Problems with rules between networks
-
Hi everyone, I have a problem that I can't solve:
I have a pfsense v2.7, with 2 interfaces configured, one called PRODUCTION 192.168.1.0/24 and one LAN 192.168.3.0/24I created some rules, in this way the PRODUCTION network and the LAN network can "see" each other.
In the PRODUCTION network, there are devices that have a class of 192.168.201.0/24. Clearly these devices are seen by the PRODUCTION network if an address of the same subnet is set on the network card, example:
On a Windows PC on the PRODUCTION network it will have an IP of 192.168.1.33 and if a second IP of 192.168.201.33 is also entered, it will also be able to see the devices with 192.168.201.0/24.
The requirement is that the PCs on the LAN network can also see the devices with the 192.168.201.0/24 subnet.
Is there a rule I need to set? Or do you have any other advice for me?Thanks everyone in advance
-
PRODUCTION 192.168.1.0/24
LAN 192.168.3.0/24
192.168.201.0/24 is a third pfSense interface ?@vettalex said in Problems with rules between networks:
The requirement is that the PCs on the LAN network can also see the devices with the 192.168.201.0/24 subnet.
If not already done, put a pass-all on the LAN interfaces that allows traffic to 192.168.201.0/24 subnet.
@vettalex said in Problems with rules between networks:
.... can "see" each other
devices on 'some' network can't see devices on other networks. Other networks, that includes also devices on the WAN network, and what lies behind = the entire internet.
if all goes well - and conditions can apply, a LAN based device can access (send a packet to) any device anywhere. if that device can then send back answer packets, then you might say it can "see" the other device.The word "see" is more valid for the devices on the same network, like 192.168.3.0/24 : they don't need pfSense to talk to each other. Individual (on each device) firewall rules will still apply, though.
-
@Gertjan no, an interface with 192.168.201.0/24 was not created
In the PRODUCTION network (192.168.1.0/24), there are devices with IP 192.168.201.32, 192.168.201.33 etc...I would like to understand how I can show these devices from the LAN network with IP 192.168.3.0/24
Unfortunately on these devices, it is not possible to set a gateway :(
-
@Gertjan Hi, so given how the network is set up, it is not possible to make a device with IP 192.168.201.32, which is under an interface configured with subnet 192.168.1.0/24, communicate with a PC that has IP 192.168.3.45 on another interface with subnet 192.168.3.0/24?
Thanks and sorry if I ask you again -
@vettalex said in Problems with rules between networks:
Unfortunately on these devices, it is not possible to set a gateway :(
If the devices have no option to set a gateway you have to masquerade the traffic to them with an outbound NAT rule, so that responses are directed back to the pfSense interface IP.
-
@vettalex said in Problems with rules between networks:
Unfortunately on these devices, it is not possible to set a gateway :(
Here is an example - but you should create another interface/vlan for devices on this 192.168.201.0/24
So for example, I have some IP cameras on a 10.1.1.0/24 network behind my NVR, they all point to the NVR as their gateway 10.1.1.1, but I want to get to these cameras directly from my networks, so I can view the video via rtsp..
So I created a interface on pfsense 10.1.1.253/24 and put this interface into that L2 network... Now when I want to access a camera at 10.1.1.X pfsense knows how to get there, but since since the cameras have no clue how to get to my 192.168.9.0/24 network other than sending to their gateway, the nvr at 10.1.1.1 it wouldn't work.. Same goes if they have no gateway..
So you create an outbound nat on pfsense that says hey when sending traffic to 10.1.1 make it look its coming from your 10.1.1.253 address, so the cameras just think some other device on 10.1.1 is talking to them and talk directly back to it.
-
@johnpoz Thank you so much, all solved. I learned something else. Thanks again