    rule to allow traffic between networks

    Firewalling
    20 Posts 4 Posters 2.1k Views
    • kirshman

      Hi. I have 3 internal networks set up on our system. LAN is our normal internal network, computers all see each other and DHCP runs 192.168.1.0/24. The second is OPT1, this runs our public wifi that we don't want to see the rest of the network and it's running well. DHCP 192.168.2.0/24. The third is OPT2. This runs a display computer that we need to be off our proxy server because some of the software it runs doesn't play well with proxy. It's DHCP 192.168.3.0/24. I would like to set it up so that the computer on OPT2 can communicate with the computers on LAN. Right now it can't see any other networks either. What rule can I make so OPT2 can communicate with LAN? Thanks!

      • Rico (LAYER 8 Rebel Alliance)

        Action Pass
        Interface OPT2
        Address Family IPv4
        Protocol Any
        Source OPT2 net
        Destination LAN net

        -Rico

        • kirshman

          This didn't work for me. I still can't access shares or ping any machines on net from opt2

          • Rico (LAYER 8 Rebel Alliance)

            Show your Config (Screenshots).

            -Rico

              • NogBadTheBad @kirshman

                @kirshman said in rule to allow traffic between networks:

                This didn't work for me. I still can't access shares or ping any machines on net from opt2

                Firewall on the far-end host, maybe?

                Did you try a ping from a host on the OPT2 network to the LAN firewall interface?

                Also do a packet capture: does it show traffic passing out of the LAN firewall interface?

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • johnpoz (LAYER 8 Global Moderator) @kirshman

                  @kirshman said in rule to allow traffic between networks:

                  This didn't work for me. I still can't access shares or ping any machines on net from opt2

                  And can we see this rule? That would have to be above any rules that would block traffic.

                  The rule @Rico gave would allow anything on OPT2 to talk to anything on LAN net.. If that's not working then the rule is not placed correctly on the OPT2 interface, or was put in wrong. Or you have firewalls on the stuff on your LAN net?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • kirshman

                    Here are screenshots of my rules sections! Rules are really new to me. I asked a question on another post and used the rules that were suggested to me. Let me know how to fix/improve, I'm ready to learn. Also ignore the apply changes part up there, I had hit that after making the rule yesterday. There is a default Windows firewall running on there, but it let the connection pass when the 2 PCs were both on LAN. [attachments: opt2rules.jpg, lanrules.jpg]

                    • johnpoz (LAYER 8 Global Moderator)

                      Why is it asking you to apply the rules.. Did you apply any rules you created? With the Apply Changes button?

                      • kirshman @johnpoz

                        @johnpoz yes, sorry, I added that in an edit. I did apply the rules, and accidentally moved something else before taking screenshots. The rule was applied yesterday, and didn't allow connection.

                        • johnpoz (LAYER 8 Global Moderator)

                          Well you can see from the 0/10 on your rules that rule has been evaluated..

                          The order of those rules would allow access.. Do you have any rules on floating?

                          Try pinging your lan IP from opt2 network.. Can you ping the pfsense lan IP? Which is part of lan net and should be allowed, even with your block firewall rule below that.

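The rule Rico posted, together with johnpoz's two points (it has to sit above any rule that blocks the same traffic, and the pfSense LAN address is itself inside LAN net), as an added example that is not code from the thread or from pfSense: a small Python model of how pfSense evaluates the rules on one interface tab. The three subnets are the ones kirshman gave. The pfSense LAN address 192.168.1.1, the PrivateNets alias and the block rule are assumptions standing in for the rules in the screenshots, which are not reproduced here; evaluate, rule_matches and in_alias are names chosen for this example.

```python
# Added example, not code from the thread or from pfSense: a model of first-match
# rule evaluation on a pfSense interface tab, using the subnets from the thread.
# The pfSense LAN address (192.168.1.1), the PrivateNets alias and BLOCK_PRIVATE
# are assumptions standing in for the rules in the (unseen) screenshots.
from ipaddress import ip_address, ip_network

# pfSense expands "<IF> net" to that interface's subnet; "any" matches everything.
ALIASES = {
    "LAN net":  [ip_network("192.168.1.0/24")],
    "OPT1 net": [ip_network("192.168.2.0/24")],
    "OPT2 net": [ip_network("192.168.3.0/24")],
    # Assumed alias: all RFC 1918 space, a common way to isolate a guest/kiosk VLAN.
    "PrivateNets": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                    ip_network("192.168.0.0/16")],
    "any": [ip_network("0.0.0.0/0")],
}

# Rico's rule exactly as posted (interface OPT2, IPv4, protocol any).
RICO_PASS = {"action": "pass", "proto": "any", "src": "OPT2 net", "dst": "LAN net"}
# Assumed isolation rule: OPT2 may not reach private address space.
BLOCK_PRIVATE = {"action": "block", "proto": "any", "src": "OPT2 net", "dst": "PrivateNets"}
# Typical trailing rule letting OPT2 reach the internet.
PASS_ANY = {"action": "pass", "proto": "any", "src": "OPT2 net", "dst": "any"}


def in_alias(alias, addr):
    """True if addr falls inside any network the alias expands to."""
    return any(ip_address(addr) in net for net in ALIASES[alias])


def rule_matches(rule, proto, src, dst):
    return (rule["proto"] in ("any", proto)
            and in_alias(rule["src"], src)
            and in_alias(rule["dst"], dst))


def evaluate(rules, proto, src, dst):
    """First match wins: pfSense writes interface-tab rules with 'quick', so the
    first rule whose criteria match decides the packet and nothing below it is
    consulted. Returns (action, rule index), or ("block", None) for the implicit
    default deny when no rule matches."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst):
            return rule["action"], index
    return "block", None


if __name__ == "__main__":
    pass_above_block = [RICO_PASS, BLOCK_PRIVATE, PASS_ANY]
    pass_below_block = [BLOCK_PRIVATE, RICO_PASS, PASS_ANY]
    probes = [
        ("icmp", "192.168.3.11", "192.168.1.230"),  # the LAN PC from the thread
        ("icmp", "192.168.3.11", "192.168.1.1"),    # pfSense's own LAN address (assumed)
        ("tcp",  "192.168.3.11", "192.168.2.5"),    # a public-wifi client on OPT1
        ("tcp",  "192.168.3.11", "203.0.113.10"),   # an internet host (TEST-NET-3)
    ]
    for proto, src, dst in probes:
        print(f"{proto} {src} -> {dst}: pass above block {evaluate(pass_above_block, proto, src, dst)}, "
              f"pass below block {evaluate(pass_below_block, proto, src, dst)}")
```

Two things the model reflects that matter when reading the rule tabs: interface-tab rules are first-match, so a pass rule placed under a block rule that also matches never fires, and the pfSense LAN address is inside LAN net, which is why pinging it proves the rule and not the far host. pf is stateful, so the state created by the OPT2 pass rule lets the LAN host's replies return with no rule on the LAN tab. Floating rules are consulted before interface rules, which is why johnpoz asks about them; the model leaves them out.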
                          • kirshman @johnpoz

                            @johnpoz no rules in floating. Yes, I was just able to ping the LAN network IP, but not any computers on the LAN network, and can't access any shares on that network.

                            • johnpoz (LAYER 8 Global Moderator)

                              @kirshman said in rule to allow traffic between networks:

                              but not any computers on the lan network and can't access any shares on that network.

                              Well then, as we have been stating.. You have a firewall on what you're trying to access in LAN, or it's not pointing back to pfSense as its gateway..

                              If you want to prove that to yourself - then sniff on your LAN interface in pfSense while you try and ping from your OPT interface - do you see pfSense send on the traffic?

                              • kirshman @johnpoz

                                @johnpoz this is what I got back:
                                11:53:20.374377 IP 192.168.3.11 > 192.168.1.230: ICMP echo request, id 1, seq 26, length 40
                                Does this mean somehow my Windows firewall is blocking it? I'm not sure why I couldn't access our share folder though, cause that's just running on a Raspberry Pi NAS with no firewall.

                                • johnpoz (LAYER 8 Global Moderator)

                                  Exactly! You sent on the ping to that IP.. and no response! You sniffed on the LAN, right?

                                  Out of the box, Windows firewall would block ping from anything other than its local network.. So 192.168.1.230 is not going to answer something from 192.168.3.X that is not its local network.

                                  Who says the Pi doesn't have a firewall? You can for sure run a firewall on a Pi.. What Pi OS are you running?

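What the single capture line above shows, as an added example that is not code from the thread: a Python parser for tcpdump's one-line ICMP output that pairs each echo request with its reply. A request seen on the LAN interface with no reply means pfSense forwarded it and the host (or its host firewall) did not answer; a request that never appears on LAN at all means pfSense did not forward it and the rules are still the problem. SAMPLE_CAPTURE is constructed: its first line is the one kirshman posted, the rest are made up to show an answering host (the pfSense LAN address, assumed to be 192.168.1.1) and some unrelated TCP noise; parse_capture, unanswered_requests and verdict are names chosen here.

```python
# Added example, not code from the thread: read tcpdump's one-line ICMP output
# (the format of the line kirshman posted) and pair each echo request with its
# reply, so a capture on the pfSense LAN interface tells you whether the host
# answered. SAMPLE_CAPTURE is constructed for this example; only its first line
# is from the thread, the others are made up to show both outcomes.
import re
from collections import namedtuple

# tcpdump -n prints ICMP echoes as:
# <time> IP <src> > <dst>: ICMP echo request|reply, id <n>, seq <n>, length <n>
ICMP_ECHO = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

Echo = namedtuple("Echo", "ts src dst kind id seq")

# Constructed sample. Line 1 is the real one from the thread; 192.168.1.1 is an
# assumed pfSense LAN address that answers; the TCP line is noise to be ignored.
SAMPLE_CAPTURE = """\
11:53:20.374377 IP 192.168.3.11 > 192.168.1.230: ICMP echo request, id 1, seq 26, length 40
11:53:21.380012 IP 192.168.3.11 > 192.168.1.1: ICMP echo request, id 1, seq 27, length 40
11:53:21.380240 IP 192.168.1.1 > 192.168.3.11: ICMP echo reply, id 1, seq 27, length 40
11:53:22.391104 IP 192.168.3.11 > 192.168.1.230: ICMP echo request, id 1, seq 28, length 40
11:53:22.402211 IP 192.168.1.50.51012 > 192.168.1.230.445: Flags [S], seq 1, win 64240, length 0
"""


def parse_capture(text):
    """Return Echo records for the ICMP echo lines; everything else is skipped."""
    echoes = []
    for line in text.splitlines():
        m = ICMP_ECHO.match(line.strip())
        if m:
            echoes.append(Echo(m["ts"], m["src"], m["dst"], m["kind"],
                               int(m["id"]), int(m["seq"])))
    return echoes


def unanswered_requests(text):
    """Requests with no reply travelling dst -> src carrying the same id and seq."""
    echoes = parse_capture(text)
    replies = {(e.dst, e.src, e.id, e.seq) for e in echoes if e.kind == "reply"}
    return [(e.src, e.dst, e.id, e.seq)
            for e in echoes
            if e.kind == "request" and (e.src, e.dst, e.id, e.seq) not in replies]


def verdict(text):
    """Per pinged host: 'answered', or 'forwarded, no reply' when pfSense put the
    request on the LAN wire but nothing came back (host firewall, host using a
    different gateway, or host down). A host that never appears in the capture
    was not forwarded at all, which points back at the pfSense rules."""
    result = {}
    for e in parse_capture(text):
        if e.kind == "request":
            result.setdefault(e.dst, "forwarded, no reply")
        else:
            result[e.src] = "answered"
    return result


if __name__ == "__main__":
    for host, state in sorted(verdict(SAMPLE_CAPTURE).items()):
        print(f"{host}: {state}")
    for req in unanswered_requests(SAMPLE_CAPTURE):
        print("no reply for request", req)
```

The regex assumes numeric addresses, i.e. tcpdump run with -n; with names resolved the lines would not match. To reproduce the thread's test, capture on the LAN interface (tcpdump -ni on the LAN interface from the pfSense shell, filtered to icmp) while pinging from OPT2, and feed the text to verdict().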
                                  • kirshman

                                    Ok. I'll jump on and disable the firewalls to test after lunch. Thanks for all your help so far, I really appreciate it!

                                    • kirshman

                                      I'm running Raspbian on my Pi. I ran sudo iptables -L and this is what I got.
                                      Chain INPUT (policy ACCEPT)
                                      target prot opt source destination

                                      Chain FORWARD (policy ACCEPT)
                                      target prot opt source destination

                                      Chain OUTPUT (policy ACCEPT)
                                      target prot opt source destination

                                      It doesn't seem like anything would be blocked using this.

                                      I did confirm that with adding that rule and turning off firewalls I can ping, but I still can't access shares, or get the programs I want to talk to each other. Just as a completely random chance, I'm trying to connect vMix to a ProPresenter NDI between these networks. When I check with vMix with 2 computers on LAN it sees it. The one on OPT2 still doesn't see the NDI. I know that's probably past the scope we're at, just on the off chance someone has worked through this I thought I'd throw it out there :)

                                      • johnpoz (LAYER 8 Global Moderator)

                                        @kirshman said in rule to allow traffic between networks:

                                        but i still cant access shares

                                        How are you trying to access them?

                                        You're not going to be able to use discovery, for example. You would have to hit the IP directly or via an FQDN that resolves to the proper IP.

                                        Your rule is any IPv4 - so if you're using IPv4, the firewall is not going to block anything.

                                        • kirshman

                                          Got it, I was opening Run and using \\pcname, but when I used the IP address that worked.

                                          • johnpoz (LAYER 8 Global Moderator)

                                            pcname isn't going to resolve, unless your client auto-added a suffix.. Or you were on the same L2 using a discovery protocol.

                                            pcname.domain.tld should be set up to resolve. Whatever domain and TLD you're using.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.