Netgate Discussion Forum

    [Solved] Cannot access from WLAN to PC in LAN but internet works

      nsteinmetz

      Hi,

      I use pfSense 1.2.3 and my wife reported to me today that she cannot access the NAS from her desktop. I just implemented pfSense this weekend and thought I had tested such a thing, but it looks like it does not work.

      Configuration is:

      • LAN: 192.168.1.0/24
      • WLAN: 192.168.3.0/24

      I set up Squid, SquidGuard and HAVP but it should not have an impact on that. I also set up a remote VPN and a site-to-site VPN (192.168.5.0/24 routing towards 192.168.4.0/24) with my house.

      When I look at the routes table, is there something I should declare?

      
      IPv4
      Destination	Gateway	Flags	Refs	Use	Mtu	Netif	Expire
      default	84.99.65.1	UGS	0	511913	1492	ng0	 
      10.0.8.0/24	10.0.8.2	UGS	0	0	1500	tun1	 
      10.0.8.2	10.0.8.1	UH	1	0	1500	tun1	 
      84.99.65.1	84.99.65.73	UH	1	13720	1492	ng0	 
      84.99.65.73	lo0	UHS	0	0	16384	lo0	 
      127.0.0.1	127.0.0.1	UH	0	480715	16384	lo0	 
      192.168.1.0/24	link#1	UC	0	106	1500	vr0	 
      192.168.1.1	192.168.1.2	UH	1	3696	1500	tun0	 
      192.168.3.0/24	link#3	UC	0	0	1500	ath0	 
      192.168.4.0/24	192.168.1.1	UGS	0	3020	1500	tun0	 
      
      

      Any clue?

      Thanks,

        wallabybob

        I'm guessing NAS on LAN and desktop on WLAN.

        Default firewall configuration blocks access from OPTx interfaces to LAN. Did you add an appropriate firewall rule to allow the access you are looking for?

        Depending on the protocols and usage patterns involved it might be more effective to bridge LAN and WLAN.

          nsteinmetz

          Indeed, NAS is in LAN and Laptop in WLAN.

          For both LAN & WLAN, I have only the default rule "(W)Lan to any". Should I explicitly add some routes or rules?

          I cannot bridge both as for transparent proxy & HAVP, it's not supported according to the tutorial.

            wallabybob

            It would be helpful to have more detail on "not work" - timeout? connection immediately refused? no route? etc etc

            Having a look at the firewall log might suggest what the problem is.

            The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?

              nsteinmetz

              @wallabybob:

              The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?

              Sorry, the default rule I set up is that I duplicated the LAN to any rule in the WLAN. That's the only rule I have for LAN & WLAN.

              I will try to get more details from my wife to define what "not work" means.

                wallabybob

                A strict duplication of the default LAN rule on WLAN won't work.

                The default LAN rule says allow from LAN subnet to any. This rule duplicated to WLAN interface won't allow traffic from the WLAN subnet because an IP address on the WLAN subnet won't match the LAN subnet in the rule.

                  nsteinmetz

                  So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa + set a rule in the firewall to allow communications from LAN to WLAN and vice versa?

                    wallabybob

                    @nsteinmetz:

                    So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa

                    Not normally. Normally systems on 192.168.1.0/24 and 192.168.3.0/24 will have a default route to the pfSense box and the pfSense box knows how to route between 192.168.1.0/24 and 192.168.3.0/24.

                    @nsteinmetz:

                    So if I understand well, I have to . . . set a rule in the firewall to allow communications from LAN to WLAN and vice versa?

                    Not quite. The standard LAN rule allows traffic from the LAN subnet to anywhere (including WLAN). As soon as something makes a connection from the LAN interface the firewall effectively creates a temporary rule that allows traffic for that connection in the reverse direction (e.g. from WLAN to LAN). This temporary rule is deleted when the connection closes.

                    The standard rule for OPTx interfaces doesn't allow anything. Hence if you want to (for example) ssh from WLAN to LAN you will need to add a rule to allow it.

                    In pfSense, firewall rules apply on the input side of an interface. Packets are checked against rules in order until a packet matches a rule; then the action specified in the rule is taken.

                    Suppose the firewall rules on WLAN are:
                    1: If source IP is LAN subnet (192.168.1.0/24) ALLOW
                    2: If source IP is anything BLOCK

                    I have chosen these rules because you said you duplicated the LAN rule (no mention of any changes to the rule). I have assumed this ordering.

                    On WLAN a packet arrives with a source IP address of something in WLAN subnet (192.168.3.0/24). This doesn't match rule 1 so processing continues to rule 2 where there is a match so the firewall blocks this packet.

                    Suppose you change the rules on WLAN to:
                    1. If source IP is WLAN subnet (192.168.3.0/24) ALLOW
                    2. If source IP is anything BLOCK
                    Then if a packet arrives on WLAN with a source address in WLAN subnet (192.168.3.0/24) it will match rule 1, so it is allowed and no further rule processing takes place.

                    I have no idea what security policy you want. Perhaps the rule on WLAN should be at least a little more strict than "If source IP is WLAN subnet ALLOW".

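The first-match evaluation and the reply-traffic state described in the post above can be traced with a small simulation. This is an added example, not part of the original thread and not pfSense code; the NAS and laptop addresses, the `STRICTER` rule set and the address-pair state table are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

LAN, WLAN = ip_network("192.168.1.0/24"), ip_network("192.168.3.0/24")
ANY = ip_network("0.0.0.0/0")
NAS = ip_network("192.168.1.10/32")  # hypothetical NAS address, not from the thread

# Ordered rules per interface: (action, source network, destination network).
LAN_RULES = [("pass", LAN, ANY)]
COPIED = {"LAN": LAN_RULES, "WLAN": [("pass", LAN, ANY)]}   # LAN rule duplicated unchanged
FIXED = {"LAN": LAN_RULES, "WLAN": [("pass", WLAN, ANY)]}   # source changed to WLAN subnet
STRICTER = {"LAN": LAN_RULES, "WLAN": [                     # one possible tighter policy
    ("pass", WLAN, NAS),    # WLAN may reach the NAS
    ("block", WLAN, LAN),   # but nothing else on LAN
    ("pass", WLAN, ANY),    # everything else (internet) is allowed
]}


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (initiator, responder) pairs already passed

    def packet(self, iface, src, dst):
        """Return the verdict for a packet arriving inbound on iface."""
        src, dst = ip_address(src), ip_address(dst)
        # Traffic belonging to a tracked connection skips the rule list.
        # Simplification: state is keyed on the address pair, not on ports.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass (state)"
        for action, src_net, dst_net in self.rules.get(iface, []):
            if src in src_net and dst in dst_net:  # first match wins
                if action == "pass":
                    self.states.add((src, dst))
                return action
        return "block"  # nothing matched: default deny


if __name__ == "__main__":
    laptop, nas = "192.168.3.20", "192.168.1.10"  # constructed sample hosts
    for name, rules in (("copied", COPIED), ("fixed", FIXED), ("stricter", STRICTER)):
        fw = Firewall(rules)
        print(name, "WLAN laptop -> NAS:", fw.packet("WLAN", laptop, nas))
    fw = Firewall(COPIED)
    print("LAN NAS -> laptop:", fw.packet("LAN", nas, laptop))
    print("laptop reply on WLAN:", fw.packet("WLAN", laptop, nas))
```

With the copied rule, a connection started from WLAN is blocked, while a connection started from LAN still gets its replies back through the state entry.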
                      nsteinmetz

                      I just want WLAN and LAN to see each other. I would have bridged them only if the transparent proxy would allow it but it does not.

                      I should have feedback from my wife tomorrow as she was not at her office today.

                      Thanks for your explanation. Indeed, I set up a rule that is If WLAN subnet, Allow.

                        nsteinmetz

                        My wife just reported to me that ping is OK from her laptop to the NAS.

                        Yesterday I added two rules:
                        -  in the LAN section to allow all the LAN subnet traffic to the WLAN subnet
                        -  in the LAN section to allow all the WLAN subnet traffic to the LAN subnet

                        Anything else missing?

                        For the WLAN configuration, I did not add 192.168.1.1 as gateway. Should I add it?

                          nsteinmetz

                          Ok, it was a Windows Explorer issue with something I do not understand.

                          If she tries \\server_name, she can access it but sees only one folder, not all of the folders. That's why she thought she did not have access to it.

                          If she tries \\IP.of.the.server, she can access the whole content.

                          It looks like the NAS also did not appear in the "Network" tab, but as I set up a shortcut to \\IP.of.the.server, it works well.

                          Sorry for the noise :-[

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.