Phone on VLAN can't ping PC on LAN
-
Hello. My first time setting up pfSense, I feel like I got pretty far, but I finally hit a roadblock.
My setup is as follows:
WAN is on em7, cable coming in from ISP modem
LAN is on em6, going out to a dumb switch
I've set up 3 VLANs on em6: LANWIFI (VLAN 20), LANGUEST (VLAN 30), and GARBAGE (VLAN 40). The Garbage VLAN is where I intend to dump all my IoT things.LAN subnet is 192.168.10.0/24, I've given it a range of 100-200
LANWIFI is 192.168.20.0/24, range 100-200
LANGUEST is 192.168.30.0/24, range 100-200
GARBAGE is 192.168.40.0/24, range 100-200WAN rules are the default "Block private networks" and "Block bogon networks" rules that pfSense applies
LAN rules are the default Anti-Lockout Rule, wide open IPv4, and IPv6
LANWIFI rule is what I think is wide open, IPv4 any protocol, any source/port, any dest/port, any gateway.Disregarding LANGUEST and GARBAGE for now, because my current problem is with LANWIFI.
The physical cable all these (V)LANs are on goes into a dumb switch, and connected to that switch is a Ubiquiti LR AP.
All devices can access the internet just fine. But some devices can ping other devices one way, but the devices can't ping the other way.
For instance, my PC 192.168.10.104 can ping my phone 192.168.20.101, but my phone can't ping my PC. But both devices can ping, say, Google, just fine. My phone 20.101 can ping my wife's phone 20.100 and vice versa. I have a Synology NAS on 192.168.10.103 that my phone also can't ping, so it's more than just the Windows firewall on my PC interfering.
So, all the 192.168.20.0 devices can ping each other, and the subnet 10 devices can ping the subnet 20 devices, but the subnet 20 devices can't ping the subnet 10 devices back. But my phone on the 20 subnet can ping 192.168.10.1
I've checked all the UniFi settings that the internet suggests I check, namely making sure "Block LAN to WLAN Multicast and Broadcast Data" is disabled, which it is. So, as far as I can tell, the AP is configured properly. And the only rule on WIFILAN is wide open, and all devices on all subnets are able to connect to the internet just fine.
So I've reached the end of my networking knowledge here. Does anyone have any clue what the issue might be? Thanks.
-
Post a screenshot of your LANWIFI rules. You might have set protocol to be TCP/UDP instead of Any by accident or something.
Windows wont respond to pings outside its own subnet, so disable the Windows firewall and any A/V firewalls during testing.
When in doubt, run a packet capture (Diagnostics - Packet Capture) and see what's actually being passed between the various interfaces.
-
-
Looks good to me. Check my other recommendations, and have a glance at the doc below:
https://doc.pfsense.org/index.php/Connectivity_Troubleshooting
-
I changed my LAN rules and suddenly my cell phone can ping the NAS, which it couldn't before. Instead of the default wide open rules, I made my own wide open rule. I don't know if this is a security risk or anything, or what the difference is between the default rules and mine.
-
Those rules are similar enough that it shouldn't have mattered.
-
It seems you're right, it stopped working. lol
-
Check your firewall log for blocked traffic, and do a packet capture to see what's going on. Those are two methods of troubleshooting connectivity issues. I assume you went through the Connectivity doc I linked to?
-
LAN is on em6, going out to a dumb switch
Before we even get to the firewall rules, here's your main issue. If you're using VLAN's terminated on PFsense, em6 needs to be trunked to a managed switch.
-
I should clarify, it's not a dumb switch, but it is a managed switch that I just hadn't done any tinkering with. So it has been passing the VLANs just fine. I've since discovered that, as I imagined, my problem pinging PCs from my phone was Windows Firewall settings, which I've corrected. The problem pinging my NAS across subnets turned out to be a limitation of the phone app I was using. Tried a different app and I was connecting to the NAS no problem.
Thanks, everybody, for the help! Everything's up and running now.
