LAN1, LAN2 and 1 WAN: I need to reach a host on LAN2 from LAN1



  • Hi there.
    I had to add a second subnet to my network infrastructure, which is now as follows:
    lan1 : 10.0.0.0/24
    lan2 : 10.0.50.0/24
    For both I'm using an RJ-45 port of my pfSense (1.2.3) appliance.
    Now I need to reach a host in LAN2 from LAN1, but I cannot get it working. I need to reach it on port 80. I tried different rules with no success. Should I set it on the LAN tab or the LAN2 tab?
    Any hints?
    Sorry for this newbie question.
    Thanks in advance.
    max
    Italy



  • What rules do you have in place on LAN1 and LAN2? If you are using a default allow out rule from the LAN1 and LAN2 subnets, it should work. If not, then you are going to have to create a rule on both sides to allow the correct traffic back and forth. Although, I think if you create a rule and use keep state, you might only have to create the rule in the LAN1 tab. I used to have a similar setup, but I didn't care about traffic between the two nets, so I had a wide-open allow rule between the two.



  • I have a similar setup. LAN1 is the office network and has the default allow to any rule applied, which has been there since installation. After a few weeks I added LAN2, which is to be a customer network and is to have no access to LAN1.

    I created a rule for LAN2, identical to the default allow to any rule on LAN1, but with a !LAN1 destination rather than any. This allows LAN2 PCs to access the web, but not anything on LAN1.

    I do, however, have a PC on LAN2 that needs to access a shared folder on a PC in LAN1. For this I have created a firewall rule, placing it above the main "allow to any but !LAN1" rule, as follows:

    Source 10.0.0.11 (ip of public PC on LAN2)
    Protocol any
    Destination 192.168.0.105 (ip of computer in office with the shared folder)

    Unfortunately, this doesn't work. I have reset the states, to no avail, and nothing is working. If I run a tracert on the public PC to 192.168.0.105, it correctly resolves the hostname of that office PC, but is unable to reach it, and Windows file shares are not accessible.

    Does anybody have any idea why this isn't working, or what other rules I need in place to get this working?



  • If it is a Windows machine, the local Windows firewall might also be blocking the foreign address. To test, disable the firewall on the local machine (at 192.168.0.105) and try to ping.

    If that does not work, start up tcpdump on either side of the FW to make sure traffic is getting through. Check your state tables and FW logs for any entries.



  • Thanks for this, podilarius.

    In effect, though, my rules are correct? I don't think it is the Windows firewall, as before I separated the two LANs the two were on the same subnet (192.168.0.0/16; the other machine was 192.168.1.99, connecting to 192.168.0.105) and it worked. It was also able to see file shares on the other office PCs, which I now want to prevent, hence putting this machine on the customer/public LAN2.

    As they were on the same switch initially, it was impossible to block traffic between them effectively, so this solution works: it is a reception PC, it can have Internet access using vouchers just like the Internet cafe PCs on the 10.0.0.0/24 network, and once I get this up and working it only needs to access one share on the office PC.

    I hope this is possible.



  • The Windows firewall will, by default, block any private IP that is not on the same subnet as any of the LAN addresses. You can of course change this. But rule order is also important: if your block rule is above the single allow rule, it will get blocked. FW rules on everything except floating are first match.

    Perhaps you could post a series of screenshots of your rules.
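    The two rule sets discussed in this thread, written out as pf rules the way pfSense loads them, as an added example that is not from any of the posters. pfSense appends `quick` to every interface rule, which is why the first matching rule wins; the specific allow therefore has to sit above the broader `!LAN1` rule, as the posts above say. The interface names, the office subnet 192.168.0.0/24 and the LAN2 web server address 10.0.50.10 are assumptions; the other addresses are the ones quoted in the thread.

```pf
# --- Assumed interface and network macros (not stated in the thread) ---
lan1_if      = "em0"                 # office LAN / first poster's lan1
lan2_if      = "em1"                 # customer LAN / first poster's lan2
lan1_net     = "192.168.0.0/24"      # assumed office subnet (second poster)
lan2_net     = "10.0.0.0/24"         # customer LAN (second poster)
office_pc    = "192.168.0.105"       # PC with the shared folder (from the thread)
reception_pc = "10.0.0.11"           # public PC on LAN2 (from the thread)
lan2_web     = "10.0.50.10"          # assumed web host in the first poster's lan2

# Default deny, logged, so blocked attempts appear in the firewall log.
# Without "quick" this only applies if no "pass ... quick" rule matched.
block in log on $lan2_if all
block in log on $lan1_if all

# --- Second poster's scenario: rules on the interface the traffic ENTERS (LAN2) ---

# 1. Specific allow FIRST: reception PC to the office file server.
#    Windows file sharing is SMB on TCP 445 (NetBIOS session on 139).
pass in quick on $lan2_if inet proto tcp from $reception_pc to $office_pc \
    port { 139, 445 } keep state

# 2. Allow ping from the reception PC for the test suggested above.
pass in quick on $lan2_if inet proto icmp from $reception_pc to $office_pc \
    icmp-type echoreq keep state

# 3. Everything else from LAN2 may go anywhere EXCEPT LAN1 (Internet via WAN).
#    If this rule were placed above rule 1, the office PC would be unreachable.
pass in quick on $lan2_if inet from $lan2_net to ! $lan1_net keep state

# --- First poster's scenario: reach a LAN2 web host from LAN1 on port 80 ---
# The rule belongs on the LAN1 tab, because that is where the client's
# packets enter the firewall. "keep state" lets the replies back out through
# LAN2 without a separate rule there.
pass in quick on $lan1_if inet proto tcp from 10.0.0.0/24 to $lan2_web \
    port 80 keep state
```

    With state tracking, the return traffic for each allowed connection is matched against the state table, not against the rules on the other interface, so no mirror rule is needed on LAN1 for the LAN2 share access (or on LAN2 for the port 80 access). If a rule like the above is in place and the share is still unreachable, the remaining suspects are the ones already named in the thread: the Windows host firewall on 192.168.0.105 rejecting an address outside its own subnet, and stale states, which tcpdump on both interfaces and the firewall log will distinguish.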

