Communication between machines on 2 different subnets
-
Hi forum! I've recently joined the club and built my own pfSense firewall and got it to work quite well. One of the challenges that I've been facing is getting two machines connected to different subnets to talk to each other. Here's a diagram of my current network setup:
What I am trying to do is to be able to access MICHAELMAINPC from MICHAELAPTOP and vice versa. More specifically, I would like to access shared folders of these 2 machines
I have the following rules set for LAN_1
and for LAN_2
With these rules, I know for a fact that this allows LAN_1 and LAN_2 to access any machine (which is how I also have internet connectivity with these ports), but since they have a different subnet they are not able to access machines outside their subnet.
On MICHAELMAINPC I am able to see the following in the Network And Sharing explorer:
and on MICHAELAPTOP:
When I try to access MICHAELAPTOP from MICHAELMAINPC:
When I ping from MICHAELMAINPC:
From MICHAELMAINPC I am able to ping the LAN port that it is connected to, the LAN port that is connected to MICHAELAPTOP and another LAN port (192.168.3.1) that is not connected to anything.
Now from what I read, I am aware of 3 options that I can use to allow MICHAELMAINPC and MICHAELAPTOP to communicate:1.) Static routing
2.) VLANs
3.) Connecting MICHAELAPTOP to a switch, and the switch is connected to LAN_1I usually go with option 3 for simplicity, however I would like to know how to configure my setup if I were to go with either option 1 or 2. I have a general idea of static routing and VLANs, but I have been unable to apply them to my network. I would like to go with options 1 or 2 as in the future I would like to have a NAS attached to the firewall that is isolated from the other ports, so as to have the NAS isolated from interfaces with connection to the Internet.
-
You have to open up Windows firewall to allow the access. By default it blocks access from other subnets.
-
You have to open up Windows firewall to allow the access. By default it blocks access from other subnets.
In that case I would need to create an inbound rule I presume? I'd disable windows firewall entirely but I'm not too comfortable with doing that.
Would I need to adjust Windows Firewall only, or is there another setting that I need to tweak on the pfSense firewall? -
On the pfSense you need rules which allow the access on the particular incoming interface, of course. But you have already set that rules as your screenshot shows. You may restrict the access to the particular source and destination addresses (and ports).
It's also a requirement that pfSense is the default gateway on both machines. Your network map let me assume it is. Otherwise you would need routes on the machines.
-
On the pfSense you need rules which allow the access on the particular incoming interface, of course. But you have already set that rules as your screenshot shows. You may restrict the access to the particular source and destination addresses (and ports).
It's also a requirement that pfSense is the default gateway on both machines. Your network map let me assume it is. Otherwise you would need routes on the machines.
The IPv4 default gateway for both machines is equal to the LAN address of the interface that the machine is connected to. I'm not sure if the IPv6 gateway is also required:
On MICHAELMAINPC:
On MICHAELAPTOP:
Regarding the rules, I also plan to have a network port that is only used internally and will have restrictions based on particular sources and destinations.
I've also went ahead and created a rule in Windows firewall to allow for multiple subnets:
On MICHAELMAINPC:
and on MICHAELAPTOP:
Both of those rules were created in the Inbound and Outbound tabs. Unfortunately this didn't do anything and the machines still cannot see each other.
-
You try to access the other PC by host name. Do you run DNS on pfSense and are the names registered there? Otherwise that wont work.
NetBIOS cannot communicate over a router.Have you also tried access by IP addresses?
-
You try to access the other PC by host name. Do you run DNS on pfSense and are the names registered there? Otherwise that wont work.
NetBIOS cannot communicate over a router.Have you also tried access by IP addresses?
I do not have any DNS server setup for local machines:
However, I have been able to access via IP address, so the Windows firewall rules set seem to be working:
With all the rules required set correctly, how do I go about creating the DNS server required for local machines?
-
This only works if your host are configured to use pfSense as name server.
If they do just add a "Host override" for each host you want to resolve.
-
This only works if your host are configured to use pfSense as name server.
If they do just add a "Host override" for each host you want to resolve.
I ran ipconfig on both machines
MICHAELMAINPC:
MICHAELAPTOP:
Judging by the fact that the both of them point to FDNC (the pfSense firewall) as the router (DNS Suffix and connection-specific DNS Suffix) I think that implies they use the pfSense firewall as the name server.
The host override option didn't work however. I went on both DNS Forwarder and DNS resolver and added the host override
I still need to put the IP address in the Run command to see the other machine. I think I've incorrectly configured the host override but I'm not sure what I did wrong.
-
MICHAELMAINPC uses 8.8.8.8 as Primary DNS. The secondary will be only requested if the primary is not reachable, not if he can't resolve the name!
Remove the host names from the domains in the overrides, the domain is only "fdnc.com".
And ensure that the pfSense domain is set equally, otherwise you have to type the full FQDN to get the name resolved. -
"MICHAELMAINPC uses 8.8.8.8 as Primary DNS. The secondary will be only requested if the primary is not reachable,"
I want to clarify this with some more info, since it comes up ALL THE TIME!!! It is NEVER a good idea to set different ns on a client. You can set multiple dns sure.. But they all need to be able to resolve the same info.. So if your going to use public fine - use public.. Google and Open for example… But you should never set a public and a local dns.. Since public is not going to be able to resolve your local stuff.
If you want failover and redundancy then point to multiple local dns that can all resolve your local stuff, let them forward or resolve for all public stuff.
You really can never be sure when a client will query the NS listed.. And as mentioned if you ask google for say www.somelocaldomain.tld its going to send back NX.. Client will cache that that domain is not valid, its not going to ask any other ns it has listed for that.. Until such time that neg cache expires, etc.
You will only be asking for problems trying to use different NS that can not resolve the same stuff.. Point your local clients to local dns, let the local dns go find the public info..
