[SOLVED] Can't access device in WAN



  • Hey guys

    I'm just a fresh user of pfSense and have some trouble with just one device. I tried everything I know already and might miss something. That's why I would really appreciate some help concerning my problem.

    Situation:
    I have installed a pfSense firewall in my already existing home network. So I haven't replaced the ISP router but instead created another internal network. The wireless devices are still conected right to the ISP router, everything else going over ethernet is behind pfSense.
    Take a look at the attachment "homelan.jpg", where I tried to draw how my network currently looks like.

    Problem:
    I would like to get access to my printer (172.16.1.12) from my PC (192.168.1.100) over HTTP or 9100 or anything. Unfortunately I don't get any reply of that device. The network configurations of that device have already been checked multiple times.

    Status Quo:
    On the pfSense I have created two rules which should technically open everything that goes from/to this device:

    Firewall Rules
    On WAN port:

    | Protocol | IPv4 any |
    | Source | 172.16.1.12:* |
    | Destination | LAN net:* |

    On LAN port:

    | Protocol | IPv4 any |
    | Source | LAN net:* |
    | Destination | 172.16.1.12:* |

    Firewall Logs
    On the firewall logs I see no blocked traffic from/to the printer. But it shows me passed connections, which means for me that everything looks fine.

    Packet capture
    So after everything I checked the packets itself. The only thing I see is that there is communication happening between PC and printer but only in one direction (from PC to printer). I've added another attachment (homelan_capture.png) where you can see a screenshot of wireshark. The capture you see is from the WAN port obviously where I tried to ping the network printer. As you can see, the printer also tries to multicast my network and sends some ARP requests.

    So if you guys see anything I'm doing wrong or if you need some more information, I'd love to hear from you.

    Thank you in advance.

    Cheers,
    wenga





  • Do you still have Block private networks checked on Interfaces - WAN?  Double NAT is generally not recommended if you can avoid it.



  • Negative. Disabled this option already and have created those rules on my own (one for 10/8, 172.16/12 and 192.168/16). The second one would interfere with my printer but I make use of the priorisation of the rules (the printer rule is on top of all other block-rules).



  • Is there a reason you aren't putting the ISP router into bridge mode and putting all your devices on pfSense to avoid double NAT?  Wireless AP, I'm guessing?



  • Yes, you are right.

    Honestly, I would like to try solving it this way. Switching the ISP router to bridge mode would be the last resort.


  • LAYER 8 Global Moderator

    "So if you guys see anything I'm doing wrong "

    IMHO that whole setup is wrong ;)  So did you disable natting in pfsene and just routing/firewall?  If sniff on the pfsense wan - then clearly your printer just never answered the ping.  Or you have something else blocking it on your isp router, or you have routing issue where masks are wrong in putting pfsense wan and those devices on the same network?

    If me I would put isp device in bridge mode and put everything on lan side of pfsense, even if you don't put in bridge mode and double nat.  Use another interface or vlan switch and put your networks on the lan side of pfsense.

    In this setup you have a routing problem, if your not doing nat.  Does your isp router support routing, you would most likely end up with hairpin even if it does.  If you nat you don't have to worry about routing but you have to forward any traffic you want to get to pfsense lan.

    This setup is much easier if what you want to do is firewall between your lan devices - is to put them all on different lan segments behind pfsense.  Then all you need is firewall rules, etc..

    As to your multicast - that is most likely just your printer saying hey I am a printer - here is info if you want to print to me..  That sure is not going to work through your pfsense nat.  You would have to setup IGMP proxy, etc.



  • Hey johnpos

    I really appreciate your reply. Everything you've mentioned in your post was already checked. As of now, I simply think that the ISP router isn't able to handle my current network.

    I just bought some wireless extensions for my pfSense so I can build up my network like you and KOM have recomendet.

    I'm still quite curious why it was not working and which part of the network was causing these troubles. But I will try that later on and not just with a printer but with a notebook in the WAN network. This would give me the chance to capture the traffic on both ends which would probably reveal the problematic device.

    Thank you johnpoz and KOM for helping me anyway. If I have news about this, I will write again in this topic to let others know about a possible solution/fix.

    Cheers,
    wenga


  • LAYER 8 Global Moderator

    "I simply think that the ISP router isn't able to handle my current network."

    What ..  So you checked what exactly.. I didn't tell you to check anything..  What part do you not understand about not seeing your printer answer to your pings..  Your not routing anything your not natting anything at this point..  You have a printer connected to a routers switch ports.  So why did you not see an answer to your ping?  My guess would be it didn't answer.

    As to you printing to it, that has nothing to do with wan or forwarding rules.  Your client behind pfsense would be the one creating the traffic to the printer - creates state on pfense, which allows printer return traffic to get back to your client.

    So why is this thread marked solved.. I don't see anything in your post that says it is working now??



  • Sounds like you need to add a static route on the isp modem telling it where to find your 192.168.1.0 network. If that is possible?



  • This is marked SOLVED even though there wasn't a resolution to the problem.



  • @KOM:

    This is marked SOLVED even though there wasn't a resolution to the problem.

    Not true.

    @thermo:

    Sounds like you need to add a static route on the isp modem telling it where to find your 192.168.1.0 network. If that is possible?

    Thank you a lot because it is probably exactly what you are saying. Unfortunately the ISP router is branded with custom software and there I cant see any routing table and can't modify it.

    And there you have it. This is a solution, thus -> SOLVED.


Log in to reply