Cannot ping from OPT1 to OPT2 but can the other way…?

  • I have been beating my head against this firewall all night.

    I have a Wireless access point on 192.168.2.x
    I have a management PC on 192.168.1.x

    I can ping from the .2 net to the .1 but not from the .1 to the .2

    I have dropped ALL firewall rules except allow everything on each.

    The rules are identical on both and I have this wacky uni-directional issue.
    How is that possible?!

    I would be willing to allow someone to look at this using remote desktop ( if you felt it would help.

    I have no odd settings on either interface in their setup, meaning they are also identical in setup at that level.

    Does anyone have any ideas? :-[

  • Yes, depending on the model of wifi access point you have, it might have a residual FW in place. If you have been testing with the WAP ip address, try with another computer behind .2 net. As always, check subnet masks to make sure that you are not including one subnet in another subnet behind the other side. It will not route if that is the case. Can you ping an ip address in each subnet with the pfSense machine? Is the devices in the .2 and .1 net using pfSense as the default gateway?

  • I can ping both devices from the firewall.

    There is no FW I the wap.
    I can get to it from the pfsense firewall using a telnet to port 80.

    I just don't get it.  I have torn down and rebuilt the firewall rules a few times.
    The masks are fine.

    If you would like to view this I can arrange it if you like

  • Are you working with the WAP itself. There are some models that do not respect the entered GW. Thus it will never work. I would check out the model WAP you have and check to see if it allows you to modify the config from a subnet other than the one it is connected to.

  • Use a computer on the .2 net to check to make sure that pfSense is indeed working.

  • I have,  I am browsing and replying from it on the 2 network

  • Day 2 and I'm still stumped.  It's bizzare.

    Any takers on the screen sharing idea?

  • Have you added any packages or have you used manual outbound NAT?

  • Yes I have packages, but not anything that effects routing.
    Just charts and AVAHI for bonjour

    No NAT rules on these nets

  • Is the local firewalls off on the computers that you are testing with?

  • There are no firewalls on anything other than the PFsense device.

    I can reach other devices on the .2 network from the .5  it's only the WAP that I cannot reach, however, the WAP cannot block traffic like this on its own.

    Its odd.

    I can get to the web interface from the same subnet, (.2)
    I cannot get to it from any other.
    I can get to any other device on the .2 net from the other subnets.

    It's maddening.

    Is there some ip blocking mechanism in the PFSENSE firewall if I haven't installed a IDS type package?

  • No, please see my earlier post. Some WAP GUI do not allow access except from the LAN subnet. You might check for a settings that allows for remote configuration.

  • podilarius…

    I know this, and can assure you that I have been able to get access to this interface from other networks without trouble before.
    I have bookmarks for it and everything.

    It seems that no matter what IP I place it on, nothing allows access to it though PFSense from other subnets.

    I placed my IPCop back online to test.
    I got to it with no issues.

    I'm about to call a priest in for an exorcism.

  • IPCop probably NATed the connection. Add a NAT rule at the top that will change the source IP to the OPT2 (.2) network interface address of pfsense if coming from LAN or OPT1 subnets. Did the IPCop and pfSense share the same IP address?

  • Yes they have the same ip topology and they are direct replacements for each other.

    Is what you're suggesting going to reset something or clear the problem?
    Why would it NAT communication from and OPT"A" to OPT"B" interface?!

  • pfSense does not. It does not normally make sense to do so since they are local. What I am suggesting is that IPCop NATed and that is why it worked.
    You will have to switch to manual outbound NAT so that you can add the rule to NAT traffic to the specific WAP GUI address. The traffic would "look" like it is coming from the pfSense machine and allow GUI access.
    You could also power up IPCop and check the rules for NATing out (while not connected to a network).

  • No NATting happens on ipcop either.

    I also Know that I had access to it a few months ago with the same firewall rules.

  • Then something must have changed on the WAP. Perhaps the default gateway, route, or subnet mask. If it worked with pfSense before and nothing changed, then it would work now.

  • Agreed, but I have reset it and verified the right information in he setup.

  • Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? id you upgrade pfsense recently? Can you post your LAN, OPT1, and OPT2 rules?

  • No tools on the wap.
    I'll post my rules in a few moments.
    Stand by…

  • @podilarius:

    Are there any tools on the WAP that you can use? Like traceroute, ping, or anything? Have you recently upgraded the firmware or something? id you upgrade pfsense recently? Can you post your LAN, OPT1, and OPT2 rules?

    Here they are, the two nets.  all rules but (* ANY) disabled.

  • So the rules are strait forward, okay … enable ssh on pfsense. using ssh login several times to pfsense. The purpose is to run tcpdump on each interface involved.
    Using tcpdump watch for the originating traffic from the client, then see if it makes it to the other side of pfsense (which according to the rules should work with no problem). The watch to see if you see any traffic returned from the WAP. You can setup 4 ssh sessions, two for each interface watching in and out on each.

  • Interesting idea.

    Will do.

Log in to reply