Multiple interfaces and PING issues



  • pfSense has 2 LAN interfaces:
    Interface 1 - 192.168.10.1
    Interface 2 - 192.168.20.1

    PC1 - 192.168.10.11 linked to Interface 1
    PC2 - 192.168.10.12 linked to Interface 1

    PC3 - 192.168.20.111 linked to Interface 2

    PC1 and PC2 can PING each other, but PC3 is unable to PING PC1 and PC2; only when PC1 or PC2 disables its Windows firewall can PC3 PING it successfully.

    How can I PING or access PC1 or PC2 without turning off its Windows firewall?

    Thank you to whoever can help me.



  • @eelaideee:

    only when PC1 or PC2 disables its Windows firewall can PC3 PING it successfully.

    So obviously it's an issue of Windows firewall.

    @eelaideee:

    How can I PING or access PC1 or PC2 without turning off its Windows firewall?

    Allow access from 192.168.20.1/? in the Windows firewall.



  • I think the default for Windows is to block nearly all incoming traffic from outside of the local subnet.



  • @viragomann:

    @eelaideee:

    only when PC1 or PC2 disables its Windows firewall can PC3 PING it successfully.

    So obviously it's an issue of Windows firewall.

    @eelaideee:

    How can I PING or access PC1 or PC2 without turning off its Windows firewall?

    Allow access from 192.168.20.1/? in the Windows firewall.

    It is because some devices, such as printers and door access controllers, are plugged into a different subnet; a PC is unable to access them through the different subnet, and those devices also can't change any setting like the Windows firewall, so I am looking for whether there is any solution for that.



  • Aside from the system firewall, only a missing gateway setting on a device can cause it to be inaccessible from other subnets.

    The Windows firewall can be modified to allow access from other subnets if needed. Firewall > Advanced Settings > Inbound rules. You can add rules there and set the remote IP ranges which they should match.

    For devices without the ability to set a gateway (also to outfox Windows firewalls ;)) you can set an outbound NAT rule to masquerade the original source address as a workaround. Firewall > NAT > Outbound
    The outbound NAT has to be switched to hybrid or manual mode.
    Then add a new rule, set the interface to the one the concerned device is attached to, at source enter the other subnet, and at translation select "interface address".
    If that rule should only match a couple of devices, you can put these in an alias and use that one at destination instead of any.
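As an added example for the Windows-side fix suggested in the replies above (allowing the other subnet in the Windows firewall instead of turning the firewall off), the following PowerShell creates a scoped inbound rule on PC1/PC2. This is not code from the thread's posters or from pfSense; it assumes that Interface 2's subnet is 192.168.20.0/24 (the thread gives no prefix length), and the rule display name is chosen here.

```powershell
# Added example, not from the thread: allow ICMPv4 echo requests (ping) on a
# Windows host from the other LAN subnet, without disabling the firewall.
# Assumption: Interface 2's subnet is 192.168.20.0/24 (prefix length not stated in the thread).
# Run from an elevated PowerShell prompt on PC1 / PC2.
$RemoteSubnet = '192.168.20.0/24'
$RuleName     = 'Allow ICMPv4 Echo from LAN2 (192.168.20.0/24)'   # name chosen for this example

# Scope the rule to the remote subnet and to the Domain/Private profiles only,
# so pings from untrusted (Public) networks stay blocked.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $RemoteSubnet `
        -Profile Domain,Private `
        -Action Allow | Out-Null
}

# Check the scope actually applied: RemoteAddress should show the subnet, not 'Any'.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# Same pattern for a TCP service (here SMB/445) if PC3 needs more than ping;
# keep -RemoteAddress so the exposure stays limited to the one subnet.
# New-NetFirewallRule -DisplayName 'Allow SMB from LAN2' -Direction Inbound `
#     -Protocol TCP -LocalPort 445 -RemoteAddress $RemoteSubnet `
#     -Profile Domain,Private -Action Allow
```

The reason the outbound NAT workaround from the last reply also works is that after masquerading, PC1 sees the traffic arriving from the interface address (192.168.10.1), which falls inside the "Local subnet" scope of the default Windows rules. The trade-off is that PC1's own firewall logs then no longer show PC3's real address, so any per-host access control has to be done on pfSense, for example by restricting the outbound NAT rule's source to an alias of the few devices that really need it rather than the whole subnet.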