Ping from pfSense, but not from PC.
-
I am changing the new network where each segment will be separated from the others, but currently it is still all concentrated on a single switch.
The cables coming from:
- router (192.168.1.1)
- pfSense NIC WAN (192.168.1.6)
- pfSense NIC LAN (192.168.121.1)
- pfSense NIC DMZ (192.168.122.1)
- Server-OLD (192.168.1.11)
- Server-NEW (192.168.122.11)
Then PC-Tech (Debian) is connected, with one NIC carrying two IP addresses:
- 192.168.121.51/24 Gateway & DNS 192.168.121.1
- 192.168.1.51/24
From pfSense I can PING all these devices, even from the LAN.
In Firewall/LAN there is a first rule with Any open.
From this PC I can ping the pfSense NIC WAN and I can access Server-NEW, but I can't ping either the router or the Server-OLD. I don't see a reason why it can't work, both because there is the "All open" rule on the firewall and because everything is on the same switch.
Where am I going wrong?
-
@darkcorner
You have both "fw rules" and "device routing" to worry about.
Especially on the devices using 192.168.1.x (I would guess).
Since your router is on that segment too, I might suspect that units on that VLAN would have 192.168.1.1 as default gw, and won't be able to know that the other "192.168.x.x" are behind the pfSense. Either add routes to the devices, telling them that "the rest of 192.168.x.x/16" is behind the pfSense,
or make the pfSense def-gw for ALL devices. Another thing is ... pfSense WAN by default blocks any incoming traffic from ANY RFC1918 IPs.
Well, the "cleanest solution" is to make your WAN-Net a network where you just have the pfSense WAN IF and the ISP router.
/Bingo
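To make the "device routing" point above concrete, here is an added example (my own code, not from anyone in this thread) that models the posted hosts and their interface addresses, does a longest-prefix-match route lookup on each hop, and traces a ping and its reply. The route entries on each host, the constructed ISP next hop 203.0.113.1 and the router's upstream address 203.0.113.2 are my assumptions; the firewall rules mentioned in the thread are not modelled, only routing.

```python
import ipaddress

# Constructed stand-ins for the ISP side of the router (not addresses from the thread).
INTERNET = ipaddress.ip_address("203.0.113.1")
ROUTER_UPSTREAM = "203.0.113.2"


class Host:
    """A host with a static routing table: (prefix, next hop or None if connected, exit address)."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [
            (ipaddress.ip_network(p), None if nh is None else ipaddress.ip_address(nh),
             ipaddress.ip_address(ifaddr))
            for p, nh, ifaddr in routes
        ]

    def addresses(self):
        return {ifaddr for _, _, ifaddr in self.routes}

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop (None = directly connected) or raises KeyError."""
        best = None
        for net, nh, _ in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            raise KeyError("no route to %s" % dst)
        return best[1]


def owner(hosts, addr):
    """Which host owns an address, or None if it is outside the modelled network."""
    return next((h for h in hosts.values() if addr in h.addresses()), None)


def trace(hosts, cur, dst, max_hops=8):
    """Follow a packet hop by hop; returns (delivered, [hop names or a reason it stopped])."""
    dst = ipaddress.ip_address(dst)
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addresses():
            return True, path
        try:
            nh = cur.lookup(dst)
        except KeyError:
            return False, path + ["no route"]
        nxt = owner(hosts, dst if nh is None else nh)
        if nxt is None:
            return False, path + ["leaves network via %s" % (dst if nh is None else nh)]
        cur = nxt
        path.append(cur.name)
    return False, path + ["hop limit"]


def round_trip(hosts, a_host, a_addr, b_addr):
    """Forward path from a_addr to b_addr, then the reply path back; flags asymmetric routing."""
    fwd_ok, fwd = trace(hosts, a_host, b_addr)
    b_host = owner(hosts, ipaddress.ip_address(b_addr))
    if not fwd_ok or b_host is None:
        return {"reachable": False, "forward": fwd, "reply": [], "symmetric": False}
    rev_ok, rev = trace(hosts, b_host, a_addr)
    # Symmetric means the reply retraces the forward path in reverse (pfSense sees both directions).
    return {"reachable": rev_ok, "forward": fwd, "reply": rev, "symmetric": rev_ok and rev == fwd[::-1]}


def build(server_old_extra=()):
    """The thread's hosts; server_old_extra lets you add routes such as Bingo's /16 towards pfSense."""
    hosts = [
        Host("router", [("192.168.1.0/24", None, "192.168.1.1"),
                        ("0.0.0.0/0", str(INTERNET), ROUTER_UPSTREAM)]),
        Host("pfsense", [("192.168.1.0/24", None, "192.168.1.6"),
                         ("192.168.121.0/24", None, "192.168.121.1"),
                         ("192.168.122.0/24", None, "192.168.122.1"),
                         ("0.0.0.0/0", "192.168.1.1", "192.168.1.6")]),
        Host("server_old", [("192.168.1.0/24", None, "192.168.1.11"),
                            ("0.0.0.0/0", "192.168.1.1", "192.168.1.11")] + list(server_old_extra)),
        Host("server_new", [("192.168.122.0/24", None, "192.168.122.11"),
                            ("0.0.0.0/0", "192.168.122.1", "192.168.122.11")]),
        Host("pc_tech", [("192.168.121.0/24", None, "192.168.121.51"),
                         ("192.168.1.0/24", None, "192.168.1.51"),
                         ("0.0.0.0/0", "192.168.121.1", "192.168.121.51")]),
    ]
    return {h.name: h for h in hosts}


if __name__ == "__main__":
    plain = build()
    print("ping from 192.168.1.51:  ", round_trip(plain, plain["pc_tech"], "192.168.1.51", "192.168.1.11"))
    print("ping from 192.168.121.51:", round_trip(plain, plain["pc_tech"], "192.168.121.51", "192.168.1.11"))
    routed = build([("192.168.0.0/16", "192.168.1.6", "192.168.1.11")])
    print("with /16 route on old server:",
          round_trip(routed, routed["pc_tech"], "192.168.121.51", "192.168.1.11"))
```

Run as is, it shows the three cases the posts describe: a ping sourced from the PC's 192.168.1.51 address is answered directly; one sourced from 192.168.121.51 reaches the old server but the reply follows its default route to the router and leaves the modelled network, because nothing on 192.168.1.x knows where 192.168.121.0/24 lives; and with a 192.168.0.0/16 route via 192.168.1.6 added on the old server the reply comes back through pfSense, which makes it reachable but asymmetric, the situation Steve's post warns about.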
-
Mmm, with everything connected to one switch like that there are numerous ways it could fail.
For your particular test either the client or the server is not using its interface in the 192.168.1.X subnet directly. That is likely creating an asymmetric route through pfSense.
Check the firewall logs.
But ultimately I would expect problems with that sort of setup. You should move to one subnet per layer 2 segment as soon as you can.
Steve
-
As I said initially it is a temporary situation.
There are expected to be 3 small switches, for WAN, LAN and DMZ.
pfSense has already been installed, the new server is in the DMZ and the service PC is in the LAN. But now the whole "operational" network still lies on network 192.168.1.0, in other words the old server and 4 PCs.
My idea is to create the work folders on the new server, transfer the contents of those on the old server and only then move the 4 PCs to the new LAN managed by pfSense.
To do this, in the meantime, I need at least the service PC to be connected to both networks, and I thought that it would use the same switch and I would assign a second address to its NIC.
If the PC had two NICs I would have already used the two switches and connected one NIC to the current LAN switch and one NIC to the new one, but I only have one NIC.
-
Ok so to be clear you have all three pfSense NICs connected to the same switch? And it's an unmanaged layer 2 switch?
You should be able to make that work. Mostly. But you will need to be sure you have outbound NAT rules in place to avoid asymmetry.