How can I get LAN to ping a 2nd lan on OPT2



  • I have my pfsense setup with 2 LANs, lan1 (192.168.1.0) and lan2 (192.168.2.0). Let's say I have a computer at 192.168.1.61 on lan1 and another computer at 192.168.2.20 on lan2. With a clean install of pfsense I can ping 192.168.1.61 from lan2, but I can't ping 192.168.2.20 from lan1… I have tried setting firewall rules to allow this, but nothing has worked.

    Can anyone offer a suggestion? I have been googling this for hours now lol.


  • LAYER 8 Global Moderator

    Post up your rules for lan1 and lan2 and I'll be happy to point out any issue that might be there.

    By default the first lan that gets created with pfsense should be any any from lan net.  If you create a new lan interface (opt1) there will be no rules.  Now if you don't care about lan1 and lan2 talking, then just duplicate the rule from your default lan on the next lan, where the only thing that changes is the source, which should be lan2 net.



  • I did that but it still isn't working :-(


  • LAYER 8 Global Moderator

    Yeah, that should work.  So do you have any floating rules that might block?  You didn't set any lan gateway on the interfaces lan or opt1, did you?  Curious why opt2 is listed and not opt1?

    So can your lan2 (opt2) on 192.168.2.0/24 ping the pfsense IP?  They are showing pfsense as their gateway, right?  They can use the internet?

    Let's validate masks: both of your lan networks are /24, right?  Because if you have say /16 they would be the same network.

    Have you rebooted pfsense since creating the interfaces and assigning them?

    I would do a traceroute and verify you're not trying to route somewhere odd.  Looking at and posting your routes from pfsense as well would be great.



  • No floating rules have been set.

    The WAN is DHCP and LAN and OPT2 are just using the default gateway and both can get "online".

    OPT2 is not OPT1 because I have 5 NICs in the computer that I will use later on but for now they are just disabled for testing.

    The PC behind OPT2 can ping 192.168.2.254 (pfsense IP for OPT2) and can ping 192.168.1.1 (pfsense IP for LAN).

    The PC behind LAN can ping both pfsense interfaces as well. Just not 192.168.2.20 (the other PC).

    Both network masks are set at /24.

    Edit: I'm having this issue on multiple pfsense installations, so I set up this very small test to try and figure out the problem. So I have a clean install of pfsense, a WAN, 2 LANs, and one PC sitting directly behind each lan, and I'm just trying to get them to talk to each other. :-P


  • LAYER 8 Global Moderator

    Ok – check the local firewall on the box.  Windows likes to disable icmp out of the gate, and make sure you allow networks other than its local one.



  • Windows firewall is off. I have also tried RDP which is set up on both computers and for whatever reason I just can't talk to 192.168.2.20

    Edit: Also if I stick the computers on the same network they can ping each other no problem.


  • LAYER 8 Netgate

    @bradcis:

    Windows firewall is off. I have also tried RDP which is set up on both computers and for whatever reason I just can't talk to 192.168.2.20

    Edit: Also if I stick the computers on the same network they can ping each other no problem.

    That doesn't mean much, since Windows treats the local network differently than remotes.

    Can you post ipconfig /all for the two interfaces?  This "just works" in pfSense.


  • LAYER 8 Global Moderator

    So what is the traceroute from 2.20 to your 1.x network?

    pfsense can clearly talk to 2.20 from your traceroute pic.

    It points to a firewall on the 2.20 box if you ask me. But I would do a sniff on the lan2 interface on pfsense for icmp traffic and then ping.  So for example, I also have the same networks set up on my home box: lan is 192.168.1.0/24 and my wlan is 192.168.2.0/24.

    So here is a sniff on the wlan interface for icmp, from the 1.100 box.  This will validate that traffic goes out to your 2.20 box from the lan2 interface.  See below: 2.252 is one of my access points. Pinging from my desktop on 192.168.1.100 to 192.168.2.252.

    Pfsense has IPs 192.168.1.253 in lan, and 192.168.2.253 in wlan.  I don't use .1 or .254 because these are normal default IPs, and I fire up lots of other equipment playing around and don't want anything stepping on IPs, etc.

    The other thing is verification of the MAC address that is on your 2.20 machine, and that pfsense is actually seeing the same MAC. Example:

    If you see the pings go out your opt2 but no answer, then something is wrong with your 2.20 box: either it's not answering ping, or a firewall, or it's not seeing the traffic for some reason.  If you see an answer but the lan1 box never gets it, then something is wrong with pfsense.  Or maybe you never see it go out your lan2 interface?





  • LAYER 8 Global Moderator

    @Derelict:

    Can you post ipconfig /all for the two interfaces?  This "just works" in pfSense.

    Agreed - this should not be an issue.  Your rules should allow it on your interfaces.

    The sniff will for sure validate that the traffic is leaving pfsense to your 2.20 box.  If it does not answer, then it's not pfsense for sure.

    This normally turns out to be device related - if Windows, are you sure you're not running any sort of 3rd party firewall/antivirus/security software?

    This 2.20 box is just connected to a dumb switch that is in turn connected to pfsense lan2 interface?  The ipconfig /all info couldn't hurt to look at.  But I am really thinking firewall on the 2.20 is the problem.
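    The sniff-and-interpret procedure described in the two posts above, as an added example that is not part of the original thread: a small Python helper that takes tcpdump ICMP lines captured on the pfsense LAN and OPT2 interfaces and reports where the ping is being lost, using the thread's addresses. The capture lines are constructed samples reproducing the thread's symptom (request leaves OPT2, no reply comes back); the function and code names are assumptions of this example.

```python
import re

# Matches tcpdump's ICMP echo lines, e.g.
# "10:00:00.000100 IP 192.168.1.61 > 192.168.2.20: ICMP echo request, id 1, seq 1, length 64"
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")


def _seen(lines, src, dst, kind):
    """True if any capture line is an ICMP echo <kind> from src to dst."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m and m["src"] == src and m["dst"] == dst and m["kind"] == kind:
            return True
    return False


def diagnose(lan1_lines, lan2_lines, pinger, target):
    """Locate where a LAN1 -> LAN2 ping fails, from captures on both pfsense interfaces.

    lan1_lines: tcpdump output from the LAN interface (pinger's side)
    lan2_lines: tcpdump output from the OPT2/lan2 interface (target's side)
    Returns (code, advice); each code maps to one of the outcomes in the thread.
    """
    req_in = _seen(lan1_lines, pinger, target, "request")   # request reached pfsense
    req_out = _seen(lan2_lines, pinger, target, "request")  # pfsense forwarded it out OPT2
    rep_in = _seen(lan2_lines, target, pinger, "reply")     # target answered
    rep_out = _seen(lan1_lines, target, pinger, "reply")    # pfsense forwarded the reply back
    if not req_in:
        return "NO_REQUEST_AT_FIREWALL", "check the pinger's gateway/mask and its local firewall"
    if not req_out:
        return "FIREWALL_DROPPED_REQUEST", "check LAN/floating rules and routes on pfsense"
    if not rep_in:
        return "TARGET_NOT_ANSWERING", "host firewall/AV on the target, or it never saw the packet"
    if not rep_out:
        return "FIREWALL_DROPPED_REPLY", "pfsense saw the reply but did not forward it to LAN"
    return "ROUND_TRIP_OK", "pfsense is fine; look at the pinger host itself"


# Constructed sample captures: the request is on the wire out of OPT2, nothing answers.
LAN1_CAPTURE = [
    "10:00:00.000100 IP 192.168.1.61 > 192.168.2.20: ICMP echo request, id 1, seq 1, length 64",
]
LAN2_CAPTURE = [
    "10:00:00.000250 IP 192.168.1.61 > 192.168.2.20: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    print(diagnose(LAN1_CAPTURE, LAN2_CAPTURE, "192.168.1.61", "192.168.2.20"))
```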



  • Holy crap, after all that it was my Kaspersky AV firewall… I didn't think I had installed it because I never install the software firewalls, but after disabling that it started working. Thank you so much for the help. I can't believe I overlooked that :-/


  • LAYER 8 Global Moderator

    Firewalls the BANE of users ;) heheeh

    Glad you got it working - and maybe learned a bit in the process of tracking it down.  I am a big fan of going to the sniff for validation.  If you would have done the sniff you would have validated that pfsense was putting the traffic on the wire, and you just weren't getting an answer.  This would have forced you to look at the host closer.

