Rules that allow LAN and OPT1 to access each other



  • Hi!

    I am running pfSense 1.2 with three interfaces: WAN (public IP), LAN (10.0.0.0/24) and OPT1 (10.0.1.0/24).

    Besides the default rules, in the firewall rules of LAN I allow any proto, any source and any port to and from OPT1, and did that vice versa in OPT1.

    I was assuming the above setting would allow the PCs connected to the two interfaces to ping each other; however, it seems that something is missing.

    I can't say I am totally new to networking, but without touching it for several years, I would say I am going back to a fresh start!

    Please, anyone, give me a hint!

    Many thanks!

    Aldo



  • Can you show a screenshot of your firewall rules?

    Did you make sure that the firewall on the computer to be pinged is disabled?



  • Ohh thanks!

    Here are the firewall rules for OPT1

    And for LAN

    As well as for WAN

    I also double-checked the firewall settings on the local PCs; they are not blocking the traffic I want. I even turned them off to test.

    Wishes,
    Aldo



    I think I solved this problem, but I still don't quite understand why.

    I created another firewall rule under the WAN interface to allow the ICMP proto from any source to the LAN subnet (I am testing on a LAN PC); then I can ping from LAN to OPT1 without any problem.

    I'm thinking I need to put in another rule to allow the ICMP proto from any source to the OPT1 subnet in order to let OPT1 PCs ping LAN PCs?

    So, does it mean the ICMP packets are going through the WAN interface at all times, even in my situation of pinging from LAN to OPT1?



  • Your rules are kind of messy.

    http://forum.pfsense.org/index.php/topic,7001.0.html
    The part about rules.

    You should start on all interfaces with a * * * * * * rule (anything from anywhere to anywhere) and then see if it works.
    Then start making the rules more restrictive.

    Rules on the WAN do not affect traffic from LAN to OPTx in any way.



    Yeah, your rules are messy. You have to remember that the first rule on each interface that gets a hit will be run, and everything after that will be ignored. In your LAN rules you have "any protocol on the LAN subnet can go anywhere with any protocol", so all the other rules on that interface are pointless. The same for OPT1. If you get rid of the rest, you should be good. Make sure the rest of the computers don't have personal firewalls blocking ICMP packets.

    Good Luck.
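The two points made in the replies above (first match wins, and only the ruleset of the interface a packet enters on is consulted) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from pfSense; the rule sets are constructed to resemble the thread's LAN 10.0.0.0/24 and OPT1 10.0.1.0/24 setup, and the hypothetical `shadowed_rules` helper flags the "pointless" rules that an earlier allow-all rule already covers.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "any", "icmp", "tcp", "udp"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    descr: str = ""

def _covers(spec, ip):
    """Does an address spec ("any" or a CIDR) match a concrete address?"""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _spec_covers(outer, inner):
    """Does spec `outer` include every address that spec `inner` can match?"""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def evaluate(rulesets, ingress, proto, src, dst):
    """First-match evaluation: only the ruleset of the interface the packet
    enters on is consulted, so WAN rules never see LAN->OPT1 traffic.
    No match means the implicit default block. Returns (action, rule index)."""
    for idx, r in enumerate(rulesets.get(ingress, [])):
        if r.proto in ("any", proto) and _covers(r.src, src) and _covers(r.dst, dst):
            return r.action, idx
    return "block", None

def shadowed_rules(rules):
    """Indices of rules that can never be hit because an earlier rule already
    matches everything they would match (the 'pointless' rules in the thread)."""
    return [i for i, r in enumerate(rules)
            if any(e.proto in ("any", r.proto) and _spec_covers(e.src, r.src)
                   and _spec_covers(e.dst, r.dst) for e in rules[:i])]

# Constructed rule sets modelled on the thread (LAN 10.0.0.0/24, OPT1 10.0.1.0/24).
RULESETS = {
    "LAN": [
        Rule("pass", "any", "10.0.0.0/24", "any", "default LAN to any"),
        Rule("pass", "any", "10.0.0.0/24", "10.0.1.0/24", "LAN to OPT1 (redundant)"),
        Rule("pass", "any", "10.0.1.0/24", "10.0.0.0/24", "OPT1 to LAN (never enters on LAN)"),
    ],
    "OPT1": [Rule("pass", "any", "10.0.1.0/24", "any", "default OPT1 to any")],
    "WAN": [Rule("pass", "icmp", "any", "10.0.0.0/24", "ICMP to LAN (unrelated to LAN->OPT1)")],
}
```

Dropping the WAN ruleset entirely leaves the LAN->OPT1 verdict unchanged, which is the point of the reply above: the ping started working for some other reason, not because of the WAN rule.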

