Can't get additional interface to work
-
Ok, I have been using pfSense for my normal routing duties for a while, with good success. In addition to my "normal" LAN, I have a completely segregated network that is specifically for IP security cameras and the computer that handles the video footage. I added an extra network card to my pfSense box for the sole purpose of running an NTP server to keep the cameras time synced. I added a rule to allow traffic, but the NTP has never really worked. As I've investigated, I've realized that I can't ping the security LAN interface in the router and get a response, and that's probably the problem.
I know it's probably something stupid, but I've not been able to locate the source of my stupidity yet. Any help would be appreciated!
-
Is the rule you added to pass traffic from the new subnet limited to TCP-only? Try protocol any there.
-
The rule is set to allow any, not just TCP.
-
Post a network map that includes the subnets in use along with the firewall rules on both interfaces.
-
It's a pretty simple setup. All of the normal devices are on 192.168.1.xxx, and pfSense is set to 192.168.1.1 for that interface. DHCP is used, with most devices having static mappings. No issues on this interface.
All of the security devices are on 10.10.10.xxx, with the pfSense interface on that network segment at 10.10.10.100, and all of the devices have IPs statically assigned.
The only firewall rule on the security interface is a rule to pass all traffic (any protocol). There's also a rule to block any traffic from that interface to WAN, but I've had it disabled while I troubleshoot.
The computer the footage goes to has network cards for both LANs, but they aren't bridged.
There's a 24 port managed switch with separate port based VLANs to segment the traffic between the two networks.
That's all there is to it.
-
The computer the footage goes to has network cards for both LANs, but they aren't bridged.
That can easily create asymmetric routing situations you will need to understand and account for.
You will probably have to draw up what you have there, and where all the hosts and servers in play are in relation to the firewall.
-
I guess I don't understand…..pfSense isn't really doing any "routing tasks" on the Security LAN. All of this was up and running fine before I installed pfSense, and I added the network card to the pfSense box for the specific purpose of having the cameras hit it to sync the time.
-
List your interfaces, addresses, subnets and their default gateways of clients and servers. at least one example on each interface. include both interfaces on the server.
Some routers allow bad network design by default.
Not going to be able to help without a better picture of your network.
-
List your interfaces, addresses, subnets and their default gateways of clients and servers. at least one example on each interface. include both interfaces on the server.
Some routers allow bad network design by default.
Not going to be able to help without a better picture of your network.
WAN address public or private IP space?
Doesn't conflict does it?
-
Much depends on the default gateway of the system with 2 NICs in it and whether that system is talking through the router, on a local subnet, or both.
Some routers will allow hairpinning of traffic in and out the same interface by default. pfSense does not allow it by default.
Need more information.
-
Attached are the ipconfig output of the computer with the dual interfaces, the capture of the interfaces on pfSense, and a crude network map.
EDIT: Where the network map says that "various" clients are connected, each client is of course plugged into the switch with its own cable…there aren't switches downstream or anything.
-
"The computer the footage goes to has network cards for both LANs, but they aren't bridged."
Why???
Why do you have your PC with 2 default gateways?
And where exactly can you not ping 10.10.10.100? From your pc?? And what are the rules on your security interface on pfsense? You mention any any.. but is it for only tcp or something?
Can your PC see mac of pfsense lan interface? If not then you got some sort of connectivity issue. Wrong setup on your switch would be first guess.
-
Can maybe fix your problem if the actual, specific issue you are really seeing is communicated.
Only one of your interfaces should have a default gateway, as has been noticed by @johnpoz.
If it were me I would take one of those interfaces out of the server and route traffic through the firewall from one interface or the other to the server. Doesn't really matter which way. Probably the one that involves the least traffic. Like if the cameras are constantly streaming to the server and PCs only connect once in a while to view footage, I would remove the 192.168.1.10 interface.
-
"The computer the footage goes to has network cards for both LANs, but they aren't bridged."
Why???
Because I want to keep the networks entirely segregated.
Why do you have your PC with 2 default gateways?
I don't actually want the Security LAN to be able to get to WAN….so the Security LAN is just routed to pfSense for the default gateway on that interface. I'll remove the gateway from that interface and see if that makes a difference.....
And where exactly can you not ping 10.10.10.100? From your pc??
