• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Trying to create two subnets in VMware - what firewall rules?

Firewalling
3
12
2.2k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    mewsense
    last edited by Mar 28, 2014, 2:31 PM Mar 28, 2014, 2:27 PM

    I have a home lab with ESXi 5.5 installed. I have created two virtual networks in VMware that I want to create two subnets on and I want pfSense to connect the subnets together and act as a router.

    So in VMware I have:
    Lab Network 1
    Lab Network 2
    Internal Network (my LAN)

    All those networks are connected to pfSense interfaces as
    Lab Network 1 (10.0.1.4)
    Lab Network 2 (10.0.2.4)
    LAN (10.0.0.4)

    Here are the interfaces (ignore the WAN ports)

    I then created some rules to allow Lab1 to connect to Lab2 and Lab2 to connect to Lab1.

    When I try and ping a from machine 1 in Lab1 net to machine 2 in Lab2 net, I get an error:

    C:\Users\mark>ping 10.0.2.2

    Pinging 10.0.2.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.2.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    If I ping the LAB1 interface on pfSense from a machine in LAB1 subnet I get nothing too:
    C:\Users\mark>ping 10.0.1.4

    Pinging 10.0.1.4 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.1.4:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Any ideas what I have missed?

    Thanks!

    EDIT:
    I'm wondering if I need to set Default Gateway? I thought that was only for internet access. So I have set the default gateway for machines in LAB1 to be 10.0.1.4 and the default gateway for machines in LAB2 to be 10.0.2.4. Is that right?

    1 Reply Last reply Reply Quote 0
    • D
      doktornotor Banned
      last edited by Mar 28, 2014, 2:29 PM

      You allow TCP, try ICMP (ping) and wondering why's it blocked?

      1 Reply Last reply Reply Quote 0
      • M
        mewsense
        last edited by Mar 28, 2014, 2:42 PM

        OK, good catch, but still not working. I changed LAB2 rules to:

        If I ping from LAB2 to LAB1, I get ping timeout.

        1 Reply Last reply Reply Quote 0
        • D
          doktornotor Banned
          last edited by Mar 28, 2014, 2:53 PM

          Did you flush the states or reboot?

          1 Reply Last reply Reply Quote 0
          • M
            mewsense
            last edited by Mar 28, 2014, 3:05 PM

            @doktornotor:

            Did you flush the states or reboot?

            When I added the virtual NICs in VMware, I rebooted the pfSense VM because it had two new NICs in it. When I changed the TCP rule to allow all protocols I didn't reboot or flush the states. I have now flushed the states, but I still can't ping either the LAB2 interface on pfSense, or a machine in the LAB1 subnet. I would rather not reboot the pfSense VM because people are using it.

            1 Reply Last reply Reply Quote 0
            • P
              phil.davis
              last edited by Mar 28, 2014, 3:12 PM

              You will need a rule to allow source LAB2net destination LAB2address to allow you to ping LAB2 address from a LAB2 client. You could just make that ICMP. If you make that protocol all then it will have access to pfSense webGUI also (so depends on your requirements.
              But the LAB2 to LAB1 rule on LAB2 interface so be good to go - I would check the LAB1 system (is it Windows which may not reply to ping outside its own subnet), and do some packet capture to see where your ping/echo request and reply appear.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              1 Reply Last reply Reply Quote 0
              • M
                mewsense
                last edited by Mar 28, 2014, 3:24 PM

                Phil

                Does it matter if the destination is address or net? I changed it to address like so:

                On the machine (Windows Server 2012) in LAB2 subnet, I ran the following:

                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned
                  last edited by Mar 28, 2014, 3:32 PM

                  Yes, of course there is huge difference between "address" and "net". Otherwise:

                  There. Your ping problems solved. Nothing more needed and nothing useful achieved by blocking ICMP. Now, you can turn off firewall on the Windows boxes and ping again. After that, you could perhaps try some better tests than ping.

                  1 Reply Last reply Reply Quote 0
                  • P
                    phil.davis
                    last edited by Mar 28, 2014, 3:37 PM

                    You want destination LAB1net (the whole of the LAB1 subnet), or do what doktornoktor illustrates and allow ICMP for anything.
                    Your Windows Server "ipconfig /all" has no default gateway set - that is going to really stuff you up getting anywhere outside the subnet.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    1 Reply Last reply Reply Quote 0
                    • M
                      mewsense
                      last edited by Mar 28, 2014, 4:03 PM

                      OK guys, thanks for your patience. I'm not a networking professional. I did find a clanger of a mistake. The LAB1 and LAB2 interfaces were on /32 networks. I've changed those to /24 and rebooted the pfSense box.

                      So, this is what my LAB2 interface looks like in pfSense.

                      I added the default gateway to the interface on my Windows box in LAB2 subnet to be 10.0.2.4 (is that right?). Windows firewalls off. I then try and ping the pfSense interface and the machine in LAB1:

                      So, success now pinging the pfSense interface on LAB2 subnet, but it can't route traffic to LAB1 subnet. Any more ideas, and thanks for the great replies!

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by Mar 28, 2014, 4:05 PM

                        Well, go to machine on LAB1 and turn off the firewall there.

                        1 Reply Last reply Reply Quote 0
                        • M
                          mewsense
                          last edited by Mar 28, 2014, 4:21 PM

                          Firewalls are off. I rebooted pfSense again and now it's all working.  ;D

                          Thanks so much for your patience and help. Much appreciated. Let me know you bitcoin address and I'll send you a beer.

                          1 Reply Last reply Reply Quote 0
                          1 out of 12
                          • First post
                            1/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.