No routing between local networks
-
Hi All,
I have set up pfSense on a mini PC with 6 interfaces and assigned each interface as follows:
igb0 - WAN1 with DHCP client
igb1 - WAN2 with DHCP client
igb2 - LAN1 for client connections 192.168.1.1/24 with DHCP server enabled
igb3 - LAN2 for server connections 192.168.2.1/24 (all servers are having static IPs)
igb4 - DMZ planned for servers that can be accessed from external
igb5 - unused
In Firewall setup, I grouped LAN1 and LAN2 as LANNet and added a rule to allow all IPv4, all protocols.
My problem is, I'm unable to connect/ping from a PC in LAN1 (IP 192.168.1.100 - assigned by DHCP) to a PC in LAN2 (IP 192.168.2.10 - static IP).
I can only ping the LAN2 interface (192.168.2.1).
Please help to suggest if there is any configuration I missed.
Thank you in advance.
-
@gueaje Firewall on the PC.
Do a packet capture on LAN2, do you see packets from LAN1 ?
-
@gueaje This is typical for OSes like Windows with their firewall.
-
@nogbadthebad no packet flowing from LAN1 to LAN2 or the other way round
@bob-dig said in No routing between local networks:
@gueaje This is typical for OSes like Windows with their firewall.
Just tested between TrueNAS and Ubuntu, the same blockage is there.
-
@gueaje said in No routing between local networks:
@nogbadthebad no packet flowing from LAN1 to LAN2 or the other way round
@bob-dig said in No routing between local networks:
@gueaje This is typical for OSes like Windows with their firewall.
Just tested between TrueNAS and Ubuntu, the same blockage is there.
Do a packet capture on LAN2, do you see packets from LAN1 ?
-
@nogbadthebad said in No routing between local networks:
@gueaje said in No routing between local networks:
@nogbadthebad no packet flowing from LAN1 to LAN2 or the other way round
@bob-dig said in No routing between local networks:
@gueaje This is typical for OSes like Windows with their firewall.
Just tested between TrueNAS and Ubuntu, the same blockage is there.
Do a packet capture on LAN2, do you see packets from LAN1 ?
packet capture run on LAN2, no packet from LAN1
packet capture run on LAN1, no packet from LAN2
-
@gueaje Firewall rules on the interface or incorrect subnet mask on the clients if I had to guess.
Drag a screenshot of your firewall rules, into your post.
-
@nogbadthebad
here you go, WireGuard, DMZ, LANCGUEST and LANSEVER has no rule setup.
LAN1 is LANCLIENT
LAN2 is LANSEVER
-
@gueaje I'd be tempted to remove the floating rule and interface group, then add any any rules on LANCLIENT & LANSEVER.
Firewall rules are generally processed as follows:-
Floating Rules
Interface Group rules
Interface tab rules
-
@nogbadthebad
Removed floating rule and interface group, and recreated the same rule under LANCLIENT and LANSEVER, still no luck.
Tried to reboot the pfSense machine as well.
-
@gueaje The subnet mask and gateway is correct on each box, that you're trying to ping from & to ?
The interfaces are directly attached so it should work.
-
@nogbadthebad said in No routing between local networks:
interfaces are directly attached so it should work.
Yes, I have checked and rechecked that since you pointed out earlier.
Also I tried to use ping tool from diagnostic menu in pfsense.
I can ping the hosts from the respective pfSense interface (i.e. ping using LANSERVER to ping a host in the same network), but it's not reachable if I change the source address to LANCLIENT.
BTW, if it helps, hosts from both networks are able to access the internet.
Can this configuration cause the issue? i.e. instead of routing the traffic directly from LANSERVER to LANCLIENT, this setup causes the traffic to be directed to the internet?
-
@gueaje Is your default route your WAN gateway and are you using any sort of PIA ?
Diagnostics -> Routes
-
@nogbadthebad said in No routing between local networks:
@gueaje I'd be tempted to remove the floating
Tempted ? ;)
What about this one:
@gueaje
re-create the firewall rule you've removed on the LAN interface when you installed pfSense.
By pure magic, things start to work.
If these are the rules on the LAN interface :
then, yeah, all traffic (except destination port 22 80 443 TCP to pfSense itself) goes into the default, last, hidden "black hole" rule. That includes 'ping'.
Why did you remove the pass rule that was present in the beginning ? That comes with some punishment ;)
Btw : my advice : stay away from floating rules (leave them as you've found them : none).
-
I don't have PIA. (Yet, still considering it. Based on your question, looks like I have to put aside that consideration :) )
In the setup, I leave it as Automatic. Under Diagnostics -> Routes, it points to WAN1 right now.
Should I change it to LANCLIENT or LANSEVER?
-
@gertjan
From a fresh install, it was not working with the default setup (no rule except "Anti-Lockout Rule").
Hence, I added a floating rule to allow all for LAN networks, and it is still not working.
-
@gueaje Just start over freshly.
-
@gueaje Leave it as is.
I only asked about PIA as everything would route via your OpenVPN interface unless you have "don't pull routes" set.
As you're not using PIA it should be fine.
-
@gueaje said in No routing between local networks:
@gertjan
From a fresh install, it was not working with the default setup (no rule except "Anti-Lockout Rule").
Read the pfSense manual : Firewall Rule Best Practices
In a default two-interface LAN and WAN configuration, pfSense utilizes default deny on the WAN and default allow on the LAN.
This means you find the anti-lockout rule and a pass rule on the LAN interface.
So, again, on a default pfSense you will find this pass rule on the interface called LAN (other interfaces are not assigned yet).
It is presumed that when you create other (more) LAN type interfaces, you copy this rule to your new LAN interfaces also. You have to change the "Source" while copying, of course.
-
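The rule-processing order nogbadthebad lists (floating, interface group, interface tab) and the hidden default-deny rule gertjan describes can be walked through with a small model. This is an added example, not pfSense code or anything from the thread; it assumes plain first-match evaluation (quick floating rules and last-match semantics are not modelled) and uses the OP's addresses to show why ICMP from 192.168.1.100 to 192.168.2.10 dies with only the anti-lockout rule present, and passes once the default "LAN to any" pass rule is copied to LANCLIENT with its Source changed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pfSense rule evaluation as described in the thread:
# floating rules, then interface-group rules, then the interface tab, then the
# hidden default deny. First match wins (assumption; quick/last-match not modelled).
LANCLIENT_NET = ip_network("192.168.1.0/24")   # igb2, LAN1 (LANCLIENT)
LANSERVER_NET = ip_network("192.168.2.0/24")   # igb3, LAN2 (LANSEVER)

def match(rule, iface, proto, src, dst, dport):
    """True when every rule field matches; a missing field means 'any'."""
    return (rule.get("iface") in (None, iface)
            and rule.get("proto") in (None, proto)
            and (rule.get("src") is None or ip_address(src) in rule["src"])
            and (rule.get("dst") is None or ip_address(dst) in rule["dst"])
            and (rule.get("dport") is None or dport in rule["dport"]))

def evaluate(floating, groups, interfaces, iface, proto, src, dst, dport=None):
    """Return (action, description) for a packet entering `iface`.

    pf evaluates rules on the ingress interface; the reply is allowed by the
    state table, so only the LAN1 -> LAN2 direction needs a pass rule here.
    """
    for tab in (floating, groups, interfaces):
        for rule in tab:
            if match(rule, iface, proto, src, dst, dport):
                return rule["action"], rule["descr"]
    return "block", "hidden default deny"

# Anti-lockout only: what the OP was left with after removing the LAN pass rule.
anti_lockout = {"iface": "LANCLIENT", "proto": "tcp",
                "dst": ip_network("192.168.1.1/32"), "dport": {22, 80, 443},
                "action": "pass", "descr": "Anti-Lockout Rule"}
# The default LAN pass rule, copied to LANCLIENT with Source set to its own net.
lanclient_pass = {"iface": "LANCLIENT", "src": LANCLIENT_NET,
                  "action": "pass", "descr": "Default allow LANCLIENT to any"}

def ping_lan1_to_lan2(interface_rules):
    """ICMP echo from the DHCP client 192.168.1.100 to the static server 192.168.2.10."""
    return evaluate([], [], interface_rules, "LANCLIENT", "icmp",
                    "192.168.1.100", "192.168.2.10")

if __name__ == "__main__":
    print(ping_lan1_to_lan2([anti_lockout]))                  # ('block', 'hidden default deny')
    print(ping_lan1_to_lan2([anti_lockout, lanclient_pass]))  # ('pass', 'Default allow LANCLIENT to any')
```

Diagnostics -> Ping with LANCLIENT as the source address hits the same evaluation, which is why it failed in the thread while a ping sourced from the LANSEVER address (same subnet as the target, no rule needed) worked.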
@bob-dig said in No routing between local networks:
@gueaje Just start over freshly.
Will need to find time later, probably over long weekend.
Currently can't afford downtime due to work from home.