LAN/OPT1 client ping through WAN -> host unreachable.

nostromo

Hello there,
I just recently found out about pfSense and it looks great to me because
of feature that it can be installed on hard disk much easier than m0n0wall.
However I have a small problem since I'm newbie with these things.
I have a WAN, LAN and OPT1 interfaces on my pfSense beta2 box.
The WAN has static IP and is connected to my friends LAN through his AP.
I have turned off 'block private networks' on WAN interface and I bridged LAN
to OPT1. What confuses me is that I can ping with WAN, LAN and OPT1 interfaces
my friends machine which is sharing the internet through proxy, but I can't ping
it as a client on OPT1 or LAN (host unreachable) and I can't have internet. ??? ???
On firewall tab I have enabled all to go through but still it doesn't work.
My friend is using rather unstandard IP range of 1.1.5.0 and on the other
side I have, on LAN and OPT1 a C range of 192.168.0.0.
You see, I want my LAN to be separated of his LAN but to be able to share
internet with him.
I don't know is there something more that should be done or what?
If there was a similar thread about this please redirect me cause I didn't
found any that could answer my question….....yet.

sullrich

I just fixed a ton of LAN bridging issues.

Do this from a shell (since you have a full installation) to update to the latest:

cvs_sync.sh releng_1 && /etc/rc.filter_configure && pfctl -f /tmp/rules.debug

Make sure that pfctl does not spit any errors out.  Now retest and report back :)

nostromo

@sullrich
Can I use downloaded update_beta3 for beta2 and how to do it?

hoba

Feed your update file at System>firmware, manual update. Wait for the firewall to reboot. then run the above posted cvs sync command on top of it after it returned.

nostromo

I did upgrade firmware and cvs. Everything went fine but I'm still having the same problem.
For:
WAN
LAN
OPT1
ping works but as a client on OPT1 I get 'host unreachable' from WAN interface. :'(
I tried to add some rules for WAN to let ICMP and TCP/UDP packets but without success.

nostromo

It seems to me that everything that comes to WAN interface is blocked even though
I made two rules for this device in Firewall tab to pass everything from WAN network and LAN/OPT1. ???
In System log/Firewall there are a lot of UDP and IGMP packets that are blocked on this device still.

hoba

Click on the small block icon in front of the line at system>systemlogs, firewall. It will tell you which rule blocked the connection. If it reads something like "block all just to make sure" your rules are not correct.

nostromo

If I connect to my ISP directly through PPPoE without any rule
in firewall except default ones, then everything works fine.
If I use static IP to connect to my friends AP and I enable these rules
for WAN:
proto Source Port Destination         Port     Gateway
TCP/UDP 192.168.0.11      *    1.1.5.0/24    808    1.1.5.10    LAN > WAN
ICMP    192.168.0.11      *    1.1.5.0/24    *            *          ICMP LAN -> WAN
ICMP    OPT1 net    *    1.1.5.0/24    *            *          ICMP OPT1 -> WAN
TCP/UDP    OPT1 net    *      1.1.5.0/24    808    1.1.5.10    OPT1 -> WAN

I cannot ping no one on 1.1.5.0 net neither to have internet.
192.168.0.11 is my machine (a client on OPT1).
I have checked on log option for each of these rules and none of them did
appear in System logs/Firewall.
Also I checked this option for LAN and OPT1 rules which are passing everything
and guess what, none of them appeared in log although they should.
All I can see is that WAN is blocking incoming packets and yes there is
"block all just to make sure" if I click on icon in log.

I must admit that I am a noob about all these things but I want to learn more.
I also didn't mention that I'm not using my original MAC on WAN with my friend
because we are using the same (my) account at ISP which is filtering MAC addresses.
So in order to connect to my friends AP I'm using different address because of
possible collisions or whatever, and he is using my when we are sharing the internet.
Perhaps this could be the problem.
My wlan is Prism2.5 based.

hoba

The rules have the wrong direction (source and destination). Also I think your whole setup is a bit wrong. Just to clarify:

internet–----your friends Accesspoint ) ) ) )    wifi      ( ( ( (wireless wan/pfsense/lan-----clients

Is it this way? What is the OPT1 for?

I suggest first setting rules at all interfaces like this: pass any protocol, any source, any destination. This way you have allowed all traffic.

nostromo

@hoba:

I suggest first setting rules at all interfaces like this: pass any protocol, any source, any destination. This way you have allowed all traffic.

Well, I did that at first and it didn't work so I tried to add some rules.
That is why am I confused. As you can see I mentioned in my first post
that I allowed everything everywhere and OPT1/LAN interfaces, which are behind
WAN can ping the outside, but the client behind OPT1 is somehow blocked.

The OPT1 I use to directly connect my machine with pfsense through switched UTP
and that is just for this time until I configure pfsense. The LAN is connected to my switch.

This is my configuration:
internet–----your friends Accesspoint ) ) ) )    wifi      ( ( ( (wireless wan/pfsense/lan-----clients
                                                                                                                    |
                                                                                                                    |
                                                                                                                  opt1-------my machine

The OPT1 and LAN are in same IP range. Could this be a problem?

hoba

Yes, OPT1 and LAN should have different ranges or you break routing. Otherwise bridge OPT1 to LAN and don't use an IP-Adress on OPT1.

nostromo

I am sorry for troubling you hoba but this just doesn't work for me.

I have reset pfsense box to the factory settings, and I connected my machine (slackware)
to the LAN.
Then I set static IP  and MAC for WAN, also I disabled 'block private networks' and set
the firewall rule for WAN to pass everything and to log its traffic.
LAN is not blocking anything.

I still can't get to remote network or to use internet.

One thing that is very interesting that I used this same wlan card on my machine (slackware)
and whenever I tried to connect to my friends AP I needed to refresh its settings because
when it associates for first time I wasn't able to use the net so I tried to connect few times
to google and the wlan card just dissassociate itself from AP. After that I just refresh it and everything
goes fine. And I need to do that everytime I reboot.

In pfsense, when I use PPPoE in Status/Wireless my ISP's AP is clearly noted but for Static IP
there is nothing noted about my friends AP.
???

This could be an hardware issue.
What drivers pfsense is using for Prism based cards?

hoba

What happens if you save the Interface settings of the wireless client again? it will reload the interface settings and reinitialize the card.

nostromo

Yes, but still there is no AP listed in Status/Wireless. :(

hoba

I'm not sure if this will show up there if you use a mode other than accesspoint.

nostromo

Well at this very moment  I'm using my PPPoE account on ISP and there IS listed the IPS's AP.
There is a SSID, BSSID, channel, everything.

nostromo

here is a snapshot

nostromo

@hoba:

I'm not sure if this will show up there if you use a mode other than accesspoint.

I assume that you didn't believe me when I said that my WISP is broadcasting it's MAC
addresses.
However you can check it here on this link www.panonnet.net/
Please click on 'MAPA' at the bottom of the page.