Netgate Discussion Forum

    Cannot ping from OPT1 to OPT2 but can the other way…?

    Firewalling

    burnsl:

      I have been beating my head against this firewall all night.

      I have a Wireless access point on 192.168.2.x
      I have a management PC on 192.168.1.x

      I can ping from the .2 net to the .1 but not from the .1 to the .2

      I have dropped ALL firewall rules except allow everything on each.

      The rules are identical on both and I have this wacky uni-directional issue.
      How is that possible?!

      I would be willing to allow someone to look at this using remote desktop (join.me) if you felt it would help.

      I have no odd settings on either interface in their setup, meaning they are also identical in setup at that level.

      Does anyone have any ideas? :-[

      podilarius:

        Yes, depending on the model of wifi access point you have, it might have a residual FW in place. If you have been testing with the WAP IP address, try with another computer behind the .2 net. As always, check subnet masks to make sure that you are not including one subnet in another subnet behind the other side. It will not route if that is the case. Can you ping an IP address in each subnet from the pfSense machine? Are the devices in the .2 and .1 nets using pfSense as the default gateway?

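The subnet-mask check suggested in the reply above, worked through as an added example (this is not code from the thread or from pfSense; the host names, the addresses and the WAP's /16 mask are constructed to show how one overlapping mask produces one-way reachability):

```python
import ipaddress

# Constructed example inputs (not the poster's real configuration):
# pfSense holds .1 on each subnet; the WAP on the .2 net has been given a
# /16 mask, which swallows the .1 net.
HOSTS = {
    "pfSense-OPT1": "192.168.1.1/24",
    "pfSense-OPT2": "192.168.2.1/24",
    "mgmt-pc":      "192.168.1.50/24",
    "wap":          "192.168.2.10/16",   # constructed misconfiguration
}


def overlapping_subnets(hosts):
    """Return (a, b) pairs whose configured subnets overlap without being
    the same subnet. Any such pair means one side believes part of the other
    side's network is on-link, so it will ARP instead of using the gateway."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in hosts.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a] != nets[b] and nets[a].overlaps(nets[b])
    ]


def next_hop(sender, receiver, hosts):
    """How `sender` delivers a packet to `receiver`: directly on the segment
    ('on-link') or by handing it to its default gateway ('via-gateway')."""
    snd = ipaddress.ip_interface(hosts[sender])
    rcv_ip = ipaddress.ip_interface(hosts[receiver]).ip
    return "on-link" if rcv_ip in snd.network else "via-gateway"


def path_symmetry(client, target, hosts):
    """Compare the forward leg with the reply leg. A ping only succeeds when
    both legs agree on whether the gateway is involved."""
    forward = next_hop(client, target, hosts)
    back = next_hop(target, client, hosts)
    if forward == back:
        return "symmetric: both legs " + forward
    return "asymmetric: request %s, reply %s" % (forward, back)


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(HOSTS))
    print("mgmt-pc -> wap:", path_symmetry("mgmt-pc", "wap", HOSTS))
    fixed = dict(HOSTS, wap="192.168.2.10/24")
    print("after fixing the WAP mask:", path_symmetry("mgmt-pc", "wap", fixed))
```

With the constructed /16 the WAP is reachable from its own segment (both legs on-link) but not through pfSense, because its reply goes out as an ARP for 192.168.1.50 rather than to the gateway; correcting the mask to /24 makes both legs go via the gateway.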
        burnsl:

          I can ping both devices from the firewall.

          There is no FW in the WAP.
          I can get to it from the pfsense firewall using a telnet to port 80.

          I just don't get it.  I have torn down and rebuilt the firewall rules a few times.
          The masks are fine.

          If you would like to view this I can arrange it if you like

          podilarius:

            Are you working with the WAP itself? There are some models that do not respect the entered GW. Thus it will never work. I would check out the model of WAP you have and check to see if it allows you to modify the config from a subnet other than the one it is connected to.

            podilarius:

              Use a computer on the .2 net to check to make sure that pfSense is indeed working.

              burnsl:

                I have. I am browsing and replying from it on the .2 network.

                burnsl:

                  Day 2 and I'm still stumped. It's bizarre.

                  Any takers on the screen sharing idea?

                  podilarius:

                    Have you added any packages or have you used manual outbound NAT?

                    burnsl:

                      Yes, I have packages, but not anything that affects routing.
                      Just charts and Avahi for Bonjour.

                      No NAT rules on these nets

                      podilarius:

                        Are the local firewalls off on the computers that you are testing with?

                        burnsl:

                          There are no firewalls on anything other than the pfSense device.

                          burnsl:

                            UPDATE:
                            I can reach other devices on the .2 network from the .5  it's only the WAP that I cannot reach, however, the WAP cannot block traffic like this on its own.

                            It's odd.

                            I can get to the web interface from the same subnet, (.2)
                            I cannot get to it from any other.
                            I can get to any other device on the .2 net from the other subnets.

                            It's maddening.

                            Is there some IP blocking mechanism in the pfSense firewall if I haven't installed an IDS type package?

                            podilarius:

                              No, please see my earlier post. Some WAP GUIs do not allow access except from the LAN subnet. You might check for a setting that allows for remote configuration.

                              burnsl:

                                podilarius…

                                I know this, and can assure you that I have been able to get access to this interface from other networks without trouble before.
                                I have bookmarks for it and everything.

                                It seems that no matter what IP I place it on, nothing allows access to it through pfSense from other subnets.

                                I placed my IPCop back online to test.
                                I got to it with no issues.

                                I'm about to call a priest in for an exorcism.

                                podilarius:

                                  IPCop probably NATed the connection. Add a NAT rule at the top that will change the source IP to the OPT2 (.2) network interface address of pfsense if coming from LAN or OPT1 subnets. Did the IPCop and pfSense share the same IP address?

                                  burnsl:

                                    Yes they have the same ip topology and they are direct replacements for each other.

                                    Is what you're suggesting going to reset something or clear the problem?
                                    Why would it NAT communication from an OPT "A" to an OPT "B" interface?!

                                    podilarius:

                                      pfSense does not. It does not normally make sense to do so since they are local. What I am suggesting is that IPCop NATed and that is why it worked.
                                      You will have to switch to manual outbound NAT so that you can add the rule to NAT traffic to the specific WAP GUI address. The traffic would "look" like it is coming from the pfSense machine and allow GUI access.
                                      You could also power up IPCop and check the rules for NATing out (while not connected to a network).

                                      burnsl:

                                        No NATing happens on IPCop either.

                                        I also know that I had access to it a few months ago with the same firewall rules.

                                        podilarius:

                                          Then something must have changed on the WAP. Perhaps the default gateway, route, or subnet mask. If it worked with pfSense before and nothing changed, then it would work now.

                                          burnsl:

                                            Agreed, but I have reset it and verified the right information in the setup.
                                            Nada

                                            podilarius:

                                              Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? Did you upgrade pfSense recently? Can you post your LAN, OPT1, and OPT2 rules?

                                              burnsl:

                                                No tools on the WAP.
                                                I'll post my rules in a few moments.
                                                Stand by…

                                                burnsl:

                                                  @podilarius:

                                                  Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? Did you upgrade pfSense recently? Can you post your LAN, OPT1, and OPT2 rules?

                                                  Here they are, the two nets.  all rules but (* ANY) disabled.




                                                  podilarius:

                                                    So the rules are straightforward, okay… enable SSH on pfSense. Using SSH, log in several times to pfSense. The purpose is to run tcpdump on each interface involved.
                                                    Using tcpdump, watch for the originating traffic from the client, then see if it makes it to the other side of pfSense (which according to the rules should work with no problem). Then watch to see if you see any traffic returned from the WAP. You can set up 4 SSH sessions, two for each interface, watching in and out on each.

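The tcpdump procedure described in the post above, as an added example that is not part of the thread: it reads tcpdump -n output from the two captures (constructed lines here, not a real capture) and reports the first vantage point where the expected packet is missing. The interface names em1/em2, the addresses and the ARP line the WAP emits are assumptions.

```python
import re

# Capture commands one would run on pfSense, one SSH session each (interface
# names em1/em2 are assumptions; substitute the real OPT1/OPT2 interfaces):
#   tcpdump -ni em1 'icmp and host 192.168.2.10'            # OPT1, client side
#   tcpdump -ni em2 '(icmp or arp) and host 192.168.2.10'   # OPT2, WAP side
# The lines below are constructed tcpdump -n output, not a real capture.
CLIENT, WAP = "192.168.1.50", "192.168.2.10"
SAMPLE = {
    "ingress": [  # OPT1: the pings leave the management PC and reach pfSense
        "12:00:01.000001 IP 192.168.1.50 > 192.168.2.10: ICMP echo request, id 7, seq 1, length 64",
        "12:00:02.000001 IP 192.168.1.50 > 192.168.2.10: ICMP echo request, id 7, seq 2, length 64",
    ],
    "egress": [   # OPT2: pfSense forwards them, but the WAP ARPs instead of replying
        "12:00:01.000040 IP 192.168.1.50 > 192.168.2.10: ICMP echo request, id 7, seq 1, length 64",
        "12:00:01.000300 ARP, Request who-has 192.168.1.50 tell 192.168.2.10, length 28",
        "12:00:02.000040 IP 192.168.1.50 > 192.168.2.10: ICMP echo request, id 7, seq 2, length 64",
    ],
}

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(line):
    """(src, dst, kind, id, seq) for an ICMP echo line, else None (ARP etc.)."""
    m = ICMP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["src"], d["dst"], d["kind"], int(d["id"]), int(d["seq"])


def seen(lines, src, dst, kind):
    return any(p is not None and p[:3] == (src, dst, kind)
               for p in map(parse_icmp, lines))


# Checked in order; the first missing packet is where the exchange died.
STEPS = (
    ("ingress", "request", "request never reached pfSense: check the client's route, mask or local firewall"),
    ("egress",  "request", "request not forwarded: check pfSense rules, states and any policy routing"),
    ("egress",  "reply",   "request reached the far segment but nothing answered: check the target's gateway, mask or GUI access restrictions"),
    ("ingress", "reply",   "reply entered pfSense but was not forwarded back: check rules and the state table on the return path"),
)


def diagnose(captures, client, target):
    """Walk the four vantage points (request in, request out, reply in,
    reply out) and name the first one where the expected packet is absent."""
    for iface, kind, verdict in STEPS:
        src, dst = (client, target) if kind == "request" else (target, client)
        if not seen(captures[iface], src, dst, kind):
            return verdict
    return "ok: request and reply seen on both interfaces"


if __name__ == "__main__":
    print(diagnose(SAMPLE, CLIENT, WAP))
```

On the constructed sample the verdict is the third step: the requests leave pfSense on OPT2 and the only thing the WAP sends back is an ARP for an address on the other subnet, which is what a gateway or mask problem on the WAP looks like on the wire.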
                                                      burnsl:

                                                      Interesting idea.

                                                      Will do.
