Routing between OPT and LAN subnets on SG1100
I am new to pfsense and I'm trying to get the SG-1100 routing traffic between the LAN and OPT networks.
At this time, I have completed the setup wizard with mostly default settings and the LAN network is working perfectly running on 172.16.1.0/24 and providing DHCP.
I then enabled the OPT interface and assigned it to 172.16.2.1/24 and set up DHCP along with a wide open firewall rule allowing any protocol to leave that network on any port.
Both networks are working independently and allowing hosts to reach the internet.
As expected, a host on 172.16.2.0/24 (OPT net) cannot reach a host on 172.16.1.0/24 (LAN net) and vice versa. This is what I would like to change. 172.16.2.2 is a managed switch that I would like to be able to access from the 172.16.1.0/24 network for administration purposes.
I have tried entering firewall rules that allow all protocols on all ports from the LAN net to the OPT net on both interfaces and from the OPT net to the LAN net on both interfaces.
I can ping the 172.16.2.1 (OPT) interface on the sg1100 from a host on the 172.16.1.0/24 network.
I can ping the managed switch on 172.16.2.2 from the 'ping' diagnostic page in the web interface, as long as I send the ping from the 172.16.2.1 (OPT) interface.
I cannot ping the 172.16.2.2 switch from a host on the 172.16.1.0/24 network.
I cannot ping the 172.16.2.2 switch from the LAN interface in the 'ping' diagnostic page in the web interface.
What am I doing wrong?
You sure shouldn't have to reboot... Firewall rules on the devices come to mind; no gateway or the wrong gateway on the devices, say your switch, comes to mind.
If a device on LAN can ping the pfSense OPT IP, then it points to something blocking on the OPT network: device firewall, device with the wrong gateway. Something in between? You mention downstream switch(es)?
If the pfSense LAN and OPT rules allow traffic, then the devices would be able to talk to each other normally. Post up your rules on LAN and OPT for a sanity check.
You sure shouldn't have to reboot..
I agree but I have run into this before myself a couple times. A quick reboot seemed to kick something loose in my case. Most cases though it just works.
itzhak: remember that a Windows machine assumes any IP address outside its own subnet is public and will treat it as though..
Thanks for the suggestions!
I tried rebooting - Issue persists.
Also re: 'This is not "expected".. Have you rebooted?' - Why is it not expected? Does pfsense automatically route between subnets?
@johnpoz at this time there aren't any firewalls configured on the hosts. All of the hosts are receiving their gateway settings from DHCP. The downstream switch is what I am trying to reach, so I can configure it. It's set to 172.16.2.2 and the OPT interface is set to 172.16.2.1
I am posting some screen shots for clarity.
A few other things:
@chpalmer - no windows in this setup - just the SG1100, a Cisco switch and my Mac.
Here is a screen shot where I can ping the 172.16.2.1 OPT interface from my Mac on the 172.16.1.0/24 network.
Why is it not expected? Does pfsense automatically route between subnets?
Yes. Routing happens automatically.
Regarding your rules.. Making a rule with OPT as the source on your LAN rule is backwards. Your rule would (if not already allowed by the allow-all rule above it) be source: LAN Net, destination: OPT.
But as I mention.. Your LAN "allow all" rule already allows the traffic.
Same is true for your "Opt" rules. "Opt net" is the source. "LAN net" is the destination.
So when you say downstream, I think of an L3 switch doing routing... This is just an L2 switch on your network with an IP on the SVI for whatever VLAN you're trying to talk to it on.
Did you set up a gateway on this SVI/switch? Do you have routing on the L2 switch to allow what you're doing, if you're coming from different networks?
If this is the same switch and you have 2 SVIs on it, 192.168.1.2 and 192.168.2.2? If your source is on the 192.168.2 then sure it can answer.. But if you ping its 2.2 address from 1.1, how would it answer.. If it also has an SVI on the LAN network it would try to answer there - but that is asymmetrical, and yeah, going to be problematic.
Your switch should only have a single SVI, in the network you want to manage it on, unless it's going to be doing L3 routing.. If that is your OPT network, then ok, its gateway should be 192.168.2.1, your OPT interface on pfSense. And if you ping it from another network, it will know how to answer you by sending the answer back to pfSense.
I don't think you called out what specific Cisco you have.. But here, for example, is the default route.. So I can talk to this switch from any network where my firewall rules allow it, and it can answer back.
It only has the 1 IP; I have no other SVIs set up on it because it's not doing L3 currently.. Only L2..
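The reply-path argument in the two posts above (a single SVI plus a default gateway pointing at pfSense answers cleanly; a second SVI on the LAN subnet answers directly and makes the path asymmetric; no gateway at all means no reply) can be checked with a small longest-prefix-match model of the switch's routing table. This is an added example written for this thread, not configuration or code from pfSense, Netgate or Cisco. The SVI names (vlan1, vlan2) and the host address 172.16.1.50 are constructed; the subnets and the 172.16.2.1 / 172.16.2.2 addresses are the ones the original poster described.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Svi:
    """A switch virtual interface: interface name plus its address in CIDR form."""
    name: str
    address: str  # e.g. "172.16.2.2/24" (constructed from the thread's plan)


def lookup(routes, dst):
    """Longest-prefix match over routes given as (network, egress_iface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def routing_table(svis, default_gateway=None):
    """Connected route for every SVI, plus an optional 0.0.0.0/0 via the gateway.

    An L2 switch with management SVIs behaves like a host: it knows its own
    connected subnets and, at most, one default gateway.
    """
    routes = []
    for svi in svis:
        iface = ipaddress.ip_interface(svi.address)
        routes.append((iface.network, svi.name, None))  # connected, no next hop
    if default_gateway is not None:
        gw = ipaddress.ip_address(default_gateway)
        hit = lookup(routes, gw)
        if hit is None:
            raise ValueError(f"default gateway {gw} is not on any connected subnet")
        routes.append((ipaddress.ip_network("0.0.0.0/0"), hit[1], gw))
    return routes


def reply_path(svis, default_gateway, request_src, ingress_svi):
    """Decide how the switch replies to a request that arrived on ingress_svi.

    Returns the egress SVI, the next hop ("direct" for an on-link reply) and
    whether the reply leaves the same SVI the request came in on. A reply that
    leaves a different SVI than the request entered is the asymmetric case
    described in the thread; None as egress means the switch has no route back.
    """
    hit = lookup(routing_table(svis, default_gateway), request_src)
    if hit is None:
        return {"egress": None, "next_hop": None, "symmetric": False}
    _net, iface, next_hop = hit
    return {
        "egress": iface,
        "next_hop": "direct" if next_hop is None else str(next_hop),
        "symmetric": iface == ingress_svi,
    }


if __name__ == "__main__":
    lan_host = "172.16.1.50"  # constructed: a Mac on the LAN subnet pinging the switch

    # Recommended layout: one SVI on OPT, gateway = pfSense OPT address.
    print(reply_path([Svi("vlan2", "172.16.2.2/24")], "172.16.2.1", lan_host, "vlan2"))

    # Two SVIs: the connected LAN route wins over the default route, so the
    # reply bypasses pfSense while the request went through it.
    two_svis = [Svi("vlan1", "172.16.1.2/24"), Svi("vlan2", "172.16.2.2/24")]
    print(reply_path(two_svis, "172.16.2.1", lan_host, "vlan2"))

    # Single SVI but no default gateway configured: the echo request arrives,
    # the switch has nowhere to send the reply.
    print(reply_path([Svi("vlan2", "172.16.2.2/24")], None, lan_host, "vlan2"))
```

The model ignores ARP and the firewall itself; it only answers the question johnpoz raises, which SVI the reply leaves and through which next hop, which is enough to see why the one-SVI-plus-gateway layout works with pfSense rules alone and the two-SVI layout does not.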