Can't ping LAN to OPT1



  • Hi everyone.

    Need help on this set up.

    I have pfSense V2.1 installed with 3 NICs

    WAN - To my DSL Modem
    ADMINLAN - 10.11.1.0/24
    GUESTLAN - 10.10.1.0/20

    The problem is I cannot ping any IP on ADMINLAN from GUESTLAN and vice versa.
    As I understand, pfSense automatically has a rule on every interface that allows all traffic from one interface to any interface.
    And what if I want a specific IP (ex 10.11.1.4) only to access or PING the GUESTLAN, what rule should I create?



  • That's not true. Only the LAN gets an allow all rule. By default, without this rule, it would block also. So, the default action is to block unless there is a rule in place. You are going to need to create the rule on the OPT1 interface.



  • This would fall into routing; if you set the routing correctly, then rules can be applied. But correct me if I'm wrong. Otherwise, open any traffic source from ADMINLAN to/from GUEST on the firewall rules.



  • @AYSMAN:

    Hi everyone.

    Need help on this set up.

    I have pfSense V2.1 installed with 3 NICs

    WAN - To my DSL Modem
    ADMINLAN - 10.11.1.0/24
    GUESTLAN - 10.10.1.0/20

    The problem is I cannot ping any IP on ADMINLAN from GUESTLAN and vice versa.
    As I understand, pfSense automatically has a rule on every interface that allows all traffic from one interface to any interface.
    And what if I want a specific IP (ex 10.11.1.4) only to access or PING the GUESTLAN, what rule should I create?

    One question: What is the OS for the computers you are trying to ping between? One issue I ran into was Windows Firewall, if you're pinging between Windows PCs. ICMP can be allowed, but it is set to only accept ICMP from the current subnet. Try temporarily disabling Windows Firewall on both computers to test if this is the issue.

    Also, as for allowing only one host to ping to the other VLAN, you could set up a rule that blocks all communication between the VLANs, then above that put a pass rule using ICMP protocol from designated IP address (in your example, 10.11.1.4) to GUESTLAN subnet. I believe this would accomplish that goal…


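The rule order suggested in the last reply, modelled as an added example (not written by any poster and not pfSense's own code): a small first-match evaluator run over the thread's subnets, showing why the ICMP pass rule has to sit above the block rule and why an interface with no rules blocks. The allow-all rule at the bottom of the ADMINLAN list and the test host addresses are assumptions.

```python
import ipaddress

# Subnets as posted in the thread. 10.10.1.0/20 has host bits set, so
# strict=False normalises it to the enclosing network 10.10.0.0/20.
ADMINLAN = ipaddress.ip_network("10.11.1.0/24")
GUESTLAN = ipaddress.ip_network("10.10.1.0/20", strict=False)
ADMIN_HOST = ipaddress.ip_network("10.11.1.4/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules are listed per interface and checked against traffic ENTERING that
# interface, top to bottom. Each rule: (action, protocol, source, destination).
ADMINLAN_RULES = [
    ("pass",  "icmp", ADMIN_HOST, GUESTLAN),  # only 10.11.1.4 may ping guests
    ("block", "any",  ADMINLAN,   GUESTLAN),  # everything else to GUESTLAN
    ("pass",  "any",  ADMINLAN,   ANY),       # assumed allow-all for other traffic
]
GUESTLAN_RULES = []  # an interface with no rules: nothing is allowed in


def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule, or 'block' if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, rule_src, rule_dst in rules:
        if rule_proto in ("any", proto) and src in rule_src and dst in rule_dst:
            return action
    return "block"  # default action when no rule is in place


def swapped(rules):
    """Same rules with the first two exchanged, to show the ordering mistake."""
    return [rules[1], rules[0]] + rules[2:]


if __name__ == "__main__":
    guest = "10.10.1.50"  # constructed guest host address
    checks = [
        ("10.11.1.4 pings guest", ADMINLAN_RULES, "icmp", "10.11.1.4", guest),
        ("10.11.1.9 pings guest", ADMINLAN_RULES, "icmp", "10.11.1.9", guest),
        ("10.11.1.4 TCP to guest", ADMINLAN_RULES, "tcp", "10.11.1.4", guest),
        ("block rule placed first", swapped(ADMINLAN_RULES), "icmp", "10.11.1.4", guest),
        ("guest pings 10.11.1.4", GUESTLAN_RULES, "icmp", guest, "10.11.1.4"),
    ]
    for label, rules, proto, src, dst in checks:
        print(f"{label:26} -> {evaluate(rules, proto, src, dst)}")
```

Because the firewall is stateful, echo replies to a ping that was passed on ADMINLAN return through the existing state and do not need a rule on GUESTLAN.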