Ping-share- 2 subnets



  • Dear All,
    After I installed pfSense with 3 NICs I couldn't figure this out; hopefully someone can help me.
    NIC1 = WAN
    NIC2 = LAN
    NIC3 = LAB

    I have installed pfSense behind an ISP gateway. All is working fine between the subnets; the only two things I have now are:

    From the LAN I can't ping/connect to the machines behind the WAN.
    From the WAN I can't ping/connect to the machines on the LAN.
    When I am connected with VPN (virtual subnet) I can't ping the WAN.

    Please advise how to get this working,
    much appreciated, really.



  • Anyone? :-[


  • Rebel Alliance Global Moderator

    Isn't this still the same problem you had in this thread?

    https://forum.pfsense.org/index.php/topic,71809.0.html

    Why are you starting another one with not even a link to the info in that one?

    By default WAN devices would not be able to ping LAN devices; NAT is on by default and all unsolicited traffic to the WAN would be blocked.  What firewall rules do you have?  Did you disable NAT?

    As to your VPN question: are you routing all traffic to the VPN on the client?  What network is the client on, what network is the WAN?  If you cannot ping WAN from LAN, it is highly unlikely that it would work from VPN, etc.



  • @johnpoz:

    Isn't this still the same problem you had in this thread?

    https://forum.pfsense.org/index.php/topic,71809.0.html

    Why are you starting another one with not even a link to the info in that one?

    By default WAN devices would not be able to ping LAN devices; NAT is on by default and all unsolicited traffic to the WAN would be blocked.  What firewall rules do you have?  Did you disable NAT?

    As to your VPN question: are you routing all traffic to the VPN on the client?  What network is the client on, what network is the WAN?  If you cannot ping WAN from LAN, it is highly unlikely that it would work from VPN, etc.

    Thank you for your answer.
    The firewall rules I have are:
    WAN:
    Allow: protocol any, source WAN address, destination LAN address.
    LAN:
    Interface LAN, protocol any, source LAN subnet, destination any.

    My VPN question:
    I don't know if I route all the traffic to the VPN client; I just created an OpenVPN connection as in the tutorial. When I am connected I receive a virtual network IP, 192.168.6.200.

    Waiting for your answer,

    thank you.


  • Rebel Alliance Global Moderator

    Post a screenshot for gosh sake!!  What destination LAN address?  Why would you allow ALL on your WAN?  You had the broken rules before.

    What about your OpenVPN tab?  What about floating, is that empty?  Are you forwarding?  Did you turn off NAT?

    Post your OpenVPN server setup.  What is your client config as to pointing clients down the tunnel?  See screen: what networks are you telling the client are down the tunnel?  What network is the client on?  If he is on, say, 192.168.2.0, why would he go down the tunnel to get to 192.168.2.0/24 when his machine is connected to that network locally already?

    Why did you break this thread out into another one?  I would get the mods to merge these threads.  It is not good practice to have more than one thread going over the same issue.




  • @johnpoz:

    Post a screenshot for gosh sake!!  What destination LAN address?  Why would you allow ALL on your WAN?  You had the broken rules before.

    What about your OpenVPN tab?  What about floating, is that empty?  Are you forwarding?  Did you turn off NAT?

    Post your OpenVPN server setup.  What is your client config as to pointing clients down the tunnel?  See screen: what networks are you telling the client are down the tunnel?  What network is the client on?  If he is on, say, 192.168.2.0, why would he go down the tunnel to get to 192.168.2.0/24 when his machine is connected to that network locally already?

    Why did you break this thread out into another one?  I would get the mods to merge these threads.  It is not good practice to have more than one thread going over the same issue.

    First off, apologies, I didn't mean to start more posts; I thought it was closed, as it took two weeks and no one answered. I am new to pfSense.
    Attached are the rules of my firewall.
    About the NAT: it is not off, and the outbound NAT is automatic.
    I have added 192.168.2.0/24 to the IPv4 Local Network/s over the VPN; I can access the network 192.168.2.0/24 over the VPN. The reason is to access vCenter and vSphere over the VPN.


  • Rebel Alliance Global Moderator

    OK, for starters: why do you have a rule that says LAB net can talk to LAB net on the LAB tab?  It would never be used; it makes no sense.

    Why on the WAN would you have a rule that says the WAN address can talk to the LAN address?  Again a pointless rule that makes no sense.

    Remove these rules!!

    Also, where is your OpenVPN server setup?  And where are these boxes?
    "reason is to access the Vcenter and Vsphere over the VPN ."

    Are we to guess where they are and what IP they are?  Did you give that info in the other thread?  Should we have to know you had the other thread and bounce back and forth between them to get info, is my point.



  • @johnpoz:

    OK, for starters: why do you have a rule that says LAB net can talk to LAB net on the LAB tab?  It would never be used; it makes no sense.

    Why on the WAN would you have a rule that says the WAN address can talk to the LAN address?  Again a pointless rule that makes no sense.

    Remove these rules!!

    Also, where is your OpenVPN server setup?  And where are these boxes?
    "reason is to access the Vcenter and Vsphere over the VPN ."

    Are we to guess where they are and what IP they are?  Did you give that info in the other thread?  Should we have to know you had the other thread and bounce back and forth between them to get info, is my point.

    The reason I have those rules is to allow the connection between the subnets.
    Between pfSense and the internet there is an ISP gateway which also provides a local subnet, 192.168.2.0/24.
    What rules do I need to create to allow the connection (ping/share) between both subnets? LAB-LAN-WAN?

    Attached is the OpenVPN server configuration.


  • Rebel Alliance Global Moderator

    Well, that's great that you want to allow connectivity between subnets, but those rules don't do that.  Those rules don't do anything.  They are pointless.  For a client to talk to another IP on LAB net he does not even talk to pfSense.  He only talks to pfSense when he wants to leave LAB net; pfSense is the gateway off LAB net for him.  So that rule would never be used, and let's say it was: you have a rule above that says "oh, you're from LAB net, you can talk anywhere you want", so again that rule would never be used.

    As to the WAN address talking to the LAN address: what??  pfSense owns both of those addresses.  Why do you think any sort of traffic would be sourced from the pfSense WAN address with a destination of the LAN address of pfSense?  And then why would this packet be inbound on your WAN interface?  It's a gibberish rule that doesn't do anything!

    So isn't 192.168.2.0/24 your WAN?  How is that a local network?  And no, you're not forcing traffic down the tunnel.  Wouldn't a client that can talk to the pfSense 192.168.2.x WAN address already be able to talk to 192.168.2.0??

    Dude, you don't protect things on the WAN of pfSense.  WAN to pfSense is normally a hostile network, i.e. the internet.  So from the other thread:

    PFSENSE >>>>> NIC1 192.168.2.X
    PFSENSE >>>>> NIC 2 ( LAN ) 192.168.4.x
    PFSENSE >>>>> NIC 3 LAB 192.168.5.X

    Your local networks should be 4.x/24 and 5.x/24, since those are your LAN and LAB networks, are they not?

    And what is the address of the VPN client?  If he has an address in a 4.x or 5.x network that you're going to want him to use the tunnel for, you're going to have problems if you don't force all traffic down the tunnel.  And even then you could run into conflicts.

    As to pinging stuff on the WAN network: what are you trying to ping?  Your LAB rule only allows TCP, so no, you're not going to be able to ping anything.  Change the rule to just IPv4.  If you limit outbound to only TCP then no, you would not be able to ping anything, since that is ICMP, and I'm not sure how you're even talking DNS, since that is UDP.

    See attachment.
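The two points made in the post above, that a rule is only consulted on the interface a packet enters (so a "LAB net to LAB net" rule never sees traffic, because same-segment traffic never touches the router) and that a TCP-only pass rule silently blocks ICMP and UDP, can be checked with a small model of pfSense's rule evaluation. This is an added example written for this page, not code from the thread or from pfSense; the /24s are the ones posted, while pfSense's own interface addresses (.10 on WAN, .1 on LAN and LAB) and the host addresses in the test cases are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology using the /24s posted in the thread. pfSense's own
# interface addresses (.10 on WAN, .1 on LAN and LAB) are assumptions.
IFACES = {
    "WAN": ipaddress.ip_interface("192.168.2.10/24"),
    "LAN": ipaddress.ip_interface("192.168.4.1/24"),
    "LAB": ipaddress.ip_interface("192.168.5.1/24"),
}


@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "any", "tcp", "udp" or "icmp"
    src: str      # CIDR network, or a single address for "WAN address"-style rules
    dst: str


def _matches(rule, proto, src, dst):
    if rule.proto not in ("any", proto):
        return False
    return (src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst))


def evaluate(rules_by_iface, ingress, proto, src, dst):
    """Decide what pfSense does with the first packet of a connection.

    Returns "not-routed" when the packet never reaches pfSense at all (source
    and destination sit on the same directly connected segment, so it is
    switched, not routed), otherwise "pass" or "block". Interface rules are
    consulted only on the interface the packet ENTERS, top down, first match
    wins (every GUI rule is a pf 'quick' rule); no match means block.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seg = IFACES[ingress]
    if src in seg.network and dst in seg.network and dst != seg.ip:
        return "not-routed"
    for rule in rules_by_iface.get(ingress, []):
        if _matches(rule, proto, src, dst):
            return rule.action
    return "block"


# The rule set as the thread describes it.
POSTED_RULES = {
    # "source WAN address, destination LAN address": both are pfSense's own IPs
    "WAN": [Rule("pass", "any", "192.168.2.10", "192.168.4.1")],
    "LAN": [Rule("pass", "any", "192.168.4.0/24", "0.0.0.0/0")],
    "LAB": [
        Rule("pass", "tcp", "192.168.5.0/24", "0.0.0.0/0"),        # TCP only
        Rule("pass", "icmp", "192.168.5.0/24", "192.168.5.0/24"),  # LAB net -> LAB net
    ],
}

# The "any/any like your LAN" rule suggested for LAB.
SUGGESTED_RULES = {
    "LAN": [Rule("pass", "any", "192.168.4.0/24", "0.0.0.0/0")],
    "LAB": [Rule("pass", "any", "192.168.5.0/24", "0.0.0.0/0")],
}

if __name__ == "__main__":
    cases = [
        ("LAB", "icmp", "192.168.5.10", "192.168.4.20"),  # ping LAB -> LAN host
        ("LAB", "udp", "192.168.5.10", "192.168.5.1"),    # DNS query to pfSense
        ("LAB", "tcp", "192.168.5.10", "192.168.4.20"),
        ("LAB", "icmp", "192.168.5.10", "192.168.5.20"),  # ping within LAB
        ("WAN", "icmp", "192.168.2.50", "192.168.4.20"),  # WAN host -> LAN host
    ]
    for c in cases:
        print(c, "posted:", evaluate(POSTED_RULES, *c),
              "suggested:", evaluate(SUGGESTED_RULES, *c))
```

Running it shows the posted LAB rules blocking the ping and the DNS query while passing TCP, the LAB-to-LAB ping never reaching pfSense at all, and the WAN rule matching nothing a real WAN host sends, because its source is pfSense's own address.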




  • Maybe for some reason you have a group of systems on the subnet between pfSense and the ISP device (pfSense WAN), and maybe you want those to act like another "LAN" on pfSense, routing to/from LAN and LAB? That way you can have 3 different "LAN-style" networks running on a pfSense box with just 3 NICs while still having an internet connection, and without using VLANs.
    If so, then read this other post - https://forum.pfsense.org/index.php/topic,72574.0.html - to make the devices in the WANnet talk back through pfSense.

    And your rule on WAN from WANaddress to LANaddress: I suspect you mean to put WANnet to LANnet. Similarly you might want a rule allowing WANnet to LABnet. And similar rules in the other direction on the LAN and LAB tabs… to allow all the subnets to talk to each other (or whatever you want to allow).


  • Rebel Alliance Global Moderator

    Well, if he put WAN net to LAN net, he would need to turn off NAT, or create forwards for whatever traffic he wants from WAN to LAN.



  • @johnpoz:

    Well, that's great that you want to allow connectivity between subnets, but those rules don't do that.  Those rules don't do anything.  They are pointless.  For a client to talk to another IP on LAB net he does not even talk to pfSense.  He only talks to pfSense when he wants to leave LAB net; pfSense is the gateway off LAB net for him.  So that rule would never be used, and let's say it was: you have a rule above that says "oh, you're from LAB net, you can talk anywhere you want", so again that rule would never be used.

    As to the WAN address talking to the LAN address: what??  pfSense owns both of those addresses.  Why do you think any sort of traffic would be sourced from the pfSense WAN address with a destination of the LAN address of pfSense?  And then why would this packet be inbound on your WAN interface?  It's a gibberish rule that doesn't do anything!

    So isn't 192.168.2.0/24 your WAN?  How is that a local network?  And no, you're not forcing traffic down the tunnel.  Wouldn't a client that can talk to the pfSense 192.168.2.x WAN address already be able to talk to 192.168.2.0??

    Dude, you don't protect things on the WAN of pfSense.  WAN to pfSense is normally a hostile network, i.e. the internet.  So from the other thread:

    PFSENSE >>>>> NIC1 192.168.2.X
    PFSENSE >>>>> NIC 2 ( LAN ) 192.168.4.x
    PFSENSE >>>>> NIC 3 LAB 192.168.5.X

    Your local networks should be 4.x/24 and 5.x/24, since those are your LAN and LAB networks, are they not?

    And what is the address of the VPN client?  If he has an address in a 4.x or 5.x network that you're going to want him to use the tunnel for, you're going to have problems if you don't force all traffic down the tunnel.  And even then you could run into conflicts.

    As to pinging stuff on the WAN network: what are you trying to ping?  Your LAB rule only allows TCP, so no, you're not going to be able to ping anything.  Change the rule to just IPv4.  If you limit outbound to only TCP then no, you would not be able to ping anything, since that is ICMP, and I'm not sure how you're even talking DNS, since that is UDP.

    See attachment.

    Dear John,
    The VPN client receives an IP from the virtual network 192.168.200.0/24, as I configured.
    I used Vyatta for 8 years and it always worked fine; when the client connected over VPN it automatically received my LAN IP. I am happy it works (it doesn't matter which IP it receives, as it's secure).

    What rules do I need to create on LAN and LAB and WAN to make them one network and listen to each other?
    ICMP and TCP rules had already been created and it didn't work, so that's why I removed them.

    LAN 192.168.4.0/24 is my production network.
    192.168.5.0/24 is my LAB test (testing stuff).
    192.168.2.0/24 is my ISP router home Wi-Fi network (kids' and wife's phones and laptops).

    When you said force the traffic down the tunnel, what do you mean?



  • @phil.davis:

    Maybe for some reason you have a group of systems on the subnet between pfSense and the ISP device (pfSense WAN), and maybe you want those to act like another "LAN" on pfSense, routing to/from LAN and LAB? That way you can have 3 different "LAN-style" networks running on a pfSense box with just 3 NICs while still having an internet connection, and without using VLANs.
    If so, then read this other post - https://forum.pfsense.org/index.php/topic,72574.0.html - to make the devices in the WANnet talk back through pfSense.

    And your rule on WAN from WANaddress to LANaddress: I suspect you mean to put WANnet to LANnet. Similarly you might want a rule allowing WANnet to LABnet. And similar rules in the other direction on the LAN and LAB tabs… to allow all the subnets to talk to each other (or whatever you want to allow).

    Dear Phil,
    On the WAN side I have some devices that need to be connected to the ISP modem, otherwise they won't work (like iTV and phones). Also the ISP modem's firmware is closed and I can't turn DHCP off.
    My OpenVPN works fine; I forwarded the port from the ISP modem to pfSense and it works fine.

    Is it possible that when my VPN clients connect they receive my LAN IP 192.168.4.0/24 rather than my virtual tunnel IP 192.168.200.0/24?


  • Rebel Alliance Global Moderator

    Dude, look at your rules and settings.  You don't even advertise that
    192.168.5.0/24 is my LAB test ( testing stuff).

    is available to your VPN client; see attached.

    Already went over your other nonsense in your rules.  And that you're not even allowing ICMP outbound from your LAB is why you cannot ping.

    As to the rules you need: it's not my network.  Create whatever rules you want that allow traffic between your segments.  Use any/any like your LAN is what I would suggest, because from your other rules posted you're not understanding the basic concepts here.  You only allowed TCP on your any rule, and in your rule under that, where you sourced the LAB net for ICMP, you told it its destination was only LAB net.  So no, you're not going to be able to ping anything, because pfSense is not talked to from LAB net if the destination is LAB net.

    You need to tell the VPN client what networks are on your end of the VPN tunnel.  You didn't tell it about 192.168.5.0/24, so how would the client know to go down the tunnel to get to that network??

    Again I will ask: what IP is the VPN client on?  Where you run into issues is if they are on the same network on their end that you're running on your end.  As to forcing it down the tunnel, exactly that: it uses the VPN server as its default gateway to get to any network.
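The three VPN behaviours the post above describes (a network that is not listed under "IPv4 Local Network/s" is never routed into the tunnel, "Redirect Gateway" forces everything through the VPN server, and a client whose own network overlaps a pushed network ends up with conflicting routes) can be reproduced by building the client's routing table. This is an added example for this page, not code from the thread, pfSense or OpenVPN; it models pfSense's "IPv4 Local Network/s" field as one `push "route"` per network and "Redirect Gateway" as `redirect-gateway def1`, which installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel rather than replacing the client's default route. The tunnel network 192.168.200.0/24 comes from the thread; the client-side networks (10.20.30.0/24, 192.168.4.0/24 at home) and the "on-link"/"tunnel" hop labels are constructed.

```python
import ipaddress

TUNNEL_NET = ipaddress.ip_network("192.168.200.0/24")  # the thread's virtual network
TUNNEL_GW = "tunnel"                                    # hop label for routes down the VPN
ANY = ipaddress.ip_network("0.0.0.0/0")


def client_routes(client_lan, client_gw, pushed_local_networks, redirect_gateway=False):
    """Routing table an OpenVPN client ends up with after connecting.

    client_lan / client_gw  -> where the client physically sits (hotel, home Wi-Fi...)
    pushed_local_networks   -> pfSense's "IPv4 Local Network/s"; each one is sent to
                               the client as push "route <net> <mask>"
    redirect_gateway        -> pfSense's "Redirect Gateway" (push "redirect-gateway def1"):
                               adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which
                               out-rank the client's 0.0.0.0/0 without deleting it
    Routes are (network, next_hop); a connected network has next_hop "on-link".
    """
    routes = [(ipaddress.ip_network(client_lan), "on-link"),
              (ANY, client_gw),
              (TUNNEL_NET, "on-link")]
    routes += [(ipaddress.ip_network(n), TUNNEL_GW) for n in pushed_local_networks]
    if redirect_gateway:
        routes += [(ipaddress.ip_network("0.0.0.0/1"), TUNNEL_GW),
                   (ipaddress.ip_network("128.0.0.0/1"), TUNNEL_GW)]
    return routes


def next_hop(routes, dst):
    """Longest-prefix match. Two equal-length routes with different next hops are
    reported as "conflict": which one the OS prefers depends on metrics, which is
    the situation a client sitting on 192.168.4.0/24 hits when the server also
    pushes 192.168.4.0/24."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    longest = max(net.prefixlen for net, _ in matches)
    hops = {hop for net, hop in matches if net.prefixlen == longest}
    return hops.pop() if len(hops) == 1 else "conflict"


def overlapping_pushes(client_lan, pushed_local_networks):
    """Pushed networks that collide with the network the client is already on."""
    lan = ipaddress.ip_network(client_lan)
    return [n for n in pushed_local_networks if ipaddress.ip_network(n).overlaps(lan)]


if __name__ == "__main__":
    # Remote client on a hotel network; server advertises only the LAN, as in the thread.
    hotel = client_routes("10.20.30.0/24", "10.20.30.1", ["192.168.4.0/24"])
    print("LAN host :", next_hop(hotel, "192.168.4.20"))  # tunnel
    print("LAB host :", next_hop(hotel, "192.168.5.20"))  # 10.20.30.1: LAB was never advertised
    print("Internet :", next_hop(hotel, "8.8.8.8"))       # 10.20.30.1
    # Same client with Redirect Gateway: everything non-local goes down the tunnel.
    full = client_routes("10.20.30.0/24", "10.20.30.1", ["192.168.4.0/24"], redirect_gateway=True)
    print("LAB host, redirect:", next_hop(full, "192.168.5.20"))  # tunnel
    # Client whose home network is also 192.168.4.0/24: the pushed route collides.
    home = client_routes("192.168.4.0/24", "192.168.4.1", ["192.168.4.0/24"], redirect_gateway=True)
    print("Overlap:", overlapping_pushes("192.168.4.0/24", ["192.168.4.0/24"]),
          "->", next_hop(home, "192.168.4.20"))  # conflict, even with redirect-gateway
```

The last case is the "even then you could run into conflicts" remark: redirect-gateway only wins against the client's /0 default route, not against a directly connected /24 of the same size as the pushed one.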




  • @johnpoz:

    Dude, look at your rules and settings.  You don't even advertise that
    192.168.5.0/24 is my LAB test ( testing stuff).

    is available to your VPN client; see attached.

    Already went over your other nonsense in your rules.  And that you're not even allowing ICMP outbound from your LAB is why you cannot ping.

    As to the rules you need: it's not my network.  Create whatever rules you want that allow traffic between your segments.  Use any/any like your LAN is what I would suggest, because from your other rules posted you're not understanding the basic concepts here.  You only allowed TCP on your any rule, and in your rule under that, where you sourced the LAB net for ICMP, you told it its destination was only LAB net.  So no, you're not going to be able to ping anything, because pfSense is not talked to from LAB net if the destination is LAB net.

    You need to tell the VPN client what networks are on your end of the VPN tunnel.  You didn't tell it about 192.168.5.0/24, so how would the client know to go down the tunnel to get to that network??

    Again I will ask: what IP is the VPN client on?  Where you run into issues is if they are on the same network on their end that you're running on your end.  As to forcing it down the tunnel, exactly that: it uses the VPN server as its default gateway to get to any network.

    Dear John,
    Things look different from my side now.
    I've created an ICMP rule on the WAN to allow the ping to the LAN:
    Interface = WAN
    TCP/IP version = IPv4
    Protocol = ICMP
    ICMP type = any
    Source = WAN subnet
    Destination = LAN subnet
    Do I still need to create the same rule on the LAN side to allow the ping between the two interfaces?

    About the VPN: when the client dials in, it receives an IP in 192.168.200.0/24 and can now reach both networks, WAN and LAN.


  • Rebel Alliance Global Moderator

    And you don't want to get to your LAB?

    "recieved the IP 192.168.200.0/24 and now can reach both networks WAN and LAN,"

    "i've create ICMP rule from the WAN to allow the PING to the LAN"

    Why??  You're NATing between LAN and WAN, and LAB and WAN.  Did you create a port forward?  You're only going to be able to forward ICMP to one machine behind pfSense.

    Dude, you do understand your networks NAT between LAN and LAB when they talk to WAN.  So all traffic to WAN looks like it came from the pfSense WAN IP.  It's not a normal segment.  So you cannot just create rules on WAN to allow access into LAN or LAB; you have to create a forward and a firewall rule to allow traffic from WAN to either LAN or LAB network IPs.

    And no, you would not create a rule on the LAN side.  All firewall rules (other than floating rules) are inbound to an interface ONLY, from the top down.

    So for WAN to LAN, traffic would go INTO your WAN interface and OUT of LAN, so the rule is only on WAN.  So if traffic is from LAN to LAB, the IN interface of the traffic would be LAN and the out interface would be LAB, so the rule goes on LAN.  If your LAB wants to create a connection to an IP on LAN, where does the rule go?



  • "i've create ICMP rule from the WAN to allow the PING to the LAN"

    Actually, in this situation a rule like that will work. The WAN is directly on pfSense, so both WAN and LAN have addresses that pfSense can route between quite happily. As long as the client device on WAN knows that pfSense is the gateway to LANnet, it will direct that traffic to pfSense, and as long as the firewall allows it in, pfSense will send it out onto LAN. There will not be any NAT applied, because the NAT is done as connections are established outbound, and there are no NAT rules outbound on LAN.
    If you make the rule/s on WAN wider (like allow all with source WANnet, destination LANnet), then clients on WAN should be able to initiate connections to systems on LAN.


  • Rebel Alliance Global Moderator

    "and there are no NAT rules outbound on LAN."

    Where did you get that idea from? From the other thread
    "In NAT->Outbound make sure you have Automatic Outbound NAT selected - then pfSense will automatically generate NAT rules from LANnet to WAN and from LABnet to WAN."

    And then him posting his nats are auto

    That looks like nat is applied on traffic leaving the lan or the lab to me.



  • Yes:
    a) states originating from LAN going out WAN have NAT applied.
    b) states originating from LAB going out WAN have NAT applied.
    but
    c) states originating from WAN going out LAN do not have NAT applied.
    d) states originating from WAN going out LAB do not have NAT applied.

    You can originate from a client on WAN straight to an address on LAN and no NAT will happen.
    The reason this does not work from the real internet is that the LAN addresses are private addresses, so a client out on the real internet will not reach 192.168.1.1 or whatever private address, because the real internet routers have no route to it, so they quickly drop the attempt at sending.
    In the OP's case, the only router in the chain to his LAN subnet is his own pfSense, which does know the route to his LANnet and so can deliver the packet/s.
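The distinction drawn in the post above, that Automatic Outbound NAT translates states created on the way out of WAN and leaves states created inbound from WAN untouched, and the follow-up question of whether a host on the ISP's 192.168.2.0/24 even sends its packets to pfSense, can both be worked through in a small model. This is an added example for this page, not code from the thread or from pfSense; the /24s are the ones posted, while pfSense's interface addresses (192.168.2.10, 192.168.4.1, 192.168.5.1), the ISP router at 192.168.2.1 and the host addresses are constructed assumptions. Firewall rules are assumed to pass the traffic so that only NAT and routing are in play.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from the thread's addressing; pfSense's interface IPs
# and the ISP router at 192.168.2.1 are assumptions.
PF_WAN = ipaddress.ip_interface("192.168.2.10/24")
PF_LAN = ipaddress.ip_interface("192.168.4.1/24")
PF_LAB = ipaddress.ip_interface("192.168.5.1/24")
ISP_ROUTER = ipaddress.ip_address("192.168.2.1")
INTERNAL_NETS = [PF_LAN.network, PF_LAB.network]  # Automatic Outbound NAT sources


@dataclass
class State:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    egress: str
    translated_src: ipaddress.IPv4Address  # the source address the far end sees

    @property
    def natted(self):
        return self.translated_src != self.src


def pfsense_egress(dst):
    """pfSense's forwarding decision: connected networks first, else default via WAN."""
    for name, iface in (("LAN", PF_LAN), ("LAB", PF_LAB), ("WAN", PF_WAN)):
        if dst in iface.network:
            return name
    return "WAN"


def new_state(src, dst):
    """Create the state for the first packet of a connection.

    Outbound NAT is evaluated on the interface the connection LEAVES on. With
    Automatic Outbound NAT the only mapping is "sources in LAN/LAB going out
    WAN -> WAN address", so a connection initiated on the WAN segment towards
    LAN or LAB keeps its real source address.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = pfsense_egress(dst)
    natted = egress == "WAN" and any(src in net for net in INTERNAL_NETS)
    return State(src, dst, egress, PF_WAN.ip if natted else src)


def lookup(routes, dst):
    """Longest-prefix match; routes are (network, next_hop), next_hop None = on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def wan_client_next_hop(dst, static_routes=()):
    """Where a host on the ISP's 192.168.2.0/24 sends a packet. Its DHCP default
    gateway is the ISP router, so without a static route pointing at pfSense's
    WAN address a packet for 192.168.4.x never reaches pfSense at all."""
    routes = [(PF_WAN.network, None), (ipaddress.ip_network("0.0.0.0/0"), ISP_ROUTER)]
    routes += [(ipaddress.ip_network(n), ipaddress.ip_address(h)) for n, h in static_routes]
    return lookup(routes, dst)


if __name__ == "__main__":
    for s, d in [("192.168.4.20", "8.8.8.8"), ("192.168.4.20", "192.168.2.50"),
                 ("192.168.2.50", "192.168.4.20"), ("192.168.4.20", "192.168.5.30")]:
        st = new_state(s, d)
        print(f"{s} -> {d}: out {st.egress}, seen as {st.translated_src}, NAT={st.natted}")
    print("WAN client to LAN, no route   :", wan_client_next_hop("192.168.4.20"))
    print("WAN client to LAN, static route:",
          wan_client_next_hop("192.168.4.20", [("192.168.4.0/24", "192.168.2.10")]))
```

Two things fall out of running it: a LAN host talking to a host on the WAN segment is seen as pfSense's WAN address (which is why the WAN side "sees pfSense" for LAN-originated traffic), whereas a WAN host that initiates towards LAN keeps its own address and needs no port forward; and that WAN host only gets as far as pfSense if it, or the ISP router, carries a route for 192.168.4.0/24 via pfSense's WAN address.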


  • Rebel Alliance Global Moderator

    But I doubt his clients on WAN have a route to his LAN or LAB networks, to be honest.  From some of the rules he has tried to put in place, the basic understanding is just not there.