Unable to SSH from LAN to LAN



  • Hi,

    I have created a 10.x.x.x/8 subnet and within it I have a webserver and many computers I need to SSH into from within the subnet.
    However, despite configuring the firewall as attached, allowing LAN to LAN access on the required ports for SSH (set to port 4422) and other tools, I cannot SSH to computers in my subnet and the internal site doesn't load for other computers on the LAN.

    If I am on a different subnet, then I am able to SSH in.  I am really confused and could do with some assistance.  Do my rules look OK, and is there something else I need to do?  Currently my intranet is not working.

    Many thanks,

    Euan

    ![Screen Shot 2017-08-23 at 17.01.29.png](/public/imported_attachments/1/Screen Shot 2017-08-23 at 17.01.29.png)


  • Netgate

    The firewall is not involved in LAN to LAN traffic.

    10.x.x.x/8 is a huge subnet. Not advised.

    Be sure all of the local LAN hosts have a /8 (255.0.0.0) netmask on their LAN interfaces if that is really what you want to do.


  • Galactic Empire

    Also, shouldn't the L2TP Clients rule be on the L2TP interface?


  • Rebel Alliance Global Moderator

    All of your rules that are lan net to lan net are completely useless.  As stated, pfsense has zero to do with lan to lan traffic.  Also, your rules that list some other source network into the lan net make zero sense until it's an alias for some downstream network.  If that was such a case you should be using a transit network, not a "lan" with other devices on it, to get to this downstream network.

    Also your lan net to your wan net rule is also pointless.  Unless you actually have devices that you need to talk to your actual wan net (this is not the internet - this is just the network on the wan - which is a transit network).  And that rule becomes pointless with the any any rule you have at the bottom.

    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.  The only reason to put a rule above the any any rule would be to block something specific or allow traffic you want to LOG vs the any any not logging, etc.  Or to send specific source out a specific gateway, etc. with policy routing.



  • Thanks very much for your help and opinions. I guess these are useless and there must be some other issue.

    I cannot understand why I can't SSH from a 10.x.x.x LAN address to another, nor load the webserver.
    In order to be sure I removed the firewall completely from the webserver, and still cannot access.
    None of the other devices are accessible either.

    If I attach a router downstream to create a small internal network with 192.168.x.x IPs, then I can SSH upstream to the 10.x.x.x LAN and all the devices on it.

    I notice that the L2TP rule is in the wrong place, thank you.


  • Galactic Empire

    Are the subnet masks correct on the lan clients?


  • Rebel Alliance Global Moderator

    "Are the subnet masks correct on the lan clients?"

    This is quite possibly the reason.. And is a good guess as to the problem with the info given.

    Anyone using a /8 on a lan doesn't understand masking at all - so it makes a mask problem more likely when machines can not talk to each other when it's supposed to be the same local network.

    /8 is not a mask that you would ever expect to see on an interface.  This is a mask that would be used in a summary route, or a firewall rule - not something that would be on an actual interface.

    "I have a webserver and many computers"

    When you say many with a /8 so in the neighborhood of 16 million of them? ;)  All on the same broadcast domain..
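The mask check suggested in the two posts above, written out as an added example (not code from the thread or from pfSense): each host decides "is this destination on my link?" using only its own mask, so one host with a different mask from its neighbours produces exactly the one-way or no-way reachability the original poster describes, and no LAN firewall rule can change it. The host inventory is constructed for the demonstration; the names and addresses are hypothetical.

```python
"""Added example (not code from the thread or from pfSense): check whether a
set of LAN hosts will actually treat each other as on-link.

Each host decides "is this destination on my own link?" by ANDing the
destination with its OWN subnet mask and comparing the result with its own
network. Two hosts talk directly only when each one sees the other as
on-link; if either side gets it wrong, that side hands the packet to its
default gateway instead of ARPing for the neighbour. Since pfSense never
sees pure LAN-to-LAN traffic, no LAN firewall rule can repair this.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: address plus the mask configured on each host's LAN
# interface. Hypothetical values, not the poster's real hosts.
HOSTS = {
    "pfsense-lan": "10.0.0.1/8",
    "webserver": "10.0.0.10/8",
    "pc-a": "10.0.0.20/8",
    "pc-b": "10.20.0.30/24",  # mask typo: this host thinks it lives in 10.20.0.0/24
}


def sees_on_link(src_iface: str, dst_iface: str) -> bool:
    """True if the host configured as src_iface ("addr/prefix") considers the
    address part of dst_iface to be directly reachable on its own link."""
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_interface(dst_iface).ip
    return dst in src.network


def find_mismatches(hosts: dict) -> list:
    """Return (name_a, name_b, a_sees_b, b_sees_a) for every pair of hosts
    that is not mutually on-link. An empty list means the masks are
    consistent for the whole set."""
    problems = []
    for a, b in combinations(sorted(hosts), 2):
        a_sees_b = sees_on_link(hosts[a], hosts[b])
        b_sees_a = sees_on_link(hosts[b], hosts[a])
        if not (a_sees_b and b_sees_a):
            problems.append((a, b, a_sees_b, b_sees_a))
    return problems


def masks_in_use(hosts: dict) -> dict:
    """Group host names by the prefix length set on their interface. More
    than one key is the first thing to look at when LAN hosts can't talk."""
    groups = {}
    for name, iface in hosts.items():
        prefixlen = ipaddress.ip_interface(iface).network.prefixlen
        groups.setdefault(prefixlen, []).append(name)
    return groups


if __name__ == "__main__":
    print("prefix lengths in use:", masks_in_use(HOSTS))
    for a, b, ab, ba in find_mismatches(HOSTS):
        print(f"{a} -> {b}: {'on-link' if ab else 'via gateway'}; "
              f"{b} -> {a}: {'on-link' if ba else 'via gateway'}")
```

Run against the constructed inventory, every reported pair involves `pc-b`: the three /8 hosts ARP for it directly, while it sends everything to the gateway because it believes only 10.20.0.0/24 is local. A real inventory would come from each host's actual interface configuration (ifconfig/ipconfig output), which is the check the replies above ask for.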



  • "10.x.x.x/8 is a huge subnet. Not advised."

    Wait 'till you're on IPv6, where every network is at least a /64.  A /8 is nothing in comparison.

    Subnet size is irrelevant, so long as everything is properly configured for it.


  • Rebel Alliance Global Moderator

    Yeah that is apples and oranges.. /64 is the smallest net to use in ipv6… While /8 in ipv4 is like the largest!!

    "Subnet size is irrelevant, so long as everything is properly configured for it."

    While this is technically true.. There are many technical reasons why you would not use a /8.. Have seen this cause problems with dhcp because of such a large scope.  You run into issues with talking to other networks when your local segment owns the whole 10 space.

    There is NO reason why you should ever use /8 on a local network... Other than just not knowing any better!!  All it will cause you is grief going forward trying to do anything.  Using such logic you limit yourself to 3 segments 10/8 192.168/16 and 172.16/12 -- now what do you do for segment 4?

    Here is what I can tell you when I see someone that states they are using /8.. They do not understand networking.. That is just my honest opinion -- not meant to hurt any feelings or anything.. Just the way it is.. Like going to a craft beer show and guy drinking a bud light - dude what the fuck are you here for comes to mind doesn't it!!  That is exactly what comes to mind when someone states they are using a /8 as their local segment... ;)


  • Netgate

    Yeah, pretty sure ISC dhcpd allocates RAM for the entire pool in IPv4. Even if you only lease a few out of it.

    Not to mention conflicting with pretty much every site you might want to connect to or from via VPN in some capacity.


  • Galactic Empire

    A /8 points to poor network design.

    The largest mask I've ever seen is a /16, 15 years ago, and that was a major pain in the butt; the Cabletron switches didn't help either :)



  • "While this is technically true.. There are many technical reasons why you would not use a /8.. Have seen this cause problems with dhcp because of such a large scope.  You run into issues with talking to other networks when your local segment owns the whole 10 space.

    There is NO reason why you should ever use /8 on a local network… Other than just not knowing any better!!  All it will cause you is grief going forward trying to do anything.  Using such logic you limit yourself to 3 segments 10/8 192.168/16 and 172.16/12 -- now what do you do for segment 4?"

    I have seen equipment complain about smaller prefixes on IPv4.  It seems to think 10.0.0.0 should always be /8.  While it may complain, it won't prevent it.  Also, I didn't say you couldn't split up the 172 & 192.168 blocks.  They're intended to be used with /16 & /24 prefixes, just like in the old classful days.

    That said, my own home network is 172.16.0.0 /24, with most IPv4 addresses static, either as configured or via DHCP with mapped addresses.

    While it might not be good practice, I don't see it causing a problem with decent equipment.



  • @Derelict:

    "Yeah, pretty sure ISC dhcpd allocates RAM for the entire pool in IPv4. Even if you only lease a few out of it.

    Not to mention conflicting with pretty much every site you might want to connect to or from via VPN in some capacity."

    I can't say about ISC memory pools, but with a VPN, it's still routing as usual.  That address is out that way --->.  Also, with a VPN, you typically use only a /30 or /31 for the connection.  In fact, it's possible to not even use an IP address & prefix for point to point links.  You just have to specify the interface.  This could be done with serial connections, such as frame relay or DS1 (T1), but also works with PPP and other tunnel methods.



  • One other thing about that ISC memory pool.  Subnet size does not necessarily translate to dhcp pool size.  You could easily have a /8 prefix and only 100 available addresses in the pool.  May not be the best design, but certainly doable.

    There are networks where you might need a lot of addresses but not many dhcp addresses.  A while ago, I was working with security cameras. Each camera had a static address and couldn't even be used with dhcp.  It was fun configuring them as, unless you used their configuration app, you had to manually create an arp cache entry for a specific IP address.  Then use that address to get into the camera to configure the IP address and go from there.  The networks where I installed those cameras were 10.0.0.0, but I've forgotten the prefix.  This was on a project for the Toronto District Housing Corp, which provides low cost housing.  They were getting new cameras into all the properties (IIRC, there were well over 2000 buildings), with the cameras connecting to a recorder and all the recorders reachable over the network.  Bottom line, there were thousands of cameras and all configured with static addresses.  No need for dhcp.  Even my computer had to use a static address when connected to those networks.


  • Rebel Alliance Global Moderator

    "but with a VPN, it's still routing as usual"

    No it's not…  So you're on a 10/8 network and you need to have a vpn to another network that is say 10.0.0/24.  How do you route that?  Why would a client talk to the gateway to get to a network that is local to it.  Even if the vpn client is on this device... Why should it send traffic down the tunnel for an address that is on its local interface?

    This is the point Derelict is trying to make..  You can not just route that - you would have to nat it..

    "I have seen equipment complain about smaller prefixes on IPv4"

    Been in the biz 30 some years working with networks - before TCP was even a thing.. Never seen such a thing.. Windows will default to 255.0.0.0 when you start an address with 10... Pfsense drop down is /32 to start with.. Doesn't mean it's complaining about anything.

    You can try and make excuses for why you might use /8 - none of them good.. Like putting a /48 on an interface in IPv6 - there would never be a valid reason for it..
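Two of the concrete objections raised in this thread, the VPN overlap point made here and the "what do you do for segment 4" point in the earlier post, worked through as an added example (not code from the thread or from pfSense). The first function reports which remote VPN networks a local LAN prefix overlaps, which is the situation where plain routing no longer works and NAT becomes necessary; the second carves the LAN prefixes already in use out of the three RFC 1918 blocks and returns what is left for further segments. The remote network list is constructed for the demonstration.

```python
"""Added example (not code from the thread or from pfSense): show two of the
practical costs of putting 10.0.0.0/8 on a LAN interface that the thread
argues about. It collides with almost any remote 10.x network you would
later want to reach over a VPN, and it burns an entire RFC 1918 block,
leaving only two more for every other segment.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: networks behind hypothetical VPN peers (not real sites).
REMOTE_VPN_NETS = ["10.0.0.0/24", "10.50.0.0/16", "172.16.5.0/24", "192.168.1.0/24"]


def conflicting_remotes(local_lan: str, remote_nets) -> list:
    """Return the remote prefixes that overlap the local LAN prefix.
    Traffic to any of these cannot simply be routed into the tunnel: from the
    local host's point of view the destination is on its own link, so the
    only way out is NAT on one side."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [r for r in remote_nets
            if lan.overlaps(ipaddress.ip_network(r, strict=False))]


def private_space_left(used_lans) -> list:
    """Return the RFC 1918 space not consumed by the given LAN prefixes, as
    sorted CIDR strings: what is still available for the next segment."""
    free = list(RFC1918)
    for u in used_lans:
        used = ipaddress.ip_network(u, strict=False)
        remaining = []
        for block in free:
            if used.subnet_of(block):
                # carve the used prefix out; yields nothing when used == block
                remaining.extend(block.address_exclude(used))
            elif block.subnet_of(used):
                continue  # the whole block is swallowed by the used prefix
            else:
                remaining.append(block)
        free = remaining
    return [str(n) for n in sorted(free)]


if __name__ == "__main__":
    for lan in ("10.0.0.0/8", "10.20.30.0/24"):
        print(f"LAN {lan}: VPN conflicts {conflicting_remotes(lan, REMOTE_VPN_NETS)}")
        print(f"  private space left: {len(private_space_left([lan]))} blocks")
```

With 10.0.0.0/8 on the LAN, both 10.x remotes conflict and only 172.16.0.0/12 and 192.168.0.0/16 remain for anything else; with a /24 on the LAN nothing in the sample list conflicts and the rest of 10.0.0.0/8 stays usable. The overlap test is the same check worth running before adding any new site-to-site or road-warrior tunnel, whatever size the LAN is.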



  • "No it's not…  So you're on a 10/8 network and you need to have a vpn to another network that is say 10.0.0/24.  How do you route that?  Why would a client talk to the gateway to get to a network that is local to it.  Even if the vpn client is on this device... Why should it send traffic down the tunnel for an address that is on its local interface?"

    I never said you could tunnel between networks with the same address.  So, if one is 10/8 then the other has to be something else.  In fact, this was why I now have my home network on 172.16.0.0.  I got fed up with trying to VPN home from hotels, where the local network address was the same as I was using at home.  I had often seen 192.167.x.y used as well as something in the 10 range, but never 172.16.  So, I picked something there and haven't had a problem since.

    "I have seen equipment complain about smaller prefixes on IPv4"

    "Been in the biz 30 some years working with networks - before TCP was even a thing.. Never seen such a thing.. Windows will default to 255.0.0.0 when you start an address with 10…"

    So, Windows wants to set the old classful prefix.  While I haven't come across anything that couldn't be set to a smaller prefix, I have seen some that want to use the old class type prefix, just like Windows.  Some equipment is just flaky.  I've recently been working with an ADSL modem/router used by Bell Canada.  It defaults to 192.168.2.0 for the local network & DHCP.  One thing I noticed is that changing the prefix and turning off DHCP is a 3 step process, with reboots in between.  You can do it, but they don't make it simple.  This compares with the cable modems my ISP, Rogers, provides.  They are quick & easy to configure.  I see both in my work.  Rogers also provides IPv6.

    Bottom line, there's a lot of equipment that doesn't quite work as well as it should and some I have seen, though not recently, does complain about what it thinks is non standard subnet mask.

    BTW, I've been working with networks for almost 40 years, even before there was Ethernet or IPv4.  My Ethernet experience started with 10base5, connecting DEC VAX 11/780 computers.  IP, mid 90s.  In telecom, I go back 45 years.

    Also, while I wouldn't create a /8 network, my comment was in response to the claim that it would cause a problem.  Not specifying how it would cause a problem means it's an overly broad generalization.  Now the ISC DHCP pool size may be an issue, but that has nothing to do with the subnet size, only the pool size, which may or may not be related to subnet size.  I already gave 1 example where there was no DHCP and I've been around long enough to recall when static config was the norm, even on dial up access over SLIP.  I even remember my IPv4 address at IBM, from 20 years ago.  It was 9.29.146.147.  DHCP was introduced while I was there, in the late 90s.  This was in a building with over 4000 employees and over 4000 static IP addresses (there were also a similar number of SNA addresses).  So, DHCP pool size is a completely separate issue from subnet or prefix size and I maintain that a 10/8 network will work just fine.  Incidentally, take a look at the IPv4 link local networks, which are all 169.254.0.0/16.  I haven't heard of any complaints there from it being too large, even though it would typically be used to connect just 2 or a few computers.


  • Netgate

    In general, we are not dealing with those who would set a /8 on an interface and then deliberately reduce the pool size.

    I get it, you get it, johnpoz gets it, and several others here get it.

    In general, anyone who would post here with a /8 on the interface does not get it. That is the starting point.