Allow traffic between LAN and various other networks (OPTs)
-
Hello,
I have a problem where I can't seem to be able to allow traffic between LAN and other OPT interfaces. I'm not 100% sure it's a firewalling problem, but I thought I ought to start here.
I can't ping anything in either direction. Any help would be greatly appreciated.
Here are the rules set in my LAN (called FMVNET):
And here is the rule of one of the specific OPT (which is called WAPMANAGMENT):
(I'm actually pretty sure I shouldn't even need this rule for the traffic to pass.)
Here is some other information that may be relevant:
- FMVNET has an active DHCP server, WAPMANAGMENT does not.
- There are no specific gateways or routing or NAT rules that have been implemented besides the automatic ones.
I'm not sure where to shoot from here so any help would be greatly appreciated.
Many thanks for your time
-
@yannickbon said in Allow traffic between LAN and various other networks (OPTs):
And here is the rule of one of the specific OPT (which is called WAPMANAGMENT):
(I'm actually pretty sure I shouldn't even need this rule for the traffic to pass.)
You need a pass rule on the interface the source device is connected to.
So if you only want to pass traffic from LAN to OPT, you need the rules only on LAN.
Maybe the destination device is blocking access from the other subnet with its own firewall.
-
@yannickbon No DHCP server on wapmgnt; can you ping the interface from a device on that network?
Tell us what does work.
As said, you do need that rule on the OPT interface. No rules means everything is blocked.
That said, the rules you have should allow traffic between the two interfaces, so I would start with what I asked above.
-
@jarhead Thanks for your reply,
When I'm on the wapmngmnt network, I can ping devices that are on that network, but I can't ping the pfSense box, which is very strange.
When on the fmvnet network, I can ping the pfSense box and other devices on the same network, but I can't ping anything on the wapmngmnt network.
@viragomann Thank you for your reply. I checked the firewall of the devices on the wapmngmnt network and nothing seems to be blocking anything specific. To be clear, these devices are Aruba networks antennas and they have just a very basic setup.
-
Hi, is that your only firewall rule on OPT? You may also want to try Avahi in System / Package Manager.
-
@uglybrian Thanks for your reply.
Yes, it is my only rule on this interface. I'll give Avahi a look.
-
@yannickbon You can try a second pass rule below your current rule:
Allow / WAPMANAGMENT net / to / WAPMANAGMENT address
-
@uglybrian Just tried it. It doesn't seem to affect anything; the pings are the same as described above.
-
@yannickbon
I'm wondering what Avahi could do here. Did you investigate this?
@viragomann said in Allow traffic between LAN and various other networks (OPTs):
Maybe the destination device is blocking access from the other subnet with its own firewall.
-
@viragomann Avahi will do nothing for you.
Do you have a gateway set on the wapmgnt devices?
No DHCP, so you'll have to set it manually.
-
@viragomann Yes, as I stated before, the devices on the network don't seem to have any rules blocking traffic.
@Jarhead No, I don't have an upstream gateway. Could you explain why this would be necessary? I thought this was only necessary for WAN-type networks.
The only thing I'm trying to do here is to allow traffic between my LAN (FMVNET) and my OPT1 (WAPMANAGMENT), and as a second step give WAPMANAGMENT internet access (but that's not the problem I'm trying to solve first).
-
The initial problem is solved.
I have a Netgate 7100. The issue was in the VLAN membership in the switch configuration. I don't know why, but the interface was in two VLANs at the same time, which I guess caused trouble.
Now I just have to find out why I can't seem to connect this WAPMANAGMENT network to the internet.
I made these two very basic rules (basically a copy of the LAN rules but limited to WAN), but they don't seem to work.
-
@yannickbon
WAN net is only the (small) subnet which is assigned to the WAN interface.
Besides, this rule can be dangerous, since it would allow access to the web configurator using the WAN address.
If you want to allow internet access, you need to set the destination to any.
To block access to your LAN, add a block rule at the top of the rule set. Also consider blocking access to the pfSense web configurator.
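The rule ordering discussed in this thread (a pass rule on the interface the source hosts sit on, a block for LAN and the web configurator placed above a general "to any" pass, and "any" rather than "WAN net" as the internet destination), written out as an added pf ruleset. This is not from the original posts or from pfSense's generated ruleset; the interface names (em0/em1/em2), subnets and web-configurator ports are assumptions for illustration. pfSense regenerates its ruleset from the GUI, so the equivalent rules belong under Firewall > Rules on each interface, in this order; hand edits to the pf configuration do not persist.

```pf
# Assumed names and subnets (not taken from the thread):
#   em0 = LAN (FMVNET), em1 = OPT1 (WAPMANAGMENT), em2 = WAN
lan_if   = "em0"
opt1_if  = "em1"
wan_if   = "em2"
lan_net  = "192.168.1.0/24"    # assumed FMVNET subnet
opt1_net = "192.168.2.0/24"    # assumed WAPMANAGMENT subnet
webgui   = "{ 80, 443 }"       # assumed web configurator ports

# pfSense emits rules with "quick": the first matching rule wins,
# so the order below matters.

# LAN -> OPT1. The rule goes on the LAN interface, where the source
# hosts are connected; replies come back through the state entry.
pass in quick on $lan_if inet from $lan_net to $opt1_net keep state

# OPT1 side. With no "pass in on $opt1_if" rule at all, pf drops every
# packet arriving on that interface, including pings to the firewall's
# own OPT1 address, which is the "can't ping the pfSense box" symptom.
pass in quick on $opt1_if inet proto icmp from $opt1_net to ($opt1_if) keep state

# Blocks must sit ABOVE the general pass rule. "self" is every address
# the firewall holds (LAN, OPT1 and WAN), so this also stops the web
# configurator being reached via the WAN address.
block in quick on $opt1_if inet proto tcp from $opt1_net to self port $webgui
block in quick on $opt1_if inet from $opt1_net to $lan_net

# Internet access: the destination has to be "any". "WAN net" would
# match only the small subnet assigned to the WAN interface itself.
pass in quick on $opt1_if inet from $opt1_net to any keep state
```

If the last rule were moved above the two block rules, traffic from WAPMANAGMENT to the LAN and to the web configurator would match it first and the blocks would never be reached; that is the reason for putting the block rule at the top of the set, as the reply above says.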
-
@viragomann Finally! Thank you for your wonderful help. It's been very useful. Now on to more testing.