Only partial connection between 2 LANs
-
Hi,
I'm stuck on something that I can't immediately solve.
On my Netgate 4100 I have used LAN for my entire network; now I have come to the point where I would like to move cameras and the smart TV over to LAN2.
LAN 192.168.20.1
LAN2 10.20.20.1
I want the things on LAN2 to only have access to what they need to, that is, the Smart TV must be able to access the Internet and cameras must be able to send an email. It is set up and working. I operate on the principle of deny all, allow the ports that are necessary. Likewise, LAN2 does not have access to the LAN.
From the LAN, I want to be able to access everything on LAN2, so I can see cameras and configure the 2 WiFi devices that are on the LAN2 network.
Now comes the problem.
From the LAN I get a fine connection to my cameras which are in the area of 10.20.20.201:5510. Notice the port is 5510 – 5520.
I can neither ping nor connect to my 2 WiFi devices, which are accessed on port 80. I have investigated it in pfSense/pfTop, and there I get the info I have posted in the attached photo. There is a connection from LAN to LAN2, but no response comes back. I've read up on asymmetric routing, but I can't figure it out.
Is there anyone here who can help?
-
@felix-4
To communicate with devices in other subnets, it's necessary that both devices have a proper gateway setting. I assume your LAN computer will be set properly, though, but check the settings on the WiFi devices. They must use the LAN2 IP of pfSense as their gateway now. Also, many devices block access from outside of their subnet by default, so you have to allow it on their firewall first.
-
Thanks for the reply.
The 2 WiFi devices are "ZyXEL WAP3205 v3 Multifunction Wireless Access Point", and there is only an option to set an IP and a subnet mask, so there is no option there to set a gateway. The IP I give is of course an IP in the LAN2 network, namely 10.20.20.100. I haven't heard about the last thing you mention; I have to check whether it applies to the ZyXEL WAP3205.
So what I have read about asymmetric routing is obviously not applicable here, I can understand. Thought there might be something, since it is port 80 that applies here?
-
@felix-4
Without a gateway there is no way to communicate with any IP outside of its subnet, so you also cannot reach it from another subnet. But to get access to the device, you can masquerade the source IPs in packets destined to the devices with the interface IP on pfSense by an outbound NAT rule.
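As an added illustration of the outbound NAT suggestion above (not part of the original replies, and not pfSense's own generated ruleset), here is the equivalent in pf syntax that the pfSense GUI rule would produce. It assumes the LAN2 interface is named `igc2` and the LAN subnet is 192.168.20.0/24, as stated in the thread; only the access point 10.20.20.100 is masqueraded, so the cameras keep seeing the real LAN source addresses.

```pf
# Constructed example of the pf rules behind an outbound NAT workaround.
# Interface name igc2 is an assumption; adjust to the real LAN2 interface.
lan_net   = "192.168.20.0/24"
lan2_if   = "igc2"
ap_host   = "10.20.20.100"

# Outbound NAT on LAN2: traffic from LAN to the access point leaves pfSense
# with the LAN2 interface address as source. The AP then replies to an
# on-link address and needs no default gateway.
# pfSense GUI equivalent: Firewall > NAT > Outbound, Hybrid mode,
# Interface LAN2, Source 192.168.20.0/24, Destination 10.20.20.100/32,
# Translation "Interface Address".
nat on $lan2_if inet from $lan_net to $ap_host -> ($lan2_if)

# Filter rule on LAN (Firewall > Rules > LAN): permit LAN hosts to reach
# the AP's web interface. This rule runs before NAT, so it matches the
# untranslated LAN source addresses.
pass in quick on igc1 inet proto tcp from $lan_net to $ap_host port 80 \
    flags S/SA keep state
```

Because only the AP is masqueraded, the AP's own logs will show every management session as coming from 10.20.20.1; if you want per-host accountability on LAN2 later, a proper gateway on the device is still the cleaner fix, as noted above.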
-
A better tool for this would be Diag > States filtered by the destination IP.
The photo above really doesn't show enough to be useful here. Screenshots of your firewall rules on LAN and LAN2 would also help, and any floating rules you may have that apply to LAN or LAN2.
Steve