Trying to create two subnets in VMware - what firewall rules?



  • I have a home lab with ESXi 5.5 installed. I have created two virtual networks in VMware that I want to create two subnets on and I want pfSense to connect the subnets together and act as a router.

    So in VMware I have:
    Lab Network 1
    Lab Network 2
    Internal Network (my LAN)

    All those networks are connected to pfSense interfaces as
    Lab Network 1 (10.0.1.4)
    Lab Network 2 (10.0.2.4)
    LAN (10.0.0.4)

    Here are the interfaces (ignore the WAN ports)

    I then created some rules to allow Lab1 to connect to Lab2 and Lab2 to connect to Lab1.

    When I try and ping a from machine 1 in Lab1 net to machine 2 in Lab2 net, I get an error:

    C:\Users\mark>ping 10.0.2.2

    Pinging 10.0.2.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.2.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    If I ping the LAB1 interface on pfSense from a machine in LAB1 subnet I get nothing too:
    C:\Users\mark>ping 10.0.1.4

    Pinging 10.0.1.4 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.1.4:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Any ideas what I have missed?

    Thanks!

    EDIT:
    I'm wondering if I need to set Default Gateway? I thought that was only for internet access. So I have set the default gateway for machines in LAB1 to be 10.0.1.4 and the default gateway for machines in LAB2 to be 10.0.2.4. Is that right?


  • Banned

    You allow TCP, try ICMP (ping) and wondering why's it blocked?



  • OK, good catch, but still not working. I changed LAB2 rules to:

    If I ping from LAB2 to LAB1, I get ping timeout.


  • Banned

    Did you flush the states or reboot?



  • @doktornotor:

    Did you flush the states or reboot?

    When I added the virtual NICs in VMware, I rebooted the pfSense VM because it had two new NICs in it. When I changed the TCP rule to allow all protocols I didn't reboot or flush the states. I have now flushed the states, but I still can't ping either the LAB2 interface on pfSense, or a machine in the LAB1 subnet. I would rather not reboot the pfSense VM because people are using it.



  • You will need a rule to allow source LAB2net destination LAB2address to allow you to ping LAB2 address from a LAB2 client. You could just make that ICMP. If you make that protocol all then it will have access to pfSense webGUI also (so depends on your requirements.
    But the LAB2 to LAB1 rule on LAB2 interface so be good to go - I would check the LAB1 system (is it Windows which may not reply to ping outside its own subnet), and do some packet capture to see where your ping/echo request and reply appear.



  • Phil

    Does it matter if the destination is address or net? I changed it to address like so:

    On the machine (Windows Server 2012) in LAB2 subnet, I ran the following:


  • Banned

    Yes, of course there is huge difference between "address" and "net". Otherwise:

    There. Your ping problems solved. Nothing more needed and nothing useful achieved by blocking ICMP. Now, you can turn off firewall on the Windows boxes and ping again. After that, you could perhaps try some better tests than ping.



  • You want destination LAB1net (the whole of the LAB1 subnet), or do what doktornoktor illustrates and allow ICMP for anything.
    Your Windows Server "ipconfig /all" has no default gateway set - that is going to really stuff you up getting anywhere outside the subnet.



  • OK guys, thanks for your patience. I'm not a networking professional. I did find a clanger of a mistake. The LAB1 and LAB2 interfaces were on /32 networks. I've changed those to /24 and rebooted the pfSense box.

    So, this is what my LAB2 interface looks like in pfSense.

    I added the default gateway to the interface on my Windows box in LAB2 subnet to be 10.0.2.4 (is that right?). Windows firewalls off. I then try and ping the pfSense interface and the machine in LAB1:

    So, success now pinging the pfSense interface on LAB2 subnet, but it can't route traffic to LAB1 subnet. Any more ideas, and thanks for the great replies!


  • Banned

    Well, go to machine on LAB1 and turn off the firewall there.



  • Firewalls are off. I rebooted pfSense again and now it's all working.  ;D

    Thanks so much for your patience and help. Much appreciated. Let me know you bitcoin address and I'll send you a beer.


Log in to reply