rule to allow traffic between networks
-
Hi. I have 3 internal networks set up on our system. LAN is our normal internal network, computers all see each other and dhcp runs 192.168.1./24. The second is opt 1, this runs our public wifi that we don't want to see the rest of the network and it's running well. dhcp 192.168.2./24. The third is opt2. This runs a display computer that we need to be off our proxy server because some of the software it runs doesn't play well with proxy. it's dhcp 192.168.3.*/24. I would like to set up it up so that the computer on opt2 can communicate with the computers on LAN. Right now it can't see any other networks either. What rule can i make so opt2 can communicate with LAN. Thanks!
-
Action Pass
Interface OPT2
Address Family IPv4
Protocol Any
Source OPT2 net
Destination LAN net-Rico
-
This didn't work for me. I still can't access shares or ping any machines on net from opt2
-
Show your Config (Screenshots).
-Rico
-
@kirshman said in rule to allow traffic between networks:
This didn't work for me. I still can't access shares or ping any machines on net from opt2
Firewall on the far end host maybe ?
Did you try a ping from a host on the OPT2 network to the LAN firewall interface?
-
@kirshman said in rule to allow traffic between networks:
This didn't work for me. I still can't access shares or ping any machines on net from opt2
Firewall on the far end host maybe ?
Did you try a ping from a host on the OPT2 network to the LAN firewall interface?
Also do a packetcapture does it show traffic passing out of the LAN firewall interface?
-
@kirshman said in rule to allow traffic between networks:
This didn't work for me. I still can't access shares or ping any machines on net from opt2
And can we see this rule? That would have to be above any rules that would block traffic.
The rule @Rico gave would allow anything on opt2 to talk to anything on lan net.. If that not working then the rule is not placed correctly on the opt2 interface, or was put in wrong. Or you have firewalls on the stuff on your lan net?
-
Here are screenshots of my rules sections! Rules are really new to me. I asked a question on another post and used the rules that were suggested to me. Let me know how to fix/improve, i'm ready to learn. Also ignore the apply changes part up there, I had hit that after making the rule yesterday. There is a default windows firewall running on there, but it let the connection pass when the 2 pcs were both on lan.
-
Why is asking you to apply the rules.. Did you apply any rules you created? With the Apply Changes button?
-
@johnpoz yes, sorry, i added that in an edit. I did apply the rules, and accidentally moved something else before taking screenshots. The rule was applied yesterday, and didn't allow connection.
-
Well you can see from the 0/10 on your rules that rule has been evaluated..
The order of those rules would allow access.. Do you have any rules on floating.
Try pinging your lan IP from opt2 network.. Can you ping the pfsense lan IP? Which is part of lan net and should be allowed, even with your block firewall rule below that.
-
@johnpoz no rules in floating. yes i was just able to ping the lan network ip, but not any computers on the lan network and can't access any shares on that network.
-
@kirshman said in rule to allow traffic between networks:
but not any computers on the lan network and can't access any shares on that network.
Well than as we have been stating.. You have firewall on what your trying to access in lan, or its not pointing back to pfsense as its gateway..
If you want to prove that to yourself - then sniff on your lan interface in pfsense while you try and ping from your opt interface - do you see pfsense send on the traffic..
-
@johnpoz this is what i got back
11:53:20.374377 IP 192.168.3.11 > 192.168.1.230: ICMP echo request, id 1, seq 26, length 40
does this mean somehow my winows firewall is blocking it? I'm not sure why i couldn't access our share folder though cause that's just running on a raspberrypi nas with no firewall. -
Exactly! you sent on ping to that IP.. An no response! You sniffed on the LAN right.
Out of the box windows firewall would block ping from anything other than its local network.. So 192.168.1.230 not going to answer something from 192.168.3.X that is not its local network.
Who says pi doesn't have firewall? You can for sure run firewall on pi.. What pi OS are you running?
-
Ok. I'll jump on and disable the firewalls to test after lunch. Thanks for all your help so far, I really appreciate it!
-
I'm running raspbian on my pi. I ran sudo iptables -L and this is what i got.
Chain INPUT (policy ACCEPT)
target prot opt source destinationChain FORWARD (policy ACCEPT)
target prot opt source destinationChain OUTPUT (policy ACCEPT)
target prot opt source destinationIt doesn't seem like anything would be blocked using this.
I did confirm with adding that rule, and turning off firewalls i can ping, but i still cant access shares, or get the programs I want to talk to each other. just as a completely random chance, I'm trying to connect vmix to a propresenter ndi between these networks. when i check with vmix with 2 computers on LAN it sees it. the one on Opt2 still doesn't see the NDI. I know that's probably past the scoper we're at, just one the offchance someone has worked through this I thought I'd throw it out there :)
-
@kirshman said in rule to allow traffic between networks:
but i still cant access shares
How are you trying to access them?
Your not going to be able to use discovery for example? You would have to hit the IP directly or via a fqdn that resolves to the proper IP.
Your rule is any IPv4 - so if your using IPv4, firewall not going to block anything.
-
got it, was opening run and using \ \pcname, but when i used the ipaddress that worked
-
pcname isn't going to resolve, unless you client auto added suffix.. Or you were on the same L2 using a discovery protocol.
pcname.domain.tld should be setup to resolve. Whatever domain and tld your using.
