Problems accessing certain hosts on LAN interface



  • I recently set up some VLANs on my pfSense router and have problems accessing certain hosts on the LAN interface. Do you have any suggestions for me?

    Firewall/Rules/ACCESS_VLAN
    Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4*     *       *     *            *     *        none             Default allow ACCESS_VLAN to any rule

    Internet access works
    PING pfsense.org (208.123.73.69) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
    64 bytes from 208.123.73.69: icmp_seq=0 ttl=42 time=120.707 ms
    64 bytes from 208.123.73.69: icmp_seq=1 ttl=42 time=120.226 ms
    64 bytes from 208.123.73.69: icmp_seq=2 ttl=42 time=120.164 ms

    --- pfsense.org ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 120.164/120.366/120.707/0.243 ms

    Pfsense web interface access works, too
    PING 192.168.178.1 (192.168.178.1) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
    64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=0.086 ms
    64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=0.038 ms
    64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=0.038 ms

    --- 192.168.178.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.038/0.054/0.086/0.023 ms

    AP is inaccessible from VLAN
    PING 192.168.178.22 (192.168.178.22) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes

    --- 192.168.178.22 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    PING 192.168.178.22 (192.168.178.22) from 192.168.178.1 [LAN]: 56 data bytes
    64 bytes from 192.168.178.22: icmp_seq=0 ttl=64 time=0.293 ms
    64 bytes from 192.168.178.22: icmp_seq=1 ttl=64 time=0.231 ms
    64 bytes from 192.168.178.22: icmp_seq=2 ttl=64 time=0.216 ms

    --- 192.168.178.22 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.216/0.247/0.293/0.033 ms



  • Post screen-shots of your firewall rules (external, internal including any/all DMZs and VLANs). A diagram of your network setup would help too - including all netmasks and gateway info. It may be age-related, but my mind-reading capabilities aren't what they used to be.


  • Netgate

    Is it actually an AP or is it some repurposed consumer wireless router?

    Does that AP have the concept of a default gateway on its LAN interface?



  • It is a repurposed TP-Link consumer router. Interestingly, accessing an enterprise-grade AP works well.


  • Netgate

    See if it has the ability to set static routes. You might be able to set a route for 0.0.0.0 to pfSense or something.

    Else you can set outbound NAT on LAN so that device sees connections to it coming from the same subnet so reply traffic doesn't need to be routed.



  • The problem doesn't seem to be related to a missing default gateway. I'm unable to access the enterprise-grade AP via SSH, unlike HTTPS.


  • Netgate

    SSH from where?

    Do a packet capture and see what's going on.



  • From my new VLAN.

    30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959130 TSecr=0 WS=128
    31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959380 TSecr=0 WS=128
    34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959881 TSecr=0 WS=128
    37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294960884 TSecr=0 WS=128


  • Netgate

    SYN going out and no response. Check the layer 2 and the host.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
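The diagnosis in the last reply (a SYN leaves the VLAN, and neither a SYN/ACK nor an RST ever comes back, so the problem is below the firewall: layer 2, routing on the target, or a host firewall) can be checked mechanically over a capture rather than by eye. The following is an added example, not code from the thread or from Netgate: it parses Wireshark-style summary lines like the ones posted above, groups them into TCP flows keyed on the initiator, and classifies each flow as answered, refused, or unanswered. The four SYN lines are the ones from the thread; the two HTTPS handshake lines are constructed to show what a healthy flow looks like, and the interface tag in brackets is treated as optional because a plain capture will not carry it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Wireshark summary line: No. Time Source [optional iface tag] Destination TCP Len Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)(?:\s+\[[^\]]+\])?"
    r"\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+(?P<info>.*)$"
)
# Info column: optional "[TCP Retransmission]", then "sport -> dport [FLAGS]"
INFO_RE = re.compile(
    r"(?P<retrans>\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s*(?:→|->)\s*"
    r"(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


@dataclass
class Flow:
    syns: int = 0             # initial SYN plus retransmitted SYNs
    retransmissions: int = 0  # SYNs Wireshark flagged as retransmissions
    answered: bool = False    # a SYN/ACK came back from the target
    reset: bool = False       # the target actively refused with RST


def analyze(lines):
    """Group capture lines into flows keyed (client ip, client port, server ip, server port)."""
    flows = defaultdict(Flow)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line; ignore
        i = INFO_RE.search(m["info"])
        if not i:
            continue
        flags = {f.strip() for f in i["flags"].split(",")}
        src, dst = m["src"], m["dst"]
        sport, dport = int(i["sport"]), int(i["dport"])
        if "SYN" in flags and "ACK" not in flags:
            # Client-side SYN: the packet's own direction is the flow key.
            key = (src, sport, dst, dport)
            flows[key].syns += 1
            if i["retrans"]:
                flows[key].retransmissions += 1
        else:
            # Reply direction: swap so it lands on the initiator's flow.
            key = (dst, dport, src, sport)
            if "SYN" in flags and "ACK" in flags:
                flows[key].answered = True
            if "RST" in flags:
                flows[key].reset = True
    return dict(flows)


def classify(flow):
    if flow.answered:
        return "handshake completed"
    if flow.reset:
        return "refused by host (RST)"
    return "no response: check layer 2 / routing on the host / host firewall"


def report(lines):
    """Return {flow key: verdict} for every flow that started with a SYN."""
    return {key: classify(f) for key, f in analyze(lines).items() if f.syns > 0}


# Sample capture: the four SSH SYNs from the thread plus a constructed, healthy HTTPS handshake.
SAMPLE_CAPTURE = [
    "30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959130 TSecr=0 WS=128",
    "31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959380 TSecr=0 WS=128",
    "34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959881 TSecr=0 WS=128",
    "37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294960884 TSecr=0 WS=128",
    # constructed: HTTPS to the pfSense LAN address, which the thread says works
    "40 41.000000000 192.168.188.1 [ACCESS_VLAN] 192.168.178.1 TCP 74 48531 → 443 [SYN] Seq=0 Win=29200 Len=0",
    "41 41.000100000 192.168.178.1 192.168.188.1 TCP 74 443 → 48531 [SYN, ACK] Seq=0 Ack=1 Win=65228 Len=0",
]

if __name__ == "__main__":
    for key, verdict in report(SAMPLE_CAPTURE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {verdict}")
```

Feed it the text export of a capture taken on the VLAN interface and then on the LAN interface: if the SYN is unanswered on both, the packet reached the far side but the target (or its missing default route) never replied; if it is unanswered on the VLAN side only, the firewall or a NAT rule dropped or rewrote it in between.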