Can’t access pfsense LAN IP from main network
-
I’m sure I’ve done something dumb, so apologies - but I’m going mad trying to work out what the issue is!
Setup Overview:
- pfSense is running as a VM in Proxmox
- It has two virtual NICs:
  - WAN – bridged to the main physical network (via vmbr0)
  - LAN – used for internal VM subnet (via vmbr1)
- The WAN interface connects to the main router and gets its IP via DHCP
- The LAN interface uses a static IP on a separate subnet
- A static route is configured on the main router, pointing the LAN subnet to the pfSense WAN IP
- pfSense is configured with appropriate firewall rules to allow access from the main subnet
---
I want to be able to access devices on the subnet from my main router (192.168.1.x) without exposing devices to the internet without filtering through pfsense.
Firewalls were created on WAN that would allow access to 192.168.50.1 (the LAN subnet) & access to other devices on the subnet FROM 192.168.1.x
This worked fine at initial setup - a static route was created on my router that meant it worked. Then I had to do a factory reset on my router… at which point everything broke.
The pfsense firewall rules didn’t change, but when I put the static route back on the router I could no longer connect to pfsense via 192.168.50.1 - after some tweaking I’ve managed to access pfsense by its 192.168.1.x IP.
Initial thoughts were that the routing wasn’t working - but I can ping 192.168.50.1 successfully, but the webgui will not appear & I cannot see LAN subnets.
Is there some obvious button I need to press to make things work - I cannot for the life of me see what is different, router settings all seem to be the same and the static route is definitely working!
Grateful if anyone can tell me the obvious mistake I will have made!
-
@helis821 to recap:
- Main router net 192.168.1.x (/24?)
- Static route on main router to route 192.168.50.0/24 to pfSense WAN IP
- pfSense WAN - IP in the 192.168.1.x subnet, per DHCP
- pfSense LAN IP 192.168.50.1, LAN network 192.168.50.0. (/24?)
Does the pfSense WAN get the same IP (static mapping) from the main router? I assume so if you set a static route on the main router.
Is pfSense doing NAT? If pfSense is doing NAT then I don't really see how a static route is necessary since everything behind pfSense is hidden from upstream.
-
@patient0 So my aim is to be able to access 192.168.40.x from my main network devices 192.168.1.x (i.e. access VMs that are being routed through a vpn on a separate subnet)
Rules I've been playing around with below in firewall to achieve this - as mentioned, I can ping 192.168.40.1 (pfsense), but GUI will not open
-
@helis821 said in Can’t access pfsense LAN IP from main network:
Rules I've been playing around with below in firewall to achieve this - as mentioned, I can ping 192.168.40.1 (pfsense), but GUI will not open
Ok, it's not 192.168.50.x anymore as you mentioned in the first post, but 192.168.40.x.
With the 'This Firewall' rule access to the firewall GUI by the 192.168.1.x address should be possible.
And the last rule should work if the destination is .40.0/24. Run a packet capture on WAN if it does not.
-
@patient0 ah - sorry, yes! I started testing another setup, but this setup is 192.168.40.x (and the static route is set to this as well)
This is what I'm getting on 192.168.1.3
WAN packet capture at the time of this from pfsense:
```
16:11:14.224883 ARP, Request who-has 192.168.1.3 (bc:24:11:XX:XX:XX) tell 192.168.1.2, length 46
16:11:14.224893 ARP, Reply 192.168.1.3 is-at bc:24:11:XX:XX:XX, length 28
16:11:14.596387 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:14.596422 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:14.596429 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:14.596432 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:14.596596 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:14.601686 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 694
16:11:14.602154 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:15.694942 IP 192.168.40.1.443 > 192.168.1.2.49998: tcp 0
16:11:16.622917 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:16.623203 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:17.119261 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:17.119290 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:17.119296 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:17.119299 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:17.119463 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:17.124820 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 547
16:11:17.125129 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:19.634265 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:19.634303 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:19.634310 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:19.634313 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:19.634498 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:19.639602 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 578
16:11:19.640711 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:19.894899 IP 192.168.40.1.443 > 192.168.1.2.49998: tcp 0
16:11:21.601269 IP 192.168.1.2.49990 > 192.168.40.1.443: tcp 0
16:11:21.602110 IP 192.168.1.2.50004 > 192.168.40.1.443: tcp 0
16:11:21.602141 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:21.632885 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:21.633100 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:22.158283 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:22.158314 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:22.158321 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:22.158324 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:22.158499 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:22.163814 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 544
16:11:22.164154 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:22.661269 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:24.682759 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:24.682786 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:24.682797 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:24.682800 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:24.682966 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:24.687997 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 632
16:11:24.688405 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:24.894967 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:26.647993 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:26.648321 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:27.193535 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:27.193566 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:27.193573 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:27.193576 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:27.193814 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:27.199199 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 544
16:11:27.200534 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:29.089984 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:29.707864 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:29.707895 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:29.707903 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:29.707906 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:29.708057 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:29.713382 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 602
16:11:29.713786 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:31.662120 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:31.662335 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:31.676897 IP 192.168.1.2.49998 > 192.168.40.1.443: tcp 0
16:11:32.234914 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:32.234946 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:32.234951 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:32.234955 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:32.235124 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:32.240455 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 525
16:11:32.240820 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:34.750512 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:34.750540 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:34.750546 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:34.750549 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:34.750698 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:34.755817 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 591
16:11:34.756173 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:36.675964 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:36.676137 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:37.280826 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:37.280850 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:37.280856 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:37.280859 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:37.281024 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:37.286405 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 524
16:11:37.286792 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:38.546192 ARP, Request who-has 192.168.1.2 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 46
16:11:39.793292 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:39.793323 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:39.793329 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:39.793332 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:39.793501 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:39.798519 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 626
16:11:39.798873 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
16:11:40.765636 IP 192.168.1.2.50004 > 192.168.40.1.443: tcp 0
16:11:40.766361 IP 192.168.1.2.50010 > 192.168.40.1.443: tcp 0
16:11:40.766413 IP 192.168.40.1.443 > 192.168.1.2.50010: tcp 0
16:11:41.688409 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:41.688637 IP 192.168.1.2.63700 > 192.168.1.255.32414: UDP, length 21
16:11:41.794969 IP 192.168.40.1.443 > 192.168.1.2.50010: tcp 0
16:11:42.305571 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:42.305602 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:42.305608 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 202
16:11:42.305611 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:42.305803 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 35
16:11:42.311098 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 572
16:11:42.311503 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 0
```
-
@helis821 said in Can’t access pfsense LAN IP from main network:
```
16:11:14.224883 ARP, Request who-has 192.168.1.3 (bc:24:11:XX:XX:XX) tell 192.168.1.2, length 46
16:11:14.224893 ARP, Reply 192.168.1.3 is-at bc:24:11:XX:XX:XX, length 28
16:11:14.596387 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:14.596422 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
```
This is what I'm getting on 192.168.1.3

If you put your packet capture between three "`" it will look like code (Markdown syntax).
I'm not sure. Does it work from the pfSense LAN?
It looks like the connection to port 443 does work but then no handshake happens. I haven't used Windows in a long time but in other threads there was the issue that the Windows firewall blocks connections from non-local networks. Maybe disable the Windows firewall or use a non-Windows client?
-
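An added diagnostic, not from anyone in this thread, that makes patient0's reading of the capture mechanical: it parses tcpdump summary lines like the ones above, groups them per TCP connection, and flags port-443 connections that were answered but never carried a single byte of payload (no TLS ClientHello ever went out). The sample lines are copied from the thread's WAN capture; the function names and the assumption that the lower port number is the server side are mine.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the thread's WAN capture.
# 192.168.1.3 is the pfSense WAN address, 192.168.40.1 its LAN address,
# 192.168.1.2 the Windows client on the main network.
SAMPLE_CAPTURE = """\
16:11:14.224883 ARP, Request who-has 192.168.1.3 (bc:24:11:XX:XX:XX) tell 192.168.1.2, length 46
16:11:14.596387 IP 192.168.1.2.49880 > 192.168.1.3.443: tcp 85
16:11:14.596422 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 0
16:11:14.601686 IP 192.168.1.3.443 > 192.168.1.2.49880: tcp 694
16:11:15.694942 IP 192.168.40.1.443 > 192.168.1.2.49998: tcp 0
16:11:16.622917 IP 192.168.1.2.63698 > 192.168.1.255.32412: UDP, length 21
16:11:21.602110 IP 192.168.1.2.50004 > 192.168.40.1.443: tcp 0
16:11:21.602141 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:22.661269 IP 192.168.40.1.443 > 192.168.1.2.50004: tcp 0
16:11:31.676897 IP 192.168.1.2.49998 > 192.168.40.1.443: tcp 0
"""

# tcpdump's default (non-verbose) TCP summary: "src.port > dst.port: tcp <payload bytes>".
# ARP and UDP lines do not match and are skipped.
TCP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): tcp (\d+)$"
)

def summarize_tcp_flows(capture_text):
    """Map (client_ip, client_port, server_ip, server_port) -> payload bytes per direction.

    Assumption: the side with the lower port number is the server (true for 443 here).
    """
    flows = defaultdict(lambda: {"c2s": 0, "s2c": 0, "packets": 0})
    for line in capture_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        payload = int(m.group(5))
        if dport < sport:   # client -> server
            key, direction = (src, sport, dst, dport), "c2s"
        else:               # server -> client
            key, direction = (dst, dport, src, sport), "s2c"
        flows[key][direction] += payload
        flows[key]["packets"] += 1
    return dict(flows)

def stalled_tls_flows(flows):
    """Port-443 connections where packets were exchanged but no payload ever flowed.

    "tcp 0" segments are handshake/control packets only (default tcpdump output hides
    the flags), so this is exactly the "connects but no TLS handshake" symptom.
    """
    return sorted(k for k, v in flows.items()
                  if k[3] == 443 and v["packets"] > 0 and v["c2s"] == 0 and v["s2c"] == 0)
```

Feed it the full capture from the thread and the only stalled connections reported are those to 192.168.40.1, while the 192.168.1.3 connection shows payload in both directions.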
hey there,
I am by no means a network expert (rather a noob, an amateur user ;))...so forgive me, in case I'm b§$%&tting around: it seems to me as if you try to connect via https, but your address on .40 offers only http/1.1...so the failed handshake might not have anything to do with routing but rather with you trying https but getting offered only http.
At least that's my interpretation of your screenshot.
:) -
@patient0 yep, works from pfsense LAN - also, just tried routing a test VM Ubuntu desktop through vmbr0 on pfsense & it can access both 192.168.1.1 and 192.168.40.1 - not sure if that’s due to it not being windows OR that vmbr0 is on the same WAN?
Not sure I’ve got another device to test from though! mobile (iOS) also can’t access 192.168.40.1 but can get to 192.168.1.3 - what’s strange is that my windows desktop and mobile could access before router reset
-
@helis821 forgot to say - also doesn't work with windows firewall disabled