LAN2 Cannot Connect to main LAN



  • LAN is 192.168.1.0/24 Gateway 192.168.1.1
    LAN2 is 192.168.2.0/24 Gateway 192.168.2.1

    PFSense provides DHCP & DNS to both
    Both LAN & LAN2 can connect to Internet OK.

    I have workstations on LAN2 that need to connect to devices on LAN but the connection does not work:

    On my LAN2 PC (192.168.2.20) I can ping my NAS by name (NAS1)and it is resolved as the correct IP (192.168.1.8) but is shown as "destination host unreachable."

    • Trying to connect to the NAS web interface (192.168.1.8:8080) from 192.168.2.20 just times out.

    • Trying to RDP to another workstation on LAN (192.168.1.5) from LAN2 (192.168.2.20) also fails.

    Firewall rules are:
    LAN - default allow any to any, all ports
    LAN2 - Alias for trusted LAN2 workstation IPs to LAN NET for alias of allowed ports.

    • I also added another LAN2 rule to allow LAN to LAN2 which I didn't think was required as expected traffic is not in that direction, but it didn't help.

    I have tried restarting pfsense after modifying rules in case there is some issue with original "states" but it makes no difference.

    There are no private/bogon networks limitations on either LAN or LAN2.

    The only non-standard setting may be the Firewall NAT Outbound is set to Manual Outbound NAT as recommended/required for pfBlockerNG setup.

    Everything I have read says that if pfSense is the Gateway for both interfaces, the only thing needed are the Firewall Rules but it just doesn't seem to work.

    Any advice would be gratefully received.

    Rgds


  • LAYER 8 Rebel Alliance

    @IanHK said in LAN2 Cannot Connect to main LAN:

    LAN2 - Alias for trusted LAN2 workstation IPs to LAN NET for alias of allowed ports.

    LAN2 > LAN access working when you try with Firewall Rule any-any (LAN2)?

    -Rico



  • Hi Rico,

    Thanks for helping.

    If I change the LAN2 rule to completely open any/any/all ports the result is the same - pinging NAS1 identifies the correct IP (192.168.1.8) but shows "destination host unreachable" and opening the web access page just times out.

    Internet continues to work OK - I am typing this from 192.168.2.20

    For this LAN2 > LAN traffic, the rule uses "*" for the Gateway - I assume this is "default" which should mean that pfsense handles it at it manages both 192.168.1.x and 192.168.2.x subnets. But is there any way to force this and/or prevent this outbound from LAN2 going straight to the WAN - which I assume is what's going on somehow as it doesn't seem to be the basic rule structure?

    Regards


  • LAYER 8 Rebel Alliance

    Please show your Interface configuration LAN & LAN2 and Firewall Rules.
    Anything in the Firewall Logs when you try to access NAS1?

    -Rico


  • Galactic Empire

    @IanHK said in LAN2 Cannot Connect to main LAN:

    Thanks for helping.
    If I change the LAN2 rule to completely open any/any/all ports the result is the same - pinging NAS1 identifies the correct IP (192.168.1.8) but shows "destination host unreachable" and opening the web access page just times out.
    Internet continues to work OK - I am typing this from 192.168.2.20
    For this LAN2 > LAN traffic, the rule uses "*" for the Gateway - I assume this is "default" which should mean that pfsense handles it at it manages both 192.168.1.x and 192.168.2.x subnets. But is there any way to force this and/or prevent this outbound from LAN2 going straight to the WAN - which I assume is what's going on somehow as it doesn't seem to be the basic rule structure?
    Regards

    Double check the subnet masks are correct and default gateways on the end devices.



  • LAN is 192.168.1.0 255.255.255.0 DHCP 192.168.1.101 - 199
    LAN2 is 192.168.2.0 255.255.255.0 DHCP 192.168.2.101 - 199

    The workstation IP (192.168.2.20) and target NAS (192.168.1.8) are DHCP Static Mappings.

