Routing Across Subnets Question



  • I have 3 subnets on my pfSense Router network.
    I've set 192.168.1.x to be for guests and blocked all access to the other networks (192.168.2.x and 192.168.3.x). This seems to work fine.
    However, I have some Raspberry Pi's on 192.168.2.x that I can only access (via SSH) while on that sub-net.
    If I'm on 192.168.3.x, then my SSH session times out trying to connect.
    I didn't think there was anything in pfSense to block access across sub-nets.
    What am I missing?
    Thanks!


  • Rebel Alliance Global Moderator

    Without seeing the rules you created its impossible for us to see if those are the issue.. Please post up rules you created on these other networks firewall interfaces and your lan rules.

    Lan out of the box would be any any, but any other networks you bring up you would have to put in rules, or all traffic from that network would be blocked, etc.



  • Ah, Ok. I think I got it backward then.
    There are no rules between 2.x and 3.x - its just stock pfSense rules. So it would be blocked. I think I understand now.
    I really didn't need blocking rules between 1.x and 2.x/3.x, but put those in 'cause I thought I did need them.
    So I need to put in some rules between 2.x and 3.x in order to get access across those  subnets.
    I'll dig around and learn/figure out how to do that.
    Thanks for pointing me in the right direction…I was confused.


  • Rebel Alliance Global Moderator

    You do have interfaces or vlans for these other networks right… Your just not running multiple layer 3 on the same layer 2 network right??

    Rules are evaluated as traffic enters and interface from the network its attached too.
    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated
    If no rules trigger then default deny is always there..

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order



  • I have a 4 lan interface box very similar to this one:
    https://www.amazon.com/Qotom-Q190G4-S01-celeron-Pfsense-firewall-router/dp/B01AAKGH88/ref=sr_1_5?ie=UTF8&qid=1525656793&sr=8-5&keywords=pfsense+network+box&dpID=51RsQ8C3R5L&preST=SY300_QL70&dpSrc=srch
    I bought it just before pfSense announce the requirement for Hardware Encryption (AES-NI) in later releases :( … we'll see how long I can run with this one.
    Thank you for the additional info and documentation! Helps a lot!!