Correct. The PC with the two network cards cannot ping the pfSense box on the 10.10.10.100 interface.
And what are the rules on your security interface on pfsense? You mention any any.. but is it for only tcp or something?
I simply did a copy and paste of the default pfSense rule for allowing LAN traffic that is added in the default configuration for the 192.168.1.XXX interface. It's set to allow any protocol. Clearly, traffic is being allowed since the cameras are communicating fine back to the PC where the footage is stored.
Can your PC see mac of pfsense lan interface? If not then you got some sort of connectivity issue. Wrong setup on your switch would be first guess.
Yes. No problems there. The 192.168.1.1 interface works fine.
-
Can maybe fix your problem if the actual, specific issue you are really seeing is communicated.
I wish I had more information to give you. Essentially, as far as the rest of the network is concerned, the 10.10.10.100 interface on pfSense does not exist. The lone computer on that netwrok segment can't see it, and neither can any of the cameras when I try to point them to that IP as the NTP server.
If it were me I would take one of those interfaces out of the server and route traffic through the firewall from one interface or the other to the server. Doesn't really matter which way. Probably the one that involves the least traffic. Like if the cameras are constantly streaming to the server and PCs only connect once in a while to view footage, I would remove the 192.168.1.10 interface.
I need both interfaces in that machine because it handles more duties than just the cameras. That computer is, however, the only PC physically connected to the 10.10.10.XXX network segment (besides the firewall, of course). The only purpose I need pfSense to serve on that network segment is as an NTP server.
-
PC (192.168.1.100) needs to ping 10.10.10.100
PCs default gateway is 192.168.1.1 so it sends the traffic to pfSense
pfSense sends traffic to 10.10.10.100 sourced from 192.168.1.100
10.10.10.100 has a route for 192.168.1.0/24 so it sends the reply directly to 192.168.1.100, creating asymmetry. Should work fine for ping in that case.
However the problem might be that the server at 10.10.10.100 has a firewall enabled and is rejecting traffic from 192.168.1.0/24 on that interface.
If you want to segment and isolate two networks, pretty much the last thing you want to do is put a host with nics on both sides that isn't a firewall.
-
Sounds like either your layer 2 is hosed or your firewall rules are wrong. Nothing really fits what you are describing.
If you have an interface with the address 10.10.10.1 on pfSense, you need a firewall rule on the 192.168.1.1 passing traffic (including ICMP) from 192.168.1.0/24 to 10.10.10.1. It can also be an any rule as long as the traffic matches. The default LAN rules will pass it.
If that is in place and you still cannot ping 10.10.10.1 from hosts one 192.168.1.0/24 AND the default gateway of those hosts is pfSense, then traffic is not routing in a sane manner and something else is wrong somewhere.
For hosts on 10.10.10.0/24 to be able to ping that interface, the rules have to be on that interface.
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
I'll willfully profess my ignorance here. I put this setup in place before pfSense was even a part of the network. The purpose in segmenting the network this way was to make absolutely certain that no one logging onto the "normal" LAN would have access to the cameras. There's probably a simpler way to accomplish this. The computer with both NICs is locked away, so there is no physical access to it. I usually get on it by remote using RealVNC.
Regardless of me being able to ping from the computer, the cameras, which have no connection to 192.168.1.XXX at all, still can't connect to the 10.10.10.100 interface for NTP. Cameras have static IPs, and mask of 255.255.255.0, and a default gateway of the 10.10.10.100, the pfSense interface.
This is the sole rule in place on the 10.10.10.100 interface:
-
I also thought I might try to change the IP of the 10.10.10.100 interface to one on the 192.168.1.XXX subnet that was free and see if I could ping that, just to make sure there's not some physical problem with the NIC, but pfSense doesn't like that…..
-
That's because it is unsound to have the same subnet on two different interfaces. Nothing about what pfSense does or doesn't like. That's basic IP networking.
The rule you posted is for connections from the 10.10.10.0/24 network and has ZERO to do with what is accessible from the 192.168.1.0/24 network. That is governed by rules on the other interface. The ones that connections go INTO. All covered in the links above.
Try to ping 10.10.10.1 from the LAN side then go to Status > System Logs, Firewall and filter on destination 10.10.10.1
Anything show up there?
Click the red x if you see blocks. That will tell you which rule blocked it.
