Netgate Discussion Forum
    Allow traffic between LAN and various other networks (OPTs)

    Firewalling
    14 Posts 4 Posters 691 Views
    • YannickBon

      Hello,

      I have a problem where I can't seem to be able to allow traffic between LAN and other OPT interfaces. I'm not 100% sure it's a firewalling problem, but I thought I ought to start here.
      I can't ping anything in either direction.

      Any help would be greatly appreciated.

      Here are the rules set in my LAN (called FMVNET):
      Capture d’écran 2022-12-09 142300.jpg

      And here is the rule of one of the specific OPT (which is called WAPMANAGMENT):
      Capture d’écran 2022-12-09 142545.jpg (I'm actually pretty sure I shouldn't even need this rule for the traffic to pass)

      Here is some other information that may be relevant:

      • FMVNET has an active DHCP server, WAPMANAGMENT does not.
      • There are no specific gateways or routing or NAT rules that have been implemented besides the automatic ones.

      I'm not sure where to shoot from here so any help would be greatly appreciated.

      Many thanks for your time

      • viragomann @YannickBon

        @yannickbon said in Allow traffic between LAN and various other networks (OPTs):

        And here is the rule of one of the specific OPT (which is called WAPMANAGMENT):
        (I'm actually pretty sure I shoudn't even need this rule for the traffic to pass)

        You need a pass rule on the interface the source device is connected to.
        So if you only want to pass traffic from LAN to OPT you need the rules only on LAN.

        Maybe the destination device is blocking the access from the other subnet by its own firewall.

        • Jarhead @YannickBon

          @yannickbon No dhcp server on wapmgnt, can you ping the interface from a device on that network?
          Tell us what does work.

          As said, you do need that rule on the OPT interface. No rules means everything is blocked.
          That said, the rules you have should allow traffic between the two interfaces so I would start with what I asked above.

          • YannickBon @Jarhead

            @jarhead Thanks for your reply,

            When I'm on the wapmngmnt network, I can ping devices that are on the network, but I can't ping the pfSense box. Which is very strange.

            When on the fmvnet network, I can ping the pfsense box and other devices on the same network, but I can't ping anything on the wapmngmnt network.

            @viragomann Thank you for your reply. I checked the firewall of the devices on the wapmngmnt network and nothing seems to be blocking anything specific. To be clear, these devices are Aruba networks antennas and they have just a very basic setup.

            • Uglybrian

              Hi, is that your only firewall rule on OPT? And you may want to try Avahi in System / Package Manager.

              • YannickBon @Uglybrian

                @uglybrian Thanks for your reply.
                Yes, it is my only rule on this interface. I'll give Avahi a look.

                • Uglybrian @YannickBon

                  @yannickbon You can try a second pass rule below your current rule:
                  Allow WAPMANAGMENT net to WAPMANAGMENT address

                  • YannickBon @Uglybrian

                    @uglybrian Just tried it. Doesn't seem to affect anything. The pings are the same as described above.

                    • viragomann @YannickBon

                      @yannickbon
                      I'm wondering what Avahi could do here.

                      Did you investigate this:
                      @viragomann said in Allow traffic between LAN and various other networks (OPTs):

                      Maybe the destination device is blocking the access from the other subnet by its own firewall.

                      ?

                      • Jarhead @viragomann

                        @viragomann Avahi will do nothing for you.

                        Do you have a gateway set on the wapmgnt devices?
                        With no DHCP, you'll have to set it manually.

                        • YannickBon @viragomann

                          @viragomann Yes, as I stated before the devices on the network don't seem to have any rules blocking traffic.

                          @Jarhead No I don't have an upstream gateway. Could you explain why this would be necessary? I thought this was only necessary for WAN type networks.

                          The only thing I'm trying to do here is to allow traffic between my LAN (FMVNET) and my OPT1 (WAPMANAGMENT), and as a second step give WAPMANAGMENT internet access (but that's not the problem I'm trying to solve first).

                          • YannickBon

                            The initial problem is solved.

                            I have a Netgate 7100. The issue was in the VLAN membership in the switch configuration. I don't know why, but the interface was in two VLANs at the same time, which I guess caused trouble.

                            Now I just have to find out why I can't seem to connect this WAPMANAGMENT network to the internet.
                            I made these two very basic rules (basically a copy of the LAN rules but limited to WAN) but it doesn't seem to work.
                            Capture d’écran 2022-12-12 165250.jpg

                            • viragomann @YannickBon

                              @yannickbon
                              WAN net is only the (small) subnet which is assigned to the WAN interface.
                              Besides, this rule can be dangerous, since it would allow access to the web configurator using the WAN address.

                              If you want to allow internet access you need to set the destination to any.

                              To block access to your LAN, add a block rule at the top of the rule set. Also consider blocking access to the pfSense web configurator.

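To make the "WAN net" versus "any" point and the ordering of the block rules concrete, here is an added example (not code from the thread or from pfSense) that simulates pfSense's first-match rule evaluation on the WAPMANAGMENT interface for both rule sets. All subnets and addresses are constructed, since the thread does not give the poster's real addressing.

```python
"""Simplified first-match simulation of pfSense interface rules. Rules are evaluated
on the interface a packet enters, first match wins, and no match means block."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing; the poster's real subnets are not in the thread.
NETS = {
    "FMVNET net": ipaddress.ip_network("192.168.10.0/24"),
    "WAPMANAGMENT net": ipaddress.ip_network("192.168.20.0/24"),
    "WAN net": ipaddress.ip_network("203.0.113.0/29"),   # only the WAN-side subnet
}
FIREWALL_ADDRS = {"192.168.10.1", "192.168.20.1", "203.0.113.2"}  # "This Firewall" in the GUI

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name or "any"
    dst: str                     # alias name, "any" or "This Firewall"
    ports: Optional[set] = None  # destination ports; None matches any port

def matches(alias: str, addr: ipaddress.IPv4Address) -> bool:
    if alias == "any":
        return True
    if alias == "This Firewall":
        return str(addr) in FIREWALL_ADDRS
    return addr in NETS[alias]

def evaluate(rules: list, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action applied to a packet entering the WAPMANAGMENT interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r.src, s) and matches(r.dst, d) and (r.ports is None or dport in r.ports):
            return r.action
    return "block"  # implicit default deny, as on any pfSense interface

# The rule as posted: the LAN rule copied, but with destination limited to "WAN net".
AS_POSTED = [Rule("pass", "WAPMANAGMENT net", "WAN net")]

# The same interface following viragomann's advice: block the web configurator and
# the LAN at the top of the list, then pass everything else (destination "any").
HARDENED = [
    Rule("block", "WAPMANAGMENT net", "This Firewall", {80, 443}),
    Rule("block", "WAPMANAGMENT net", "FMVNET net"),
    Rule("pass", "WAPMANAGMENT net", "any"),
]
```

Run `evaluate(AS_POSTED, "192.168.20.50", "198.51.100.10", 443)` to see why the posted rule never passes an internet-bound packet, and the same call against `HARDENED` to see it pass while LAN hosts and the web configurator stay blocked.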
                              • YannickBon @viragomann

                                @viragomann Finally! Thank you for your wonderful help. It's been very useful. Now on to more testing.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.