LAN –> OPT1 won't work



  • I cannot get something that I thought I had my head around to work, and I have it working at work where I have set up something similar, but not here at home for some reason.

    Setup:

    pfSense 1.2.3-RELEASE
    3 network cards, WAN, LAN, and OPT1

    LAN is connected to a gigE switch, IP of 192.168.100.1/24, everything works fine, and has for over a year
    OPT1 I have enabled with an IP of 192.168.102.50/24
    DLink DI-624 set with static IP of 192.168.102.1/24, with cable going from one of the LAN ports on the DLink to the OPT1 interface

    Problem:

    I am trying to access the web setup of the DLink from the LAN side.  I can ping 192.168.102.1 from Diagnostics –> Ping, and it comes back fine.

    When I try to ping the DLink from my PC, I get nothing.  I have tried adding rules to the OPT1 and LAN firewall pages allowing all to all, but that does not help.

    I am completely stumped, and am sure it's something simple.  Any ideas?  At this point, I am not even trying to allow access by wireless clients to the WAN, because once I have the DLink set up so that I can access the web interface, I am going to turn on encryption in it, and then set up the Captive Portal on the OPT1 interface.

    Thanks for all your help



  • Your DI-624 most likely doesn't have a way to specify a default gateway, or you failed to specify one.

    Roy…



  • Ok - couple of changes to the above setup:

    OPT1 is now WLAN
    WLAN is 192.168.103.1/24
    DLink is 192.168.102.2/24

    I have followed these instructions:
    http://bitworking.org/news/Configuring_the_D_Link_DI_624_as_only_a_wireless_access_point

    Note that when I have the DLink connected to the second ethernet port of my PC, and that port configured in Windows as 192.168.103.1/24, I can access the web interface.  It is when it has to go across the pfSense box that it becomes inaccessible.

    I ran a Packet Capture, and it looks like this:

    01:05:12.077624 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
    01:05:15.041397 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
    01:05:21.080069 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
    01:05:22.077255 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 254
    01:05:22.077464 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 272
    01:05:22.077668 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 326
    01:05:22.078204 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 318
    01:05:22.078873 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 248
    01:05:22.079083 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 290
    01:05:22.079633 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 322
    01:05:22.080337 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 268
    01:05:22.080556 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 320
    01:05:22.081142 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 314
    01:05:22.081834 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 246
    01:05:22.082057 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 289
    01:05:22.082601 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 319
    

    I started the packet capture, went to another tab in Firefox, and then tried to access the web interface address, which timed out, as it always has.  I have all default rules in place, and have added one on the WLAN tab, allowing any protocol, from the WLAN interface.
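    A quick way to read a capture like the one above, as an added example that is not part of the thread: the lines are in tcpdump's quiet (-q) output format, where "tcp 0" is the payload length rather than a flag summary, so SYN and SYN/ACK cannot be told apart directly. What the capture does show is direction. The script below (my code, not pfSense's) pairs TCP packets into flows, reports any flow where packets left toward a host but nothing ever came back, and checks whether the client address is even on the captured interface's subnet, since a host with no default gateway can answer on-subnet pings (which is why Diagnostics > Ping works) but has no route back to an off-subnet client. The sample lines are constructed from the post's capture; the interface network 192.168.103.0/24 and pfSense address 192.168.103.1 are taken from the post.

```python
import ipaddress
import re

# Constructed sample input, modelled on the Diagnostics > Packet Capture output
# quoted in the post above (tcpdump -q format: "tcp 0" is payload length).
# Three connection attempts to the access point's web interface, then SSDP
# multicast chatter transmitted by the access point itself.
SAMPLE_CAPTURE = """\
01:05:12.077624 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
01:05:15.041397 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
01:05:21.080069 IP 192.168.101.254.2866 > 192.168.103.2.80: tcp 0
01:05:22.077255 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 254
01:05:22.077464 IP 192.168.103.2.1900 > 239.255.255.250.1900: UDP, length 272
"""

# Constructed contrast case: the same attempt, but the access point answers.
SAMPLE_ANSWERED = SAMPLE_CAPTURE + \
    "01:05:21.080500 IP 192.168.103.2.80 > 192.168.101.254.2866: tcp 0\n"

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>tcp|UDP)"
)


def parse_capture(text):
    """Parse tcpdump -q style lines into packet dicts; lines that do not
    match (ARP, truncated output, headers) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        })
    return packets


def find_unanswered_tcp(packets):
    """Group TCP packets into flows (client = whoever sent the first packet
    of the 4-tuple) and return the flows with zero packets in the reverse
    direction, i.e. attempts that never got any answer on this interface."""
    flows = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        a = (p["src"], p["sport"])
        b = (p["dst"], p["dport"])
        key = tuple(sorted([a, b]))
        flow = flows.setdefault(key, {"client": a, "server": b, "fwd": 0, "rev": 0})
        if a == flow["client"]:
            flow["fwd"] += 1
        else:
            flow["rev"] += 1
    return [f for f in flows.values() if f["rev"] == 0]


def diagnose(text, capture_iface_net, pfsense_iface_ip):
    """Return one finding string per unanswered TCP flow, noting whether the
    target host is alive (it transmitted anything at all) and whether the
    client is off-subnet, in which case the target needs a route back."""
    packets = parse_capture(text)
    net = ipaddress.ip_network(capture_iface_net)
    findings = []
    for f in find_unanswered_tcp(packets):
        client, server = f["client"][0], f["server"][0]
        seen_from_server = sum(1 for p in packets if p["src"] == server)
        msg = (f"{client}:{f['client'][1]} -> {server}:{f['server'][1]}: "
               f"{f['fwd']} packet(s) out, 0 back.")
        if seen_from_server:
            msg += (f" {server} transmitted {seen_from_server} other packet(s),"
                    f" so the link is up.")
        if ipaddress.ip_address(client) not in net:
            msg += (f" {client} is outside {net}; {server} can only reply if it"
                    f" has a route back, i.e. a default gateway of {pfsense_iface_ip}.")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CAPTURE, "192.168.103.0/24", "192.168.103.1"):
        print(finding)
```

    Run against the post's capture this reports a single flow, three packets out to 192.168.103.2:80 and none back, with the access point clearly alive (it is sending SSDP) and the client 192.168.101.254 off the 192.168.103.0/24 segment, which is the pattern of a target that has no route back rather than a firewall block on pfSense (a pf block would have kept the packets off the WLAN wire in the first place).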



  • There is a FAQ that explains the best way to set up a wifi AP.
    http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
    That is the best solution.

    Now if you are trying to access a single device from one network to the other network, then you should create an alias for that device, i.e. 'dlink', and then a firewall pass rule to pass LAN traffic to OPT1: [ * | LAN net | * | dlink | ] and vice versa on OPT1: . This should give any PC on the LAN side access to your dlink. Basic MANY to ONE.

    Now for MANY to MANY you won't need to set up any aliases, just straight firewall rules pointing LAN subnet to OPT1 subnet. LAN: [*|LAN net|*|OPT1 net|*], OPT1: [*|OPT1 net|*|LAN net|*]. This should allow all traffic in both directions.
    
    And last, the ONE to ONE, whereby you would create two aliases, one for a 'PC' and one for 'dlink', and then create a firewall pass rule to pass PC traffic to dlink: [ * | PC | * | dlink | *] and vice versa on OPT1: *. This should allow access from your PC to your dlink ONLY and should not pass any other traffic from LAN to OPT1.
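    The three rule shapes above, written out as the pf rules they correspond to, as an added illustration that is not pfSense's generated ruleset and not part of the thread. pfSense compiles each GUI alias into a pf table and each GUI rule into a `pass in` rule on the interface where the traffic enters. The networks are the thread's own; the interface names fxp0/fxp1 and the admin PC address 192.168.100.10 are assumptions. The three sections are shown together only for comparison; a real ruleset would use one of them.

```pf
# Interface macros (names assumed) and the two networks from the thread.
lan_if   = "fxp0"
opt1_if  = "fxp1"
lan_net  = "192.168.100.0/24"
opt1_net = "192.168.103.0/24"

# The 'dlink' and 'PC' aliases from the post, as pf tables.
# 192.168.100.10 is an assumed address for the admin PC.
table <dlink> { 192.168.103.2 }
table <pc>    { 192.168.100.10 }

# Default policy: anything not explicitly passed is dropped and logged.
block log all

# MANY to ONE: every LAN host may open connections to the access point.
# pf is stateful: the access point's replies match the state entry created
# by this rule and come back through OPT1 without needing a rule there.
pass in quick on $lan_if from $lan_net to <dlink> keep state
# The "vice versa" rule is only needed if the access point itself should
# be able to initiate connections toward the LAN.
pass in quick on $opt1_if from <dlink> to $lan_net keep state

# MANY to MANY: whole subnets in both directions, no tables required.
pass in quick on $lan_if  from $lan_net  to $opt1_net keep state
pass in quick on $opt1_if from $opt1_net to $lan_net  keep state

# ONE to ONE (least privilege): a single admin PC may reach the access
# point and nothing else crosses from LAN to OPT1. pfSense evaluates GUI
# rules top-down with first match winning, so in the GUI this rule must
# sit above any broader pass rule; "quick" gives the same effect here.
pass in quick on $lan_if from <pc> to <dlink> keep state
```

    Whichever shape is used, the rules only decide whether pfSense forwards the packet onto the OPT1 segment. The access point still has to know how to send its replies back to a LAN address, which for a device on 192.168.103.0/24 means a default gateway of 192.168.103.1, the pfSense OPT1 address. Diagnostics > Ping from pfSense succeeds without that setting because pfSense sources the ping from 192.168.103.1, on the same segment, so the access point needs no route to answer it; a PC on the LAN is off-segment and does.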

Locked