Netgate Discussion Forum
    Multi LANs Cannot ping each other

    Firewalling
    5 Posts 2 Posters 1.4k Views
    • pazignac

      pfSense with 3 physical ports and 1 virtual (for OpenVPN bridging purposes):
      1) 172.16.0.1/16 Main LAN
      2) 172.18.0.1/16 Wireless LAN
      3) 192.168.2.1/24 Specific Server
      4) (Virtual device, no address, for VPN use only)

      I have the VPN device (virtual) bridged with the physical 192.168.2.1/24. The trouble I have is that if I ping the server on the physical 192.168.2.1/24 (the address is 192.168.2.20) from the pfSense firewall I see the connection. If I look at my ARP table I see the server's address. I can ping the physical port from any of the LANs (e.g. ping 192.168.2.1 from the Wireless LAN address). But if I try to ping the server 192.168.2.20 from a device on the Main LAN (172.16.0.1/16) or Wireless LAN (172.18.0.1/16) I get no response. I have rules in place at the top (PASS > IPv4 > Protocol: ANY > Source: ALL > Destination: ALL) under the Wireless LAN (172.18.0.1/16), Specific Server (192.168.2.1/24), and virtual device. I don't know what to enable or do to allow specifically my Wireless LAN to communicate with the virtual and Specific Server devices. Please help!

      • johnpoz, LAYER 8 Global Moderator

        And what about the firewall on devices in your LAN? Windows, for example, out of the box is not going to allow ping from devices not on its network.

        Really a /16 mask? So you plan on having some 65k devices on these networks?

        As to some VPN device bridged?? Huh?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • pazignac

          Thanks for responding, johnpoz. I have enabled the firewall rule for incoming ICMP (IPv4 and IPv6) on another computer on the Server LAN (192.168.2.1/24, specifically 192.168.2.131). I can ping this device from pfSense if I set the source address to the Server LAN. Otherwise I cannot ping this computer from the Main LAN or Wireless LAN.

          Secondly, yes, I know a /16 is overkill :D. It is for a small business that wants to divide hundreds of devices (wired/wireless) into different subnets for organization (e.g. wireless guest 172.18.1.X and wireless domain users 172.18.2.X).

          Thirdly, I have an OpenVPN TAP connection to a virtual device that is bridged to the physical Server LAN. This ensures that if I connect a person via VPN I can have an IP address on the Server LAN. This allows the server to reply directly to the device. This is a special old network server.

          I hope this helps key you into my config.

          • johnpoz, LAYER 8 Global Moderator

            So you have some sort of bridge and you're trying to ping from other OPT networks to this bridge network? What firewall rules do you have on this bridge interface? How exactly did you set up the bridge?

            What sort of virtual device?? Can wireless 172.18.0.? ping something on 172.16.0.?

            How exactly are they going to subnet these networks down? What does that have to do with pfSense having a /16 mask on its actual interface??? That makes no sense at all.


            • pazignac

              Sorry for the confusion. I have 3 physical ports configured to 3 interfaces:

              Main LAN (172.16.0.1) DHCP
              Wireless LAN (172.18.0.1) DHCP
              Specific Server LAN (192.168.2.1) no DHCP

              I also have an OPT interface with no address for the VPN to use. I followed the OpenVPN TAP how-to, which said to create an OPT interface and bridge it with the interface you want the IP addresses to show up on.

              I then, under the Interfaces tab, bridged the Specific Server LAN and the OPT interface. Now to the rules. I have rules on each interface (Main LAN, Wireless LAN, Specific Server LAN, and OPT interface) as the TOP rule: PASS > IPv4 > Protocol: ANY > Source: ALL > Destination: ALL. With that, there are no other interfaces listed under the Rules tab except WAN and OpenVPN. Now I can ping any address from Main LAN to Wireless LAN and vice versa (172.16.0.X ping 172.18.0.X and 172.18.0.X ping 172.16.0.X) with no issues. The only issue I have is if I try to ping the Server LAN from either the Main LAN or Wireless LAN. I have 2 devices currently on the Server LAN, addresses 192.168.2.20 and 172.168.2.131, both configured to allow incoming pings. Now if I go to the Diagnostics page on pfSense and use the Ping tool I can ping the two devices on the Server LAN IF I set the source address to the Server LAN.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.