Help with getting devices on differnt subnets to see each other



  • Hi,
    I'm trying to get the following working.

    Wan is currently using a USB 4g connection (Temp until my NBN is connected)
    Lan (Wired Machine's) currently using 192.168.10.0/24 - Using Windows server 2012 for DNS & also DHCP
    Opt1 (Wireless Clients Using Apple Airport Express) using 192.168.9.0/24 - Pfsense for DHCP & DNS

    I can access the internet from wireless clients but can't see Lan clients.

    If I run up Airport utility on Lan Computer it can't see airport express.

    If I connect to wifi on my iphone and run up fing it can only see other devices connected to wifi.

    If I plug the 2nd port of the Airport into the lan I can then see devices on lan and lan can see devices on wlan, however it causes other issues trying to download mail on iPhone.

    I'm hoping it's something simple (Sorry I'm still learning )

    Thanks in Advance for any help.

    Regards
    Jamie


  • LAYER 8 Global Moderator

    and what is the rules you put on your opt1 interface?

    You didn't set any gateways on your lan or opt1 interfaces on pfsense did you?



  • Hi Johnpoz,
    Thanks for your reply, i didn't set any gateways.

    I have attached a screenshot of my opt1

    Regards
    Jamie

    ![Screenshot 2015-06-23 08.03.53.jpg](/public/imported_attachments/1/Screenshot 2015-06-23 08.03.53.jpg)
    ![Screenshot 2015-06-23 08.03.53.jpg_thumb](/public/imported_attachments/1/Screenshot 2015-06-23 08.03.53.jpg_thumb)


  • LAYER 8 Global Moderator

    yeah thats pretty wide open..

    What do you mean "see" can you not ping them by IP, can you not access shares?  You do understand you wont be able to broadcast for netbios names when your on 2 different segments..

    So can you ping them by IP address?  Do you have any host firewalls setup to allow ping or whatever other access you want to access?



  • Hi Johnpoz,
    I don't seem to be able to ping the IP's no.
    I don't have any other firewalls setup.
    I have a Sonos (Music Sytem) which is connected to the 192.168.10.0 subnet
    It uses an app on iPhone to control the sonos, however it can't see the sonos from the wifi subnet 192.168.9.0
    if I load the windows controler on a PC on the 192.168.10.o subnet it sees the sonos no problem and it functions correctly.
    like wise if I open the setup software for the airport express on a wired connection it can't see the airport express.

    regards
    Jamie


  • LAYER 8 Netgate

    Sounds like you're expecting broadcasts (like Bonjour and mDNS which Apple uses to discover devices) to cross subnet boundaries.  They don't.

    In the Airport Utility you should be able to File > Configure other and enter the IP address of the Airport Express on the other subnet.  There is probably something similar for Sonos.



  • Hi Derelict,
    I've tried your suggestion and it still doesn't work


  • LAYER 8 Netgate

    I guess post your LAN and OPT1 interface configs and rules then.



  • Hi,
    I posted the Opt 1 config further up, here's the lan config.
    As mentioned, I can't ping any IP's in  the opt 1 subnet from the Lan and vice versa.

    Thanks for you help

    Regards
    Jamie

    ![Screenshot 2015-06-23 17.54.00.png](/public/imported_attachments/1/Screenshot 2015-06-23 17.54.00.png)
    ![Screenshot 2015-06-23 17.54.00.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-23 17.54.00.png_thumb)
    ![Screenshot 2015-06-23 18.05.30.png](/public/imported_attachments/1/Screenshot 2015-06-23 18.05.30.png)
    ![Screenshot 2015-06-23 18.05.30.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-23 18.05.30.png_thumb)
    ![Screenshot 2015-06-23 18.06.04.png](/public/imported_attachments/1/Screenshot 2015-06-23 18.06.04.png)
    ![Screenshot 2015-06-23 18.06.04.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-23 18.06.04.png_thumb)


  • LAYER 8 Netgate

    Looks fine.  What about your opt1 rules?

    Post a single, specific test you are doing that fails.  Including souce and destination IP addresses, what you're trying, and what you did to test it.  Be specific and keep it to one issue.



  • Attached is opt 1

    If I try and ping the airport express 192.168.9.2 from one of the lan connected PC's say 192.168.10.3 it fails

    Cheers
    Jamie

    ![Screenshot 2015-06-23 08.03.53.png](/public/imported_attachments/1/Screenshot 2015-06-23 08.03.53.png)
    ![Screenshot 2015-06-23 08.03.53.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-23 08.03.53.png_thumb)


  • LAYER 8 Global Moderator

    "Looks fine.  What about your opt1 rules?"

    Why do you always say that when there are clearly pointless rules..  His bottom two rules are completely pointless since he has any any rule above them that would already allow that traffic.  So I wouldn't call them "fine"  No there is nothing that would block his traffic but its not fine..