    Workstation seems to pick up everything correctly:

    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::d493:903e:358e:10%16(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Lease Obtained. . . . . . . . . . : Wednesday, April 3, 2019 3:58:33 PM
    Lease Expires . . . . . . . . . . : Wednesday, April 3, 2019 5:58:32 PM
    Default Gateway . . . . . . . . . : 192.168.2.1
    DHCP Server . . . . . . . . . . . : 192.168.2.1
    DHCPv6 IAID . . . . . . . . . . . : 83896568
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5F-AE-27-00-28-F8-0A-93-99
    DNS Servers . . . . . . . . . . . : 192.168.2.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    LAN2_Rules.JPG

    Note, the "Allow trusted WiFi" rule above was changed to an any/any/all rule without improving the situation. This originally had aliases for the x.x.2.x workstations and permitted ports.

    LAN_Rules.JPG

    Thanks.


  • LAYER 8 Rebel Alliance

    pfSense Interface configuration.

    -Rico



  • Interfaces:

    Iface_LAN.JPG

    Iface_LAN2.JPG


  • LAYER 8 Rebel Alliance

    IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.0.0.0

    Wrong Subnet Mask, change to 255.255.255.0

    -Rico



  • But where is that being set - the WiFi AP is using pfsense as the DHCP so the settings are coming from pfsense aren't they:

    LAN2_DHCP.JPG


  • LAYER 8 Rebel Alliance

    This happens only for your static mappings or in general?
    Check for any second DHCP server in your network. You have any Wireless AP in this network? Check for running DHCP server there.

    -Rico


  • Galactic Empire

    @Rico said in LAN2 Cannot Connect to main LAN:

    IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.0.0.0

    Wrong Subnet Mask, change to 255.255.255.0

    -Rico

    ☺

    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::d493:903e:358e:10%16(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Lease Obtained. . . . . . . . . . : Wednesday, April 3, 2019 3:58:33 PM
    Lease Expires . . . . . . . . . . : Wednesday, April 3, 2019 5:58:32 PM
    Default Gateway . . . . . . . . . : 192.168.2.1
    DHCP Server . . . . . . . . . . . : 192.168.2.1
    DHCPv6 IAID . . . . . . . . . . . : 83896568
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5F-AE-27-00-28-F8-0A-93-99
    DNS Servers . . . . . . . . . . . : 192.168.2.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Could be you've changed the subnet mask on the DHCP server / pfSense and the lease on the client hasn't expired.



  • There will be a short delay!

    Tried to reboot after resaving to get a clean slate, and completely lost all internet connectivity.

    Really appreciate the help and will revert if/when I get off this 3G phone link.



  • Well, that's a few hours of my life I won't get back!

    Tried absolutely everything I could think of with my Asus Access Point and eventually did a factory reset to get back to a known start point.

    1. I gave up trying to get LAN2 to work, and just set the AP to automatically get the DHCP settings from pfSense. Plugged it back in and was back at the same status as this morning - everything talking to everything but no way to isolate some wifi users form the main network.
    • The auto settings gave my wifi connected PC this setup - note the subset mask that is driven entirely by pfSense on LAN interface: 255.255.255.0

    LAN_DHCP.JPG

    Because everything is driven by pfSense, just for giggles I moved the AP from LAN to LAN2 - and look what happened to the subnet mask - it goes back to the troublesome 255.0.0.0 !!!

    LAN2_DHCP.JPG

    As this is seen as the reason my LAN2>LAN access is not working as it should, can anybody help to explain where/how in pfSense the subnet mask is modified for LAN2 compared to LAN when both are set the same?

    pfSense 2.4.4 release-P1

    Thanks



  • I modified the LAN2 DHCP settings to 192.168.2.1 /25 and restarted the DHCP service.

    The new lease has got the same 255.0.0.0 issue as before:

    LAN2_NEW_DHCP.JPG

    Bizarre !


  • Galactic Empire

    Remove the AP from LAN2 and plug the laptop in directly, what do you get then ?



  • I checked for a device getting a DHCP address, rather than static mappings - and it's the same - LAN2 DHCP gives a 255.0.0.0 subnet mask but simply plugging the cable from LAN2 back to LAN the assignments are normal - i.e. 255.255.255.0

    There doesn't seem to be anywhere in pfSense where this could be going wrong - the DHCP settings pick up the correct range of possible IPs based on the interface settings so it appears to have the correct picture of what LAN2 looks like.

