Routing between interfaces.



  • Hi.

    I've got a Qotom box which has 4 interfaces. 1 is used for my WAN connection, the other 3 are in different IP ranges and have various devices attached.

    Port 2 LAN - 192.168.1.x /24
    Port 3 Wifi - 10.10.10.x /24
    Port 4 OtherLan - 172.16.10.x /24

    From my PC 192.168.1.50 I can ping devices within the Wifi 10.10.10.x range. But I can't access the only device in the 172.16.10.x range.

    I have a LAN rule of:
    Protocol IPv4 * Source: 192.168.1.50 Port * Destination OtherLan net Port * Gateway *

    The states count is showing values and the byte count is increasing.

    In OtherLan rules I have:
    Protocol IPv4 * Source: 172.16.10.100 Port * Destination 192.168.1.50 Port * Gateway *
    Protocol IPv4 * Source: 192.168.1.50 Port * Destination 172.16.10.100 Port * Gateway *

    The states and the byte count both show 0.

    I also have a rule at the bottom of the list on OtherLan of:
    Protocol IPv4 * Source: 172.16.10.100 Port * Destination * Port * Gateway WAN

    If I do a traceroute from 192.168.1.50 to 172.16.10.100 I can see it hit my pfSense box, but then nothing. In an SSH session on the pfSense box I can ping 172.16.10.100.

    Can someone advise what I need to do?
    Thanks



  • possibly that device needs some configuration

    • check if its gateway is pointing towards pfsense
    • disable/modify its own firewall to allow connections from outside its own subnet

  • LAYER 8 Global Moderator

    "In OtherLan rules I have:
    Protocol IPv4 * Source: 192.168.1.50 Port * Destination 172.16.10.100 Port * Gateway *"

    This is not how rules work..

    Traffic is evaluated inbound into an interface, first rule to trigger wins, no other rules are evaluated.

    When would there ever be inbound traffic into your lan with source of 192.168?

    What are the rules you have on your other interfaces?  Order matters - pushing to a gateway matters for intervlan traffic, etc.

    "Protocol IPv4 * Source: 172.16.10.100 Port * Destination * Port * Gateway WAN"

    Post up pictures of your rules - all of them, on all your interfaces.



  • Thanks for the replies.

    This is not how rules work..
    Traffic is evaluated inbound into an interface, first rule to trigger wins, no other rules are evaluated.
    When would there ever be inbound traffic into your lan with source of 192.168?

    This is a valid point and I never considered that..

    Images attached of my LAN (192.168.1.x) and OtherLan (172.16.10.x).

    Thanks for your help with this.





  • LAYER 8 Global Moderator

    is otherlan opt2?

    Where are the wifi opt1 rules?  Why are you forcing stuff out a gateway?  Unless you have multiple gateways or are using a vpn there is no reason you should set a gateway like you're setting.  Unless you don't want to go anywhere.

    So you're forcing 172.16.10.100, if that is your opt2 network, to go out your wan.. So it would never be able to get to lan.
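    The rule-evaluation model johnpoz describes in his two replies (rules are checked only where traffic enters an interface, first match wins, and a gateway on the matching rule policy-routes the traffic instead of following the routing table), as an added Python simulation that is not part of the thread. Interface names and the OP's posted rules are used as written; the Wifi host address 10.10.10.20 is constructed, and reply packets are left out because pf matches them against the existing state rather than the rules.

    ```python
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network
    from typing import Optional

    # Constructed from the interfaces named in the thread (not the OP's live config).
    IFACES = {
        "LAN": ip_network("192.168.1.0/24"),
        "Wifi": ip_network("10.10.10.0/24"),
        "OtherLan": ip_network("172.16.10.0/24"),
    }

    @dataclass
    class Rule:
        src: str                       # CIDR, "<iface> net" or "any"
        dst: str
        gateway: Optional[str] = None  # None == "*" in the GUI (use the routing table)

    def _matches(spec: str, addr) -> bool:
        if spec == "any":
            return True
        if spec.endswith(" net"):      # e.g. "OtherLan net"
            return addr in IFACES[spec[:-4]]
        return addr in ip_network(spec, strict=False)

    def iface_for(addr: str, default: str = "WAN (default route)") -> str:
        """Interface whose directly attached subnet holds addr, else the default route."""
        a = ip_address(addr)
        return next((name for name, net in IFACES.items() if a in net), default)

    def evaluate(rules: dict, src: str, dst: str):
        """First packet of a new connection src->dst. Only the ruleset of the
        interface the packet ENTERS on is consulted, top-down, first match wins.
        Returns (ingress iface, index of matching rule or None, where it goes)."""
        iface, s, d = iface_for(src), ip_address(src), ip_address(dst)
        for idx, rule in enumerate(rules.get(iface, [])):
            if _matches(rule.src, s) and _matches(rule.dst, d):
                if rule.gateway:           # policy routing overrides the routing table
                    return iface, idx, f"out gateway {rule.gateway}"
                return iface, idx, f"routed to {iface_for(dst)}"
        return iface, None, "dropped by default deny"

    # The OP's pass rules as posted; order matters.
    RULES = {
        "LAN": [Rule("192.168.1.50/32", "OtherLan net")],
        "OtherLan": [
            Rule("172.16.10.100/32", "192.168.1.50/32"),
            Rule("192.168.1.50/32", "172.16.10.100/32"),  # never matches: nothing from
            Rule("172.16.10.100/32", "any", gateway="WAN"),  # 192.168.1.50 enters OtherLan
        ],
    }
    ```

    Running `evaluate(RULES, "192.168.1.50", "172.16.10.100")` matches the LAN rule and is routed to OtherLan, which is why only that rule's counters move; `evaluate(RULES, "172.16.10.100", "10.10.10.20")` falls through to the gateway rule and leaves via WAN, never reaching the Wifi segment.
    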



  • Again thanks for the reply.

    OPT2 is OtherLAN - sorry I should have made that clear.
    OPT1Wifi rules attached.

    I have an OpenVPN connection, this is set as interface OPT3 and is a Gateway.
    All traffic via OPT1Wifi routes out over the OpenVPN connection, except anything in the 'VPNByPass' alias list. (that goes via the WAN)
    Wifi to LAN traffic is blocked except the 'AllowedList'

    All OPT1 (LAN) and OPT2 (OtherLAN) should be using my WAN Gateway and presenting my public IP Address.

    In NAT Outbound I only have the OPT3 VPN interface against OPT1Wifi Addresses 10.10.10.0/24
    All other addressing has WAN as the interface

    In my LAN rules I have to have my Gateway set as WAN_PPPOE, if I set it to default I don't get a connection out.
    I was expecting 'default' to use the WAN Interface.. not sure why it isn't.

    If you can advise how this needs to be configured to allow 192.168.1.50 to access 172.16.10.100 I'd appreciate it.
    And any advice on why 'default' isn't the default WAN interface..

    Thanks



  • LAYER 8 Global Moderator

    VPN bypass - so you're grabbing routes from your vpn and forcing all traffic out your vpn then?

    You have a ! allowlist, so anything NOT in that alias would be blocked from going to lan.

    What exactly is the point of blocking 5353 udp??



  • Hi johnpoz

    The VPNByPass in my OPT1Wifi rules is to ensure those devices DON'T go out via the VPN, but use the WAN.
    The list is for TVs and set-top boxes which get upset when I route their traffic out via the VPN, so I force it via the WAN and that allows them to work correctly.

    The !AllowedList is a list of my devices which connect to the WiFi which are also allowed into the LAN. This stops the kids and visitors from accessing the LAN but allows them out to the Internet.
    That seems to work correctly.

    I block 5353 UDP as a couple of users have Mac laptops and they are constantly spewing this out. There is no real reason to block it.

    How do I allow access from LAN 192.168.1.50 to OPT2 (otherLan) 172.16.10.100 ?

    Thanks


  • LAYER 8 Global Moderator

    you already have the rule there where you allow 192.168.1.50 to opt2 net..  That is all you would need to do.

    If you're unable to access something on opt2 net, make sure it's not running some firewall or using some other gateway other than the pfsense opt2 IP.



  • Hi.

    This is sorted.. it appears my son had a route in his NAS that was sending all traffic out over his PIA VPN.

    He's now added a route for 192.168.1.0/24 back to the pfSense box and I can now access it fine from my LAN PC.

    Thanks for your help.

