.. Allow the ip ranges you want, ie your lan network under scope, or just say any..

As to messing with family computers.. That some "user" manages and runs shit on... Oh look I won an IPad if I click here because Im the millionth vistor ;)

Yeah put that at on their own isolated vlan that can not talk your stuff, simple solution there for sure ;) Treat that whole segment as just plain hostile..

techtester-m

@johnpoz said in Communicating between subnets fails:

Do want to allow ping only?

Not just ping but any access (TCP/UDP), accessing shared folders etc.

@johnpoz said in Communicating between subnets fails:

Yeah put that at on their own isolated vlan that can not talk your stuff, simple solution there for sure ;) Treat that whole segment as just plain hostile..

That's what I do anyway. I isolate the 'core' of the network and the important stuff including my network but still don't want their computers to be completely vulnerable even at the local level where an antivirus might stop some malware.

johnpoz

@techtester-m said in Communicating between subnets fails:

Not just ping but any access (TCP/UDP), accessing shared folders etc.

Well then either turn if off.. Or you have to allow every specific protocol you want to allow ;) Or create an any rule, which if you have a any rule - why is it even on ;)

If your going to allow access to every service that box is running, why would you need to run firewall on the host sucking up resources, slowing down the connections.

You need to run a firewall when you want to say allow IP X, but block IP Y from talking to Z service. If your going to allow everything to talk to whatever service is running - what is the point of the firewall?

techtester-m

@johnpoz Sorry but please bare with me I f*ing hate Windows. The PC is running Windows 10 and I can't find it lol
How do I get to these properties? Every thing I click keeps sending me to this window or a similar irrelevant one...

johnpoz

go to your control panel and firewall - advanced.

techtester-m

@johnpoz Sorry again...I need to mess with firewall inbound/outbound rules again? WTH?! What am I freaking missing here and why is it so different than your screenshot? Is your screenshot from a different version of Windows?