Routing traffic between LAN and OPT1


  • Hello,

    I have been using pfsense for several years with a single WAN and single LAN configuration. Recently I added an OPT1 interface to use as a WAP. I configured DHCP for that interface and copied the "allow all" firewall rule from LAN to allow internet access on that interface. I am able to access the Internet on both interfaces and both networks seem to work well, except I cannot access anything on LAN from the OPT1 network and vice versa. I believe that I need to add a firewall rule to allow the routing to happen correctly, but I have tried what feels like every permutation of the firewall rule definitions and can't seem to figure it out.

    Here is my configuration:

    em0: WAN (DHCP)
    em1: LAN (Static) 172.16.0.1/22 [DHCP server range 172.16.2.1 - 2.255]
    em2: OPT1 (Static) 172.16.4.1/22 [DHCP server range 172.16.4.2 - 4.255]

    I'd prefer to stay away from bridging any interfaces because there are plans to modify the OPT1 network in the future and I don't want to disrupt the LAN network when that happens.

    Any advice at this point would be very appreciated. Thanks

  • LAYER 8 Netgate

    Post screen shots.  If it was as you say it is you would be able to at least access OPT1 from LAN.  And if you have pass any any rules on OPT1, you'd be able to access LAN from OPT1.

    Make sure block private networks isn't checked in the interface configs.

    No need to bridge.  You're doing it right.

    Are you sure you're not mistaking software firewalls on the client OSes for lack of routing?  If you can ping the OPT1 interface from LAN and the LAN interface from OPT1 it's probably not your rules.


  • Thanks for the reply, and sorry for getting back to the thread late…I was out of town.

    Here are some screenshots of what I have configured for LAN and OPT as well as firewall rules.

  • LAYER 8 Netgate

    Not much more to it than that.  LAN and OPT1 should be able to freely communicate.


  • Hi,

    try to set the source network on the rules to * (any network).

    Best,
    Rod Barbosa


  • I explicitly put a rule in to allow traffic to go between each LAN.  See attached screen shot.  Try that and see if it resolves it.  Put it above the ANY rule.

    ![Screen Shot 2014-11-24 at 11.58.20 PM.png](/public/imported_attachments/1/Screen Shot 2014-11-24 at 11.58.20 PM.png)


  • Thanks Tim. Adding this rule above the any rule seems to have fixed the issue. Never thought about adding the rule above the existing rule…. :-\


  • And it works like that because you want those "internal" packets to be matched by that rule you now have first, so they are handed to the ordinary routing table.
    Then other general packets match the 2nd rule and are forced out the specified gateway.

    The other way around, everything was matched by the general rule and was forced out the gateway.

  • LAYER 8 Netgate

    But OP wasn't doing any policy routing to specific gateways so the LAN net to WAN net rule would be unnecessary.


  • @Derelict:

    But OP wasn't doing any policy routing to specific gateways so the LAN net to WAN net rule would be unnecessary.

    You are right - I was looking at tim.mcmanus's screenshot and never went back again to look at the OP's original screenshots. So my explanation is relevant to why Tim's rules work - but we do not really know what the real reason was that the OP's setup was not working and why it is working now.
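    The two explanations above (a specific internal rule placed above a policy-routing rule, versus a plain "any" rule with no gateway, which needs no such ordering) both come down to pfSense's first-match rule evaluation on the ingress interface. The following is an added example, not code from the thread or from pfSense itself: a small simulator of that evaluation using the poster's LAN (172.16.0.0/22) and OPT1 (172.16.4.0/22) networks. The rule names, the gateway label `WAN_GW` and the host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Networks taken from the original post; everything else here is constructed.
LAN_NET = "172.16.0.0/22"
OPT1_NET = "172.16.4.0/22"


@dataclass
class Rule:
    """One pass rule on an interface. src/dst are CIDRs or "any".
    gateway=None means "hand the packet to the system routing table";
    a gateway name means policy routing (the packet is forced out that gateway)."""
    name: str
    src: str
    dst: str
    gateway: Optional[str] = None


def _matches(selector: str, ip: str) -> bool:
    """True if the address falls inside the rule selector ("any" matches everything)."""
    if selector == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """pfSense evaluates interface rules top-down; the first match wins."""
    for rule in rules:
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule
    return None


def next_hop(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Describe what happens to a packet entering the LAN interface."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "blocked (default deny)"
    if rule.gateway:
        return f"forced out {rule.gateway}"
    return "system routing table"


# Tim's layout: a specific LAN-to-OPT1 pass rule above a policy-routing "any" rule.
internal = Rule("LAN net to OPT1 net", LAN_NET, OPT1_NET)
policy_any = Rule("LAN net to any via gateway", LAN_NET, "any", gateway="WAN_GW")

# The OP's original layout as Derelict reads it: a plain pass-any rule, no gateway set.
plain_any = Rule("LAN net to any", LAN_NET, "any")

LAN_HOST, OPT1_HOST, INTERNET_HOST = "172.16.2.10", "172.16.4.50", "198.51.100.7"


def scenarios() -> dict:
    """Outcomes for a LAN host reaching OPT1 and the Internet under each ordering."""
    return {
        "internal above policy, to OPT1": next_hop([internal, policy_any], LAN_HOST, OPT1_HOST),
        "policy above internal, to OPT1": next_hop([policy_any, internal], LAN_HOST, OPT1_HOST),
        "internal above policy, to Internet": next_hop([internal, policy_any], LAN_HOST, INTERNET_HOST),
        "plain any only, to OPT1": next_hop([plain_any], LAN_HOST, OPT1_HOST),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:38s} -> {outcome}")
```

    With the policy-routing rule on top, LAN-to-OPT1 packets are forced out the gateway and never reach the routing table, which is the failure the later reply describes; with the internal rule on top they are routed normally. The last scenario shows Derelict's point: a plain pass-any rule with no gateway sends everything to the routing table, so ordering alone would not explain the OP's original symptom.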