How to allow a host in one LAN to access a host in another LAN? urgent!!!!



  • I have a problem allowing a host in one LAN to access a host in another LAN. The gateway is pfSense. There are two LANs: LAN: 10.0.10.0/24; OPT2: 10.0.20.0/24. I have set the firewall according to: http://forum.pfsense.org/index.php/topic,15856.0.html.

    1. At LAN: allow LAN net to OPT2 net.
    2. At OPT2: allow OPT2 net to LAN net.

    No other rules or NAT about it.

    Now my problem is I can ping a computer from LAN to OPT2, but cannot ping from OPT2 to LAN. The only difference is that the LAN interface is LAN's gateway, while the OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

    Thanks for any help..



  • These are the routing tables:

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            ***-***-***-***.in UGS        0    83239  fxp2
    10.0.20.0          link#3            UC          0        4  fxp1
    10.0.20.1          00:16:46:e8:c0:9e  UHLW        1      60  fxp1    517
    10.0.20.103        00:0b:97:db:82:7c  UHLW        1      56  fxp1    844
    10.0.10.0          link#2            UC          0        7  fxp0
    10.0.10.1          00:09:3d:13:7f:7b  UHLW        1  1844903  fxp0  1100
    10.0.10.5          00:15:e9:bd:e8:ac  UHLW        1        0  fxp0  1174
    10.0.10.88          00:03:81:ef:48:8b  UHLW        1      10  fxp0    748
    10.0.10.91          00:0f:ea:6d:ea:63  UHLW        1  124739  fxp0  1152
    10.0.10.231        00:1e:90:8a:ce:66  UHLW        1    69115  fxp0  1163
    10.0.10.246        00:1e:90:81:65:d3  UHLW        1  312514  fxp0  1194
    10.0.10.252        00:1e:90:8a:fb:b5  UHLW        1  111334  fxp0  1147
    10.0.100.0/26      10.0.100.2        UGS        0    28354  tun0
    10.0.100.2        10.0.100.1        UH          1        0  tun0
    localhost          localhost          UH          0        0    lo0
    192.168.1.0        link#5            UC          0        2  fxp3
    192.168.1.1        00:11:25:aa:02:9e  UHLW        1    84844  fxp3  1134
    192.168.30.0      link#1            UC          0        0    rl0
    192.168.30.1      00:04:5a:2f:87:ff  UHLW        2      50    rl0    619
    calsl05.terago.ca  192.168.30.1      UGHS        0  381753    rl0
    ***-***-***-***/28 link#4            UC          0        0  fxp2
    ***-***-***-***.in 00:d0:05:11:dc:0a  UHLW        3    6575  fxp2    669
    gw                00:02:b3:9c:d7:23  UHLW        1    14646    lo0
    ns1.uniserve.com  ***-***-***-***.in UGHS        0  1239662  fxp2

    --------------------------------------------------------------------------
    For example:
    at 10.0.20.99, I can ping 10.0.10.103,
    but at 10.0.10.103, I cannot ping 10.0.20.99.



  • @caigeliu:

    OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

    Then you need to add a static route on the client machines so they can access the LAN subnet via pfSense. Otherwise the traffic will hit whatever box is their default gateway, which won't know where to route it.


  • Rebel Alliance Developer Netgate

    @ktims:

    @caigeliu:

    OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

    Then you need to add a static route on the client machines so they can access the LAN subnet via pfSense. Otherwise the traffic will hit whatever box is their default gateway, which won't know where to route it.

    Or set a route in whatever is opt2's gateway to point traffic bound for the LAN subnet to the pfSense box's OPT2 IP address.



  • Thanks jimp and ktims. But no luck.
    For example, I want to ping from 10.0.10.103 to 10.0.20.99. The pfSense has IP 10.0.10.254 (gateway IP is 10.0.10.1) and 10.0.20.254 (gateway IP is 10.0.20.254).

    At 10.0.10.103:
    route add 10.0.20.99 mask 255.255.255.255 10.0.10.254
    But ping is not working.

    I guess I may have missed some settings in LAN and OPT2 or NAT.

    Thanks for any help and suggestions.



  • Simple check here only:

    Can you ping them from their local network? I have been caught like this before, trying to ping, only to find a firewall was preventing replies.

    Not an answer for you - sorry

    Mick



  • Thanks znelbok,
    What I did:
    At 10.0.10.103, I ping 10.0.20.99.
    The packet should go this way:

    10.0.10.103  ===>  OPT1 (GW 10.0.10.254)  ===> LAN (10.0.20.254) ===> 10.0.20.99

    I monitor at OPT1:
    2009-04-30 12:12:57.544251 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 2, length 64

    I monitor at LAN:
    2009-04-30 12:12:56.541444 arp who-has 10.0.20.99 tell (WAN IP)
    2009-04-30 12:12:56.541955 arp reply 10.0.20.99 is-at 00:03:4f:02:0e:36 (oui Unknown)
    2009-04-30 12:12:56.541964 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 1, length 64

    Always unidirectional packets from 10.0.10.103 > 10.0.20.99, no reply packets from 10.0.20.99 > 10.0.10.103.

    Any suggestions? Should I set NAT and how?



  • It's been solved.

    The LAN host only allows ping locally. OPT2 can ping remotely. That is why I can only ping from LAN to OPT2, not from OPT2 to LAN.

    Solution: NAT => Outbound => Manual, add a new rule:

    Interface: LAN
    Source: OPT2
    Destination: LAN
    NAT address: Interface address

    Then it's working. Thanks all of you for kind suggestions.
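The thread's diagnosis is an asymmetric-routing problem: pfSense sits between the two subnets but is not the default gateway on either side, so a static route (the ktims/jimp advice) carries the request through pfSense while the reply takes the host's own default route, or is dropped by a host firewall that only answers its local subnet. The following is an added example, not pfSense code and not from any poster: a small Python model that walks the request and the reply hop by hop over constructed routing tables built from the thread's addresses, with and without the outbound NAT rule from the final post. The upstream hop 203.0.113.1 (a TEST-NET address) and the exact routing tables of the real gateways 10.0.10.1 and 10.0.20.1 are assumptions.

```python
"""Toy model of the asymmetric-routing problem in the thread (constructed example).

Addresses come from the thread; the upstream hop 203.0.113.1 and the routing
tables of the two real gateways (10.0.10.1, 10.0.20.1) are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    addrs: frozenset                 # IPs this node owns
    routes: list                     # [(network, gateway)]; gateway None = directly connected
    reply_local_only: bool = False   # host firewall answers only its directly connected subnets


def next_hop(node, dst):
    """Longest-prefix match; returns the next-hop IP, or None if there is no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in node.routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return str(dst) if best[1] is None else best[1]   # on-link: deliver to dst itself


def is_local(node, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(net) for net, gw in node.routes if gw is None)


def owner_of(nodes, ip):
    return next((n.name for n in nodes.values() if ip in n.addrs), None)


def trace(nodes, start, dst, max_hops=8):
    """Walk a packet hop by hop; the path ends in a 'DROP ...' entry if it leaves the model."""
    path, node = [start], nodes[start]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path
        nh = next_hop(node, dst)
        if nh is None:
            return path + ["DROP (no route)"]
        hop = owner_of(nodes, nh)
        if hop is None:
            return path + [f"DROP (next hop {nh} not in this network)"]
        path.append(hop)
        node = nodes[hop]
    return path + ["DROP (hop limit)"]


def ping(nodes, src, dst_ip, snat=None):
    """Return (request_path, reply_path). snat=(router, ip) means that router
    rewrites the source address to ip when forwarding the request (outbound NAT)."""
    src_ip = next(iter(nodes[src].addrs))
    request = trace(nodes, src, dst_ip)
    if request[-1].startswith("DROP"):
        return request, []
    replier = nodes[request[-1]]
    reply_to = snat[1] if snat and snat[0] in request else src_ip
    if replier.reply_local_only and not is_local(replier, reply_to):
        return request, [replier.name, "DROP (host firewall: non-local source)"]
    reply = trace(nodes, replier.name, reply_to)
    if snat and reply[-1] == snat[0]:          # NAT router un-translates and forwards on
        reply += trace(nodes, snat[0], src_ip)[1:]
    return request, reply


def build(lan_host_local_only=True):
    """LAN 10.0.10.0/24 and OPT2 10.0.20.0/24 as in the thread: pfSense is .254 on
    both, but the hosts' default gateways are 10.0.10.1 and 10.0.20.1 (assumed)."""
    isp = "203.0.113.1"   # assumed upstream hop, deliberately not modelled as a node
    nodes = [
        Node("A", frozenset({"10.0.10.103"}),
             [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")], lan_host_local_only),
        Node("lan_gw", frozenset({"10.0.10.1"}),
             [("10.0.10.0/24", None), ("0.0.0.0/0", isp)]),
        Node("pfsense", frozenset({"10.0.10.254", "10.0.20.254"}),
             [("10.0.10.0/24", None), ("10.0.20.0/24", None), ("0.0.0.0/0", isp)]),
        Node("opt2_gw", frozenset({"10.0.20.1"}),
             [("10.0.20.0/24", None), ("0.0.0.0/0", isp)]),
        # B carries the static route towards pfSense that ktims/jimp suggested
        Node("B", frozenset({"10.0.20.99"}),
             [("10.0.20.0/24", None), ("10.0.10.0/24", "10.0.20.254"), ("0.0.0.0/0", "10.0.20.1")]),
    ]
    return {n.name: n for n in nodes}


def delivered(src, paths):
    """True when the reply path ends back at the original sender."""
    request, reply = paths
    return bool(reply) and reply[-1] == src


if __name__ == "__main__":
    for label, nodes, snat in [
        ("static route only, LAN host answers local only", build(True), None),
        ("static route only, LAN host answers anyone", build(False), None),
        ("outbound NAT on LAN interface", build(True), ("pfsense", "10.0.10.254")),
    ]:
        paths = ping(nodes, "B", "10.0.10.103", snat)
        print(f"{label}: request {paths[0]} reply {paths[1]} -> "
              f"{'OK' if delivered('B', paths) else 'FAIL'}")
```

Without NAT the request reaches A through pfSense but the reply either dies at A's host firewall or leaves via 10.0.10.1, so pfSense's state table never sees it. Translating the source to pfSense's LAN address makes the reply destination on-link for A, so it returns through pfSense regardless of A's default gateway. The cost is that A's logs now show 10.0.10.254 rather than the real OPT2 host; a route on the real gateway, as jimp suggested, keeps the original addresses visible.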

