Can't access networks from LAN to OPT1



  • Hello,
    I have a fresh install of pfsense 2.4.3. The LAN interface is configured with a static IP 10.0.1.1/24 and the WLAN interface also with a static IP 10.0.2.1/24. The LAN interface is connected to a switch and the WLAN interface is connected to an access point.

    The problem is that I cannot access the web interface of the access point with a computer connected to the LAN network. I can ping the access point successfully, but the HTTP connection is not established.

    [alex@wsalex ~]$ ping accesspoint
    PING accesspoint.bepnet.private (10.0.2.2) 56(84) bytes of data.
    64 bytes from accesspoint.bepnet.private (10.0.2.2): icmp_seq=1 ttl=63 time=0.769 ms
    64 bytes from accesspoint.bepnet.private (10.0.2.2): icmp_seq=2 ttl=63 time=0.473 ms
    
    --- accesspoint.bepnet.private ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.473/0.621/0.769/0.148 ms
    

    I do also have a running nextcloud installation which is connected to the LAN network. From the WLAN network to the LAN network (the IP of the nextcloud appliance is 10.0.1.9/32) the connection via HTTP or HTTPS is possible. If I connect the nextcloud appliance to the WLAN network, the connection via HTTP or HTTPS isn't possible anymore (LAN network to WLAN network). Ping is still possible.

    [alex@wsalex ~]$ ping bepserv2
    PING bepserv2.bepnet.private (10.0.2.108) 56(84) bytes of data.
    64 bytes from bepserv2.bepnet.private (10.0.2.108): icmp_seq=1 ttl=63 time=0.431 ms
    64 bytes from bepserv2.bepnet.private (10.0.2.108): icmp_seq=2 ttl=63 time=0.529 ms
    
    --- bepserv2.bepnet.private ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.431/0.480/0.529/0.049 ms
    

    It seems to me that only ping from LAN network to WLAN network is possible. TCP/UDP from LAN network to WAN or WLAN network to WAN is always possible.

    My firewall rules are quite simple - see screenshots. I did not add standard routes.

    [screenshots: 2_1536666219780_wlan.png, 1_1536666219780_wan.png, 0_1536666219780_lan.png]

    I did a packet capture when trying to access the web interface of the access point. It looks like the TCP connection cannot be established.

    13:44:59.746014 IP 10.0.1.200.37296 > 10.0.2.2.80: tcp 0
    13:44:59.746320 IP 10.0.2.2.80 > 10.0.1.200.37296: tcp 0
    13:44:59.746397 IP 10.0.1.200.37296 > 10.0.2.2.80: tcp 0
    13:44:59.746474 IP 10.0.1.200.37296 > 10.0.2.2.80: tcp 325
    13:44:59.746618 IP 10.0.2.2.80 > 10.0.1.200.37296: tcp 0
    13:45:00.747641 IP 10.0.2.2.80 > 10.0.1.200.37296: tcp 0
    13:45:00.748099 IP 10.0.1.200.37296 > 10.0.2.2.80: tcp 0
    13:45:00.748296 IP 10.0.2.2.80 > 10.0.1.200.37296: tcp 0
    13:45:00.748301 IP 10.0.1.200.37298 > 10.0.2.2.80: tcp 0
    13:45:00.748561 IP 10.0.2.2.80 > 10.0.1.200.37298: tcp 0
    13:45:00.748700 IP 10.0.1.200.37298 > 10.0.2.2.80: tcp 0
    13:45:00.748931 IP 10.0.1.200.37298 > 10.0.2.2.80: tcp 325
    13:45:00.749100 IP 10.0.2.2.80 > 10.0.1.200.37298: tcp 0
    13:45:01.750442 IP 10.0.2.2.80 > 10.0.1.200.37298: tcp 0
    13:45:01.750964 IP 10.0.1.200.37298 > 10.0.2.2.80: tcp 0
    13:45:01.751170 IP 10.0.2.2.80 > 10.0.1.200.37298: tcp 0
    13:45:01.751283 IP 10.0.1.200.37300 > 10.0.2.2.80: tcp 0
    13:45:01.751469 IP 10.0.2.2.80 > 10.0.1.200.37300: tcp 0
    13:45:01.751606 IP 10.0.1.200.37300 > 10.0.2.2.80: tcp 0
    13:45:01.751900 IP 10.0.1.200.37300 > 10.0.2.2.80: tcp 325
    13:45:01.752059 IP 10.0.2.2.80 > 10.0.1.200.37300: tcp 0
    13:45:02.753030 IP 10.0.2.2.80 > 10.0.1.200.37300: tcp 0
    13:45:02.753571 IP 10.0.1.200.37300 > 10.0.2.2.80: tcp 0
    13:45:02.753765 IP 10.0.2.2.80 > 10.0.1.200.37300: tcp 0
    13:45:02.753796 IP 10.0.1.200.37302 > 10.0.2.2.80: tcp 0
    13:45:02.753992 IP 10.0.2.2.80 > 10.0.1.200.37302: tcp 0
    13:45:02.754098 IP 10.0.1.200.37302 > 10.0.2.2.80: tcp 0
    13:45:02.754341 IP 10.0.1.200.37302 > 10.0.2.2.80: tcp 325
    13:45:02.754518 IP 10.0.2.2.80 > 10.0.1.200.37302: tcp 0
    13:45:03.755895 IP 10.0.2.2.80 > 10.0.1.200.37302: tcp 0
    13:45:03.756204 IP 10.0.1.200.37302 > 10.0.2.2.80: tcp 0
    13:45:03.756317 IP 10.0.1.200.37302 > 10.0.2.2.80: tcp 0
    13:45:03.756464 IP 10.0.2.2.80 > 10.0.1.200.37302: tcp 0
    13:45:03.756649 IP 10.0.1.200.37304 > 10.0.2.2.80: tcp 0
    13:45:03.756924 IP 10.0.2.2.80 > 10.0.1.200.37304: tcp 0
    13:45:03.757028 IP 10.0.1.200.37304 > 10.0.2.2.80: tcp 0
    13:45:03.757305 IP 10.0.1.200.37304 > 10.0.2.2.80: tcp 325
    13:45:03.757472 IP 10.0.2.2.80 > 10.0.1.200.37304: tcp 0
    13:45:04.758756 IP 10.0.2.2.80 > 10.0.1.200.37304: tcp 0
    13:45:04.759200 IP 10.0.1.200.37304 > 10.0.2.2.80: tcp 0
    13:45:04.759420 IP 10.0.1.200.37304 > 10.0.2.2.80: tcp 0
    13:45:04.759568 IP 10.0.2.2.80 > 10.0.1.200.37304: tcp 0
    13:45:04.759774 IP 10.0.1.200.37306 > 10.0.2.2.80: tcp 0
    13:45:04.760049 IP 10.0.2.2.80 > 10.0.1.200.37306: tcp 0
    13:45:04.760158 IP 10.0.1.200.37306 > 10.0.2.2.80: tcp 0
    13:45:04.760416 IP 10.0.1.200.37306 > 10.0.2.2.80: tcp 325
    13:45:04.760586 IP 10.0.2.2.80 > 10.0.1.200.37306: tcp 0
    13:45:05.761957 IP 10.0.2.2.80 > 10.0.1.200.37306: tcp 0
    13:45:05.762746 IP 10.0.1.200.37306 > 10.0.2.2.80: tcp 0
    13:45:05.762968 IP 10.0.2.2.80 > 10.0.1.200.37306: tcp 0
    13:45:05.763109 IP 10.0.1.200.37308 > 10.0.2.2.80: tcp 0
    13:45:05.763304 IP 10.0.2.2.80 > 10.0.1.200.37308: tcp 0
    13:45:05.763467 IP 10.0.1.200.37308 > 10.0.2.2.80: tcp 0
    13:45:05.763730 IP 10.0.1.200.37308 > 10.0.2.2.80: tcp 325
    13:45:05.763891 IP 10.0.2.2.80 > 10.0.1.200.37308: tcp 0
    13:45:06.765117 IP 10.0.2.2.80 > 10.0.1.200.37308: tcp 0
    13:45:06.765716 IP 10.0.1.200.37308 > 10.0.2.2.80: tcp 0
    13:45:06.765973 IP 10.0.1.200.37310 > 10.0.2.2.80: tcp 0
    13:45:06.765993 IP 10.0.2.2.80 > 10.0.1.200.37308: tcp 0
    13:45:06.766266 IP 10.0.2.2.80 > 10.0.1.200.37310: tcp 0
    13:45:06.766424 IP 10.0.1.200.37310 > 10.0.2.2.80: tcp 0
    13:45:06.766688 IP 10.0.1.200.37310 > 10.0.2.2.80: tcp 325
    13:45:06.766860 IP 10.0.2.2.80 > 10.0.1.200.37310: tcp 0
    13:45:07.767719 IP 10.0.2.2.80 > 10.0.1.200.37310: tcp 0
    13:45:07.768118 IP 10.0.1.200.37310 > 10.0.2.2.80: tcp 0
    13:45:07.768306 IP 10.0.1.200.37310 > 10.0.2.2.80: tcp 0
    13:45:07.768450 IP 10.0.2.2.80 > 10.0.1.200.37310: tcp 0
    13:45:07.768759 IP 10.0.1.200.37312 > 10.0.2.2.80: tcp 0
    13:45:07.768959 IP 10.0.2.2.80 > 10.0.1.200.37312: tcp 0
    13:45:07.769122 IP 10.0.1.200.37312 > 10.0.2.2.80: tcp 0
    13:45:07.769385 IP 10.0.1.200.37312 > 10.0.2.2.80: tcp 325
    13:45:07.769547 IP 10.0.2.2.80 > 10.0.1.200.37312: tcp 0
    13:45:08.770291 IP 10.0.2.2.80 > 10.0.1.200.37312: tcp 0
    13:45:08.771033 IP 10.0.1.200.37312 > 10.0.2.2.80: tcp 0
    13:45:08.771233 IP 10.0.2.2.80 > 10.0.1.200.37312: tcp 0
    13:45:08.771348 IP 10.0.1.200.37314 > 10.0.2.2.80: tcp 0
    13:45:08.771548 IP 10.0.2.2.80 > 10.0.1.200.37314: tcp 0
    13:45:08.771698 IP 10.0.1.200.37314 > 10.0.2.2.80: tcp 0
    13:45:08.771990 IP 10.0.1.200.37314 > 10.0.2.2.80: tcp 325
    13:45:08.772154 IP 10.0.2.2.80 > 10.0.1.200.37314: tcp 0
    13:45:09.773141 IP 10.0.2.2.80 > 10.0.1.200.37314: tcp 0
    13:45:09.773580 IP 10.0.1.200.37314 > 10.0.2.2.80: tcp 0
    13:45:09.773785 IP 10.0.2.2.80 > 10.0.1.200.37314: tcp 0
    
    

    The firewall log shows that the traffic is passed - I did add the log option in the firewall rule.

    [screenshot: 0_1536666548973_firewall_log_http_lan_to_wlan_accesspoint.png]

    It would be great if someone could give me some hints to solve the problem. I really don't know where to search for the problem.

    Thanks a lot and best regards
    Alex


  • Galactic Empire

    @beppo said in Can't access networks from LAN to OPT1:

    accesspoint

    Is it a router with Wi-Fi or an actual access-point ?



  • It is an access point. The web interface is accessible from the WLAN network, wired or via radio.


  • Galactic Empire

    @beppo

    I only asked as some people use a home router with Wi-Fi and connect it via the WAN port.

    It should route as the networks are directly attached. Are there any other devices, or could you pop a laptop where the access-point is connected and try that?

    It sort of smacks of the access-point not having a default route.



  • If I connect a laptop to the switch where the access point is connected, I can connect to the web interface. But the problem cannot be the access point.

    As I did write, I have a small server running. If I connect the server to the switch with the access point, the server is not accessible anymore from LAN network.

    I totally agree with you, pfsense should route as the networks are directly connected.

    All devices are configured via the DHCP server of the LAN and WLAN interfaces.

    [screenshots: 1_1536670410690_dhcp_server_wlan.png, 0_1536670410690_dhcp_server_lan.png]

    I don't know why ICMP is working and the rest is not.


  • Galactic Empire

    Diagnostics -> Test Port

    Tried the above from the router using the WLAN as a source?



  • It is working from WLAN and also from LAN.
    [screenshots: 1_1536672109073_testport_80_wlan.png, 0_1536672109073_testport_80_lan.png]

    Did you have a look at the firewall log? It seems like the TCP connection cannot be established, for whatever reason.

    [screenshot: 0_1536672152846_firewall_log_http_lan_to_wlan_accesspoint.png]



  • Update:

    Changed both switches, problem still persists.

    Scenario 1: Server is connected to the LAN network
    Ping and TCP/UDP connections (e.g. HTTP, HTTPS or SSH) from the WAN network to the server on the LAN network are possible.

    Scenario 2: Server is connected to the OPT1 network
    Ping from the LAN network to OPT1 is working; TCP/UDP connections (e.g. HTTP, HTTPS or SSH) are not working.

    I really don't know why. The firewall rules are equivalent on both interfaces and allow each interface to any with protocol any.

    I would really appreciate if anyone could give me some hints.

    Thanks and regards
    Alex


  • LAYER 8 Global Moderator

    @beppo said in Can't access networks from LAN to OPT1:

    13:44:59.746014 IP 10.0.1.200.37296 > 10.0.2.2.80: tcp 0
    13:44:59.746320 IP 10.0.2.2.80 > 10.0.1.200.37296: tcp 0

    That sure looks like your AP answered.. But maybe it answered back with RST.. Ie F off sort of thing because a remote network is not allowed to access its web gui..

    Open that sniff up on wireshark... What does it tell you?

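The check johnpoz asks for (does the AP complete the handshake and then reset, or does it never answer?) can be automated once the capture includes TCP flags, which pfSense's default packet-capture output above does not show. The following Python script is an added example and not part of this thread or of pfSense; it parses tcpdump's default verbose line format (assumed here) and classifies each connection attempt. The sample capture is constructed for illustration: the port 80 flow mimics the poster's pattern of a completed handshake, a 325-byte request and a reset from the AP (the "remote admin not allowed" case johnpoz describes later), the port 22 flow is a plain refused port, and the port 443 flow is a SYN that is never answered, which is what a firewall drop or a missing return route looks like.

```python
import re
from collections import defaultdict

# Constructed sample capture (NOT the original post's flag-less dump). Lines follow
# tcpdump's default output, which carries the TCP flags needed to tell
# "dropped" from "refused" from "accepted then reset by the application".
SAMPLE_CAPTURE = """\
13:44:59.746014 IP 10.0.1.200.37296 > 10.0.2.2.80: Flags [S], seq 1, win 64240, length 0
13:44:59.746320 IP 10.0.2.2.80 > 10.0.1.200.37296: Flags [S.], seq 100, ack 2, win 65535, length 0
13:44:59.746397 IP 10.0.1.200.37296 > 10.0.2.2.80: Flags [.], ack 101, win 502, length 0
13:44:59.746474 IP 10.0.1.200.37296 > 10.0.2.2.80: Flags [P.], seq 2:327, ack 101, win 502, length 325
13:44:59.746618 IP 10.0.2.2.80 > 10.0.1.200.37296: Flags [R.], seq 101, ack 327, win 0, length 0
13:45:10.000000 IP 10.0.1.200.40000 > 10.0.2.2.22: Flags [S], seq 1, win 64240, length 0
13:45:10.000300 IP 10.0.2.2.22 > 10.0.1.200.40000: Flags [R.], seq 0, ack 2, win 0, length 0
13:45:11.000000 IP 10.0.1.200.40002 > 10.0.2.2.443: Flags [S], seq 1, win 64240, length 0
13:45:12.000000 IP 10.0.1.200.40002 > 10.0.2.2.443: Flags [S], seq 1, win 64240, length 0
"""

# Matches "HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..., length N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)


def parse_capture(text):
    """Parse tcpdump TCP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "flags": m["flags"], "length": int(m["length"]),
            })
    return packets


def classify_flows(text):
    """Return {(client, cport, server, sport): verdict} for every TCP attempt seen."""
    flows = defaultdict(list)
    for p in parse_capture(text):
        # Direction-independent key so both halves of a conversation land together.
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        flows[key].append(p)

    verdicts = {}
    for pkts in flows.values():
        # The client is whoever sent the first bare SYN ([S], not the [S.] SYN/ACK).
        syns = [p for p in pkts if "S" in p["flags"] and "." not in p["flags"]]
        if not syns:
            continue
        client, cport = syns[0]["src"], syns[0]["sport"]
        server, sport = syns[0]["dst"], syns[0]["dport"]
        from_server = [p for p in pkts if p["src"] == server and p["sport"] == sport]
        from_client = [p for p in pkts if p["src"] == client and p["sport"] == cport]

        synack = any("S" in p["flags"] and "." in p["flags"] for p in from_server)
        server_rst = any("R" in p["flags"] for p in from_server)
        client_sent_data = any(p["length"] > 0 for p in from_client)
        server_sent_data = any(p["length"] > 0 for p in from_server)

        if not from_server:
            verdict = "no-response"          # SYN never answered: dropped on path or no route back
        elif not synack and server_rst:
            verdict = "refused"              # RST straight to the SYN: port closed
        elif synack and client_sent_data and server_rst and not server_sent_data:
            verdict = "reset-after-request"  # handshake ok, request sent, then RST: app-level ACL
        elif synack and server_sent_data:
            verdict = "ok"
        else:
            verdict = "incomplete"
        verdicts[(client, cport, server, sport)] = verdict
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

A "reset-after-request" verdict is the signature of what this thread ends up with: the firewall passed the packets (so the pfSense log shows them as passed), the TCP stack on the AP accepted the connection, and only the web server on the AP refused the request from a non-local subnet. A "no-response" verdict would instead point back at the firewall rules or the return route, which is where the poster was looking first.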


  • @johnpoz I think you are correct. I tried SSH to a server connected to OPT1 from the LAN network once again and it worked. I seem to have made a mistake on the SSH try in the first run.

    Seems to be some ACL of the access point, although I did not find anything in the web interface.

    [screenshot: 0_1536787271620_10.0.2.2.png]

    So it's not a pfsense issue. Thx for your help @NogBadTheBad and @johnpoz .


  • LAYER 8 Global Moderator

    Many an access point/wifi router will not allow remote admin. When you're not from the local network you would be "remote", so you would have to enable remote admin.

    What is the make and model of this AP?

