192.168.0.0 not working..



  • hi!!
    Sorry for posting it here but I don't know which is the best place for this question!!

    I have a PfSense 1.2release with 4 Nics:
    WAN
    LAN is 172.16.11.21/24
    DMZ0 is 192.168.0.112/24
    and DMZ1 is 192.168.1.112/24
    Everything is working since late 2005..

    From PCs in my LAN I can ping any interface (and networks) on the PFSense except those on DMZ0.
    It's not a hardware problem because I tried changing the NIC card.
    Is there some kind of problem for PFSense to manage 192.168.0.0 class networks?

    I tried with static routes, Firewall rules, disabling bogon and private networks check box… but nothing..

    Thanks in advance for any help.
    AS



  • You have DMZ0 defined as a /24.



  • @submicron:

    You have DMZ0 defined as a /24.

    Thanks for your help but I can't understand..
    I know 192.168.0.0/16 is a private address class and it is /16 …
    but I need a /24 "subnetting" because I have a DMZ1 as 192.168.1.x
    and DMZ0 as 192.168.0.x..
    So, if I put DMZ0 in /16 how can PFSense distinguish between DMZ0 and DMZ1 ??

    Thanks again.



  • On a /24 network, the host ending in .0 is the network address and cannot be assigned to any host.  Similarly anything ending in .255 would be the network broadcast address.  This means that you can't assign the IP address (in your case) 192.168.1.0 or 192.168.0.0 to any host.

    More generally, the netmask (in this case /24) defines the number of bits, out of 32, that are assigned to the network portion of the IP address.  The remaining bits are the host portion.  When those are all 1s then that is the broadcast address, when they are all zero that is the network address.  Neither can be assigned to hosts (in general use anyway, when using a /32 subnet the rules change as there is only a network address).



  • Hello,

    I think it's more or less simple: his box has been working for almost 3 yrs now, then suddenly stops.
    @scarpy:

    Everything is working since late 2005..

    So I might ask you, what did you do exactly to the box before it stopped working? If you said "nothing", then it is not understandable at all, nor can it be explained logically. Any issue must have some cause.



  • @Cry:

    On a /24 network, the host ending in .0 is the network address and cannot be assigned to any host.  Similarly anything ending in .255 would be the network broadcast address.  This means that you can't assign the IP address (in your case) 192.168.1.0 or 192.168.0.0 to any host.

    More generally, the netmask (in this case /24) defines the number of bits, out of 32, that are assigned to the network portion of the IP address.  The remaining bits are the host portion.  When those are all 1s then that is the broadcast address, when they are all zero that is the network address.  Neither can be assigned to hosts (in general use anyway, when using a /32 subnet the rules change as there is only a network address).

    Thank you very much for your lesson about networking basics..
    This made me understand that I did not post enough details when I started the thread..
    I DO NOT want to assign 192.168.1.0 or 192.168.0.0 to any host…

    This is my setup:

    I have a PfSense 1.2release with 4 Nics:
    WAN with public IP address
    LAN is 172.16.11.21 with subnet mask 255.255.255.0
    DMZ0 is 192.168.0.112 with subnet mask 255.255.255.0
    and DMZ1 is 192.168.1.112 with subnet mask 255.255.255.0

    I have rules permitting traffic incoming into LAN interface..

    SO, why can I ping ANY host in DMZ1 network and CANNOT ping any host in DMZ0 network ??

    Thanks,
    Scarpy



  • @scarpy:

    Everything is working since late 2005..

    Everything is still working.. I mean, PFSense is doing its good work as a firewall between WAN and LAN..
    The only thing that is NOT working is the routing from LAN to DMZ0:
    in fact from LAN I can ping the DMZ1 NIC address of PFSense (192.168.1.112) and all hosts in my DMZ1 network
    but I can't ping the address of the PFSense NIC of DMZ0 (192.168.0.112) …

    Thanks,
    scarpy



    This shouldn't even be possible.
    Could you show a screenshot of
    "diagnostics"-->"routes"
    and
    "status"-->"interfaces"?

    Also what firewall rules do you have on the interface on which the ping isn't working?



  • @GruensFroeschli:

    This shouldn't even be possible.
    Could you show a screenshot of
    "diagnostics"-->"routes"
    and
    "status"-->"interfaces"?

    Also what firewall rules do you have on the interface on which the ping isn't working?

    I attached all as JPG files..

    1. "diagnostics"-->"routes"
    2. "status"-->"interfaces"
    3. firewall rules (172.16.11.235 is my PC on LAN)

    The strange thing is that from LAN I can reach (ping, RDP, etc.) any PC in DMZ1
    but I can't reach DMZ0 lan nor DMZ_10 lan..
    NO firewall rules are present for these three interfaces (DMZ0, DMZ1, DMZ_10)..

    Note that today I added one more NIC card (DMZ_10) just to check if it was a problem related to the 192.168.0.0 IP address class..
    But PFSense behaviour is the same with the 11.0.0.1 address of the DMZ_10 NIC card..

    Thanks for your help…
    AS


    Traffic is filtered inbound on an interface.
    If you test connectivity with a ping you have to allow the ICMP protocol.
    The only reason why you're getting an answer on "some" interfaces at all is probably because the anti-lockout rule is enabled.
    Add a rule on the LAN on top that allows the protocol ICMP and it should work.

    Also you should move the IP range of your DMZ_10.
    11.x.x.x isn't an allowed RFC1918 range.

    allowed ranges are:
    192.168.0.0/16  - (192.168.0.0 to 192.168.255.255)
    172.16.0.0/12    - (172.16.0.0 to 172.31.255.255)
    10.0.0.0/8        - (10.0.0.0 to 10.255.255.255)
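
Added example, not part of any post in this thread: a Python check of the addressing points raised above (RFC1918 membership, the unassignable network and broadcast addresses on a subnet, and whether widening DMZ0 to /16 would collide with DMZ1). The interface addresses are the ones posted in the thread; the /24 mask on DMZ_10, the function name `audit` and the finding labels are assumptions made for illustration.

```python
import ipaddress

# The three private ranges listed in the last post
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Addresses as posted in the thread; the /24 on DMZ_10 is an assumption
INTERFACES = {
    "LAN": "172.16.11.21/24",
    "DMZ0": "192.168.0.112/24",
    "DMZ1": "192.168.1.112/24",
    "DMZ_10": "11.0.0.1/24",
}


def audit(interfaces):
    """Return (interface, finding) tuples for a firewall's interface plan."""
    parsed = {name: ipaddress.ip_interface(cidr)
              for name, cidr in interfaces.items()}
    findings = []
    for name, iface in parsed.items():
        net = iface.network
        # The whole subnet must sit inside one of the private ranges
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append((name, "not-rfc1918"))
        # All-zeros / all-ones host bits are the network / broadcast address
        # (does not apply to /31 and /32, as noted in the thread for /32)
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            findings.append((name, "unassignable-host-address"))
    # Two interfaces on overlapping subnets make the connected routes ambiguous
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                findings.append((f"{a}/{b}", "overlapping-subnets"))
    return findings


if __name__ == "__main__":
    print(audit(INTERFACES))
    # What the original poster asked about: DMZ0 as /16 next to DMZ1 as /24
    print(audit({"DMZ0": "192.168.0.112/16", "DMZ1": "192.168.1.112/24"}))
```
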

