[Solved] Cannot access from WLAN to PC in LAN but internet works



  • Hi,

I use pfsense 1.2.3 and my wife reported to me today that she cannot access the NAS from her desktop. I just implemented pfsense this weekend and thought I had tested such a thing, but it looks like it does not work.

    Configuration is :

    • LAN : 192.168.1.0/24
    • WLAN : 192.168.3.0/24

I set up Squid, Squidguard and HAVP, but it should not have any impact on that. I also set up a remote VPN and a site-to-site VPN (192.168.5.0/24 routing towards 192.168.4.0/24) with my house.

When I look at the routing table, is there something I should declare?

    
    IPv4
    Destination	Gateway	Flags	Refs	Use	Mtu	Netif	Expire
    default	84.99.65.1	UGS	0	511913	1492	ng0	 
    10.0.8.0/24	10.0.8.2	UGS	0	0	1500	tun1	 
    10.0.8.2	10.0.8.1	UH	1	0	1500	tun1	 
    84.99.65.1	84.99.65.73	UH	1	13720	1492	ng0	 
    84.99.65.73	lo0	UHS	0	0	16384	lo0	 
    127.0.0.1	127.0.0.1	UH	0	480715	16384	lo0	 
    192.168.1.0/24	link#1	UC	0	106	1500	vr0	 
    192.168.1.1	192.168.1.2	UH	1	3696	1500	tun0	 
    192.168.3.0/24	link#3	UC	0	0	1500	ath0	 
    192.168.4.0/24	192.168.1.1	UGS	0	3020	1500	tun0	 
    
    

Any clue?

    Thanks,



  • I'm guessing NAS on LAN and desktop on WLAN.

    Default firewall configuration blocks access from OPTx interfaces to LAN. Did you add an appropriate firewall rule to allow the access you are looking for?

    Depending on the protocols and usage patterns involved it might be more effective to bridge LAN and WLAN.



  • Indeed, NAS is in LAN and Laptop in WLAN.

For both LAN & WLAN, I have only the default rule "(W)LAN to any". Should I explicitly add some routes or rules?

I cannot bridge both, as it's not supported with the transparent proxy & HAVP according to the tutorial.



  • It would be helpful to have more detail on "not work" - timeout? connection immediately refused? no route? etc etc

    Having a look at the firewall log might suggest what the problem is.

    The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?



  • @wallabybob:

    The default (pre configured) rule on non-LAN interfaces is NOT pass all but block all. Is that the default rule you mean?

Sorry, the default rule I set up is that I duplicated the "LAN to any" rule in the WLAN. That's the only rule I have for LAN & WLAN.

    I will try to have more details from my wife to define what does "not work".



  • A strict duplication of the default LAN rule on WLAN won't work.

    The default LAN rule says allow from LAN subnet to any. This rule duplicated to WLAN interface won't allow traffic from the WLAN subnet because an IP address on the WLAN subnet won't match the LAN subnet in the rule.



So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa, plus set a rule in the firewall to allow communications from LAN to WLAN and vice versa?



  • @nsteinmetz:

    So if I understand well, I have to set a route from 192.168.1.0/24 to 192.168.3.0/24 & vice versa

Not normally. Normally systems on 192.168.1.0/24 and 192.168.3.0/24 will have a default route to the pfSense box, and the pfSense box knows how to route between 192.168.1.0/24 and 192.168.3.0/24.

    @nsteinmetz:

So if I understand well, I have to . . . set a rule in the firewall to allow communications from LAN to WLAN and vice versa?

    Not quite. The standard LAN rule allows traffic from the LAN subnet to anywhere (including WLAN). As soon as something makes a connection from the LAN interface the firewall effectively creates a temporary rule that allows traffic for that connection in the reverse direction (e.g. from WLAN to LAN). This temporary rule is deleted when the connection closes.

    The standard rule for OPTx interfaces doesn't allow anything. Hence if you want to (for example) ssh from WLAN to LAN you will need to add a rule to allow it.

In pfSense, firewall rules apply on the input side of an interface. Packets are checked against the rules in order until a packet matches a rule; then the action specified in that rule is taken.

    Suppose the firewall rules on WLAN are:
    1: If source IP is LAN subnet (192.168.1.0/24) ALLOW
    2: If source IP is anything BLOCK

    I have chosen these rules because you said you duplicated the LAN rule (no mention of any changes to the rule). I have assumed this ordering.

    On WLAN a packet arrives with a source IP address of something in WLAN subnet (192.168.3.0/24). This doesn't match rule 1 so processing continues to rule 2 where there is a match so the firewall blocks this packet.

    Suppose you change the rules on WLAN to:
    1. If source IP is WLAN subnet (192.168.3.0/24) ALLOW
    2. If source IP is anything BLOCK
Then if a packet arrives on WLAN with a source address in the WLAN subnet (192.168.3.0/24), it will match rule 1, so it is allowed and no further rule processing takes place.

I have no idea what security policy you want. Perhaps the rule on WLAN should be at least a little more strict than "If source IP is WLAN subnet ALLOW".
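
The rule-matching walkthrough above, and the point about the reverse-direction state entry, as an added example that is not part of the original thread or of pfSense itself. It is a small Python model of pfSense's inbound, first-match rule evaluation with a state table, simplified to (source, destination) pairs (real pf also keys state on protocol and ports). The LAN and WLAN subnets are the ones from the thread; the NAS and laptop addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
WLAN = ipaddress.ip_network("192.168.3.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed host addresses for the example (not from the thread).
NAS = "192.168.1.20"      # on LAN
LAPTOP = "192.168.3.10"   # on WLAN


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network    # source network the rule matches (ANY = 0.0.0.0/0)


@dataclass
class Firewall:
    # interface name -> ordered rule list; rules are evaluated inbound on the
    # interface the packet arrives on, and the first match wins.
    rules: dict
    # State table, simplified to (src, dst) pairs of passed connections.
    states: set = field(default_factory=set)

    def inbound(self, iface: str, src: str, dst: str) -> str:
        """Return the verdict for a packet with src/dst arriving on iface."""
        # A reply to an already-passed connection matches its state entry,
        # so it is never run through the rule list at all.
        if (dst, src) in self.states:
            return "pass:state"
        src_ip = ipaddress.ip_address(src)
        for rule in self.rules.get(iface, []):
            if src_ip in rule.src:
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        # Implicit default: anything not explicitly passed is blocked.
        return "block"


def scenario_duplicated_lan_rule() -> str:
    # WLAN carries a verbatim copy of the LAN rule ("pass from LAN subnet to any")
    # followed by the default block. A WLAN source address never matches the
    # LAN subnet, so the packet falls through to the block rule.
    fw = Firewall(rules={
        "LAN":  [Rule("pass", LAN)],
        "WLAN": [Rule("pass", LAN), Rule("block", ANY)],
    })
    return fw.inbound("WLAN", LAPTOP, NAS)          # -> "block"


def scenario_wlan_subnet_rule() -> str:
    # Same ruleset, but the WLAN rule's source is the WLAN subnet.
    fw = Firewall(rules={
        "LAN":  [Rule("pass", LAN)],
        "WLAN": [Rule("pass", WLAN), Rule("block", ANY)],
    })
    return fw.inbound("WLAN", LAPTOP, NAS)          # -> "pass"


def scenario_reply_via_state() -> tuple:
    # Even with the broken WLAN ruleset, a connection started from LAN passes on
    # the LAN interface, creates state, and the reply arriving on WLAN is passed
    # by that state rather than by any WLAN rule.
    fw = Firewall(rules={
        "LAN":  [Rule("pass", LAN)],
        "WLAN": [Rule("pass", LAN), Rule("block", ANY)],
    })
    outbound = fw.inbound("LAN", NAS, LAPTOP)
    reply = fw.inbound("WLAN", LAPTOP, NAS)
    return outbound, reply                          # -> ("pass", "pass:state")


if __name__ == "__main__":
    print("duplicated LAN rule on WLAN :", scenario_duplicated_lan_rule())
    print("WLAN-subnet rule on WLAN    :", scenario_wlan_subnet_rule())
    print("LAN-initiated + reply       :", scenario_reply_via_state())
```

The third scenario is why the problem is easy to miss in testing: anything the LAN side initiates towards WLAN works, and only connections opened from the WLAN side hit the broken rule.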



I just want WLAN and LAN to see each other. I would have bridged them only if the transparent proxy allowed it, but it does not.

    I should have feedback from my wife tomorrow as she was not at her office today.

Thanks for your explanation. Indeed, I set up a rule that is "If WLAN subnet, Allow".



My wife just reported to me that ping is OK from her laptop to the NAS.

Yesterday I added two rules:
    - in the LAN section, to allow all the LAN subnet traffic to the WLAN subnet
    - in the LAN section, to allow all the WLAN subnet traffic to the LAN subnet

    Anything else missing ?

For the WLAN configuration, I did not add 192.168.1.1 as gateway. Should I add it?



Ok, it was a Windows Explorer issue, with something I do not understand.

If she tries \\server_name, she accesses it but with only one folder, not all of the folders. That's why she thought she did not have access to it.

If she tries \\IP.of.the.server, she accesses the whole content.

It looks like the NAS also did not appear in the "Network" tab, but as I set up a shortcut to \\IP.of.the.server, it works well.

    Sorry for the noise :-[

