Cannot Ping LAN from WAN



  • Dear members,

    I have problem to access dvr behind pfsense using vmware.

    PC1–--------------SERVER --------------- WAN ----------- PF ------- LAN ----------------- DVR

    192.168.1.133    192.168.1.8    192.168.1.137              192.168.10.1        192.168.10.50

    • I can access internet and server from LAN.
    • I can access web pfsense from LAN and WAN.
      Unfortunatelay, I cannot access DVR from PC1.
      Any ideas?

    Your help is much appreciated.




  • LAYER 8 Netgate

    How does PC1 know to send traffic for 192.168.10.0/24 to 192.168.1.137?  What is its default gateway or routing table?

    Same question applies to DVR and 192.168.1.0/24.



  • Gateway : 192.168.1.2

    Nothing done with routing.





  • LAYER 8 Netgate

    That's great for pfSense.  It doesn't need a route for LAN to WAN or WAN to LAN.  They're both connected interfaces.

    I ask again:

    How does PC1 know to send traffic for 192.168.10.0/24 to 192.168.1.137?  What is the default gateway on PC1?



  • Pc1 default gateway =192.168.1.2


  • LAYER 8 Netgate

    So it's not going to work.  When PC1 has traffic for 192.168.10.50, it sends it to 192.168.1.2.  192.168.1.2 (whatever that is) has no idea where to forward the traffic so it's discarded.

    If you want PC1 to talk to your DVR, set its default gateway to 192.168.1.137.  I don't know what this will break (probably all internet access from PC1) because I don't know the details of your network.

    Alternately, add a static route on PC1 that sends traffic for 192.168.10.0/24 to 192.168.1.137.  No idea what client you're using.  Google "adding static routes for my_operating_system"


  • LAYER 8 Global Moderator

    did you disable nat?  Our of the box pfsense would nat between wan and lan..

    So you would setup a forward for whatever services you want to access on dvr to be forwarded.  If you disable nat on pfsense and just using it as router/firewall then as Derelict clearly you have problem because your PC1 really has no idea how to get to the 192.168.10 network - since its not his network and he would just route the traffic to his default gateway that is outside your description of your network..  And really wouldn't be a good idea to send to anyway since your doing a hairpin and 192.168.1.2 would need to send to 1.137 (pf)  But the return traffic from your dvr wouldn't take the same path back..  It would get traffic from 1.133 and say oh send that to pfsense.  Pf sense would say oh thats a locally connected network I said it direct to 1.133..  133 would say hey didn't I send this traffic to my gateway why am I getting a direct response?

    Its a bad sort of setup.  You could setup a host route on your pc1 saying hey if you want to talk to 192.168.10 send it to 192.168.1.137, etc..

    Its always better to have all your segments off your core or central router vs lots of downstream routers, etc.  Why can you not connect your internet to pfsense (wan) and then just have your 192.168.1 and 192.168.10 as lan segments off pfsense?



  • Thank you Derelict


Log in to reply