LAN to OPT1 Network (and vice-versa)



  • WAN1 - Public IP
    LAN - 192.168.90.0/24
    OPT1 - 172.168.89.0/30

    There is a server on LAN1 (192.168.90.30) that I want a proxy server (172.168.89.5) on OPT1 LAN to communicate with. I am not an advanced pfSense user, but I have used it here and there from time to time.

    In a nutshell (even at the simplest) -- how do I get machines on LAN1 to talk with machines on OPT1? Or how do I get the OPT1 proxy to talk with the LAN server? --- if I can get this, I can get them to communicate with each other; I can limit it to just the two IPs being able to talk to each other.

    FYI - This is a pfSense that is virtualized on vmware

    To get things going I just enabled everything on LAN to talk with everything on OPT1 -- but I can't get them to communicate.

    The firewall rules I had on LAN were
    Interface: LAN
    Address Family: IP4
    protocol: any
    source: LAN net
    destination: OPT1 net

    The firewall rules I had on OPT1 were
    Interface: OPT1
    Address Family: IP4
    protocol: any
    source: OPT1 net
    destination: LAN net

    Am I missing a step?


  • Rebel Alliance Global Moderator

    What I would start with is any/any on both interfaces.

    Get them talking and then you can lock down the rules as you want.  But if those were your only rules, what were they using for DNS?

    You also have to take into account any firewalls running on the devices - they tend to block traffic from other networks, i.e. if on the opt1 network, then that lan network would normally be blocked by Windows firewall for anything.



  • @johnpoz:

    What I would start with is any/any on both interfaces.

    Get them talking and then you can lock down the rules as you want.  But if those were your only rules, what were they using for DNS?

    You also have to take into account any firewalls running on the devices - they tend to block traffic from other networks, i.e. if on the opt1 network, then that lan network would normally be blocked by Windows firewall for anything.

    The other firewall rule on there is the default auto-created one that allows communication within its subnet (e.g. Source: LAN net, Dest: *). I temporarily disabled the firewall on both of the two machines I am trying to even ping, but still nothing.

    Is there anything special on VMware that needs to be configured?



  • No.  Post screenshots of your LAN and OPT1 rules please.  By default, LAN gets an Allow Any rule while all subsequent LAN-interfaces (OPT1, OPT2 etc) get nothing.  You should be able to talk to anything from LAN unless you have fiddled with your LAN rules.  For talk out from OPT1, you need at least one rule, and John recommended an Allow Any rule just to get them going.


  • Rebel Alliance Global Moderator

    How do you have your VMware set up?  My guess would be your problem is there - do your clients get an IP via DHCP from pfSense?  If so then it should work, since they clearly can talk to pfSense, and that would be their gateway to get to other networks.  Can the clients talk to the internet?



  • @KOM:

    No.  Post screenshots of your LAN and OPT1 rules please.  By default, LAN gets an Allow Any rule while all subsequent LAN-interfaces (OPT1, OPT2 etc) get nothing.  You should be able to talk to anything from LAN unless you have fiddled with your LAN rules.  For talk out from OPT1, you need at least one rule, and John recommended an Allow Any rule just to get them going.

    I have attached screenshots of my firewall rules for each interface

    ![pfSenseLAN fwlRules.png](/public/imported_attachments/1/pfSenseLAN fwlRules.png)
    ![pfSenseOPT1 fwlRules.png](/public/imported_attachments/1/pfSenseOPT1 fwlRules.png)



  • @johnpoz:

    How do you have your VMware set up?  My guess would be your problem is there - do your clients get an IP via DHCP from pfSense?  If so then it should work, since they clearly can talk to pfSense, and that would be their gateway to get to other networks.  Can the clients talk to the internet?

    Each network can get internet access.



  • Hi,

    Your first image: LAN firewall rules: the first rule is fine - and used, as you can see. IPv4* to everywhere.
    The second rule will never apply (DMZ net is not LAN net) anyway.

    The other image: the second rule is fine (anything from DMZ net IPv4 will pass).
    The first rule will even accept more than that: even non-DMZ net IPs will pass.
    The third rule will normally never apply.

    Seeing the image, you should be able to 'ping' from "LAN net" an IP on "DMZ net" - and the other way around.
    I use these kinds of rules to "admin" some APs on an OPTx interface from a PC connected to the LAN interface (LAN net).

    I guess your problem is elsewhere.



  • Look at local firewalls next.


  • Rebel Alliance Global Moderator

    If you're saying you can get to the internet through pfSense, and your rules are correct, then yeah, you need to look to your clients.

    You say you can not ping.  So a question for you: sniff on your interfaces in pfSense, Diag > Packet Capture.

    For example, if you sniff on your lan interface, then from your opt1 interface do a ping - do you see it in the packet capture?  If you see it go out to your machine and you get no answer, then the box is not answering and pfSense is doing exactly what it is supposed to do.

    And yeah, those rules are pointless.  Rules are evaluated as traffic enters an interface, top down; the first rule to trigger wins and no other rules are looked at.

    In what scenario would traffic from lan net enter the lan interface with a source of DMZ net??  And the same on the other interface.
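The rule-evaluation model the thread ends on (rules checked as traffic enters an interface, top-down, first match wins, implicit default deny) as an added Python example; this is not code from the thread or from pfSense. The subnets are the ones from the first post, and the rule set is constructed from how the screenshots are described, with "DMZ net" taken to mean the OPT1 subnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface -> attached network, as given in the first post (constructed model).
NETS = {
    "LAN": ip_network("192.168.90.0/24"),
    "OPT1": ip_network("172.168.89.0/30"),
}

@dataclass
class Rule:
    iface: str            # interface the rule is attached to (ingress side)
    src: str              # "<iface> net" or "any"
    dst: str              # "<iface> net" or "any"
    action: str = "pass"

def _matches(selector: str, addr: str) -> bool:
    """'any' matches everything; '<iface> net' matches that interface's subnet."""
    if selector == "any":
        return True
    return ip_address(addr) in NETS[selector.split()[0]]

def evaluate(rules, ingress: str, src: str, dst: str) -> str:
    """Rules are checked as traffic enters `ingress`, top-down; the first match
    wins. No match means the implicit default deny."""
    for r in rules:
        if r.iface == ingress and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "block"

def dead_rules(rules):
    """A rule whose source is another interface's net can normally never fire:
    traffic entering an interface carries a source from that interface's own net."""
    return [r for r in rules if r.src != "any" and r.src.split()[0] != r.iface]

# Constructed rule set modelled on the thread's description of the screenshots.
RULES = [
    Rule("LAN", "LAN net", "any"),        # default LAN allow-any
    Rule("LAN", "OPT1 net", "any"),       # "DMZ net is not LAN net": never applies
    Rule("OPT1", "any", "any"),           # allow-any suggested to get things going
    Rule("OPT1", "OPT1 net", "LAN net"),  # the OP's OPT1 -> LAN rule
]

if __name__ == "__main__":
    # 172.168.89.2 is a constructed host address inside the posted /30.
    print(evaluate(RULES, "LAN", "192.168.90.30", "172.168.89.2"))      # pass
    print(evaluate(RULES[:2], "OPT1", "172.168.89.2", "192.168.90.30"))  # block
    print([r.src for r in dead_rules(RULES)])                            # ['OPT1 net']
```

With only the two LAN rules present, OPT1 gets nothing and falls to the default deny, which is the "OPT1 gets nothing by default" point made earlier in the thread.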