4. Troubleshooting Connections between Subnets

Troubleshooting Connections between Subnets

  • B

    Hey everyone,

    I updated to 2.1 last week, and most things seemed to be just fine.  However, for some reason my ability to ping between my LAN and OPT1 networks seems to have stopped working.

    LAN = 192.168.10.15/24
    OPT1 = 10.20.10.15/24

    The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet.

    Both rules are the first rule in the list (LAN has the anti-lockout rule).

    What I'm seeing in the states table is what is confusing me (and probably why things aren't working):
    Protocol, Source->Router->Destination, State
    ICMP, 10.20.10.5 <- 192.168.10.66, 0:0
    ICMP, 192.168.10.66:1 -> 12.34.56.78:51293 -> 10.20.10.5, 0:0  (The router IP is the WAN2 IP, we have a failover that was setup a while back and WAN2 is our default)

    I guess my question is how do I take the WAN out of this LAN <-> OPT1 route?

    *Edit, more info.  I can use the PING tool on the pfsense using both OPT1 and LAN as the source location and the pings seem to work fine.  Other boxes on the same OPT1 or LAN subnet can ping other boxes on their same subnet (e.g. 10.20.10.1 can ping 10.20.10.2)

    0
  • B

    Okay, I had to toy around with it a lot but it seems okay now.

    So I'm not entirely sure why, but I had to delete the rules to "Allow OPT1 -> LAN" and "Allow LAN -> OPT1" on OPT1 and LAN, respectively.  And then rebuild them.

    Even turning the logging on with the rules wouldn't log any packets.  Once I deleted and recreated them, they started logging successful packets.

    It was very weird.

    0
  • P

    The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet.

    What you describe here in the first post is around the wrong way - if the rules were like that at first then they would not have worked.
    The way you describe doing it in the 2nd post is correct and works. That is why it works now and did not work at first.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy