• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Cannot access all ip's accross different subnets

Scheduled Pinned Locked Moved General pfSense Questions
12 Posts 3 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    mbc0
    last edited by mbc0 Mar 29, 2020, 12:30 PM Mar 29, 2020, 12:28 PM

    Hi,

    I have pfsense running as a VM on an unraid server

    I have a 4 port nic with the following interfaces.

    6598b75c-4073-4a9b-b288-165bb285adff-image.png
    I can ping anything from LAN to UniFi and vica versa but am not able to access some addresses on LAN2

    For example if I ping 192.168.2.55 from a VM on LAN2 I get a response and can access the device but if I repeat from LAN or UniFi I cannot reach it.

    But if I ping another device 192.168.2.57 from LAN or UniFi I can reach it without issue.

    I have several devices I can reach and several I cannot

    As far as I can tell my rules are correct so can anyone please help as to why this is happening?

    Thank you

    d53acb2e-f7d6-496e-81dc-133124ff7ede-image.png
    eda8d224-d41b-4e1d-82cf-03293a97cfd6-image.png
    44949208-53f9-4c6d-b60f-51fef5aaadc7-image.png
    61bd2ddd-e05b-4047-990b-aee974dd8330-image.png
    38c4f8d4-9897-44d6-8e14-292f4dbfe6bc-image.png
    d24e6691-1865-4fc7-a9f9-0454d5a81e2e-image.png

    1 Reply Last reply Reply Quote 0
    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Mar 29, 2020, 1:29 PM

      What device/OS is 192.168.2.55?
      The Windows Firewall is blocking any incoming connection outside the local/known subnet.

      -Rico

      1 Reply Last reply Reply Quote 0
      • M
        mbc0
        last edited by Mar 29, 2020, 1:49 PM

        Hi,

        Many thanks for your reply, I should have mentioned I already disabled the windows firewall

        ad41fd12-29e5-4f93-a70d-6618aa94e17e-image.png

        22538361-bece-4168-8a88-d09bb186edad-image.png

        537bd808-ae20-4273-a2b0-a15d2737682c-image.png

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Mar 29, 2020, 2:34 PM

          Dude no shit you can ping from same network... This has nothing to do with pfsense, and most firewalls allow pinging from same network.

          Here is the thing.. If you can ping some devices in this network, from lan.. Then its the device firewall or security software. or its using the wrong gateway, or has a bad mask?

          So you want to ping device connected to different interface from lan... Ok sniff on pfsense interface in this other network, say your lan 2 interface while you ping from device in lan..

          Do you see pfsense send the ping.. If so then NOT pfsense!!

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • M
            mbc0
            last edited by Mar 29, 2020, 3:22 PM

            Obviously I can ping from the same network, this was just a screenshot to prove the device existed.

            I started the packet capture on LAN2 interface (all protocols)

            I then pinged 192.168.2.55 from 192.168.0.12 (Windows 10)

            I tried to access 192.168.2.55 from 192.168.1.59 (Android Phone)

            Here are the results with none of those IP's mentioned.

            16:14:07.693246 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693286 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693612 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693657 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693696 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693967 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.693979 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.693995 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.694016 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.694188 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694228 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694285 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.694463 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.694513 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694533 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694692 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.694732 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.694884 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694895 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.694907 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.695178 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.695217 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.695289 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.695296 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.695305 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 824
            16:14:07.695398 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.695463 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.701541 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.701551 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 1152
            16:14:07.701572 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 296
            16:14:07.701583 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.701593 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 156
            16:14:07.701604 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.701614 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 252
            16:14:07.702194 IP 192.168.2.53.59121 > 192.168.1.27.554: tcp 0
            16:14:07.734057 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734095 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734168 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734342 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734534 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734557 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.734650 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.734686 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.734731 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.734751 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734932 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.734956 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735104 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735202 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.735291 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.735310 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735489 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.735512 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735674 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735749 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.735872 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.735905 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.736063 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1108
            16:14:07.736121 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.736157 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.775443 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.775468 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 256
            16:14:07.776072 IP 192.168.2.53.59121 > 192.168.1.27.554: tcp 0
            16:14:07.777087 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.777111 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 1152
            16:14:07.777133 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 296
            16:14:07.777154 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.777190 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 236
            16:14:07.777227 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.777491 IP 192.168.2.53.59121 > 192.168.1.27.554: tcp 0
            16:14:07.777527 IP 192.168.2.53.59121 > 192.168.1.27.554: tcp 0
            16:14:07.813525 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 16
            16:14:07.813550 IP 192.168.1.27.554 > 192.168.2.53.59121: tcp 248
            16:14:07.814100 IP 192.168.2.53.59121 > 192.168.1.27.554: tcp 0
            16:14:07.814906 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.814945 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815146 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815321 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.815350 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815390 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815607 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.815752 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.815790 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815893 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.815994 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.816033 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.816117 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.816159 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.816459 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.816485 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.816530 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.816661 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.816731 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.816894 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.816931 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.817131 IP 192.168.2.53.59130 > 192.168.0.24.554: tcp 0
            16:14:07.817251 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.817303 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1460
            16:14:07.817420 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 1364
            16:14:07.817478 IP 192.168.0.24.554 > 192.168.2.53.59130: tcp 396

            1 Reply Last reply Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Mar 29, 2020, 3:41 PM Mar 29, 2020, 3:34 PM

              Dude why would you do all when what your interested is in ping? And it defaults to only capturing 100 packets.. So no shit you prob finished your capture before you even ran your ping - so that is why don't see anything..

              Look at your sniff, that is what 100 packets in less than 0.2 seconds.. Really dude come on!!!

              Set the capture to be the dest IP your interested in, and just ICMP...

              pingcapture.jpg

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              M 1 Reply Last reply Mar 29, 2020, 4:24 PM Reply Quote 0
              • M
                mbc0 @johnpoz
                last edited by Mar 29, 2020, 4:24 PM

                @johnpoz said in Cannot access all ip's accross different subnets:

                Dude why would you do all when what your interested is in ping? And it defaults to only capturing 100 packets.. So no shit you prob finished your capture before you even ran your ping - so that is why don't see anything..
                Look at your sniff, that is what 100 packets in less than 0.2 seconds.. Really dude come on!!!
                Set the capture to be the dest IP your interested in, and just ICMP...

                Learning! 😉

                17:20:43.331497 IP 192.168.0.12 > 192.168.2.55: ICMP echo request, id 1, seq 3378, length 40

                17:20:46.809362 IP 192.168.1.120 > 192.168.2.55: ICMP echo request, id 1, seq 22, length 40

                so detected from both LAN & UniFi

                Windows firewalls are off, Android does not have one, I know you said it is not pfsense so I have a challenge ahead!

                Thanks for your help

                1 Reply Last reply Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Mar 29, 2020, 4:44 PM Mar 29, 2020, 4:42 PM

                  @mbc0 said in Cannot access all ip's accross different subnets:

                  17:20:46.809362 IP 192.168.1.120 > 192.168.2.55: ICMP echo request, id 1, seq 22, length 40

                  So clearly pfsense sent this on to this 2.55 box!! So pfsense did everything it was told to do.. For some reason that did not come back..

                  Why are you seeing both 3 seconds apart? you did sniff on 2 different interfaces at the same time? You did 2 different sniffs which yeah that would make sense then. Or you don't actually have your interfaces isolated and your running multiple layer 3 on the same layer 2 network

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • M
                    mbc0
                    last edited by Mar 29, 2020, 5:18 PM

                    I pinged from two addresses at the same time, that is why they are 3 seconds apart.

                    1 Reply Last reply Reply Quote 0
                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz Mar 29, 2020, 7:29 PM Mar 29, 2020, 7:28 PM

                      Ok - well clearly pfsense sent it on.. So as stated some time back its your machines firewall, or something between pfsense and this device. Or the device your pinging isn't using pfsense as gateway.

                      If you want to validate more, then sniff on the device.. To see if its seeing the ping.. If it is you know for fact its software on this machine preventing the ping from being seen/answered - ie firewall/security software.. Or your machine is sending its answer somewhere else, which you would see in the sniff.

                      Or it never gets there, so something between pfsense and the box is dropping pings?

                      Wireshark is free, and easy to use runs on pretty much any os...

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • M
                        mbc0
                        last edited by mbc0 Mar 29, 2020, 10:01 PM Mar 29, 2020, 10:00 PM

                        I will download wireshark and see what I can find.

                        What I am really struggling to understand is from my main Windows Desktop PC (192.168.0.12) I cannot ping a Physical Machine 192.168.2.54 but can remote desktop in with no issues all? this makes zero sense to me.

                        the other devices are a mixture of dockers & vm's on my unraid server

                        some dockers I can ping and access, others I can not ping nor access. If I change them back to the 192.168.0 subnet they are all fine again. strange to me how I can access some but not others even though they are on the same subnet/network setting in unraid and are clearly visable from the physical machine on the same subnet

                        1 Reply Last reply Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz Mar 29, 2020, 11:12 PM Mar 29, 2020, 11:12 PM

                          Well ping and rdp are different protocols - the host firewall could allow rdp and not allow ping (icmp). Or if a firewall rule with pfsense, you could be allowing just tcp or tcp/udp while ping icmp..

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 0
                          12 out of 12
                          • First post
                            12/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received