Netgate Discussion Forum

    LAN2 Cannot Connect to main LAN

    L2/Switching/VLANs
    28 Posts 3 Posters 2.2k Views
    • IanHK

      LAN is 192.168.1.0/24 Gateway 192.168.1.1
      LAN2 is 192.168.2.0/24 Gateway 192.168.2.1

      pfSense provides DHCP & DNS to both
      Both LAN & LAN2 can connect to Internet OK.

      I have workstations on LAN2 that need to connect to devices on LAN but the connection does not work:

      On my LAN2 PC (192.168.2.20) I can ping my NAS by name (NAS1) and it is resolved as the correct IP (192.168.1.8) but is shown as "destination host unreachable."

      • Trying to connect to the NAS web interface (192.168.1.8:8080) from 192.168.2.20 just times out.

      • Trying to RDP to another workstation on LAN (192.168.1.5) from LAN2 (192.168.2.20) also fails.

      Firewall rules are:
      LAN - default allow any to any, all ports
      LAN2 - Alias for trusted LAN2 workstation IPs to LAN NET for alias of allowed ports.

      • I also added another LAN2 rule to allow LAN to LAN2 which I didn't think was required as expected traffic is not in that direction, but it didn't help.

      I have tried restarting pfsense after modifying rules in case there is some issue with original "states" but it makes no difference.

      There are no private/bogon networks limitations on either LAN or LAN2.

      The only non-standard setting may be the Firewall NAT Outbound is set to Manual Outbound NAT as recommended/required for pfBlockerNG setup.

      Everything I have read says that if pfSense is the Gateway for both interfaces, the only thing needed are the Firewall Rules but it just doesn't seem to work.

      Any advice would be gratefully received.

      Rgds

      • Rico @IanHK

        @IanHK said in LAN2 Cannot Connect to main LAN:

        LAN2 - Alias for trusted LAN2 workstation IPs to LAN NET for alias of allowed ports.

        LAN2 > LAN access working when you try with Firewall Rule any-any (LAN2)?

        -Rico

        • IanHK

          Hi Rico,

          Thanks for helping.

          If I change the LAN2 rule to completely open any/any/all ports the result is the same - pinging NAS1 identifies the correct IP (192.168.1.8) but shows "destination host unreachable" and opening the web access page just times out.

          Internet continues to work OK - I am typing this from 192.168.2.20

          For this LAN2 > LAN traffic, the rule uses "*" for the Gateway - I assume this is "default" which should mean that pfsense handles it as it manages both 192.168.1.x and 192.168.2.x subnets. But is there any way to force this and/or prevent this outbound from LAN2 going straight to the WAN - which I assume is what's going on somehow as it doesn't seem to be the basic rule structure?

          Regards

          • Rico

            Please show your Interface configuration LAN & LAN2 and Firewall Rules.
            Anything in the Firewall Logs when you try to access NAS1?

            -Rico

            • NogBadTheBad

              @IanHK said in LAN2 Cannot Connect to main LAN:

              Thanks for helping.
              If I change the LAN2 rule to completely open any/any/all ports the result is the same - pinging NAS1 identifies the correct IP (192.168.1.8) but shows "destination host unreachable" and opening the web access page just times out.
              Internet continues to work OK - I am typing this from 192.168.2.20
              For this LAN2 > LAN traffic, the rule uses "*" for the Gateway - I assume this is "default" which should mean that pfsense handles it as it manages both 192.168.1.x and 192.168.2.x subnets. But is there any way to force this and/or prevent this outbound from LAN2 going straight to the WAN - which I assume is what's going on somehow as it doesn't seem to be the basic rule structure?
              Regards

              Double check the subnet masks are correct and default gateways on the end devices.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • IanHK

                LAN is 192.168.1.0 255.255.255.0 DHCP 192.168.1.101 - 199
                LAN2 is 192.168.2.0 255.255.255.0 DHCP 192.168.2.101 - 199

                The workstation IP (192.168.2.20) and target NAS (192.168.1.8) are DHCP Static Mappings.

                Workstation seems to pick up everything correctly:

                DHCP Enabled. . . . . . . . . . . : Yes
                Autoconfiguration Enabled . . . . : Yes
                Link-local IPv6 Address . . . . . : fe80::d493:903e:358e:10%16(Preferred)
                IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
                Subnet Mask . . . . . . . . . . . : 255.0.0.0
                Lease Obtained. . . . . . . . . . : Wednesday, April 3, 2019 3:58:33 PM
                Lease Expires . . . . . . . . . . : Wednesday, April 3, 2019 5:58:32 PM
                Default Gateway . . . . . . . . . : 192.168.2.1
                DHCP Server . . . . . . . . . . . : 192.168.2.1
                DHCPv6 IAID . . . . . . . . . . . : 83896568
                DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5F-AE-27-00-28-F8-0A-93-99
                DNS Servers . . . . . . . . . . . : 192.168.2.1
                NetBIOS over Tcpip. . . . . . . . : Enabled

                LAN2_Rules.JPG

                Note, the "Allow trusted WiFi" rule above was changed to an any/any/all rule without improving the situation. This originally had aliases for the x.x.2.x workstations and permitted ports.

                LAN_Rules.JPG

                Thanks.

                • Rico

                  pfSense Interface configuration.

                  -Rico

                  • IanHK

                    Interfaces:

                    Iface_LAN.JPG

                    Iface_LAN2.JPG

                    • Rico

                      IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
                      Subnet Mask . . . . . . . . . . . : 255.0.0.0

                      Wrong Subnet Mask, change to 255.255.255.0

                      -Rico
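
Why the 255.0.0.0 mask in the posted lease breaks LAN2 > LAN while Internet access keeps working, as an added example that is not part of the original posts: with that mask the workstation treats 192.168.1.8 as on-link and ARPs for it on its own segment instead of sending the packet to 192.168.2.1, so the traffic never reaches pfSense and no firewall rule can help. The function names and the 203.0.113.10 Internet host are assumptions made for the illustration.

```python
import ipaddress
import re

# Lines taken from the `ipconfig /all` output posted in the thread.
IPCONFIG = """\
IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 192.168.2.1
"""

def parse_ipconfig(text):
    """Return {field: value} from 'Name . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)[ .]*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).replace("(Preferred)", "").strip()
    return fields

def next_hop(fields, dest):
    """Mimic the host's choice: ARP for dest directly, or hand it to the gateway."""
    iface = ipaddress.ip_interface(f"{fields['IPv4 Address']}/{fields['Subnet Mask']}")
    if ipaddress.ip_address(dest) in iface.network:
        return ("on-link", dest)
    return ("gateway", fields["Default Gateway"])

def audit(fields, configured_net, peers):
    """Compare the leased mask with the interface's network and list the peers
    the host would ARP for even though they sit behind the router."""
    iface = ipaddress.ip_interface(f"{fields['IPv4 Address']}/{fields['Subnet Mask']}")
    configured = ipaddress.ip_network(configured_net)
    stranded = [p for p in peers
                if next_hop(fields, p)[0] == "on-link"
                and ipaddress.ip_address(p) not in configured]
    return {"mask_ok": iface.network == configured, "stranded": stranded}

if __name__ == "__main__":
    lease = parse_ipconfig(IPCONFIG)
    # 192.168.1.8 (NAS) and 192.168.1.5 (RDP target) are from the thread;
    # 203.0.113.10 is a constructed stand-in for an Internet host.
    peers = ["192.168.1.8", "192.168.1.5", "203.0.113.10"]
    for dest in peers:
        print(dest, next_hop(lease, dest))
    print(audit(lease, "192.168.2.0/24", peers))
    fixed = dict(lease, **{"Subnet Mask": "255.255.255.0"})
    print("192.168.1.8 with /24 mask:", next_hop(fixed, "192.168.1.8"))
```
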

                      • IanHK

                        But where is that being set - the WiFi AP is using pfsense as the DHCP so the settings are coming from pfsense aren't they:

                        LAN2_DHCP.JPG

                        • Rico

                          This happens only for your static mappings or in general?
                          Check for any second DHCP server in your network. You have any Wireless AP in this network? Check for running DHCP server there.

                          -Rico

                          • NogBadTheBad @Rico

                            @Rico said in LAN2 Cannot Connect to main LAN:

                            IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
                            Subnet Mask . . . . . . . . . . . : 255.0.0.0

                            Wrong Subnet Mask, change to 255.255.255.0

                            -Rico

                            ☺

                            DHCP Enabled. . . . . . . . . . . : Yes
                            Autoconfiguration Enabled . . . . : Yes
                            Link-local IPv6 Address . . . . . : fe80::d493:903e:358e:10%16(Preferred)
                            IPv4 Address. . . . . . . . . . . : 192.168.2.20(Preferred)
                            Subnet Mask . . . . . . . . . . . : 255.0.0.0
                            Lease Obtained. . . . . . . . . . : Wednesday, April 3, 2019 3:58:33 PM
                            Lease Expires . . . . . . . . . . : Wednesday, April 3, 2019 5:58:32 PM
                            Default Gateway . . . . . . . . . : 192.168.2.1
                            DHCP Server . . . . . . . . . . . : 192.168.2.1
                            DHCPv6 IAID . . . . . . . . . . . : 83896568
                            DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5F-AE-27-00-28-F8-0A-93-99
                            DNS Servers . . . . . . . . . . . : 192.168.2.1
                            NetBIOS over Tcpip. . . . . . . . : Enabled

                            Could be you've changed the subnet mask on the DHCP server / pfSense and the lease on the client hasn't expired.

                            Andy

                            • IanHK

                              There will be a short delay!

                              Tried to reboot after resaving to get a clean slate, and completely lost all internet connectivity.

                              Really appreciate the help and will revert if/when I get off this 3G phone link.

                              • IanHK

                                Well, that's a few hours of my life I won't get back!

                                Tried absolutely everything I could think of with my Asus Access Point and eventually did a factory reset to get back to a known start point.

                                1. I gave up trying to get LAN2 to work, and just set the AP to automatically get the DHCP settings from pfSense. Plugged it back in and was back at the same status as this morning - everything talking to everything but no way to isolate some wifi users from the main network.
                                • The auto settings gave my wifi connected PC this setup - note the subnet mask that is driven entirely by pfSense on LAN interface: 255.255.255.0

                                LAN_DHCP.JPG

                                Because everything is driven by pfSense, just for giggles I moved the AP from LAN to LAN2 - and look what happened to the subnet mask - it goes back to the troublesome 255.0.0.0 !!!

                                LAN2_DHCP.JPG

                                As this is seen as the reason my LAN2>LAN access is not working as it should, can anybody help to explain where/how in pfSense the subnet mask is modified for LAN2 compared to LAN when both are set the same?

                                pfSense 2.4.4 release-P1

                                Thanks

                                • IanHK

                                  I modified the LAN2 DHCP settings to 192.168.2.1 /25 and restarted the DHCP service.

                                  The new lease has got the same 255.0.0.0 issue as before:

                                  LAN2_NEW_DHCP.JPG

                                  Bizarre !

                                  • NogBadTheBad

                                    Remove the AP from LAN2 and plug the laptop in directly, what do you get then ?

                                    Andy

                                    • IanHK

                                      I checked for a device getting a DHCP address, rather than static mappings - and it's the same - LAN2 DHCP gives a 255.0.0.0 subnet mask but simply plugging the cable from LAN2 back to LAN the assignments are normal - i.e. 255.255.255.0

                                      There doesn't seem to be anywhere in pfSense where this could be going wrong - the DHCP settings pick up the correct range of possible IPs based on the interface settings so it appears to have the correct picture of what LAN2 looks like.

                                      Other than deleting the LAN2 interface completely and re-creating it, does anybody have any other suggestions ?

                                      Thanks

                                      • IanHK

                                        Hi NogBTB,

                                        Smart thought - bizarre result!

                                        I cable connected my PC directly to the LAN2 interface and it gives me:

                                        • a LAN address of 192.168.1.20 NOT the expected LAN2 address of 192.168.2.20

                                        • Subnet mask 255.255.255.0

                                        I originally had the static mappings on the LAN DHCP, and duplicated them to LAN2 (changing x.x.1.x to x.x.2.x) so these devices (MACs) are defined in static mappings on both LAN and LAN2.

                                        I am guessing this is the root cause, and in a steady state I could remove them from LAN once LAN2 is actually working, but should a PC connected to LAN2 be served a LAN IP and/or is there a way to stop it happening while keeping the fallback mappings on the LAN DHCP ?

                                        Thanks

                                        • NogBadTheBad

                                          Post a copy of the following:-

                                          1. An ipconfig /all when directly connected to LAN2

                                          2. An arp -a when directly connected to LAN2

                                          3. Status-> Interfaces LAN & LAN2.

                                          Andy

                                          • IanHK

                                            Will do, thanks. Just need a moment to let things settle....
