Need help with subnets



  • I have one subnet with all my servers on it, and another with all the computers in my house on it. How do I get the computers to be able to access files on the server if they're on different subnets??? I've been getting pointed in every random direction because I keep getting told "You need to set the rules!" and "you need to use RIP!" but that doesn't help me when people don't say what I need to f*** do when using them, so please someone help me :( I've been working on this for like a week


  • Rebel Alliance Global Moderator

    And how are these "segments" connected to your pfsense?

    So let's say one segment is 192.168.1.0/24 and connected to pfsense on its LAN interface with an address 192.168.1.1/24..  Now on a different interface in pfsense OPT1 you have 192.168.2.1/24 with servers on this 192.168.2.0/24 segment.

    Is this how you're connected?  If not - tell us how your network is all connected together and be happy to walk you through how to proceed.  So example of your network?




  • Here is my network's current layout


  • Rebel Alliance Global Moderator

    So at first I thought those were on the same network with that /23, but .0 and .1 would be 1, and then .2 and .3 would be next..  Do you really have that many devices on each segment, why use /23?

    So you should be good.. What is not working?

    So which one of those is the LAN interface and which is OPT 1

    What are the rules you have on those interfaces?  I would assume you have each segment using the pfsense interface IP as gateway with the same /23 mask.

    And we are SURE you're not using that AP as NAT gateway – it's really just being used as AP, cuz if not that could be your issue.



  • I checked that, and originally I thought that was the source of the problem. But then I remembered that not too long after setting up the pfSense router, I had set what was normally an ISR into "AP Mode" which makes it function solely as an AP. Here are all the subnets and rules I have. (Btw, I have about 25 devices running on the wifi LAN)


  • Rebel Alliance Global Moderator

    So what is the issue..  Now your LAN, that first rule is pointless, since your 2nd rule is more open.

    On your wifilan which I assume is your default lan interface because of the antilockout and wifilan lan as source with desc, etc. Look fine.

    So your segments should talk fine with each other.  So I wonder why you have a /23 if you have 25 some devices??  That makes no sense to have such a large mask.

    So I assume your pfsense interfaces are

    192.168.1.1/23 wifilan
    192.168.2.1/23 lan

    Where clients on wifilan are
    192.168.1.x/23
    default gateway 192.168.1.1
    dns 192.168.1.1

    and clients on your lan are
    192.168.2.x/23
    default gateway 192.168.2.1
    dns 192.168.2.1

    So for example I am on my wired network 192.168.1.0/24 and wireless is 192.168.2.0/24 and I have the following

    C:\Windows\System32>ipconfig /all

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : i5-w7
      Primary Dns Suffix  . . . . . . . : local.lan
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : local.lan

    Ethernet adapter Local:

      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.1.253
      DNS Servers . . . . . . . . . . . : 192.168.1.253
      NetBIOS over Tcpip. . . . . . . . : Enabled

    And so you can see I can ping a device on my wireless network, my blackberry for example

    C:\Windows\System32>ping blackberry

    Pinging blackberry.local.lan [192.168.2.229] with 32 bytes of data:
    Reply from 192.168.2.229: bytes=32 time=106ms TTL=127
    Reply from 192.168.2.229: bytes=32 time=129ms TTL=127
    Reply from 192.168.2.229: bytes=32 time=152ms TTL=127

    Ping statistics for 192.168.2.229:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 106ms, Maximum = 152ms, Average = 129ms

    So I don't see anything wrong in your firewall rules – so unless you have local firewalls blocking your access on your servers, or have your wifi clients behind a NAT on what you think is an AP?  I don't see anything wrong.. You sure you don't have 192.168.1.0/xx behind your wireless router and 192.168.1.0/xx on your WAN of your wifi router?  And you just think it's set up as an access point?  I would look on a client, and see what it shows for the MAC of your pfsense IP with the arp command -- if you see your AP MAC then that is where your issue is.

    Just look via ifconfig on your pfsense

    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:50:56:00:00:02
            inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255

    And then on your client

    C:\Windows\System32>arp -a

    Interface: 192.168.1.100 --- 0xc
      Internet Address      Physical Address      Type
      192.168.1.7          00-0c-29-dd-02-ba    dynamic
      192.168.1.8          00-0c-29-57-41-d5    dynamic
      192.168.1.31          b8-27-eb-1c-6e-09    dynamic
      192.168.1.40          2c-76-8a-ad-f6-56    dynamic
      192.168.1.50          00-15-99-21-1c-a0    dynamic
      192.168.1.99          00-06-dc-43-ad-78    dynamic
      192.168.1.220        7f-bf-a9-aa-29-5b    dynamic
      192.168.1.252        00-13-10-fe-84-08    dynamic
      192.168.1.253        00-50-56-00-00-02    dynamic
      192.168.1.255        ff-ff-ff-ff-ff-ff    static
      224.0.0.251          01-00-5e-00-00-fb    static
      224.32.32.107        01-00-5e-20-20-6b    static
      239.255.255.250      01-00-5e-7f-ff-fa    static
      255.255.255.255      ff-ff-ff-ff-ff-ff    static
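
The MAC comparison described in the post above, as an added example that is not part of the original thread: it parses pfSense `ifconfig` output and a Windows client's `arp -a` output and reports whether the client resolves its gateway IP to the pfSense interface's own MAC. The sample inputs are constructed from the outputs quoted in the post, and the function names are assumptions of this example.

```python
import re

# Constructed sample inputs, modelled on the outputs quoted in the post above.
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:00:00:02
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
"""
ARP_SAMPLE = """\
Interface: 192.168.1.100 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.252         00-13-10-fe-84-08     dynamic
  192.168.1.253         00-50-56-00-00-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

def norm_mac(mac):
    """Normalise 00-50-56-... or 00:50:56:... to lowercase colon form."""
    return ":".join(p.zfill(2) for p in re.split(r"[-:]", mac.lower()))

def parse_ifconfig(text):
    """Return {ip: mac}; assumes 'ether' precedes 'inet' within each interface block."""
    result, mac = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            mac = None                      # header line: a new interface block starts
        m = re.match(r"\s+ether\s+([0-9a-fA-F:]{11,17})", line)
        if m:
            mac = norm_mac(m.group(1))
        m = re.match(r"\s+inet\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m and mac:
            result[m.group(1)] = mac
    return result

def parse_arp(text):
    """Return {ip: mac} from Windows `arp -a` output."""
    pat = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\w+", re.M)
    return {ip: norm_mac(mac) for ip, mac in pat.findall(text)}

def check_gateway(gateway_ip, ifconfig_text, arp_text):
    """Compare the MAC the client resolved for its gateway with pfSense's own."""
    expected = parse_ifconfig(ifconfig_text).get(gateway_ip)
    seen = parse_arp(arp_text).get(gateway_ip)
    if expected is None or seen is None:
        return "unknown"    # gateway IP missing from one of the two outputs
    return "match" if seen == expected else "mismatch"

if __name__ == "__main__":
    print(check_gateway("192.168.1.253", IFCONFIG_SAMPLE, ARP_SAMPLE))
```

A "mismatch" means some other device is answering ARP for the gateway address on the client's segment, which is the situation the post describes for a wireless router that is still routing rather than bridging.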



  • When you say you're having trouble accessing files on your server LAN, I take it you're referring to filesharing in Windows XP/Vista/7? If that's the case, you need to configure a WINS server option in your DHCP settings on your workstation LAN. Most Windows server discovery services use broadcast messages to determine the IP of a fileserver, which doesn't work across subnets.

    Go into the DHCP Server configuration on your LAN and under WINS servers put the IP of your fileserver. This will tell your computer to explicitly contact your fileserver to determine what fileservers are on your network. Save the settings, restart the DHCP server and then release and renew the IP on your workstation. Then you should be able to access your fileserver by NetBIOS name or IP address. You also need to ensure your clients and your fileserver are in the same workgroup.



  • Another thing that you need to check is that all your Windows machines have their firewall set up as home or private. If you have the firewall set up as public then that could be a potential source of your problems. You might want to try to disable all firewalls to see if this will help you.

    Also just for anyone referencing this post, you don't need a dynamic routing protocol when you want to route across two different networks/subnets when those networks are directly connected to the router that is doing the routing. As long as you have a rule allowing traffic out of those interfaces you are good. So if you have any RIP going on, disable it.

    192.168.1.1/23 is in the middle of your IP scope and is not good form, you could potentially assign that IP out to a host and that would cause your internet issues as well. You should make your WiFi LAN interface 192.168.0.1, that is the first usable IP on the 192.168.0.0/23 supernet.
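
The /23 arithmetic discussed in this thread, as an added example that is not part of the original posts: it takes the interface addresses the moderator assumes above (192.168.1.1/23 and 192.168.2.1/23), shows which network each falls in and whether it is the first usable host, and checks a client's mask and gateway against them. The function names and the client address are assumptions of this example.

```python
import ipaddress

def describe(iface_cidr):
    """Summarise the subnet a router interface address such as 192.168.1.1/23 sits in."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    first, last = net.network_address + 1, net.broadcast_address - 1
    return {"network": str(net), "first_host": str(first), "last_host": str(last),
            "is_first_host": iface.ip == first}

def overlapping(iface_cidrs):
    """Return pairs of interface addresses whose subnets overlap.

    Overlapping subnets on two interfaces make routing between them ambiguous.
    """
    ifs = [ipaddress.ip_interface(c) for c in iface_cidrs]
    return [(str(a), str(b)) for i, a in enumerate(ifs) for b in ifs[i + 1:]
            if a.network.overlaps(b.network)]

def client_problems(ip, mask, gateway, router_ifaces):
    """Check a client's IP settings against the list of router interface addresses."""
    client = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in client.network:
        problems.append("gateway is not on the client's own subnet")
    match = [i for i in map(ipaddress.ip_interface, router_ifaces) if i.ip == gw]
    if not match:
        problems.append("gateway is not a router interface address")
    elif match[0].network != client.network:
        problems.append("client mask differs from the router interface mask")
    return problems

if __name__ == "__main__":
    ROUTER = ["192.168.1.1/23", "192.168.2.1/23"]   # as assumed in the thread
    for cidr in ROUTER:
        print(cidr, describe(cidr))
    print("overlaps:", overlapping(ROUTER))
    # Hypothetical client with a /24 mask left over from an older setup.
    print(client_problems("192.168.1.50", "255.255.255.0", "192.168.1.1", ROUTER))
```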

