Two subnets One WAN, issues between subnets



  • Hi,
    New user to pfsense.  I thought I understood this and I've read through the forums but
    nothing seems to help, the two lan subnets refuse to communicate.  Both LAN subnets have
    access to the WAN (Internet), but just not able to communicate between them.  Ping and
    tracert both fail, both directions.

    The software is running in a VM via VMware.
    Three physical ports, and three virtual NICs.
    WAN - le1
    Lan - le0 (192.168.10.0/24)
    Opt - le2 (192.168.20.0/24)

    WAN rules are:

    1. RFC1918 block private networks
    2. Block bogon networks
    3. block all externally initiated traffic

    LAN rules are:

    1. Anti-lockout Rule
    2. Any to Any

    Opt rules are:

    1. Any to Any

    NAT Outbound

    1. WAN interface - LAN to any
    2. WAN interface - Opt to any

    One other thing I think is odd.  Tracert (via PFsense) on LAN finds all the address I'm looking for.
    When I use the gateway address of the Opt LAN (192.168.20.1) it finds it as well.  When I run
    tracert on the pc (192.168.20.198), it can't find it.  Which I assume is being blocked, but disabling the rules doesn't change any behaivor.  I was thinking it may be a VMware problem,
    but looking at the virtual switches, it appears to be set up correctly.

    Thanks for any assistance in advance!



  • Try enabling permiscious mode and see if that helps. Could be a routing problem (split path).Is everything using the pfSense for its gateway?



  • Yep, that's exactly how we're using it.  I think the NIC's are already set up that way, but I will take a gander and see for sure and post back.  Thanks!



  • The adapters and virtual switches are configured in promiscuous mode.  Anyone have any other ideas?



  • Can you screen shot your route table and post in here?



  • Snapshot from PFsense routes are attached.




  • Just started up wireshark on one of the pc's that is on the 20 subnet.
    It looks like it's not finding the DNS/DHCP services, as it's falling back onto the
    169.254.x.y address.  I can clearly see that the ping is going on to the subnet, but
    no responses.  The ARP that shows up after the ping looks like:
    who has 169.254.121.164?  Tell 192.168.20.198
    The PC gets it's address from PFsense… could there be a problem in how it's getting to sort out the DNS?  We use DNS forwarding to the provider.



  • First, I would hard set an address and then test. Set your DNS to like 8.8.8.8 or 4.2.2.2. This way you bypass the services and make sure your firewall/NAT/routing is working correctly. Then if you have not restarted since you setup the DHCP and DNS, go ahead and do so.
    Check your system logs for any errors.



  • but we can get out fine via the wan, so doesn't that infer that the DNS is working?  It's only between the two subnets that is problematic.
    I don't understand if the ping from the 10 subnet is showing up on the 20 subnet, and I see it with wireshark on the 20 subnet, why isn't the
    pc on the 20 subnet responding (same pc that wireshark is on).  so it's from 192.168.10.189 pc -> ping 192.168.20.198



  • Well, turns out that the Windows 7 firewall is not allowing the traffic between different sub-nets!  I've turned them off each of the pc's and I can now get through.  Sort of weird… must be a rule there for that too!
    Thanks for the help however!



  • @Jeda:

    but we can get out fine via the wan, so doesn't that infer that the DNS is working?  It's only between the two subnets that is problematic.
    I don't understand if the ping from the 10 subnet is showing up on the 20 subnet, and I see it with wireshark on the 20 subnet, why isn't the
    pc on the 20 subnet responding (same pc that wireshark is on).  so it's from 192.168.10.189 pc -> ping 192.168.20.198

    Yes it does. Got mixed up with another issue. Sorry about that.

    Bloody windows firewall … always gets in the way.


Log in to reply