Help with getting devices on differnt subnets to see each other

jwalhous

Hi,
I'm trying to get the following working.

Wan is currently using a USB 4g connection (Temp until my NBN is connected)
Lan (Wired Machine's) currently using 192.168.10.0/24 - Using Windows server 2012 for DNS & also DHCP
Opt1 (Wireless Clients Using Apple Airport Express) using 192.168.9.0/24 - Pfsense for DHCP & DNS

I can access the internet from wireless clients but can't see Lan clients.

If I run up Airport utility on Lan Computer it can't see airport express.

If I connect to wifi on my iphone and run up fing it can only see other devices connected to wifi.

If I plug the 2nd port of the Airport into the lan I can then see devices on lan and lan can see devices on wlan, however it causes other issues trying to download mail on iPhone.

I'm hoping it's something simple (Sorry I'm still learning )

Thanks in Advance for any help.

Regards
Jamie

johnpoz

and what is the rules you put on your opt1 interface?

You didn't set any gateways on your lan or opt1 interfaces on pfsense did you?

jwalhous

Hi Johnpoz,
Thanks for your reply, i didn't set any gateways.

I have attached a screenshot of my opt1

Regards
Jamie


johnpoz

yeah thats pretty wide open..

What do you mean "see" can you not ping them by IP, can you not access shares?  You do understand you wont be able to broadcast for netbios names when your on 2 different segments..

So can you ping them by IP address?  Do you have any host firewalls setup to allow ping or whatever other access you want to access?

jwalhous

Hi Johnpoz,
I don't seem to be able to ping the IP's no.
I don't have any other firewalls setup.
I have a Sonos (Music Sytem) which is connected to the 192.168.10.0 subnet
It uses an app on iPhone to control the sonos, however it can't see the sonos from the wifi subnet 192.168.9.0
if I load the windows controler on a PC on the 192.168.10.o subnet it sees the sonos no problem and it functions correctly.
like wise if I open the setup software for the airport express on a wired connection it can't see the airport express.

regards
Jamie

Derelict

Sounds like you're expecting broadcasts (like Bonjour and mDNS which Apple uses to discover devices) to cross subnet boundaries.  They don't.

In the Airport Utility you should be able to File > Configure other and enter the IP address of the Airport Express on the other subnet.  There is probably something similar for Sonos.

jwalhous

Hi Derelict,
I've tried your suggestion and it still doesn't work

Derelict

I guess post your LAN and OPT1 interface configs and rules then.

jwalhous

Hi,
I posted the Opt 1 config further up, here's the lan config.
As mentioned, I can't ping any IP's in  the opt 1 subnet from the Lan and vice versa.

Thanks for you help

Regards
Jamie


Derelict

Looks fine.  What about your opt1 rules?

Post a single, specific test you are doing that fails.  Including souce and destination IP addresses, what you're trying, and what you did to test it.  Be specific and keep it to one issue.

jwalhous

Attached is opt 1

If I try and ping the airport express 192.168.9.2 from one of the lan connected PC's say 192.168.10.3 it fails

Cheers
Jamie


johnpoz

"Looks fine.  What about your opt1 rules?"

Why do you always say that when there are clearly pointless rules..  His bottom two rules are completely pointless since he has any any rule above them that would already allow that traffic.  So I wouldn't call them "fine"  No there is nothing that would block his traffic but its not fine..

As to pinging your airport express - it has a gateway?  Ie it points to pfsense at 192.168.9.1?  Without a gateway there is no way to answer your ping.  Can you ping your airport express from pfsense.

jwalhous

Hi Johnpoz,
You can Ping the Airport Express in Pfsense from the Opt1 interface but not Lan

Regards
Jamie

johnpoz

so you have a gateway on the AirPort?  pointing to pfsense ip in that segment?

jwalhous

Yes it's set to 192.168.9.1

Derelict

Why do you always say that when there are clearly pointless rules..

I didn't say anything because it isn't something keeping it from working.  He had pass any any rules higher.  That's all I'm concerned with.

You can fine-tune his stuff with him.

johnpoz

Well makes no sense then your rules look to be any any.. Pfsense would clearly know the networks its attached too and you should be good.  This is normally click click all set.

Do you have any rules in the floating tab that could be blocking the traffic?

So when you run a traceroute from pc in lan to your airport IP for example – you see it hit your pfsense as its gateway.. And then it just dies?

example
So here is from my lan 192.168.9.0/24 pinging my wlan controller on my wlan segment 192.168.2.0/24

You see it hit pfsense IP on the lan 192.168.9.253, then the IP of the wlan controller 192.168.2.11

C:>tracert -d 192.168.2.11

Tracing route to 192.168.2.11 over a maximum of 30 hops

1    6 ms    <1 ms    <1 ms  192.168.9.253
  2    1 ms    1 ms    <1 ms  192.168.2.11

Trace complete.

Then in the other direction you will see it die after hitting pfsense in that segment 192.168.2.253 because I do not allow traffic from my wlan to my lan

user@uc:~$ traceroute -n 192.168.1.100
traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
1  192.168.2.253  0.668 ms  0.608 ms  0.433 ms
2  * * *

jwalhous

Thanks Everyone for your help, I finally got it working, I had capitive portal turned on and had to add the IP's of lan computers trying to access Opt1 Computers/devices
The Sonos won't work on a different subnet so I will need to try and move it onto the 192.168.9.0 range.
Now that I have it working I will need to look at locking it down from some computers/devices.
How secure is the captive portal? if I turn off my wifi password how likely is it that someone could bypass it.

Regards
Jamie

Derelict

How secure is the captive portal? if I turn off my wifi password how likely is it that someone could bypass it.

Captive portal does nothing to protect the assets on the local subnet.

jwalhous

I'm looking at locking down the access from opt1 to lan now seeing it's working, I'm looking at only giving access to the lan from opt1 for certain hosts, just wondering if the captive portal can be easily bypassed
I'm using my windows server to auth users through the captive portal, and currently have a password on the wifi, if i remove the wifi password can people easily bypass the captive portal and connect through my internet connection, if they can I will just leave the wifi password on.

Cheers
Jamie