Subnets can't communicate
-
Small changes made. Went from /24 to /30 in the transit network. Also added some IP information.
Right now PC 1 can ping 192.168.2.1
PC 2 can ping 192.168.1.2
PC 1 can't ping PC 2 and vice versa
-
Anyone know what could be preventing the PCs from pinging each other? They can ping the interfaces of both pfSense boxes, so maybe it's a firewall issue or something on windows?
-
To pass ping traffic, you need specific rules - not TCP, not UDP, but specifically ICMP traffic. Over a transit network, like you've got set up, I'm pretty sure you still need the rules for the interfaces. Maybe one of the pros can comment on that for sure.
Also, since these are "different" subnets, and you said "Windows", you need to open the internal firewall rules on the computers to allow this traffic from the other subnets. Windows considers traffic from machines NOT on the same subnet to be hostile. I know in your situation they aren't hostile, but Windows is programmed that way.
Jeff
-
@WisceBIat said in Subnets can't communicate:
Anyone know what could be preventing the PCs from pinging each other?
The firewalls on the devices themselves.. If you can ping the pfSense interface in the network, i.e. your 2.1 and 1.2 addresses, it screams your PCs' firewalls.
Can tell you for sure that the Windows out-of-the-box firewall does not allow pings from remote networks..
Simple way to validate that.. While you're pinging pc2 from pc1, sniff on the pfsense2 interface 2.1 - do you see it sending the pings on to pc2?
This is a very common mistake users make when they start to segment.. They forget about host firewalls and security software they are running, which might allow traffic of xyz type from the same network the device is on, but blocks it when it's not a local network.. Like what you're doing: pc1 is a different network than pc2.. It's not going to allow pinging unless you tell its firewall to allow it, or turn it off, etc.
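The two replies above both land on the same cause: the built-in Windows "File and Printer Sharing (Echo Request - ICMPv4-In)" rules on the Private and Public profiles are scoped to the local subnet, so echo requests arriving through a router from another subnet are dropped even when "ping" appears to be allowed. The narrower alternative to switching the host firewall off is a single inbound ICMPv4 rule whose remote-address scope is the peer LAN. The script below is an added example, not something posted in this thread; it assumes PC1 lives in 192.168.1.0/24 and PC2 in 192.168.2.0/24 (inferred from the 192.168.1.2 and 192.168.2.1 addresses quoted above) and is meant to be run in an elevated PowerShell on PC2, then mirrored on PC1 with the other subnet.

```powershell
# Added example (not from the thread): allow ICMPv4 echo requests from the
# routed peer LAN only, instead of disabling the Windows firewall.
# Assumption: PC2 is in 192.168.2.0/24 and should accept pings from PC1's
# subnet 192.168.1.0/24. Swap the subnet when running the mirror on PC1.
$PeerSubnet = '192.168.1.0/24'
$RuleName   = 'ICMPv4 Echo from peer LAN (transit)'

# Keep all three profiles enabled; the rule below is the only hole we open.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Remove any earlier copy so the script is safe to re-run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# ICMP type 8 = echo request. RemoteAddress is the peer subnet, not 'Any',
# so the default local-subnet behaviour still applies to everything else.
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Allow ping from the routed peer LAN behind the second pfSense' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $PeerSubnet -Profile Any -Action Allow -Enabled True | Out-Null

# Verify the scope actually landed on the rule (expect the peer subnet, not Any).
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Confirm the profiles are still on after the change.
Get-NetFirewallProfile | Select-Object Name, Enabled
```

With the rule in place, `Test-Connection 192.168.2.<pc2> -Count 2` from PC1 should succeed while hosts outside the two LANs remain blocked by the default local-subnet scope. If it still fails, the sniff on the pfSense 2.1 interface suggested above tells you whether the echo request is even reaching the PC2 segment, which separates a pfSense rule problem from a host-firewall one.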
-
Ughh, it was the firewalls on Windows 10 the entire time!!! I had allowed IPv4 echo requests, but it looks like that wasn't enough because I just fully disabled it and now it works.
-
Great, now that you have connectivity working between your 2 networks via your transit network.
I assume pc2 has internet access as well?
Now you can start playing with VPN stuff if you so desire. You have disabled NAT on pfs2, I take it..
If you need help with the vpn stuff just ask.. happy to help.
I really do not see the point of pfs2 in your setup to be honest, other than a learning experience it serves no real purpose that I can see.
-
Internet is working as well! I will now try to reconnect the VPN and re-enable the NAT. Technically all I need is port 22/SSH open because that's the only way I'll be communicating between both LANs. I will see if I can just do port forwarding for SSH and that will be good enough. Thanks for all your help so far.
-
@WisceBIat said in Subnets can't communicate:
VPN and re-enable the NAT.
You do not need any NAT on pfs2, the NAT will happen at your edge router.. It already is if your pfs2 clients have internet.
Again, other than a learning experience of setting up a downstream router, for what you're wanting to accomplish there is no need for pfs2.. Your segment that is behind pfs2 could just be a segment right off pfs1..
-
This is what I'm trying to do. Only difference is I want to do it with Proxmox
-
Utter waste of time, the 2nd pfSense is pointless... It provides you nothing but causes your VM host to spend resources for nothing and complexes up the setup..