Multi LAN routing help

Mac101

Hi All,
I am having some issues setting up multi LAN with routing between the LAN's.
One LAN is on 192.168.1.0/24 (LAN) and the other on 192.168.10.0/24.(OPT1) both have interfaces in their respective subnets ending in 254. I also have a WAN interface on 192.168.100.254. I can ping using the built in diagnostics from the LAN to a device connected to OPT1 but not from OPT1 to device connected to LAN. From OPT1 I can ping the Lan gateway (192.168.1.254) and from LAN I can ping the Lan device.
Initially I thought it might be a firewall issue but when the firewall is disabled it makes no difference. I have the "block Private Networks" unticked on all interfaces

Any help would be greatly appreciated
Thanks
Darren

viragomann

@Mac101 said in Multi LAN routing help:

but when the firewall is disabled it makes no difference

Which firewall? pfSense or that one on the destination device?

Mac101

the PfSense firewall

kiokoman

the default rules for LAN is to permit traffic to any destination
the default rules for OPTx is to deny

show us with a screenshot what rules do you have on that interface
and Diagnostic -> routes

Mac101

advancef firewall.jpg firewall rules.jpg

kiokoman

ah noticed only now sorry, pfsense is a VM
how did you pass the network card to the vm and why 3 ip?

Mac101

The hardware platform has 6 nic's with bridges created on each of the 3 nic'c being used for the VMs. The intention is to have 1 network for VOIP, 1 for local lan and the 3rd for internet.
I have used the 192.168.100.0/24 subnet in this lab environment to sort out any bugs before I change it over to PPOE and plug into my modem.

kiokoman

i understand, it could be that you created an asymmetric routing somewhere.
here it's too late and i'm too tired to think of anything, maybe try some traceroute -i br0/br1/br2 and you could ask for the help of @Derelict or some other expert in the field if you post the routing table

johnpoz

Your lan rule is tcp only - that is going to be a problem for any dns, etc.

You have a upstream router from your pfsense VM that is not just default route out in a double nat role? What VM platform are you on, how is everything connected both logically and physically.. You mention bridges - which is almost never a good thing.

I take it that network is just not transit - are there hosts on this network between pfsense and this other router - yeah that ill scream asymmetrical.

BTW - your diagram is bit small and light texting, maybe its the beers and now wine I am drinking but its a bit hard to make out.

Mac101

I have fixed up the protocol issue on the LAN interface, thanks for spotting that one.
I'm not familiar with asymmetric routing, but assume that it is when the paths to and from a device are different. I honestly don't think that this is the case here, as the connected machines, physical and virtual, have the correct default gateway set. (ie 192.168.1.254 for lan and 192.168.10.254 for opt1). I have carried out traceroutes in both directions.
Lan to Opt1:-

192.168.1.254
192.168.10.1

Opt1 to Lan:-

192.168.10.254
************** timed out

I can ping from Opt1 to 192.168.1.254 but nothing else connected in that subnet
I can ping from Lan to any device inside either network.

I am using KVM on Debian 10 as the virtualisation platform.
Considering that I am only having issues in the traffic in one direction, I still believe it to be a config issue with Pfsense

kiokoman

idk.. i'm using KVM myself on my ubuntu server at work but without the bridge part, you have already disabled pf and if it's not a routing problem i don't see how it could be a pfsense problem.
can you check with this if the bridge is working ?
https://superuser.com/questions/1211852/why-linux-bridge-doesnt-work

johnpoz

@Mac101 said in Multi LAN routing help:

but nothing else connected in that subnet

And you sure those dest not running their own host firewall.

If they are windows for example - they not going to answer ping from outside there own network. Just sniff on pfsense, when you ping - do you see it sending out the ping..

Mac101

Thanks guys, this will give me a couple of new tools and approaches to diagnose where the issue is.

Mac101

Thanks, the stupid windows firewall was causing issues, or should I say stupid me for not checking that first. I can now ping and trace route in both directions however if I try to browse to the web page on 192.168.10.55 from the lan, the page does not load.

Mac101

Looks like another software firewall issue. The web page I was trying to access (FreePBX) must have som ebuilt in firewall preventing access outside of its subnet. I plugged in a cisco handset and can browse to the web interface on 192.168.10.56 from the lan without any issues.
Thanks again for your help in steering me in the right direction, I really appreciate it and I am learning heaps

johnpoz

looks like it does
https://wiki.freepbx.org/display/FPG/Firewall

Did you enable that module?