4. Troubleshooting Connections between Subnets

Troubleshooting Connections between Subnets

  • B

    Hey everyone,

    I updated to 2.1 last week, and most things seemed to be just fine.  However, for some reason my ability to ping between my LAN and OPT1 networks seems to have stopped working.

    LAN = 192.168.10.15/24
    OPT1 = 10.20.10.15/24

    The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet.

    Both rules are the first rule in the list (LAN has the anti-lockout rule).

    What I'm seeing in the states table is what is confusing me (and probably why things aren't working):
    Protocol, Source->Router->Destination, State
    ICMP, 10.20.10.5 <- 192.168.10.66, 0:0
    ICMP, 192.168.10.66:1 -> 12.34.56.78:51293 -> 10.20.10.5, 0:0  (The router IP is the WAN2 IP, we have a failover that was setup a while back and WAN2 is our default)

    I guess my question is how do I take the WAN out of this LAN <-> OPT1 route?

    *Edit, more info.  I can use the PING tool on the pfsense using both OPT1 and LAN as the source location and the pings seem to work fine.  Other boxes on the same OPT1 or LAN subnet can ping other boxes on their same subnet (e.g. 10.20.10.1 can ping 10.20.10.2)

    0
  • B

    Okay, I had to toy around with it a lot but it seems okay now.

    So I'm not entirely sure why, but I had to delete the rules to "Allow OPT1 -> LAN" and "Allow LAN -> OPT1" on OPT1 and LAN, respectively.  And then rebuild them.

    Even turning the logging on with the rules wouldn't log any packets.  Once I deleted and recreated them, they started logging successful packets.

    It was very weird.

    0
  • P

    The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet.

    What you describe here in the first post is around the wrong way - if the rules were like that at first then they would not have worked.
    The way you describe doing it in the 2nd post is correct and works. That is why it works now and did not work at first.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy