Problem routing an additional network
-
I have pfsense set up on a virtual machine to route traffic between several networks.
I have the WAN interface set up with an IP on my primary network.
I have the LAN configured with the first available IP on my secondary network, which is also a public network that is routed to the WAN IP of PFsense by my network provider.
I have NAT turned off for the LAN network as I dont need it because the IP range is a public one.
I now have a third network that I have also had routed to the WAN ip address of PFsense by the network provider.
And I have set up a third network port using OPT1, configured that with the first available IP address on the new network, but it does not seem to work - I have set up a virtual machine with the second usable IP on that network, configured PFsense OPT IP address as that machines default gateway, but I cannot ping to the internet, and also I cannot communicate with the VM on that IP from outside of the network.
Although I have used pfsense on several occassions I have only ever set up networks consisting of WAN and LAN. I would also consider myself a relative noobie when it comes to routing.
If tehre is any info I have missed that would be helpful, please let me know.
Thanks in advance
Dave -
The firewall rules on LAN that are automatically created when you install pfSense are not automatically created for additional interfaces like OPT1. By default, no traffic can enter OPT1. Check your Firewall > Rules, OPT1 tab. Compare it with those on LAN.
-
The firewall rules on LAN that are automatically created when you install pfSense are not automatically created for additional interfaces like OPT1. By default, no traffic can enter OPT1. Check your Firewall > Rules, OPT1 tab. Compare it with those on LAN.
Thanks for the quick reply.
I have added the same rules - allow all tcp4 from OPT1, allow all tcp6 from OPT1.Interestingly, I can ping the VM from pfsense, but I cannot ping pfsense from the VM, if that helps?
-
Interestingly, I can ping the VM from pfsense, but I cannot ping pfsense from the VM, if that helps?
Ping what from what? Sorry. That is pretty vague. WAN, LAN, OPT1 or ??.
Get a good handle on where pfSense firewall rules need to go and check that they allow the traffic in question.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Interestingly, I can ping the VM from pfsense, but I cannot ping pfsense from the VM, if that helps?
Ping what from what? Sorry. That is pretty vague. WAN, LAN, OPT1 or ??.
Get a good handle on where pfSense firewall rules need to go and check that they allow the traffic in question.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Sorry. I can ping from opt1 to the VM that is on the same network as opt1.
But when I try to ping opt1 from that same VM, no reply.
So I take it that means the issue is definitely with Pfsense firewall rules for opt1?I'll read the link that you sent. Thanks.
-
Not sure. But the firewall rules on OPT1 will have to be in place to allow the pings to hit the OPT1 interface address. Absent such rules your description fits what you should be seeing.
-
Not sure. But the firewall rules on OPT1 will have to be in place to allow the pings to hit the OPT1 interface address. Absent such rules your description fits what you should be seeing.
Thanks. I'll read through the link you posted and have another look at the rules then post back here if that's ok?
Thanks for the help! -
Arghhh - Its hard to resolve these things when you know so little.
I just rechecked the rules for OPT1 compared to LAN, and I noticed a * next to IPV4 in LAN.
So I added "any" for protocol in OPT1 rule, and the ping started to respond!Probably simple but I had missed that one.
Now got to try and get inbound working…
-
Horray its working! I was trying to connect via RDP to the VM, on the IP address that is part of the OPT1 network, and it was timing out.
Just realised that I had not enabled RDP on the guest VM!
Now I have enabled that, its working.
I find that when I dont fully understand something, I always end up making stupid mistakes in relation to things that i do understand!
Thanks a lot for your help Derelict.
-
So I added "any" for protocol in OPT1 rule, and the ping started to respond!
When adding a new rule, it defaults to IPv4 protocol TCP. With a rule that just permits TCP you do not get ICMP (ping) or UDP or…
That is a common trick for new players :)