Netgate Discussion Forum

How to allow a host in one LAN to access a host in another LAN? urgent!!!!

    8 Posts 4 Posters 4.9k Views
caigeliu

I have a problem allowing a host in one LAN to access a host in another LAN. The gateway is pfSense. There are two LANs: LAN: 10.0.10.0/24; OPT2: 10.0.20.0/24. I have set the firewall according to: http://forum.pfsense.org/index.php/topic,15856.0.html.

1. At LAN: allow LAN net to OPT2 net.
2. At OPT2: allow OPT2 net to LAN net.
  No other rules or NAT about it.

Now my problem is that I can ping a computer from LAN to OPT2, but cannot ping from OPT2 to LAN. The only difference is that the LAN interface is LAN's gateway, while the OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

      Thanks for any help..

caigeliu

This is the routing table:

        Routing tables

        Internet:
        Destination        Gateway            Flags    Refs      Use  Netif Expire
        default            ---.in UGS        0    83239  fxp2
        10.0.20.0          link#3            UC          0        4  fxp1
        10.0.20.1          00:16:46:e8:c0:9e  UHLW        1      60  fxp1    517
        10.0.20.103        00:0b:97:db:82:7c  UHLW        1      56  fxp1    844
        10.0.10.0          link#2            UC          0        7  fxp0
        10.0.10.1          00:09:3d:13:7f:7b  UHLW        1  1844903  fxp0  1100
        10.0.10.5          00:15:e9:bd:e8:ac  UHLW        1        0  fxp0  1174
        10.0.10.88          00:03:81:ef:48:8b  UHLW        1      10  fxp0    748
        10.0.10.91          00:0f:ea:6d:ea:63  UHLW        1  124739  fxp0  1152
        10.0.10.231        00:1e:90:8a:ce:66  UHLW        1    69115  fxp0  1163
        10.0.10.246        00:1e:90:81:65:d3  UHLW        1  312514  fxp0  1194
        10.0.10.252        00:1e:90:8a:fb:b5  UHLW        1  111334  fxp0  1147
        10.0.100.0/26      10.0.100.2        UGS        0    28354  tun0
        10.0.100.2        10.0.100.1        UH          1        0  tun0
        localhost          localhost          UH          0        0    lo0
        192.168.1.0        link#5            UC          0        2  fxp3
        192.168.1.1        00:11:25:aa:02:9e  UHLW        1    84844  fxp3  1134
        192.168.30.0      link#1            UC          0        0    rl0
        192.168.30.1      00:04:5a:2f:87:ff  UHLW        2      50    rl0    619
        calsl05.terago.ca  192.168.30.1      UGHS        0  381753    rl0
        ---/28 link#4            UC          0        0  fxp2
        ---.in 00:d0:05:11:dc:0a  UHLW        3    6575  fxp2    669
        gw                00:02:b3:9c:d7:23  UHLW        1    14646    lo0
        ns1.uniserve.com  ---.in UGHS        0  1239662  fxp2

--------------------------------------------------------------------------
For example:
At 10.0.20.99, I can ping 10.0.10.103.
But at 10.0.10.103, I cannot ping 10.0.20.99.

ktims

          @caigeliu:

OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

          Then you need to add a static route on the client machines so they can access the LAN subnet via pfSense. Otherwise the traffic will hit whatever box is their default gateway, which won't know where to route it.

jimp (Rebel Alliance Developer, Netgate)

            @ktims:

            @caigeliu:

OPT2 interface is not OPT2's gateway. Is there anything I missed? What should I do?

            Then you need to add a static route on the client machines so they can access the LAN subnet via pfSense. Otherwise the traffic will hit whatever box is their default gateway, which won't know where to route it.

Or set a route in whatever is OPT2's gateway to point traffic bound for the LAN subnet to the pfSense box's OPT2 IP address.

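As an added illustration of the point ktims and jimp make (this is not code from the thread), the script below simulates each host's routing table in Python and checks whether both the 10.0.10.103 -> 10.0.20.99 request and the reply leave their host towards pfSense. The per-host tables and the OPT2 default gateway 10.0.20.1 are assumptions; the pfSense addresses and the LAN gateway come from the thread.

```python
import ipaddress

# Addresses from the thread: pfSense is 10.0.10.254 on LAN and 10.0.20.254
# on OPT2; the LAN default gateway is 10.0.10.1. The OPT2 default gateway
# 10.0.20.1 is an assumption (the thread only says it is not pfSense).
PFSENSE_IPS = {"10.0.10.254", "10.0.20.254"}

# Constructed per-host routing tables: (prefix, next hop or None for on-link).
HOST_ROUTES = {
    "10.0.10.103": [("0.0.0.0/0", "10.0.10.1"), ("10.0.10.0/24", None),
                    ("10.0.20.99/32", "10.0.10.254")],   # route the poster added
    "10.0.20.99":  [("0.0.0.0/0", "10.0.20.1"), ("10.0.20.0/24", None)],
}

def next_hop(routes, dst):
    """Longest-prefix match over a host's table; None means directly on-link."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def path_is_symmetric(tables, a, b):
    """True only if the a->b request and the b->a reply both leave their host
    towards pfSense. Otherwise the reply is handed to a different gateway and
    never comes back through pfSense, which is what ktims describes."""
    fwd = next_hop(tables[a], b)
    rev = next_hop(tables[b], a)
    return fwd in PFSENSE_IPS and rev in PFSENSE_IPS

def add_static_route(tables, host, subnet, via):
    """The fix ktims and jimp suggest: teach the remote host to reach LAN via pfSense."""
    fixed = {h: list(r) for h, r in tables.items()}
    fixed[host].append((subnet, via))
    return fixed

if __name__ == "__main__":
    print("before:", path_is_symmetric(HOST_ROUTES, "10.0.10.103", "10.0.20.99"))
    fixed = add_static_route(HOST_ROUTES, "10.0.20.99", "10.0.10.0/24", "10.0.20.254")
    print("after: ", path_is_symmetric(fixed, "10.0.10.103", "10.0.20.99"))
```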
caigeliu

Thanks jimp and ktims. But no luck.
For example, I want to ping from 10.0.10.103 to 10.0.20.99. The pfSense has IP 10.0.10.254 (gateway IP is 10.0.10.1) and 10.0.20.254 (gateway IP is 10.0.20.254).

At 10.0.10.103, I added:
add route 10.0.20.99 mask 255.255.255.255 10.0.10.254
But ping is still not working.

I guess I may have missed some settings in LAN, OPT2 or NAT.

              Thanks for any help and suggestions.

znelbok

Simple check here only:

Can you ping them from their local network? I have been caught like this before, trying to ping, only to find a firewall was preventing replies.

Not an answer for you - sorry.

                Mick

caigeliu

Thanks znelbok.
What I did:
At 10.0.10.103, I ping 10.0.20.99.
The packet should go this way:

                  10.0.10.103  ===>  OPT1 (GW 10.0.10.254)  ===> LAN (10.0.20.254) ===> 10.0.20.99

                  I monitor at OPT1:
                  2009-04-30 12:12:57.544251 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 2, length 64

                  I monitor at LAN:
                  2009-04-30 12:12:56.541444 arp who-has 10.0.20.99 tell (WAN IP)
                  2009-04-30 12:12:56.541955 arp reply 10.0.20.99 is-at 00:03:4f:02:0e:36 (oui Unknown)
                  2009-04-30 12:12:56.541964 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 1, length 64

Always one-way packets from 10.0.10.103 > 10.0.20.99, no reply packets from 10.0.20.99 > 10.0.10.103.

                  Any suggestions? Should I set NAT and how?

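To spot the one-way pattern in a capture like the one above without reading it by eye, here is an added Python helper (not from the thread) that pairs tcpdump ICMP echo requests with their replies by id and sequence number and reports the requests that never got one. The capture lines are the poster's LAN-side lines, plus one constructed healthy request/reply pair for comparison.

```python
import re

# Matches the ICMP part of tcpdump's default text output; ARP and other
# lines simply do not match and are skipped.
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def unanswered_echo_requests(capture_lines):
    """Pair echo requests with replies keyed by (requester, target, id, seq).
    Returns the requests that had no matching reply in this capture,
    in the order they were seen."""
    pending = {}
    for line in capture_lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        src, dst, kind = m["src"], m["dst"], m["kind"]
        ident, seq = int(m["id"]), int(m["seq"])
        if kind == "request":
            pending[(src, dst, ident, seq)] = line
        else:
            # A reply's src/dst are the request's dst/src.
            pending.pop((dst, src, ident, seq), None)
    return list(pending)

# The poster's LAN-side capture (ARP lines kept to show they are ignored).
LAN_CAPTURE = """\
2009-04-30 12:12:56.541444 arp who-has 10.0.20.99 tell (WAN IP)
2009-04-30 12:12:56.541955 arp reply 10.0.20.99 is-at 00:03:4f:02:0e:36 (oui Unknown)
2009-04-30 12:12:56.541964 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 1, length 64
2009-04-30 12:12:57.544251 IP 10.0.10.103 > 10.0.20.99: ICMP echo request, id 24078, seq 2, length 64
""".splitlines()

# Constructed healthy exchange: one request answered by one reply.
HEALTHY_CAPTURE = """\
2009-04-30 12:20:00.000100 IP 10.0.20.99 > 10.0.10.103: ICMP echo request, id 501, seq 1, length 64
2009-04-30 12:20:00.000700 IP 10.0.10.103 > 10.0.20.99: ICMP echo reply, id 501, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("LAN capture", LAN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        lost = unanswered_echo_requests(cap)
        print(f"{name}: {len(lost)} unanswered echo request(s) {lost}")
```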
caigeliu

                    It's been solved.

The LAN host only allows ping locally; OPT2 can ping remotely. That is why I can only ping from LAN to OPT2, not from OPT2 to LAN.

                    Solution: NAT => Outbound => Manual, add a new rule:

Interface: LAN
                    Source: OPT2
                    Destination: LAN
                    NAT address: Interface address

Then it's working. Thanks to all of you for your kind suggestions.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.