    Other than deleting the LAN2 interface completely and re-creating it, does anybody have any other suggestions ?

    Thanks



  • Hi NogBTB,

    Smart thought - bizarre result!

    I cable connected my PC directly to the LAN2 interface and it gives me:

    • a LAN address of 192.168.1.20 NOT the expected LAN2 address of 192.168.2.20

    • Subnet mask 255.255.255.0

    I originally had the static mappings on the LAN DHCP, and duplicated them to LAN2 (changing x.x1.x to x.x.2.x) so these devices (MACs) are defined in static mappings on both LAN and LAN2.

    I am guessing this is the root cause, and in a steady state I could remove them from LAN once LAN2 is actually working, but should a PC connected to LAN2 be served an LAN IP and/or is there a way to stop it happening while keeping the fallback mappings on the LAN DHCP ?

    Thanks


  • Galactic Empire

    Post a copy of the following:-

    1. An ipconfig /all when directly connected to LAN2

    2. An arp -a when directly connected to LAN2

    3. Status-> Interfaces LAN & LAN2.



  • Will do, thanks. Just need a moment to let things settle....



  • Current status:

    1. I removed the "duplicate" static mappings so now LAN only has static IPs defined for the wired devices, and LAN2 only has static mappings for the WiFi devices.

    2. For my workstation, I removed all static mappings so it is just picku\ing up DHCP settings.

    3. LAN2 is defined as 192.168.2.0/25 - I only did this to force a change to be saved to see if it would solve the 255.0.0.0 issue

    4. I rebooted pfSense

    5. I double-checked the workstation is using DCHP - when the pfSense box / AP went wonky last night I had a fixed IP which may have caused the situation earlier today, not sure of anything anymore!

    Now, with workstation connected directly to LAN2, I am seeing an x.x.2.x DHCP assigned IP - as expected - but the subnet mask is STILL 255.0.0.0

    Attached items as requested:

    • ipconfig /all
    • arp -a
    • pfSense Status > Interfaces

    IpConfigAll.txt

    Arp-a.txt

    Status_interfaces.JPG


  • Galactic Empire

    192.168.2.1 00-0d-b9-50-e9-82 dynamic

    hmmm your getting DHCP from the pfSense LAN2 interface, thats why I asked for the arp -a, to tie in the DHCP server IP and the MAC address.

    The subnet mask is now /25 rather than /24.

    Can you post a screenshot from the LAN2 config and the DHCP settings for LAN2.



  • Thanks - here you go...

    LAN2.JPG

    LAN2DHCP_Part1.JPG

    LAN2DHCP_Part2.JPG

    LAN2DHCP_Part3.JPG


  • Galactic Empire

    https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.txt

    https://tools.ietf.org/html/rfc2132

    Remove DHCP option 1 and try again.

    No need to go anywhere near the options config for standard users.



  • You've got to be kidding! That just looked like a default panel with nothing saved - pfSense usually adds rows of saved items in a table underneath.

    Anyway, I needed to add another row to get a delete option but when i did, the DHCP assigned mask is immediately the expected 255.255.255.0 and from my x.x.2.x workstation I can access the NAS webgui on x.x.1.x

    So grateful - many, many thanks.


  • Galactic Empire

    @IanHK

    You can just blank the entry :)


  • Galactic Empire

    @IanHK said in LAN2 Cannot Connect to main LAN:

    You've got to be kidding! That just looked like a default panel with nothing saved - pfSense usually adds rows of saved items in a table underneath.

    Anyway, I needed to add another row to get a delete option but when i did, the DHCP assigned mask is immediately the expected 255.255.255.0 and from my x.x.2.x workstation I can access the NAS webgui on x.x.1.x

    So grateful - many, many thanks.

    You should be getting a mask of 255.255.255.128 if you have a /25 mask set.



  • Yes, that's what I get with the /25 setting. Thanks again.


Log in to reply