Help with Rules Setup



  • Hi,
        Can you experts please help me with my firewall/rules setup issue.

    Ping from 192.168.2.100 (Wifi Notebook IP) to 192.168.1.1 (Router IP) --> OK
    Ping from 192.168.2.100 (Wifi Notebook IP) to 192.168.1.51 (Desktop 1 IP) --> NOT OK
    Remote Desktop from 192.168.2.100 (Wifi Notebook IP) to 192.168.1.51 (Desktop 1 IP) --> OK

    I cannot ping any machine on LAN (192.168.1.x) from OPT1WIFI (192.168.2.x).
    Also, I cannot resolve any hostname on LAN (192.168.1.x) from OPT1WIFI (192.168.2.x).
    The funny thing is: how can my 192.168.2.100 (Wifi Notebook IP) Remote Desktop to 192.168.1.51 (Desktop 1 IP) even though the ping fails?

    I know I am missing something.
    Please help.

    Thanks in advance for your help.

    Here is my setup:

    Hardware Setup
    Cable Modem <--> pfSense <--> Gigaswitch <--> Desktop 1 & 2
    Also, pfSense <--> Wifi <--> Notebook 1, 2 & 3.

    LAN interface (em1)
    IP address       192.168.1.1
    Subnet mask      255.255.255.0

    WAN interface (em0)
    IP address       67.81.81.xxx
    Subnet mask      255.255.254.0
    Gateway          GW_WAN 67.81.80.xxx
    ISP DNS servers  167.206.245.xxx
                     167.206.245.xxx

    OPT1WIFI interface (ath0)
    IP address       192.168.2.1
    Subnet mask      255.255.255.0

    Rules
    Please see attachment

    Diagnostic commands from Laptop 1 (192.168.2.100)

    C:\>IPCONFIG /ALL
      Host Name . . . . . . . . . . . . : HP6910P
      Primary Dns Suffix  . . . . . . . : us.ups.com
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : us.ups.com
                                          local

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix  . : local
      Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
      Physical Address. . . . . . . . . : 00-21-5C-A2-7B-XX
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::xxxx:7b1f:a379:xxxx%12(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.2.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Saturday, August 27, 2011 9:54:16 AM
      Lease Expires . . . . . . . . . . : Saturday, August 27, 2011 11:54:15 AM
      Default Gateway . . . . . . . . . : 192.168.2.1
      DHCP Server . . . . . . . . . . . : 192.168.2.1
      DHCPv6 IAID . . . . . . . . . . . : 218112348
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6A-7F-xx-00-23-5A-31-16-66

      DNS Servers . . . . . . . . . . . : 192.168.2.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    C:\>tracert 192.168.1.51

    Tracing route to 192.168.1.51 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  192.168.2.1
     2     *        *        *     Request timed out.

    C:\>nbtstat -A 192.168.1.51

    Local Area Connection:
    Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

    Bluetooth Network Connection:
    Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

    Wireless Network Connection:
    Node IpAddress: [192.168.2.100] Scope Id: []

    C:\>route print 192.168.1.51

    Interface List
    14…00 24 7e 39 4e 2b ......Bluetooth Device (Personal Area Network)
    12...00 21 5c a2 7b b1 ......Intel(R) Wireless WiFi Link 4965AG
    11...00 23 5a 31 16 66 ......Intel(R) 82566MM Gigabit Network Connection
     1...........................Software Loopback Interface 1
    21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

    IPv4 Route Table

    Active Routes:
     None
    Persistent Routes:
     None

    IPv6 Route Table

    Active Routes:
     None
    Persistent Routes:
     None

    ![pfsense rules.png](/public/imported_attachments/1/pfsense rules.png)



  • Do you have virus protection or a software firewall on that 1.51 machine? Or on any other machine you can't ping?



  • Your first rules on LAN and OPT1 both allow all traffic; the further rules are redundant.

    Whatever your problem is, it isn't pfSense related. Can you ping Desktop1 from any system, including pfSense and other hosts on the same subnet?



  • Metu/Cry,
       Thanks for the tip.
    You were correct. The Windows firewall was turned on on that desktop (192.168.1.51), which was preventing pings.
    Once I turned off the firewall, it pinged fine.

    But how is it that I am unable to do hostname lookups for other devices like network printers?
    For example, I cannot ping BRN001BA9021E23 from the laptop (192.168.2.104).

    Thanks.




  • Does your other network's DNS server know those names?
    And does it know how to find them from the other subnet?



  • I seem to have two DHCP servers, and I don't think it knows how to find the other one.
    Can you please explain how to set this up so that I can look up hostnames across subdomains/interfaces?

    Thanks,
    Sai




  • 2nd DHCP server screen shot.




  • Because those are different networks, you need to have different DHCP servers.
    But you can try to give the DNS server entries manually.

    Somewhat like this:
    LAN DHCP: first DNS server = pfSense LAN interface address, secondary DNS = pfSense OPT1WIFI interface address,
    and vice versa on OPT1WIFI.

    Try that.



  • DHCP is used to allocate IP addresses. DNS is used to look up addresses. If you want name lookups to work, then you need to configure a DNS domain and have your DHCP server register leases with the DNS server.



  • Metu/Cry,
        Once I turned on "Register DHCP leases in DNS forwarder" and "Register DHCP static mappings in DNS forwarder", the hostname lookup started working. I am now able to ping by hostname across the subnets.
    Thanks a lot for your help guys.

    Regards,
    Sai
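The two replies above describe the mechanism that fixed the lookups: the DHCP server hands out addresses, and only when its leases (and static mappings) are registered with the forwarder does the router have names to answer for clients on either subnet. The script below is an added illustration of that effect; it is not code from this thread or from pfSense. It assumes the ISC dhcpd.leases file format for the DHCP server, a router domain of "local" (the DNS suffix visible in the ipconfig output above), and the lease entries, hostnames, MAC addresses and the `printer1` static mapping are all constructed for the example.

```python
"""Model of what "Register DHCP leases in DNS forwarder" and "Register DHCP
static mappings in DNS forwarder" do in effect: active leases and static
mappings become name -> address entries that the forwarder answers for
clients on every interface. Added example with constructed data; not the
thread's or pfSense's own code."""
import re
from datetime import datetime

DOMAIN = "local"   # assumed router domain (the suffix seen in ipconfig /all)
NOW = datetime(2011, 8, 27, 14, 0, 0)   # constructed "current time" (UTC)

# Constructed dhcpd.leases excerpt: two active leases (one per subnet), one
# expired lease, and one active lease whose client sent no hostname.
SAMPLE_LEASES = """\
lease 192.168.1.51 {
  starts 6 2011/08/27 13:54:16;
  ends 6 2011/08/27 15:54:15;
  binding state active;
  hardware ethernet 00:23:5a:31:16:66;
  client-hostname "DESKTOP1";
}
lease 192.168.2.100 {
  starts 6 2011/08/27 13:54:16;
  ends 6 2011/08/27 15:54:15;
  binding state active;
  hardware ethernet 00:21:5c:a2:7b:b1;
  client-hostname "HP6910P";
}
lease 192.168.2.104 {
  starts 6 2011/08/27 09:00:00;
  ends 6 2011/08/27 11:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "OLDLAPTOP";
}
lease 192.168.1.60 {
  starts 6 2011/08/27 13:54:16;
  ends 6 2011/08/27 15:54:15;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
"""

# Hypothetical static mapping (name and address invented for the example).
STATIC_MAPPINGS = {"printer1": "192.168.1.200"}

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)


def parse_leases(text):
    """One dict per lease block: ip, ends (UTC datetime or None), binding
    state, and client-hostname (None when the client sent none)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        ends = re.search(r"ends\s+\d\s+(\S+ \S+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases.append({
            "ip": m.group("ip"),
            "ends": datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") if ends else None,
            "state": state.group(1) if state else "unknown",
            "hostname": host.group(1) if host else None,
        })
    return leases


def build_hosts(leases, static_mappings, domain, now):
    """Name table the forwarder would serve: lower-cased short name and FQDN
    for every active, unexpired lease that carries a hostname; static
    mappings are applied last so a dynamic lease cannot shadow them."""
    hosts = {}

    def add(name, ip):
        short = name.lower()
        hosts[short] = ip
        hosts[f"{short}.{domain}"] = ip

    for lease in leases:            # file order: a later lease wins
        if lease["state"] != "active" or not lease["hostname"]:
            continue                # free/expired, or no client-hostname sent
        if lease["ends"] is not None and lease["ends"] < now:
            continue
        add(lease["hostname"], lease["ip"])
    for name, ip in static_mappings.items():
        add(name, ip)
    return hosts


def resolve(hosts, query):
    """Case-insensitive lookup, as DNS names are; None stands for NXDOMAIN."""
    return hosts.get(query.rstrip(".").lower())


def example_table():
    """The table built from the constructed sample data above."""
    return build_hosts(parse_leases(SAMPLE_LEASES), STATIC_MAPPINGS, DOMAIN, NOW)


if __name__ == "__main__":
    table = example_table()
    for name in ("desktop1", "HP6910P.local", "oldlaptop", "printer1", "192.168.1.60"):
        print(f"{name:16} -> {resolve(table, name)}")
```

Two practical points follow from the model. A device that never sends a client-hostname, or that uses a static address, never appears in the lease-derived table (the 192.168.1.60 lease above), so such a printer only becomes resolvable through a static mapping with the second option enabled. And the names in the table are whatever the DHCP clients chose to send, so lease registration trusts client-supplied hostnames from every interface; keeping static mappings for the hosts you care about, applied after the dynamic entries as done here, is the simple way to stop a client on the WiFi subnet from claiming the name of a wired machine.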