    As to pinging your airport express - it has a gateway?  Ie it points to pfsense at 192.168.9.1?  Without a gateway there is no way to answer your ping.  Can you ping your airport express from pfsense.



  • Hi Johnpoz,
    You can Ping the Airport Express in Pfsense from the Opt1 interface but not Lan

    Regards
    Jamie


  • LAYER 8 Global Moderator

    so you have a gateway on the AirPort?  pointing to pfsense ip in that segment?



  • Yes it's set to 192.168.9.1


  • LAYER 8 Netgate

    Why do you always say that when there are clearly pointless rules..

    I didn't say anything because it isn't something keeping it from working.  He had pass any any rules higher.  That's all I'm concerned with.

    You can fine-tune his stuff with him.


  • LAYER 8 Global Moderator

    Well makes no sense then your rules look to be any any.. Pfsense would clearly know the networks its attached too and you should be good.  This is normally click click all set.

    Do you have any rules in the floating tab that could be blocking the traffic?

    So when you run a traceroute from pc in lan to your airport IP for example – you see it hit your pfsense as its gateway.. And then it just dies?

    example
    So here is from my lan 192.168.9.0/24 pinging my wlan controller on my wlan segment 192.168.2.0/24

    You see it hit pfsense IP on the lan 192.168.9.253, then the IP of the wlan controller 192.168.2.11

    C:>tracert -d 192.168.2.11

    Tracing route to 192.168.2.11 over a maximum of 30 hops

    1    6 ms    <1 ms    <1 ms  192.168.9.253
      2    1 ms    1 ms    <1 ms  192.168.2.11

    Trace complete.

    Then in the other direction you will see it die after hitting pfsense in that segment 192.168.2.253 because I do not allow traffic from my wlan to my lan

    user@uc:~$ traceroute -n 192.168.1.100
    traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
    1  192.168.2.253  0.668 ms  0.608 ms  0.433 ms
    2  * * *



  • Thanks Everyone for your help, I finally got it working, I had capitive portal turned on and had to add the IP's of lan computers trying to access Opt1 Computers/devices
    The Sonos won't work on a different subnet so I will need to try and move it onto the 192.168.9.0 range.
    Now that I have it working I will need to look at locking it down from some computers/devices.
    How secure is the captive portal? if I turn off my wifi password how likely is it that someone could bypass it.

    Regards
    Jamie


  • LAYER 8 Netgate

    How secure is the captive portal? if I turn off my wifi password how likely is it that someone could bypass it.

    Captive portal does nothing to protect the assets on the local subnet.



  • I'm looking at locking down the access from opt1 to lan now seeing it's working, I'm looking at only giving access to the lan from opt1 for certain hosts, just wondering if the captive portal can be easily bypassed
    I'm using my windows server to auth users through the captive portal, and currently have a password on the wifi, if i remove the wifi password can people easily bypass the captive portal and connect through my internet connection, if they can I will just leave the wifi password on.

    Cheers
    Jamie


  • LAYER 8 Netgate

    Well, you have a problem.  Captive portal has nothing to do with what the firewall will allow from OPT1 to LAN.  That traffic is still governed by the firewall rules on OPT1.

    Captive portal can make it easier to filter on MAC addresses, but MAC addresses can be spoofed so that adds no real security.

    The OPT1 firewall rules can filter on IP address, but anyone can just statically assign an IP address so that provides no real security.

    It sounds like you are trying to make OPT1 both a trusted and an untrusted network.  That simply cannot be.

    That said, allowing access to "certain hosts" and allowing access to those hosts with users who successfully authenticate to AD are two completely different things.

    If you can leave your Wi-Fi secured with WPA2 why would you make the network open?

    I am also unclear on what you're trying to accomplish.  First you talk about "locking down access from OPT1 to LAN" then talk about "connect through my internet connection."  What is it, exactly, precisely, in detail, that you're trying to do?


  • LAYER 8 Netgate

    I had capitive portal turned on

    And that, my good friend @johnpoz, is why I decided to stop worrying about things that don't really matter to the question at-hand.  Would have been two pages of crap about the nuances of firewall rule order when in actuality OP had CP enabled, without saying so, on OPT1.



  • Hi I'm happy for users who auth through captive portal to have access to my internet and also some users who auth  to also be able to access my Lan.
    Just wondering if there was a way that someone could bypass the captive portal and use my internet or connect to my lan.
    I don't want my users to also need to enter a wifi password if possible as well as auth through captive portal.
    if there is a risk they can bypass the captive portal somehow then I guess it's a silly idea and I will forget about it, just wondering at this stage that's all.

    Cheers
    Jamie


  • LAYER 8 Netgate

    With WPA2 there's little need for captive portal in a casual environment now is there.



  • Thanks Derelict, I appreciate your advice and help :-)


Log in to reply