    Problems accessing certain hosts on lan interface

    • P
      PfSenseTimeout last edited by

      I recently set up some VLANs on my pfsense router and have problems accessing certain hosts on lan interface. Do you have any suggestions for me?

      Firewall/Rules/ACCESS_VLAN
      Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
      IPv4 * | * | * | * | * | * | none | | Default allow ACCESS_VLAN to any rule

      Internet access works
      PING pfsense.org (208.123.73.69) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
      64 bytes from 208.123.73.69: icmp_seq=0 ttl=42 time=120.707 ms
      64 bytes from 208.123.73.69: icmp_seq=1 ttl=42 time=120.226 ms
      64 bytes from 208.123.73.69: icmp_seq=2 ttl=42 time=120.164 ms

      --- pfsense.org ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 120.164/120.366/120.707/0.243 ms

      Pfsense web interface access works, too
      PING 192.168.178.1 (192.168.178.1) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
      64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=0.086 ms
      64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=0.038 ms
      64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=0.038 ms

      --- 192.168.178.1 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.038/0.054/0.086/0.023 ms

      AP is inaccessible from VLAN
      PING 192.168.178.22 (192.168.178.22) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes

      --- 192.168.178.22 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss

      PING 192.168.178.22 (192.168.178.22) from 192.168.178.1 [LAN]: 56 data bytes
      64 bytes from 192.168.178.22: icmp_seq=0 ttl=64 time=0.293 ms
      64 bytes from 192.168.178.22: icmp_seq=1 ttl=64 time=0.231 ms
      64 bytes from 192.168.178.22: icmp_seq=2 ttl=64 time=0.216 ms

      --- 192.168.178.22 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.216/0.247/0.293/0.033 ms

      • M
        muswellhillbilly last edited by

        Post screen-shots of your firewall rules (external, internal including any/all DMZs and VLANs). A diagram of your network setup would help too - including all netmasks and gateway info. It may be age-related, but my mind-reading capabilities aren't what they used to be.

        • Derelict
          Derelict LAYER 8 Netgate last edited by

          Is it actually an AP or is it some repurposed consumer wireless router?

          Does that AP have the concept of a default gateway on its LAN interface?

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • P
            PfSenseTimeout last edited by

            It is a repurposed TP-Link consumer router. Interestingly, accessing an enterprise-grade AP works well.

            • Derelict
              Derelict LAYER 8 Netgate last edited by

              See if it has the ability to set static routes. You might be able to set a route for 0.0.0.0 to pfsense or something.

              Else you can set outbound NAT on LAN so that device sees connections to it coming from the same subnet so reply traffic doesn't need to be routed.

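An added example, not part of the original thread, that models the reply-path problem described in the post above: the AP answers only sources it has a route to, so a default route via pfSense or outbound NAT on LAN both make the VLAN client reachable. The /24 netmask and the route-table representation are assumptions; the thread never states the netmasks.

```python
import ipaddress


def next_hop(routes, dst):
    """Longest-prefix match: returns 'on-link', a gateway IP, or None (no route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def reply_possible(routes, packet_src):
    """A host can answer only if it has a route back to the packet's source."""
    return next_hop(routes, packet_src) is not None


# Assumed: the AP is 192.168.178.22/24 and pfSense LAN is 192.168.178.1.
AP_NO_GATEWAY = [("192.168.178.0/24", "on-link")]
AP_WITH_DEFAULT = AP_NO_GATEWAY + [("0.0.0.0/0", "192.168.178.1")]


def source_seen_by_ap(client_src, outbound_nat_on_lan):
    """With outbound NAT on LAN, pfSense rewrites the source to its LAN address."""
    return "192.168.178.1" if outbound_nat_on_lan else client_src


if __name__ == "__main__":
    cases = [
        ("no gateway, no NAT", AP_NO_GATEWAY, False),
        ("default route via pfSense", AP_WITH_DEFAULT, False),
        ("no gateway, outbound NAT on LAN", AP_NO_GATEWAY, True),
    ]
    for label, routes, nat in cases:
        src = source_seen_by_ap("192.168.188.1", nat)
        print(f"{label:32} src={src:15} reply={reply_possible(routes, src)}")
```

With the NAT option the AP sees every VLAN client as 192.168.178.1, so per-client attribution of management access has to come from pfSense's own states and logs rather than from the AP.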
              • P
                PfSenseTimeout last edited by

                The problem doesn't seem to be related to a missing default gateway. I'm unable to access the enterprise-grade AP via SSH, unlike HTTPS.

                • Derelict
                  Derelict LAYER 8 Netgate last edited by

                  SSH from where?

                  Do a packet capture and see what's going on.

                  • P
                    PfSenseTimeout last edited by

                    From my new VLAN.

                    30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959130 TSecr=0 WS=128
                    31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959380 TSecr=0 WS=128
                    34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959881 TSecr=0 WS=128
                    37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294960884 TSecr=0 WS=128

                    • Derelict
                      Derelict LAYER 8 Netgate last edited by

                      SYN going out and no response. Check the layer 2 and the host.

                      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

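An added example, not part of the original thread, that automates the reading of the capture given in the last reply: it groups the exported rows by flow and reports whether each SYN was answered, refused, or met with silence. The first four rows are the thread's own capture with trailing TCP options trimmed; the last two rows are constructed for contrast, and the row format handled by the regex is an assumption based on those lines.

```python
import re

# One row of the text export; the "[ACCESS_VLAN]" label after the source
# address and the "[TCP Retransmission]" tag are both optional.
ROW = re.compile(
    r"^\s*\d+\s+([\d.]+)\s+(\S+)(?:\s+\[\w+\])?\s+(\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?(\d+)\s+→\s+(\d+)\s+\[([A-Z, ]+)\]"
)

# Rows 30-37: from the thread (trimmed). Rows 50-51: constructed sample data.
CAPTURE = """\
30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0
31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0
34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0
37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0
50 41.000000000 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 51000 → 443 [SYN] Seq=0
51 41.000400000 192.168.178.33 192.168.188.1 TCP 74 443 → 51000 [SYN, ACK] Seq=0 Ack=1
""".splitlines()


def handshake_verdicts(lines):
    """Map each client flow to (verdict, SYN count, gaps between SYNs in seconds)."""
    flows = {}
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue  # not a TCP row in the expected format
        t, src, dst = float(m[1]), m[2], m[3]
        sport, dport, flags = int(m[4]), int(m[5]), set(m[6].split(", "))
        if flags == {"SYN"}:
            flow = flows.setdefault((src, sport, dst, dport), {"syns": [], "reply": None})
            flow["syns"].append(t)
        elif (dst, dport, src, sport) in flows:  # packet heading back to the client
            flow = flows[(dst, dport, src, sport)]
            if "RST" in flags:
                flow["reply"] = flow["reply"] or "refused"
            elif {"SYN", "ACK"} <= flags:
                flow["reply"] = flow["reply"] or "answered"
    result = {}
    for key, flow in flows.items():
        gaps = [round(b - a, 1) for a, b in zip(flow["syns"], flow["syns"][1:])]
        result[key] = (flow["reply"] or "no response", len(flow["syns"]), gaps)
    return result


if __name__ == "__main__":
    for key, verdict in handshake_verdicts(CAPTURE).items():
        print(key, verdict)
```

A "no response" verdict only says nothing came back past the capture point; repeating the capture closer to the target separates a host that never received the SYN from one whose reply was lost on the way back.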