I am not able ping or do tracert between LANS



  • I have set up the following LANs and want to allow communication between them as below. Can you please give me a sample rule that I need to set up on each LAN for Y and N? Do I need to set up anything for internet access?

              Lan1  Lan2  Lan3  Lan4  Internet
    Lan1       Y     Y     N     N       Y
    Lan2       Y     Y     Y     N       Y
    Lan3       N     Y     Y     N       Y
    Lan4       N     N     N     Y       Y

    LAN1 - 198.162.2.X, LAN2 - 198.162.3.X, LAN3 - 198.162.4.X, LAN4 - 198.162.5.X

    I am not able to ping/tracert between LANs even after setting up rules to allow traffic between LANs, for example LAN1 and LAN2.
    I am not able to ping or tracert even 198.162.1.1 from any LAN interface.



  • 198.162.X.X? That's a public IP range. Should obviously be 192.168.X.X

    Traffic between clients on the same subnet is not routed over the firewall, so it cannot control it.
    So your access diagram looks like this:

    Lan1  Lan2  Lan3  Lan4  Internet
    Lan1    -      Y      N      N        Y
    Lan2    Y      -      Y      N        Y
    Lan3    N      Y      -      N        Y
    Lan4    N      N      N      -        Y

    Any access has to be allowed explicitly by a filter rule. By default there is an allow any-to-any rule on the LAN interface. If this still exists on one of your interfaces you have to delete or modify it.

    Best practice for blocking traffic between internal network segments is to add an alias containing all private networks (RFC 1918, https://en.wikipedia.org/wiki/Private_network) in Firewall > Aliases > IP, give it a name, e.g. RFC1918.

    Now you need 3 filter rules on each of your LAN interfaces.
    For instance on LAN1:

    • Action = pass, Protocol = any, Destination = LAN2 net

    • Action = block, Protocol = any, Destination = RFC1918 (the alias name you've set)

    • Action = pass, Protocol = any, Destination = any

    The source can be any in each rule.
    Ensure that the rules have the order shown above.

    You can copy the rules to other interfaces by hitting the copy button at the right and selecting another interface in the rule. Apart from that you only have to change the destination in the first rule to fit the other interface.

    Of course you can restrict the access further by only allowing a specific protocol and destination ports in the rules.
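The rule ordering above matters because the firewall takes the first matching rule. The following added script (not from this thread or from the firewall project) simulates first-match evaluation of the three-rule pattern for the four LANs from the question, using the 192.168.x.0/24 subnets the answer says were meant, and generalises it by adding one pass rule per allowed peer (LAN2 gets two). It also shows what happens when the RFC1918 block is placed before the pass rule.

```python
import ipaddress

# Constructed example: the four LANs from the question, on the 192.168.x.x
# range the answer says was intended (the question wrote 198.162.x.x).
LANS = {
    "LAN1": ipaddress.ip_network("192.168.2.0/24"),
    "LAN2": ipaddress.ip_network("192.168.3.0/24"),
    "LAN3": ipaddress.ip_network("192.168.4.0/24"),
    "LAN4": ipaddress.ip_network("192.168.5.0/24"),
}
# The RFC 1918 alias the answer recommends creating under Firewall > Aliases.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
# Inter-LAN access wanted by the question (row = source interface, value = allowed destinations).
WANTED = {"LAN1": {"LAN2"}, "LAN2": {"LAN1", "LAN3"}, "LAN3": {"LAN2"}, "LAN4": set()}


def rules_for(iface, correct_order=True):
    """Rule list for one interface in the answer's shape: pass each allowed peer net,
    block the RFC1918 alias, pass any. correct_order=False puts the block first,
    which is the misordering the answer warns against."""
    passes = [("pass", [LANS[p]]) for p in sorted(WANTED[iface])]
    block = [("block", RFC1918)]
    tail = [("pass", [ANY])]
    return passes + block + tail if correct_order else block + passes + tail


def evaluate(rules, dst):
    """First matching rule wins, as on the firewall; nothing matching means default deny."""
    addr = ipaddress.ip_address(dst)
    for action, nets in rules:
        if any(addr in net for net in nets):
            return action
    return "block"


def reachable_from(iface, correct_order=True):
    """Set of other LANs (plus 'Internet') a host on iface can reach under that interface's rules.
    Same-subnet traffic never crosses the firewall, so the interface's own LAN is skipped."""
    rules = rules_for(iface, correct_order)
    out = {name for name, net in LANS.items()
           if name != iface and evaluate(rules, str(net[10])) == "pass"}
    if evaluate(rules, "203.0.113.5") == "pass":  # TEST-NET-3 address standing in for the internet
        out.add("Internet")
    return out


if __name__ == "__main__":
    for lan in LANS:
        print(lan, sorted(reachable_from(lan)), "misordered:", sorted(reachable_from(lan, False)))
```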



  • Thanks for your help. However, please find the setup I have done so far. I am still not able to ping between VLANs. I haven't set up any block rules yet, just to make sure pass works fine.

    ManagementVLAN – 192.168.1.0/24
    ServerFarmVLAN – 172.16.1.0/24 - this is an optional interface

    Have setup the following rules:

    Management Interface:

    Allow any port -> ManagementVLAN (source) -> ServerFarmVLAN (destination)
    Allow any port -> ServerFarmVLAN (source) -> ManagementVLAN (destination)

    ServerFarm Interface:
    Allow any port -> ServerFarmVLAN (source) -> ManagementVLAN (destination)
    Allow any port -> ManagementVLAN (source) -> ServerFarmVLAN (destination)

    Have connected 2 laptops to both interfaces; the IP addresses assigned are 192.168.1.101 & 172.16.1.101.

    Ping Test:
    192.168.1.101 to 172.16.1.101 - Successful
    172.16.1.101 to 192.168.1.1 - Successful
    172.16.1.101 to 192.168.1.101 - Request timed out
    What am I doing wrong?



  • Obviously 192.168.1.101 blocks the access from 172.16.1.101. Turn off the system firewall for testing.

