Netgate Discussion Forum

    Routing between opt and lan

    Routing and Multi WAN · 2 Posts · 2 Posters · 3.2k Views
    • elektrongyorsito

      Dear All,

      I have a strange issue, and I did not find any solution on Google. I have an opt and a lan interface, and I have rules on those interfaces that accept everything ingress. While it works from lan to opt, it doesn't work backward from opt to lan. We have a physical machine with pfsense 2.1.5, but I checked it, and the same happens on a vbox machine with pfsense 2.1.5 and 2.1.4 as well. The config:
      WAN - i think irrelevant
      LAN - 192.168.70.1/24 (the bogon and private networks unchecked)
      OPT1 - 172.16.0.1/16 (the bogon and private networks unchecked)

      Lan rule:
      Proto Source Port Destination Port Gateway Queue
      IPv4 * * * * * * none
      LAN rule: ACCEPT everything from any source to every destination

      OPT1 rule:
      Proto Source Port Destination Port Gateway Queue
      IPv4 * * * * * * none
      OPT rule: ACCEPT everything from every source to every destination

      I think NAT is irrelevant, because the packets from the OPT to LAN should go through whether pfsense translates the LAN address to the OPT interface address or not. However, both inside subnets should go to the internet, so I want NAT only in the internet direction. I have these NAT rules:

      Interface  Source            Source Port  Destination         Destination Port  NAT Address  NAT Port  Static Port
      WAN        192.168.70.0/24   *            ! 172.16.0.0/16     *                 WAN address  *         NO
      WAN        172.16.0.0/16     *            ! 192.168.70.0/24   *                 WAN address  *         NO

      FROM the LAN side everything is ok:
      -I can ping the pfsense LAN interface address
      -I can ping the pfsense OPT interface address
      -I can ping a host on the OPT subnet

      FROM the OPT side:
      -I can ping the pfsense LAN interface address
      -I can ping the pfsense OPT interface address
      -I CAN NOT ping a host on the LAN subnet

      There is no FIREWALL on the hosts at all, and I can not reach any services on the LAN subnet from the OPT.
      (Sorry, I wrote "services on the opt from lan" previously by mistake; I corrected it to "services on the LAN from OPT" now)

      I have checked many times the subnet mask, rules etc.
      Could you please suggest something to solve this mysterious error?
      Thank you very much

      • Derelict (LAYER 8 Netgate)

        You don't need those NAT rules.  They will only be in effect for traffic out WAN, which will not include the LAN <-> OPT1 traffic.  In your case it's sufficient to use automatic outbound NAT.

        Be sure to check your Windows or other firewall settings on the clients themselves.  People never get tripped up by them because they treat the local subnet as friendly.  As soon as you do multiple subnets, the software firewalls start blocking "local" traffic because it's from a different subnet.

        People compensate by doing all sorts of things in pfSense.  Those pass any rules on LAN and OPT1 are all you need.

        You say there's no firewall on the hosts at all but SOMETHING's blocking that traffic and it's not pfSense.  If it was, it'd be in the firewall logs.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
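One way to confirm Derelict's reasoning before touching pfSense at all, as an added example that is not from either poster: run `tcpdump -ni em1 icmp` on the pfSense LAN interface (em1 is an assumed interface name) while an OPT1 host pings a LAN host. If echo requests leave the LAN interface but no reply ever comes back, pfSense passed the traffic and the block is on the host. The script below parses a constructed capture in that format; 172.16.0.50 and 192.168.70.20 are assumed hosts in the two subnets from the post.

```shell
#!/bin/sh
# Constructed sample of 'tcpdump -ni em1 icmp' on the pfSense LAN interface while
# 172.16.0.50 (OPT1) pings 192.168.70.20 (LAN) and, as a control, 192.168.70.20
# pings 172.16.0.50. The OPT1->LAN requests egress em1 but are never answered.
SAMPLE_CAPTURE='12:00:01.000100 IP 172.16.0.50 > 192.168.70.20: ICMP echo request, id 4321, seq 1, length 64
12:00:02.000100 IP 172.16.0.50 > 192.168.70.20: ICMP echo request, id 4321, seq 2, length 64
12:00:03.000100 IP 172.16.0.50 > 192.168.70.20: ICMP echo request, id 4321, seq 3, length 64
12:00:10.000100 IP 192.168.70.20 > 172.16.0.50: ICMP echo request, id 77, seq 1, length 64
12:00:10.000500 IP 172.16.0.50 > 192.168.70.20: ICMP echo reply, id 77, seq 1, length 64'

# Count echo requests and matching replies per "src > dst" pair and classify each pair:
#   answered   - replies seen, the path works end to end
#   unanswered - requests left this interface but nothing came back, so the
#                firewall forwarded them and the receiving host (or its own
#                firewall) is what is dropping them
classify_pings() {
  printf '%s\n' "$1" | awk '
    /ICMP echo request/ { src = $3; dst = $5; sub(/:$/, "", dst); req[src " > " dst]++ }
    # A reply travels dst -> src, so key it under the original request pair
    /ICMP echo reply/   { src = $3; dst = $5; sub(/:$/, "", dst); rep[dst " > " src]++ }
    END {
      for (p in req) {
        if (p in rep) printf "%s answered (%d/%d)\n", p, rep[p], req[p]
        else          printf "%s unanswered (0/%d)\n", p, req[p]
      }
    }' | sort
}

classify_pings "$SAMPLE_CAPTURE"
```

On a live box, replace the sample with `tcpdump -lni em1 icmp` output piped into `classify_pings`; an "unanswered" OPT1->LAN pair next to an "answered" LAN->OPT1 pair is exactly the symptom the post describes, and it points at the LAN host rather than the firewall rules.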

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.