Router-Router users not allowed through



  • Hi all

    At my workplace, we use a Ubiquiti Nanostation to transmit a wifi signal across our camp (we're in the Antarctic, so cabling is next to impossible). Anyone connecting to this can access the Netgate SG-3100 firewall, go through the gateway (either a BGAN or an Openport, set up with failover) and is then allowed through to the very limited internet.

    We have a few harder structures where we use other Nanostations to receive the same camp-wifi signal, directly connected to Ubiquiti Picostations internally with another wifi on a different channel rebroadcasting a local wifi internally, essentially acting as relays/boosters. The Nanostations act as Stations, and the Picostations act as Access Points, with no DHCP enabled (all IPs are handled by the SG-3100). It all works well, except that when someone connects to one of these internal wifis, they can't directly access the firewall. They can't ping the IP or load the web interface, and they can't get to the gateway, but they do get an IP from the firewall... They can ping everything else on the network just fine, and the Nanostations and Picostations can ping the firewall and gateways just fine.

    Those users have firewall rules allowing unlimited internet access through the primary gateway, but they still can't get to the firewall. If they jump onto the camp wifi they have no problems at all. I've tried creating firewall rules to allow everyone on the network to have access to the firewall, but it still doesn't work (and I shouldn't have to anyway). I've added the IPs of the Nanostations and Picostations with access also.

    Is this a pfSense/firewall problem or a Ubiquiti problem?


  • Rebel Alliance

    Maybe it's only me, but I don't really get what you are doing there.
    Can you draw a picture of this setup?

    -Rico



  • @deanoevans said in Router-Router users not allowed through:

    but they do get an IP from the firewall

    That's only one third of the most essential luggage. What about a DNS and a gateway? (And check the LAN "mask".)

    If not, as @Rico says: for you, your network setup is clear as water (well: here), but I can't "see" the global picture.
    A drawing?



  • [attached drawing: ug.png]

    Apologies for the crude drawing. I can use my phone in Situation A and have full access to the firewall, web interface, gateways and the internet. If I go inside and jump on the MainTent SSID, I can't access the firewall or anything behind it, but I still get an IP from the DHCP on the firewall.



  • Figured it out!

    Under DHCP, I had "ARP Table Static Entry" ticked when assigning a static IP. I disabled that and now it works.

    Thanks for the help
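The fix above turns on a general point: a static (permanent) ARP entry pins an IP address to one MAC, and the firewall then never relearns the binding from traffic or ARP replies. If a host's frames arrive from a different source MAC than the one pinned (for instance, behind a wireless bridge that rewrites client source MACs), the firewall's replies are addressed to the pinned MAC and never reach the host, while the host can still receive a DHCP lease and reach other hosts on the segment. The script below is an added example, not code from the thread or from pfSense: it parses the FreeBSD `arp -an` output format that pfSense uses (the sample lines here are constructed), takes a list of (IP, source MAC) pairs observed on the wire (also constructed, e.g. from a short packet capture on the LAN interface), and reports any permanent entry whose MAC does not match what the host actually sends from. The interface name `em1` and all addresses are assumptions for the example.

```python
"""Flag pinned (permanent) ARP entries whose MAC differs from the MAC actually
seen for that IP on the wire.  Added example; not code from the forum thread
or from pfSense itself."""
import re
from typing import Dict, List, Tuple

# Constructed sample of FreeBSD/pfSense `arp -an` output (assumed format).
# Entries marked "permanent" are static, e.g. from the DHCP static-mapping
# option "ARP Table Static Entry"; the others were learned dynamically.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:11:22:33:44:01 on em1 permanent [ethernet]
? (192.168.1.50) at 00:11:22:33:44:50 on em1 permanent [ethernet]
? (192.168.1.60) at 00:11:22:33:44:60 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.70) at aa:bb:cc:dd:ee:70 on em1 permanent [ethernet]
? (192.168.1.80) at (incomplete) on em1 expired [ethernet]
"""

# Constructed sample of (ip, source MAC) pairs seen in frames arriving on the
# LAN interface, e.g. from a short packet capture.
SAMPLE_OBSERVED = [
    ("192.168.1.50", "00:11:22:33:44:50"),  # matches its pinned entry
    ("192.168.1.60", "00:11:22:33:44:60"),  # dynamic entry, nothing pinned
    ("192.168.1.70", "de:ad:be:ef:00:70"),  # pinned to a different MAC
]

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{17}) "
    r"on (?P<iface>\S+) (?P<state>[^\[]+)"
)


def parse_arp(text: str) -> Dict[str, Tuple[str, str, bool]]:
    """Map ip -> (mac, interface, is_permanent).

    Lines without a resolved MAC ("(incomplete)") are skipped.
    """
    table: Dict[str, Tuple[str, str, bool]] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        permanent = m.group("state").strip().startswith("permanent")
        table[m.group("ip")] = (m.group("mac").lower(), m.group("iface"), permanent)
    return table


def find_pinned_mismatches(
    arp_table: Dict[str, Tuple[str, str, bool]],
    observed: List[Tuple[str, str]],
) -> List[dict]:
    """Return permanent entries whose MAC differs from the MAC seen on the wire.

    Dynamic entries are ignored: the kernel updates those itself, so a MAC
    change there is not a problem.  A permanent entry is never updated, so a
    mismatch means the firewall's replies go to the wrong MAC.
    """
    problems = []
    for ip, seen_mac in observed:
        entry = arp_table.get(ip)
        if entry is None:
            continue
        mac, iface, permanent = entry
        if permanent and mac != seen_mac.lower():
            problems.append(
                {"ip": ip, "pinned_mac": mac, "seen_mac": seen_mac.lower(), "iface": iface}
            )
    return problems


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP_OUTPUT)
    for p in find_pinned_mismatches(table, SAMPLE_OBSERVED):
        print(
            f"{p['ip']} on {p['iface']}: pinned to {p['pinned_mac']} "
            f"but frames arrive from {p['seen_mac']}"
        )
```

On a real SG-3100 you would feed it the output of `arp -an` from the shell and the source MACs from a capture on the LAN interface; any line it prints is a host that will get a DHCP lease and reach its neighbours but not the firewall, which is exactly the symptom described in the thread.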