Netgate Discussion Forum

No access to device on separate LAN

General pfSense Questions (15 Posts, 4 Posters, 2.7k Views)

DaHai8:

I'm a pfSense NOOB, sorry.
I'm connected on my Laptop to my pfSense router on 192.168.2.185 on LAN2 - internet access and all.
I have a device (Raspberry Pi) on 192.168.1.4 on LAN1 - it has internet access as it is sending me emails and stuff and is in the ARP table.
But I can't Ping or SSH, or anything to my Pi from my Laptop.
I know I've screwed up something simple, just can't figure out where.
Any/all help, suggestions, etc. are greatly appreciated!!

KOM:

What are your LAN2 firewall rules? Post a screenshot. Do you know for sure that your Pi responds to ping and SSH?

DaHai8:

This is my Second LAN (Loki) that I'm connected on with my Laptop:

This is my First LAN (Sif) that has the Pi on:

Before installing pfSense, I was able to Ping and SSH into it from my laptop - of course it was on the same LAN (I only had one then). Now I need it on a separate LAN, but I thought I would be able to access any device regardless of the source and destination LAN.

Thanks for your help!

DaHai8:

P.S. I can Ping my Pi from the pfSense Diagnostics / Ping utility, but not from my laptop on the separate LAN (Timeout).

If I select the Source Address in Diagnostics / Ping as LOKI, then Pings fail as well (timeout).

Derelict (LAYER 8 Netgate):

Probably a local firewall on the Pi, which is a very common user configuration error when you can connect from the local subnet but not from others.

Or the default gateway on the Pi is wrong, which is a second almost equal user error when you can connect from the local subnet but not from others.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

DaHai8:

Derelict: Thanks for the suggestion!
I think I input the iptables properly and my eth0 interface in dhcpcd.conf looks correct, but I still can't ping it from another subnet:
iptables-save shows:

```
# INPUT chain rules as printed by iptables-save
-A INPUT -m iprange --src-range 192.168.3.0-192.168.3.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.2.0-192.168.2.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
```

And dhcpcd.conf shows:

```
# static address, gateway and resolvers for the Pi on Sif
interface eth0
static ip_address=192.168.1.4/24
static routers=192.168.1.1
static domain_servers=192.168.1.1 8.8.8.8
```
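To check what a host firewall like this does to a packet from the other LAN without logging into the Pi, here is an added example (not code posted by anyone in this thread) that walks an iptables INPUT chain taken from iptables-save text the way the kernel does: the first matching terminal rule wins, otherwise the chain policy applies. The function names (`verdict`, `parse_input_chain`) are my own. Both rulesets are constructed: one is the three rules quoted above with an assumed DROP policy and the ESTABLISHED,RELATED rule the quoted fragment does not show; the other is an "only my own subnet" ruleset, which produces exactly the symptom Derelict describes. It handles only the matches listed in the comments.

```python
"""Walk an iptables INPUT chain for a given packet.

Added example for this thread; it is not code posted by anyone here.
Supports the matches seen in the posted rules plus the usual companions:
-s/--source, -i, -p, --dport, -m iprange --src-range, -m state --state
(or -m conntrack --ctstate) and the terminal targets ACCEPT/DROP/REJECT.
Options without an argument (for example '!' negation) are not handled."""
import ipaddress
import shlex


def parse_rule(tokens):
    """Turn the tokens after '-A INPUT' into a match dictionary."""
    rule = {"target": None}
    i = 0
    while i + 1 < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--src-range":            # from -m iprange
            lo, hi = arg.split("-")
            rule["src_range"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif opt in ("-i", "--in-interface"):
            rule["iface"] = arg
        elif opt in ("-p", "--protocol"):
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt in ("--state", "--ctstate"):
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        # '-m <module>' and unknown options are skipped together with their argument
        i += 2
    return rule


def parse_input_chain(dump):
    """Return (policy, rules) for the INPUT chain of iptables-save output."""
    policy, rules = "ACCEPT", []          # no ':INPUT' line means the kernel default policy
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def rule_matches(rule, pkt):
    """True when every match in the rule is satisfied by the packet."""
    src = ipaddress.ip_address(pkt["src"])
    if "src" in rule and src not in rule["src"]:
        return False
    if "src_range" in rule and not rule["src_range"][0] <= src <= rule["src_range"][1]:
        return False
    if "iface" in rule and rule["iface"] != pkt.get("iface"):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "states" in rule and pkt.get("state", "NEW") not in rule["states"]:
        return False
    return True


def verdict(dump, pkt):
    """First matching terminal rule wins; otherwise the chain policy applies."""
    policy, rules = parse_input_chain(dump)
    for rule in rules:
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and rule_matches(rule, pkt):
            return rule["target"]
    return policy


# The three rules quoted in the post above, with an assumed DROP policy and
# the conntrack rule the quoted fragment does not show (constructed).
POSTED_RULES = """
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m iprange --src-range 192.168.3.0-192.168.3.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.2.0-192.168.2.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
"""

# A host firewall that only trusts its own subnet: the classic cause of
# "reachable from my LAN, unreachable from the other LAN" (constructed).
OWN_SUBNET_ONLY = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
"""

# Packets as the Pi (192.168.1.4 on Sif) sees them: a ping and an SSH SYN from
# the laptop on Loki, and an SSH attempt from an address no rule covers.
PING_FROM_LOKI = {"src": "192.168.2.185", "iface": "eth0", "proto": "icmp"}
SSH_FROM_LOKI = {"src": "192.168.2.185", "iface": "eth0", "proto": "tcp", "dport": 22}
SSH_FROM_ELSEWHERE = {"src": "10.0.0.5", "iface": "eth0", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, dump in (("posted rules", POSTED_RULES), ("own subnet only", OWN_SUBNET_ONLY)):
        for label, pkt in (("ping from Loki", PING_FROM_LOKI), ("ssh from Loki", SSH_FROM_LOKI),
                           ("ssh from 10.0.0.5", SSH_FROM_ELSEWHERE)):
            print(f"{name:16} {label:18} -> {verdict(dump, pkt)}")
```

With the posted rules the laptop's ping and SSH are accepted, so if the Pi really has this chain loaded the host firewall is not what blocks Loki, and the next thing to look at is the Pi's routing, which is what the Packet Capture suggestion in the following reply settles.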
Derelict (LAYER 8 Netgate):

Diagnostics > Packet Capture on that pfSense interface. If you see the pings leaving and nothing coming back, you have it configured wrong.

You are passing any any any on that interface. It's almost certainly something on the pi. Packet Capture will tell exactly what's happening.

DaHai8:

Thanks!
I'll take a look at Packet Capture.
I also posted a message about this on the Raspberry Pi forum since it looks like a Pi issue and not pfSense configuration.
When resolved, I'll post the fix here in case anyone else runs into this.

Thanks again for everyone's help!

DaHai8:

I THINK I found the problem, but I have NO idea what happened!
Here's my Interfaces in pfSense (note 'Sif' IP address):

And here's my DHCP Configuration in Sif:

So, I plugged my Laptop into Sif with DHCP enabled and this is what I got!!!

Sif used to be 192.168.4.x, but I changed it yesterday back to its original 192.168.1.x. And I updated DHCP. And I applied all the changes. And I did that all again just now after it assigned me a .4.x address.

What the HECK have I screwed up?!?!?!

johnpoz (LAYER 8 Global Moderator):

Did you delete any old leases? If that box used to have a 192.168.4 address it will ask for it again; if there is still a lease, it's possible that it could say sure, go ahead, even if the current pool is something else. That would be my guess from the info you have given.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

DaHai8:

The old leases have not expired. Once I stopped and started the DHCP Service (thanks, Derelict!), it's now giving me IP Addresses from the correct Pool.
I'm rebuilding the Pi with a clean Raspbian Lite image and going to test that out (I've probably mucked something up royally on the old Pi).
I'll post back with the results (good or bad)…
Thanks again!
Can't say that enough here. This is a really awesome forum filled with great people!

DaHai8:

Ok, I'm desperate and I know this is going to be out-of-scope for pfSense, so apologies up front.

My Pi is running OpenVPN Client over SSL (because it has to - it just does, as required by the server. Please don't even speculate).

When OpenVPN is running, it blocks out all other subnets on my router, except the one it is on.
So my options are:

1. Unblock the other subnets from my Pi when running OpenVPN
2. Figure out how to run OpenVPN over SSL within pfSense

On Option 1, I have a post in the OpenVPN forum, but it's not as active as this forum. So any ideas here are VERY Welcome!

I figure for Option 2, I'm going to have to get into pfSense through SSH and manually install/configure stunnel - much like I did on the Pi.
Problem there is, while I have SSH enabled in pfSense, when I try to connect to 192.168.1.1 with PuTTY I get:

```
Couldn't agree on a key exchange algorithm (available: curve25519-sha256@libssh.org)
```

So I'm stuck there even before I get started.

Any ideas/suggestions/pointers are, as always, greatly appreciated.

johnpoz (LAYER 8 Global Moderator):

"2) Figure out how to run OpenVPN over SSL within pfSense"

You mean run it over TCP port 443? Or you mean run some VPN connection inside a stunnel?

"while I have SSH enabled in pfSense, when I try to connect to 192.168.1.1 with PuTTY I get:"

What version of PuTTY are you using? pfSense did lock down their sshd a while back to use current ciphers and algos. The old version of PuTTY does not support chacha20 or ed25519 for kex. Use the dev version of PuTTY; it has had support for the new stuff for well over a year now.

On the PuTTY download page, http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html, go to the "latest development snapshot" section.

The only reason you would have to run OpenVPN through a stunnel or SSH tunnel is if there was DPI being used and they were blocking OpenVPN, which is kind of odd if they would allow an SSH connection, since you can for sure tunnel traffic through an SSH tunnel.

As stated in your other thread, it would be much easier to help you if you just gave us the whole picture of what you're trying to accomplish exactly. We can then discuss all the different ways to skin that particular cat.

DaHai8:

I should have thought of upgrading PuTTY, my bad. I'm running around in circles trying to get everything working.
I am running OpenVPN through stunnel (SSL-encapsulated VPN), TCP only (UDP doesn't work that way). Yes, it's slooooow, but at least it works.
So, yes, I would need to install my multi-server client certificate in pfSense and install stunnel on pfSense as well and then have only the Loki Interface run through that service.
My original setup was:

```
Internet <--> Modem/Router combo <--> Pi (VPN/SSL) <--> Wifi Router <-> Me
```

Since it was a dual-NAT'd/Router setup, it was easy to just place the Pi between the two and make it the Gateway for the Wifi Router with the Modem/Router combo as the Gateway for the Pi.
Now I have a single Router/NAT (pfSense) and a simple Modem.

```
Internet <--> Modem <--> pfSense <--> Loki <--> Wifi AP <--> Me
                                 \-> Sif <--> Pi
```

I need the data from the WiFi AP on Loki to go to the Pi. Problem is, once OpenVPN is started on the Pi, it only accepts traffic from its own interface (subnet), Sif.
I don't think I can put the Pi on Loki and direct the WiFi AP traffic to it, or maybe that is possible?
With my talent for mucking things up, I'm reluctant to install OpenVPN and stunnel on pfSense…
And that's my current conundrum...
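A likely mechanism behind "once OpenVPN is started it only accepts traffic from its own subnet", which the thread never confirms and so is an assumption here: an OpenVPN client that is configured or pushed `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 routes through the tunnel. Hosts on Sif are still covered by the connected /24, but a ping or SSH SYN from the laptop on Loki is answered out of tun0 instead of back to pfSense, so the Packet Capture Derelict suggested would show requests arriving on Sif with no reply leaving. The added example below, which is not code from the thread and whose routing tables and VPN server address 203.0.113.10 are constructed, does a longest-prefix lookup over `ip route show` text to show the reply interface before the VPN, with it, and with one static route added for the Loki subnet.

```python
"""Longest-prefix route lookup over 'ip route show' text, to trace where a
Pi running an OpenVPN client sends its replies.

Added example for this thread, not the poster's configuration.  The three
routing tables and the VPN server address 203.0.113.10 are constructed."""
import ipaddress


def parse_routes(text):
    """Return [(network, gateway_or_None, device)] from 'ip route show' lines."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)   # a bare address becomes a /32
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(table, dst):
    """Pick the most specific route for dst (metrics ignored; no ties in these tables)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in parse_routes(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def reply_device(table, dst):
    """Interface the Pi would use to answer a packet that came from dst."""
    return lookup(table, dst)[2]


# Pi on Sif before OpenVPN starts (constructed from the dhcpcd.conf posted earlier).
BEFORE_VPN = """
default via 192.168.1.1 dev eth0 src 192.168.1.4 metric 202
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4 metric 202
"""

# After the client applies 'redirect-gateway def1': two /1 routes via the
# tunnel beat the default route without deleting it, and only the VPN server
# itself keeps a host route through the LAN gateway (constructed).
WITH_VPN = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 src 192.168.1.4 metric 202
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4 metric 202
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Same table plus one static route that keeps the Loki subnet on the LAN side.
WITH_VPN_AND_LOKI_ROUTE = WITH_VPN + "192.168.2.0/24 via 192.168.1.1 dev eth0\n"

if __name__ == "__main__":
    laptop = "192.168.2.185"
    for name, table in (("before VPN", BEFORE_VPN), ("with VPN", WITH_VPN),
                        ("with VPN + route", WITH_VPN_AND_LOKI_ROUTE)):
        net, via, dev = lookup(table, laptop)
        print(f"{name:18} reply to {laptop} -> {dev} via {via} (route {net})")
```

On the Pi the equivalent fix is `ip route add 192.168.2.0/24 via 192.168.1.1 dev eth0` (one such route per other LAN subnet), or in the OpenVPN client configuration `route 192.168.2.0 255.255.255.0 net_gateway`, which makes the client route that subnet through the pre-VPN gateway rather than the tunnel. Either belongs alongside, not instead of, the host firewall rules from the earlier post.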
DaHai8:

See: https://forum.pfsense.org/index.php?topic=121732.0

This thread is done for me.

Thanks everyone!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.