Netgate Discussion Forum

    Wan - lan - opt1 and problems …

    Category: DHCP and DNS
    12 Posts 2 Posters 5.5k Views
    • dbx655

      For two days I have been trying to find an answer to my problem. Basically I have WAN and LAN functioning perfectly, and I decided to use OPT1 for a separate subnet.

      My setup:

      lan   192.168.0.1/24
      opt1  192.168.10.1/24

      I enabled opt1 and set the type to static/192.168.10.1.
      Then, under DHCP server, I enabled the DHCP server for opt1 and set it as follows:

      Subnet           192.168.10.0
      Subnet mask      255.255.255.0
      Available range  192.168.10.0 - 192.168.10.255
      Range            192.168.10.10 to 192.168.10.20

      and added a firewall rule under opt1, the same as the default LAN rule, which is:

      Proto  Source    Port  Destination  Port  Gateway  Schedule  Description
      *      LAN2 net  *     *            *     *        *

      After I rebooted pfSense (just to make sure, after reading some posts), on the LAN side everything is OK, but on the OPT1 side (opt1 is connected to a separate switch) the client cannot get an IP address. Here is some more info:

      $ ifconfig -a
      sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=8<VLAN_MTU>
              ether xx:xx:xx:xx:xx
              inet6 fe80::219:d1ff:fe82:5b44%sis0 prefixlen 64 scopeid 0x1
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              ether xx:xx:xx:xx:xx:xx
              inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
              inet6 fe80::202:a5ff:fe4e:d706%em0 prefixlen 64 scopeid 0x2
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              ether xx:xx:xx:xx:xx:xx:xx
              inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
              inet6 fe80::202:a5ff:fe4e:d707%em1 prefixlen 64 scopeid 0x3
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
      enc0: flags=0<> metric 0 mtu 1536
      pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
              pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
      pflog0: flags=100<PROMISC> metric 0 mtu 33204
      ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
              inet 206.248.XXX.XXX --> 206.248.XXX.XXX netmask 0xffffffff
              inet6 fe80::219:d1ff:fe82:5b44%ng0 prefixlen 64 scopeid 0x8

      And some more:

      LAN interface (em0)
      Status           up
      MAC address      xx:xx:xx:xx:xx
      IP address       192.168.0.1
      Subnet mask      255.255.255.0
      Media            100baseTX <full-duplex>
      In/out packets   80983/85428 (20.64 MB/68.10 MB)
      In/out errors    0/0
      Collisions       0

      LAN2 interface (em1)
      Status           up
      MAC address      xx:xx:xx:xx:xx
      IP address       192.168.10.1
      Subnet mask      255.255.255.0
      Media            100baseTX <full-duplex>
      In/out packets   0/0 (0 bytes/292 bytes)
      In/out errors    23/1
      Collisions       0

      What I am trying to achieve:

      first   use DHCP properly on opt1
      second  opt1 cannot talk to the LAN subnet, but can access the internet;
              LAN can talk to opt1 and access the internet

      Any help on this will be highly appreciated; also thanks for the answers...

      • wallabybob

        Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0? What is destroying the incoming packets? This has to be fixed before you will be able to get much further.

        When a system initially requests an IP address by DHCP it doesn't have a "real" IP address, certainly not one on the LAN2 subnet. (I think 0.0.0.0 is typically used as the source IP address in initial "cold start" DHCP requests.) Hence a DHCP request is unlikely to pass your firewall rule. Depending on your security requirements for traffic between LAN and LAN2 you might want to add a firewall rule to LAN2 along the lines of:

        Proto  Source  Port   Destination  Port   Gateway  Schedule  Description
        UDP    *       67-68  *            67-68                     Allow DHCP

        You wrote LAN can talk to OPT1 but there is no sign of any received packets on OPT1. How were you attempting to talk to OPT1 and what response were you getting?

        • dbx655

          @wallabybob:

          Did you notice there were 23 "in" errors on em1 (OPT1) and the received packet count was 0? What is destroying the incoming packets? This has to be fixed before you will be able to get much further.

          Yes, I did. I think it is because I unplugged the eth cable from the NIC a couple of times since DHCP was failing to assign an IP to the clients on LAN2.

          If I can get some help, I want to first confirm that my setup mentioned before is correct (for the interface assignment and the DHCP settings related to it).

          INTERFACES / OPT1

          TYPE STATIC
          192.168.10.1/24

          SERVICES / DHCP FOR OPT1

          Subnet           192.168.10.0
          Subnet mask      255.255.255.0
          Available range  192.168.10.0 - 192.168.10.255
          Range            192.168.10.10 - 192.168.10.20

          As for the rules, I have only one for now:

          Proto  Source    Port  Destination  Port  Gateway  Schedule
          *      LAN2 net  *     *            *     *        *

          When I create opt1, set it to static with IP 192.168.10.1 and enable DHCP on it, I can ping that gateway from the 192.168.0.0 subnet.

          Also some more info from the DHCP logs:

          Jan  7 23:22:16 pfsense dhcpd: Listening on BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
          Jan  7 23:22:16 pfsense dhcpd: Sending on  BPF/em1/00:02:a5:4e:XX:XX/192.168.10/24
          Jan  7 23:22:16 pfsense dhcpd: Listening on BPF/em0/00:02:a5:4e:XX:XX/192.168.0/24
          Jan  7 23:22:16 pfsense dhcpd: Sending on  BPF/em0/00:02:a5:4e:XX:0XX/192.168.0/24
          Jan  7 23:22:16 pfsense dhcpd: Sending on  Socket/fallback/fallback-net

          I think it should be a VERY easy task, but why? Why me???

          • wallabybob

            I don't know enough details about what you have done but on the evidence I would suspect a problem with incoming frames on the OPT1 interface.

            I would configure a system connected to OPT1 with a static IP address in the OPT1 subnet range and then verify that when I ping that system from the pfSense console I get a ping response and when I ping the pfSense OPT1 interface IP address from the OPT1 system with fixed IP address I get a ping response.

            I can't see any problem with your OPT1 configuration other than the firewall rule issue I pointed out previously.

            • dbx655

              I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.

              Now I need help with a firewall rule. What I am trying to achieve:

              LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the internet connection
              OPT1 = cannot see the LAN subnet and the internet connection

              Thank you in advance.

              • wallabybob

                @dbx655:

                I am practicing it on a VM; on the VM there are no problems with different subnets. I will check my cables, switch etc. one by one.

                You got your desired configuration working on a VM environment?

                @dbx655:

                Now I need help with a firewall rule. What I am trying to achieve:

                LAN = can see (RDP, ping, Windows shares etc.) OPT1 and the internet connection
                OPT1 = cannot see the LAN subnet and the internet connection

                Firewall rules apply on the input side of the firewall. Firewall rules are processed in order until a match is seen.

                The default configuration gives what you ask for LAN. I'm not sure if I should read your OPT1 requirements as "cannot access LAN and cannot access internet" or as "can access Internet and cannot access LAN". The latter is probably more useful, so, firewall rules on OPT1:

                Rule 1: BLOCK anything to LAN subnet
                Rule 2: Allow anything to anywhere

                I'd turn on logging on Rule 1 so you can more readily verify it does what you want.

                • dbx655

                  Yes, in the VM things are better than in the cold basement :) OK, with those tips I almost configured my PCs in the VM (but with both network adapters manually configured) 192.168.10.1/192.168.20.1.

                  I achieved almost all I wanted, except this:

                  I cannot explore OPT1 from LAN in Windows (Network Computers), but from LAN (on the same machine) I can RDP and ping into the OPT1 machine and ping both gateways. My firewall rules are:

                  LAN
                  default rule plus udp 67-68

                  OPT1
                  the rules that you asked me to add in their order

                  How can I see OPT1 machines from LAN computers' shares in windows??

                  Thanks

                  • wallabybob

                    I suspect windows network browsing might be limited to the "local" subnet due to the protocol mechanisms involved (subnet broadcasting? or LAN multicasting by MAC address?).

                    However it is still possible to browse a known computer in another subnet by specifying it by name or IP address, e.g. in Windows Explorer: \\winhost or \\192.168.20.56.

                    • dbx655

                      I know that, but for some reason it doesn't work. Again, I can ping, RDP etc. but cannot browse shares. Maybe some other specific ports to open?

                      • wallabybob

                        Works for me: I have a Linux system with Samba on OPT3 and a few Win2k systems on LAN, and all the Win2k systems can see the Samba shares on the Linux system on OPT3.

                        OPT3 has a rule "pass anything to everywhere". I expect a more restrictive rule set would suffice.

                        I suggest you check your firewall log. It would probably give some hints about ports to LAN that might need to be opened on your OPT1.

                        • dbx655

                          Maybe the block rule towards LAN? Because for me OPT1 will be a one-way network. I don't know how it works, but we open the door to OPT1, but OPT1 has to send something back to LAN? And because of the block back to LAN I cannot see the shares, but then how come ping and RDP work? On the VM the test systems are XPs; on the real network the two systems are Server 2003s. I really don't know what to do. Also, for a couple of days I have experienced PPPoE drops on the WAN port.

                          • wallabybob

                            When the firewall allows a connection through, it also constructs a temporary rule specific to that connection, to allow the back traffic.

                            I don't know the details of how Windows Explorer discovers the shares. It's possible the server attempts to create a new connection (or more) back to the client. These new connections would be blocked by the rule I suggested.
                            If you have logging on the OPT1 rule then any attempt by the Windows server to establish a "back connection" to the LAN should appear in the firewall log, and the information logged will allow you to add firewall rules to allow these back connections.

                            But I don't recall reading a description of the security policy for OPT1; you might want something much more relaxed.

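The three mechanisms wallabybob relies on in this thread (the cold-start DHCP request from 0.0.0.0 not matching a "LAN2 net" source rule, top-down first-match rule ordering with block-to-LAN before allow-any, and the per-connection state that lets reply traffic back while a fresh "back connection" from OPT1 to LAN is still blocked), as an added Python model that is not from the thread or from pfSense itself. It assumes the subnets posted above, constructs its own sample packets, and the hypothetical `Firewall` class is a simplification (no interface-bound states, no TCP flag checks, no NAT).

```python
import ipaddress

ANY = "*"
LAN_NET = ipaddress.ip_network("192.168.0.0/24")    # "LAN subnet" in the thread
OPT1_NET = ipaddress.ip_network("192.168.10.0/24")  # "LAN2 net" / OPT1 subnet
PASS_ALL = ("pass", ANY, ANY, ANY, ANY, ANY)

# OPT1 rule sets from the thread: (action, proto, src, sport, dst, dport).
ORIGINAL_OPT1 = [("pass", ANY, OPT1_NET, ANY, ANY, ANY)]  # copied default-LAN rule only
SUGGESTED_OPT1 = [
    ("pass", "udp", ANY, (67, 68), ANY, (67, 68)),        # Allow DHCP
    ("block", ANY, OPT1_NET, ANY, LAN_NET, ANY),          # Rule 1: block anything to LAN subnet
    PASS_ALL,                                             # Rule 2: allow anything to anywhere
]

def _match(rule_value, packet_value):
    # One rule field vs one packet field: '*' any, network = in subnet, tuple = port range.
    if rule_value == ANY:
        return True
    if isinstance(rule_value, ipaddress.IPv4Network):
        return ipaddress.ip_address(packet_value) in rule_value
    if isinstance(rule_value, tuple):
        return rule_value[0] <= packet_value <= rule_value[1]
    return rule_value == packet_value

def first_match(rules, pkt):
    """pfSense semantics: top-down, first match decides; no match = implicit default deny."""
    for action, *fields in rules:
        if all(_match(f, pkt[k]) for f, k in zip(fields, ("proto", "src", "sport", "dst", "dport"))):
            return action
    return "block"

class Firewall:
    """Per-interface first-match rules plus a state table: a passed connection records its
    5-tuple, and reply packets on any interface pass on state without consulting the rules."""
    def __init__(self, opt1_rules):
        self.rules = {"opt1": opt1_rules, "lan": [PASS_ALL], "wan": []}
        self.states = set()

    def handle(self, iface, pkt):
        if (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.states:
            return "pass (state)"  # the "temporary rule" for back traffic described above
        verdict = first_match(self.rules[iface], pkt)
        if verdict == "pass":
            self.states.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict

def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

DHCP_DISCOVER = packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # constructed cold-start request
```

Feeding DHCP_DISCOVER to `first_match` with ORIGINAL_OPT1 returns "block" and with SUGGESTED_OPT1 returns "pass", and a `Firewall(SUGGESTED_OPT1)` passes the reply half of a LAN-initiated RDP session on state but blocks a new OPT1-to-LAN connection on Rule 1.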
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.