Netgate Discussion Forum

Problems accessing certain hosts on lan interface

General pfSense Questions
9 Posts 3 Posters 6.7k Views
    PfSenseTimeout
    last edited by Nov 10, 2016, 12:45 AM Nov 10, 2016, 12:32 AM

    I recently set up some VLANs on my pfsense router and have problems accessing certain hosts on lan interface. Do you have any suggestions for me?

    Firewall/Rules/ACCESS_VLAN
    Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *    *       *     *            *     *        none             Default allow ACCESS_VLAN to any rule

    Internet access works
    PING pfsense.org (208.123.73.69) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
    64 bytes from 208.123.73.69: icmp_seq=0 ttl=42 time=120.707 ms
    64 bytes from 208.123.73.69: icmp_seq=1 ttl=42 time=120.226 ms
    64 bytes from 208.123.73.69: icmp_seq=2 ttl=42 time=120.164 ms

    --- pfsense.org ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 120.164/120.366/120.707/0.243 ms

    Pfsense web interface access works, too
    PING 192.168.178.1 (192.168.178.1) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes
    64 bytes from 192.168.178.1: icmp_seq=0 ttl=64 time=0.086 ms
    64 bytes from 192.168.178.1: icmp_seq=1 ttl=64 time=0.038 ms
    64 bytes from 192.168.178.1: icmp_seq=2 ttl=64 time=0.038 ms

    --- 192.168.178.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.038/0.054/0.086/0.023 ms

    AP is inaccessible from VLAN
    PING 192.168.178.22 (192.168.178.22) from 192.168.188.1 [ACCESS_VLAN]: 56 data bytes

    --- 192.168.178.22 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    PING 192.168.178.22 (192.168.178.22) from 192.168.178.1 [LAN]: 56 data bytes
    64 bytes from 192.168.178.22: icmp_seq=0 ttl=64 time=0.293 ms
    64 bytes from 192.168.178.22: icmp_seq=1 ttl=64 time=0.231 ms
    64 bytes from 192.168.178.22: icmp_seq=2 ttl=64 time=0.216 ms

    --- 192.168.178.22 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.216/0.247/0.293/0.033 ms

      muswellhillbilly
      last edited by Nov 10, 2016, 9:02 AM

      Post screen-shots of your firewall rules (external, internal including any/all DMZs and VLANs). A diagram of your network setup would help too - including all netmasks and gateway info. It may be age-related, but my mind-reading capabilities aren't what they used to be.

        Derelict LAYER 8 Netgate
        last edited by Nov 10, 2016, 9:09 AM

        Is it actually an AP or is it some repurposed consumer wireless router?

        Does that AP have the concept of a default gateway on its LAN interface?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          PfSenseTimeout
          last edited by Nov 10, 2016, 10:27 AM

          It is a repurposed TP-Link consumer router. Interestingly, accessing an enterprise-grade AP works well.

            Derelict LAYER 8 Netgate
            last edited by Nov 10, 2016, 10:43 AM

            See if it has the ability to set static routes. You might be able to set a route for 0.0.0.0 to pfsense or something.

            Else you can set outbound NAT on LAN so that device sees connections to it coming from the same subnet so reply traffic doesn't need to be routed.

              PfSenseTimeout
              last edited by Nov 17, 2016, 10:26 AM

              The problem doesn't seem to be related to a missing default gateway. I'm unable to access the enterprise-grade AP via SSH, unlike HTTPS.

                Derelict LAYER 8 Netgate
                last edited by Nov 17, 2016, 6:40 PM

                SSH from where?

                Do a packet capture and see what's going on.

                  PfSenseTimeout
                  last edited by Nov 18, 2016, 2:06 PM

                  From my new VLAN.

                  30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959130 TSecr=0 WS=128
                  31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959380 TSecr=0 WS=128
                  34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294959881 TSecr=0 WS=128
                  37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294960884 TSecr=0 WS=128

                    Derelict LAYER 8 Netgate
                    last edited by Nov 18, 2016, 7:00 PM

                    SYN going out and no response. Check the layer 2 and the host.

                    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


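The reading of the capture given in the last reply (SYN retransmitted, nothing coming back) and the earlier default-gateway question can be checked mechanically. This is an added example, not code from the thread or from pfSense: it parses a text export shaped like the rows posted above, lists handshakes that never drew a SYN-ACK or RST, and flags whether the reply would have to be routed. The /24 mask for 192.168.178.0 and rows 41-42 are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Rows 30-37: the capture posted in the thread, TCP options trimmed.
# Rows 41-42: constructed here, an answered HTTPS handshake for contrast.
CAPTURE = """\
30 33.040356821 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
31 34.037486469 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
34 36.041733916 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
37 40.053825119 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 [TCP Retransmission] 48530 → 22 [SYN] Seq=0 Win=29200 Len=0
41 45.000000000 192.168.188.1 [ACCESS_VLAN] 192.168.178.33 TCP 74 48532 → 443 [SYN] Seq=0 Win=29200 Len=0
42 45.000400000 192.168.178.33 192.168.188.1 TCP 74 443 → 48532 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
"""

ROW = re.compile(
    r"^\s*\d+\s+(?P<t>\d+\.\d+)\s+(?P<src>[\d.]+)(?:\s+\[\w+\])?\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def unanswered_syns(text, host_subnet):
    """Return client flows whose SYNs never drew a SYN-ACK or RST from the target."""
    syns, answered = defaultdict(list), set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if flags == {"SYN"}:
            syns[fwd].append(float(m["t"]))
        elif {"SYN", "ACK"} <= flags or "RST" in flags:
            answered.add((fwd[2], fwd[3], fwd[0], fwd[1]))  # reply runs the other way
    net = ipaddress.ip_network(host_subnet)
    report = []
    for (src, sport, dst, dport), times in syns.items():
        if (src, sport, dst, dport) in answered:
            continue
        report.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "syn_count": len(times),
            # Doubling gaps (1 s, 2 s, 4 s) are the client's SYN retransmission timer.
            "gaps_s": [round(b - a) for a, b in zip(times, times[1:])],
            # Source outside the host's subnet: the host can answer only if it
            # has a default gateway or static route back (assumed /24 here).
            "reply_needs_route": ipaddress.ip_address(src) not in net,
        })
    return report
```

Calling `unanswered_syns(CAPTURE, "192.168.178.0/24")` reports only the port 22 flow. A capture taken on the pfSense LAN interface that shows the same SYNs leaving and still no reply places the fault at layer 2 or on the host itself, not in the firewall rules.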