Wan - lan - opt1 and problems …



  • For two days I have been trying to find an answer to my problem. Basically I have WAN and LAN functioning perfectly; I decided to use OPT1 for a separate subnet.

    my setup

    lan    192.168.0.1/24
    opt1  192.168.10.1/24

    I enabled OPT1 and set the type to static/192.168.10.1,
    then under DHCP server I enabled the DHCP server for OPT1 and set it as follows:

    Subnet 192.168.10.0
    Subnet mask 255.255.255.0
    Available range 192.168.10.0 - 192.168.10.255
    Range 192.168.10.10 to 192.168.10.20

    and added a firewall rule under OPT1, the same as the default LAN rule, which is:

    Proto  Source    Port  Destination  Port  Gateway  Schedule  Description
    *      LAN2 net  *     *            *     *        *

    After I rebooted pfSense (just to make sure, after reading some posts), on the LAN side everything is OK, but on the OPT1 side (OPT1 is connected to a separate switch) the client cannot get an IP address. Here is some more info:

    $ ifconfig -a
    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether xx:xx:xx:xx:xx:xx
            inet6 fe80::219:d1ff:fe82:5b44%sis0 prefixlen 64 scopeid 0x1
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether xx:xx:xx:xx:xx:xx
            inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
            inet6 fe80::202:a5ff:fe4e:d706%em0 prefixlen 64 scopeid 0x2
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether xx:xx:xx:xx:xx:xx
            inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
            inet6 fe80::202:a5ff:fe4e:d707%em1 prefixlen 64 scopeid 0x3
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    enc0: flags=0<> metric 0 mtu 1536
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
            pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
            inet 206.248.XXX.XXX --> 206.248.XXX.XXX netmask 0xffffffff
            inet6 fe80::219:d1ff:fe82:5b44%ng0 prefixlen 64 scopeid 0x8

    and some more

    LAN interface (em0)
    Status          up
    MAC address     xx:xx:xx:xx:xx:xx
    IP address      192.168.0.1
    Subnet mask     255.255.255.0
    Media           100baseTX <full-duplex>
    In/out packets  80983/85428 (20.64 MB/68.10 MB)
    In/out errors   0/0
    Collisions      0

    LAN2 interface (em1)
    Status          up
    MAC address     xx:xx:xx:xx:xx:xx
    IP address      192.168.10.1
    Subnet mask     255.255.255.0
    Media           100baseTX <full-duplex>
    In/out packets  0/0 (0 bytes/292 bytes)
    In/out errors   23/1
    Collisions      0

    What I am trying to achieve,

    first        use properly dhcp on opt1
    second  opt1 cannot talk to lan subnet, can access internet
                lan can talk to opt1 access internet

    Any help on this will be highly appreciated; also thanks for the answers...



  • Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0? What is destroying the incoming packets? This has to be fixed before you will be able to get much further.

    When a system initially requests an IP address by DHCP it doesn't have a "real" IP address, certainly not one on the LAN2 subnet. (I think 0.0.0.0 is typically used as the source IP address in initial "cold start" DHCP requests.) Hence a DHCP request is unlikely to pass your firewall rule. Depending on your security requirements for traffic between LAN and LAN2 you might want to add a firewall rule to LAN2 along the lines of

    Proto  Source  Port   Destination  Port   Gateway  Schedule  Description
    UDP    *       67-68  *            67-68  *        *         Allow DHCP

    You wrote that LAN can talk to OPT1, but there is no sign of any received packets on OPT1. How were you attempting to talk to OPT1, and what response were you getting?
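To make the "cold start" point concrete, here is an added example (not part of the thread, and not pfSense code) that builds a DHCPDISCOVER the way a client with no address sends it and then checks it against the two rules discussed above. The MAC address and transaction ID are constructed, and the "LAN2 net" rule is modelled as a plain source-subnet test; the packet layout follows RFC 2131/2132.

```python
"""DHCPDISCOVER as seen by a per-interface firewall rule (added example)."""
import ipaddress
import struct

BOOTREQUEST = 1
DHCPDISCOVER = 1            # value of option 53 (DHCP message type)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236             # BOOTP fixed header, up to and including 'file'


def build_discover(mac: bytes, xid: int) -> bytes:
    """Return the UDP payload of a DHCPDISCOVER (RFC 2131 section 4.4.1).

    ciaddr/yiaddr/siaddr/giaddr are all zero: the client has no address
    yet, which is also why the IP header carries 0.0.0.0 as its source.
    flags=0x8000 asks the server to broadcast its reply.
    """
    fixed = struct.pack("!BBBBIHH4s4s4s4s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")            # 16-byte hardware address field
    sname_file = b"\0" * (64 + 128)          # unused server name / boot file
    options = MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])   # type, then END
    return fixed + chaddr + sname_file + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields a firewall operator cares about from a DHCP payload."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = str(ipaddress.IPv4Address(payload[12:16]))
    chaddr = payload[28:28 + hlen].hex(":")
    if payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    msg_type = None
    opts = payload[FIXED_LEN + 4:]
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == 255:                      # END
            break
        if code == 0:                        # PAD
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags, "ciaddr": ciaddr,
            "chaddr": chaddr, "msg_type": msg_type}


def discover_five_tuple() -> tuple:
    """The L3/L4 header a cold-start DISCOVER is carried in; this, not the
    DHCP payload, is what a rule on the OPT1 interface evaluates."""
    return ("udp", "0.0.0.0", 68, "255.255.255.255", 67)


def source_in_net(src: str, net: str) -> bool:
    """Does a rule with Source = '<interface> net' match this source address?"""
    return ipaddress.ip_address(src) in ipaddress.ip_network(net)


def allow_dhcp_rule_matches(proto: str, sport: int, dport: int) -> bool:
    """The 'UDP * 67-68 -> * 67-68 Allow DHCP' rule suggested above."""
    return proto == "udp" and 67 <= sport <= 68 and 67 <= dport <= 68


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("0002a54e0001"), 0x3903F326)   # constructed MAC / xid
    print(parse_dhcp(pkt))
    proto, src, sport, dst, dport = discover_five_tuple()
    print("matches 'LAN2 net' source:", source_in_net(src, "192.168.10.0/24"))
    print("matches Allow DHCP rule  :", allow_dhcp_rule_matches(proto, sport, dport))
```

Run it and the first check comes back False and the second True: a rule whose source is the OPT1 subnet cannot admit a packet from 0.0.0.0, while the UDP 67-68 rule does. The same 5-tuple is what to look for with tcpdump on em1 when confirming that the DISCOVER actually reaches the box.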



  • @wallabybob:

    Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0? What is destroying the incoming packets? This has to be fixed before you will be able to get much further.

    Yes, I did. I think it is because I unplugged the Ethernet cable from the NIC a couple of times, since DHCP was failing to assign an IP to the clients on LAN2.

    If I can get some help, I want to first confirm that my setup mentioned before is correct (for the interface assignment, and the DHCP settings related to it).

    INTERFACES / OPT1

    TYPE STATIC
    192.168.10.1/24

    SERVICES / DHCP FOR OPT1

    Subnet           192.168.10.0
    Subnet mask      255.255.255.0
    Available range  192.168.10.0 - 192.168.10.255
    Range            192.168.10.10 - 192.168.10.20

    as for the rules I have only one for now

    Proto  Source    Port  Destination  Port  Gateway  Schedule
    *      LAN2 net  *     *            *     *        *

    When I create OPT1 (static, with IP 192.168.10.1) and enable DHCP on it, I can ping that gateway from the 192.168.0.0 subnet.

    Also some more info from the DHCP logs:

    Jan  7 23:22:16 pfsense dhcpd: Listening on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
    Jan  7 23:22:16 pfsense dhcpd: Sending on  BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
    Jan  7 23:22:16 pfsense dhcpd: Listening on BPF/em0/00:02:a5:4e:XX:XX/192.168.0/24
    Jan  7 23:22:16 pfsense dhcpd: Sending on  BPF/em0/00:02:a5:4e:XX:XX/192.168.0/24
    Jan  7 23:22:16 pfsense dhcpd: Sending on  Socket/fallback/fallback-net

    I think it should be a VERY easy task, but why? Why me ???



  • I don't know enough details about what you have done, but on the evidence I would suspect a problem with incoming frames on the OPT1 interface.

    I would configure a system connected to OPT1 with a static IP address in the OPT1 subnet range, and then verify that when I ping that system from the pfSense console I get a ping response, and that when I ping the pfSense OPT1 interface IP address from the OPT1 system with the fixed IP address I get a ping response.

    I can't see any problem with your OPT1 configuration other than the firewall rule issue I pointed out previously.
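The interface counters are what the "incoming frames" suspicion rests on: errors in, nothing received, while the interface did transmit. Here is an added check (not from the thread) that pulls those counters out of a `netstat -ibn` listing and flags interfaces in exactly that state, so the box itself can tell you whether em1 has started receiving good frames after each cable/switch change. The listing below is constructed to mirror the numbers posted above; the column layout (Name Mtu Network Address Ipkts Ierrs Ibytes Opkts Oerrs Obytes Coll) is the FreeBSD one and is assumed, but columns are located by header name and indexed from the right, so a release with an extra Idrop column also parses.

```python
"""Flag interfaces that count input errors but never deliver a frame (added example)."""
import sys

# Constructed sample in `netstat -ibn` layout; em0/em1 counters mirror the
# interface status posted in the thread, MACs and the rest are made up.
SAMPLE = """\
Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
em0  1500 <Link#2>      00:02:a5:4e:d7:06    80983     0   21642854    85428     0   71406387     0
em0  1500 192.168.0.0/2 192.168.0.1          80983     -   21642854    85428     -   71406387     -
em1  1500 <Link#3>      00:02:a5:4e:d7:07        0    23          0        1     1        292     0
em1  1500 192.168.10.0/ 192.168.10.1             0     -          0        1     -        292     -
lo0 16384 <Link#4>                             1200     0     120000     1200     0     120000     0
"""

COUNTERS = ("Ipkts", "Ierrs", "Opkts", "Oerrs")


def parse_netstat_ibn(text: str) -> list:
    """Return one dict per interface with its link-level packet/error counters.

    Columns are found by header name and indexed from the right, because the
    Address column is blank on some link rows (lo0 above) and would shift a
    left-to-right split.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    offset = {name: len(header) - header.index(name) for name in COUNTERS}
    rows = []
    for line in lines[1:]:
        if "<Link#" not in line:         # per-address rows repeat the counters; skip
            continue
        fields = line.split()
        row = {"name": fields[0]}
        for name in COUNTERS:
            value = fields[-offset[name]]
            row[name.lower()] = 0 if value == "-" else int(value)
        rows.append(row)
    return rows


def dead_ingress(rows: list) -> list:
    """Interfaces with input errors but not a single delivered frame: the link
    is up, something arrives, and all of it is being discarded."""
    return [r["name"] for r in rows if r["ipkts"] == 0 and r["ierrs"] > 0]


def sending_only(rows: list) -> list:
    """Interfaces that transmitted but received nothing at all, errors or not:
    look at cabling, the switch port or VLAN on the receive side."""
    return [r["name"] for r in rows if r["opkts"] > 0 and r["ipkts"] == 0]


if __name__ == "__main__":
    # usage on the firewall: netstat -ibn | python3 ifcheck.py   (falls back to SAMPLE)
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_netstat_ibn(text or SAMPLE)
    print("input errors, no good frames received:", dead_ingress(rows))
    print("transmitting but receiving nothing   :", sending_only(rows))
```

On the sample both checks name em1 only. Once a DISCOVER is actually reaching the box, Ipkts on em1 rises with every request even if the DHCP exchange still fails, which separates a layer-1/2 problem from a rule or dhcpd problem.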



  • I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.

    Now I need help with a firewall rule. What I am trying to achieve:

    LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the Internet connection
    OPT1 = cannot see the LAN subnet and Internet connection,

    Thank you in advance.



  • @dbx655:

    I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.

    You got your desired configuration working in a VM environment?

    @dbx655:

    Now I need help with a firewall rule. What I am trying to achieve:

    LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the Internet connection
    OPT1 = cannot see the LAN subnet and Internet connection,

    Firewall rules apply on the input side of the firewall. Firewall rules are processed in order until a match is seen.

    The default configuration gives what you ask for LAN. I'm not sure if I should read your OPT1 requirements as "cannot access LAN and cannot access Internet" or as "can access Internet and cannot access LAN". The latter is probably more useful, so, firewall rules on OPT1:
    Rule 1: BLOCK anything to LAN subnet
    Rule 2: Allow anything to anywhere
    I'd turn on logging on Rule 1 so you can more readily verify it does what you want.



  • Yes, in a VM things are better than a cold basement :) OK, with those tips I have almost configured my PCs in the VM (but with both network adapters manually configured) 192.168.10.1/192.168.20.1

    I achieved almost all I wanted, except this:

    I cannot explore OPT1 from LAN in Windows (Network, computers), but from LAN (on the same machine) I can RDP and ping into the OPT1 machine and ping both gateways. My firewall rules are:

    LAN
    default rule plus UDP 67-68

    OPT1
    the rules that you asked me to add, in their order

    How can I see the OPT1 machines from the LAN computers' network shares view in Windows?

    Thanks



  • I suspect Windows network browsing might be limited to the "local" subnet due to the protocol mechanisms involved (subnet broadcasting? or LAN multicasting by MAC address?).

    However, it is still possible to browse a known computer in another subnet by specifying it by name or IP address, e.g. in Windows Explorer: \\winhost or \\192.168.20.56.



  • I know that, but for some reason it doesn't work. Again, I can ping, RDP etc. but cannot browse shares. Maybe some other specific ports to open?



  • Works for me: I have a Linux system with Samba on OPT3 and a few Win2k systems on LAN, and all the Win2k systems can see the Samba shares on the Linux system on OPT3.

    OPT3 has a rule: pass anything to everywhere. I expect a more restrictive rule set would suffice.

    I suggest you check your firewall log. It would probably give some hints about ports to LAN that might need to be opened on your OPT1.



  • Maybe the block rule towards LAN? Because for me OPT1 will be a one-way network. I don't know how it works, but we open the door to OPT1; does OPT1 have to send something back to LAN, and because of the block back to LAN I cannot see the shares? But then how come ping and RDP work? On the VM the test systems are XPs; on the real network the two systems are Server 2003s. I really don't know what to do. Also, for a couple of days I have been experiencing PPPoE drops on the WAN port.



  • When the firewall allows a connection through, it also constructs a temporary rule specific to that connection, to allow the back traffic.

    I don't know the details of how Windows Explorer discovers the shares. It's possible the server attempts to create a new connection (or more) back to the client. These new connections would be blocked by the rule I suggested.
    If you have logging on the OPT1 rule, then any attempt by the Windows server to establish a "back connection" to the LAN should appear in the firewall log, and the information logged will allow you to add firewall rules to allow these back connections.

    But I don't recall reading a description of the security policy for OPT1; you might want something much more relaxed.
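Putting wallabybob's two explanations together (rules are evaluated in order on the interface where the traffic enters, and a passed connection leaves a temporary state that lets the back traffic through), here is an added example, not from the thread and not pfSense's own code, that models the "block to LAN subnet (logged), then pass to anywhere" rule set on OPT1 with the default rule on LAN. It shows why ping and RDP from LAN into OPT1 work, why OPT1 still reaches the Internet, and why a brand-new connection the OPT1 machine opens back toward LAN (the kind a share browser may need) is dropped and logged. It is a simplification of pf (states are not bound to an interface, no TCP flag tracking); hosts and ports are constructed.

```python
"""First-match, stateful per-interface filtering, as a small model (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.0.0/24")   # LAN subnet from the thread


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet ENTERS the firewall on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    proto: str = "any"
    src: Optional[ipaddress.IPv4Network] = None   # None means any
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None
    log: bool = False
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return True


# LAN keeps its default "LAN net to any" rule; OPT1 gets the two rules
# suggested above: block to the LAN subnet (logged), then pass to anywhere.
RULES = {
    "lan": [Rule("pass", src=LAN_NET, descr="Default allow LAN to any")],
    "opt1": [Rule("block", dst=LAN_NET, log=True, descr="Block OPT1 to LAN subnet"),
             Rule("pass", descr="Allow OPT1 to anywhere")],
}


class Firewall:
    def __init__(self, rules: dict):
        self.rules = rules
        self.states = set()        # 5-tuples of connections a pass rule admitted
        self.log: List[str] = []

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State lookup comes first: replies to an admitted connection pass
        # even where a rule on this interface would block a new one.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        for rule in self.rules.get(p.iface, []):   # first match wins
            if rule.matches(p):
                if rule.log:
                    self.log.append(f"{rule.action} {p.iface} {p.proto} {p.src}:{p.sport}"
                                    f" -> {p.dst}:{p.dport} [{rule.descr}]")
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        return "block"                             # nothing matched: default deny


def run_scenarios() -> Tuple[dict, List[str]]:
    """Constructed hosts: 192.168.0.20 on LAN, 192.168.10.15 on OPT1."""
    fw, r = Firewall(RULES), {}
    # OPT1 host tries RDP into a LAN host: OPT1 rule 1 blocks and logs it
    r["opt1_to_lan_rdp"] = fw.filter(Packet("opt1", "tcp", "192.168.10.15", 51000, "192.168.0.20", 3389))
    # OPT1 host to the Internet: rule 1 does not match, rule 2 passes
    r["opt1_to_internet"] = fw.filter(Packet("opt1", "tcp", "192.168.10.15", 51001, "203.0.113.10", 443))
    # LAN host RDPs into the OPT1 host: LAN default rule passes and creates state
    r["lan_to_opt1_rdp"] = fw.filter(Packet("lan", "tcp", "192.168.0.20", 52000, "192.168.10.15", 3389))
    # the OPT1 host's reply enters on opt1: matched by state, block rule never consulted
    r["opt1_reply"] = fw.filter(Packet("opt1", "tcp", "192.168.10.15", 3389, "192.168.0.20", 52000))
    # the OPT1 host opens a NEW connection back to the LAN host (NetBIOS session, 139):
    # no state covers it, so rule 1 blocks it, and the log line shows what to open
    r["opt1_back_connection"] = fw.filter(Packet("opt1", "tcp", "192.168.10.15", 49200, "192.168.0.20", 139))
    return r, fw.log


if __name__ == "__main__":
    results, log = run_scenarios()
    for name, verdict in results.items():
        print(f"{name:22s} {verdict}")
    print("\n".join(log))
```

The logged line for the back connection is the kind of entry the thread recommends reading from the firewall log: it names the destination port on LAN that a narrower pass rule (placed above the block) would have to allow. Whether to open it at all is the OPT1 security-policy question raised in the last reply.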

