Firewall Blocking Traffic between the LAN interfaces



  • Hi Folks,

    I have a pfsense deployment: 2 WAN links (primary and secondary in WAN failover mode) and 2 LANs, one Prod and one Guest. We have a monitoring tool sitting in the prod network that needs to monitor the Guest network routers.

    I have created a firewall rule on Guest; basically it's allow all: Source: Guest Network, destination any, port any, protocol any, gateway any.

    On production, I have created a rule to allow ICMP and UDP port 161 from LAN to Guest Network using the Guest Gateway; however pfsense is filtering the traffic. I am able to ping the routers in the guest network from the guest gateway but not from the production gateway.

    I have enabled logging on the firewall rule, and in the firewall logs I can see the traffic is passing, but somewhere the traffic is being dropped.

    Can someone point out how to address this issue?

    Cheers !


  • LAYER 8 Global Moderator

    "i can see the traffic is passing"

    Then how is it pfsense - more than likely you have issues with the clients themselves blocking or not knowing how to answer based upon your rules going out your wan.. If you set a specific GATEWAY in your rules, you have to allow the local traffic before a rule that forces traffic out a wan gateway.

    Posting up your rules is always the cleanest way for people to see exactly what you have going on, and they can point out the problem.



  • I have attached the firewall rules for the LAN and Guest_LAN interfaces.




  • I am able to ping the router in the Guest LAN from a Guest client; however I am not able to do so from a Production client.



  • LAYER 8 Global Moderator

    I see only 1 set of rules.. That's, I'm guessing, your LAN – why would you block out part of a lan name???

    Why are you trying to force Lan ____ out a gateway?? Pfsense clearly knows how to route traffic to its own networks attached to it.. Forcing it out a gateway is more than likely your problem.

    edit: I see your second post now..

    You have to allow rules that allow your traffic between your lan segments before you force stuff out a gateway...

    Why do you have a source of lan and guest on an interface??? When is that ever in a million years going to happen? Rules are evaluated top down, first rule wins. INBOUND into that interface... When would pfsense ever see inbound traffic to its lan interface from an IP of guest??



  • I think I am confused with the concept of gateways. So I have Source (LAN) - Destination (Guest), then Gateway [which interface I want the traffic to go out] (or shall I leave it default)?


  • LAYER 8 Global Moderator

    Yeah, I agree you're completely confused with a gateway… Why would you have a gateway to get to a lan network that is directly connected to pfsense?

    The pbr statement might help??

    https://doc.pfsense.org/index.php/What_is_policy_routing

    Really the only time you need to call out a gateway is when you want to route that traffic specifically out that gateway in some sort of policy based routing.. If no gateway is set then pfsense will use its routing table to figure out where to go and what gateway to use.

    If you're going to force traffic to use a specific gateway because you have multiple wan connections, then you have to make sure you allow inter vlan traffic on your local interface before you send traffic out some specific gateway.
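As an added example (not from the thread, and not pfSense code), here is a small Python model of the top-down, first-match rule evaluation the moderator describes: a pass rule with a gateway set policy-routes the packet out that gateway even when the destination is a directly attached network, so the catch-all failover rule has to sit below the rule that allows prod-to-guest traffic. The networks are taken from the thread; the gateway name WAN_FAILOVER is a constructed placeholder.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing from the thread: prod LAN and guest WLAN are both
# directly attached to pfSense, so the routing table already covers them.
PROD_NET = ip_network("172.17.0.0/16")
GUEST_NET = ip_network("172.19.23.0/24")
DIRECTLY_CONNECTED = (PROD_NET, GUEST_NET)

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: IPv4Network | str         # a network, or "any"
    dst: IPv4Network | str
    gateway: Optional[str] = None  # None = let the routing table decide

def _matches(field: IPv4Network | str, addr: IPv4Address) -> bool:
    return field == "any" or addr in field

def route_packet(rules: list[Rule], src: str, dst: str) -> str:
    """Evaluate rules top-down on the ingress interface; first match wins.
    Returns 'blocked', 'via <gateway>' (policy routed) or 'local'."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            if rule.action == "block":
                return "blocked"
            if rule.gateway:  # a gateway on the rule overrides the routing table
                return f"via {rule.gateway}"
            return "local" if any(d in n for n in DIRECTLY_CONNECTED) else "via default"
    return "blocked"  # implicit default deny at the end of the ruleset

# Mistaken order: the catch-all rule pinned to the WAN failover group matches
# first, so prod-to-guest packets leave via the WAN and never reach the guest AP.
WRONG_ORDER = [
    Rule("pass", PROD_NET, "any", gateway="WAN_FAILOVER"),
    Rule("pass", PROD_NET, GUEST_NET),
]
# Corrected order: allow the inter-segment traffic above the gateway rule.
RIGHT_ORDER = [
    Rule("pass", PROD_NET, GUEST_NET),
    Rule("pass", PROD_NET, "any", gateway="WAN_FAILOVER"),
]

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", route_packet(rules, "172.17.17.50", "172.19.23.3"))
```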



  • Basically I want to reach the Guest Network Router for ICMP and port 161 from LAN. I have been playing with the rules and tried both with a specific gateway and default; it doesn't work.
    Firewall rules on prod lan and guest lan are per the attached screenshots.

    I have run the tracert; it passes out from the prod gateway but then RTO.

    Tracing route to 172.19.x.x over a maximum of 30 hops

    1    2 ms    1 ms    1 ms  gateway.domain.com [172.17.17.1]
    2    *        *        *    Request timed out. [I expect to see the gateway for guest here]
    3    *        *        *    Request timed out. [and the guest router here]

    I have no issues reaching the guest router from the guest network.

    :-\


  • LAYER 8 Global Moderator

    Post up your rules!! And post up your routing table from pfsense..

    You do not have gateways set on your lan interfaces, do you??

    "Guest Network Router"

    So you have downstream L3 networks?? Behind a nat or not? At that, this guest network router?

    Drawing up this network would be the very simple thing to do..



  • I have attached the network diagram and PM'd you the rules and state table.



  • LAYER 8 Global Moderator

    What is the mask on the lan and guestlan? And there are no routers, only APs..

    Don't see any PM? And don't really need to see the state table..


  • LAYER 8 Global Moderator

    I saw your emails and answered.. You can not route to networks that are your local network.. And APs don't route - if that is a wifi router, are you doing natting on it? If you're connecting to downstream networks you really need to use a transit network.. Are these other networks 172.17.23/24 and 172.18.23/24 wifi networks??

    You have a 172.17/16 and you're trying to route to a 172.17.23.0/24 network???

    Just so you're clear - there is no reason ever to hide rfc1918 address space.. So not sure why you can not post up those routes here? And your rules, I was not able to download them - there is no .ext on the file.. It's not a jpg.. So what type of file is it? Oh, it's just text… Dude, just post up your rules like the attached, which are some rules from some of my different segments.

    You will notice for example I let my wlan talk to 1 IP on my lan for madsonic, and also allow it to talk to my ntp servers that are on my lan via ipv4 and ipv6.




  • Thanks mate, I will try to update the guest network to a different network and hopefully that will resolve the issue. BTW, can you provide me some docs on understanding pfsense rules when multiple gateways or gateway groups are in use?

    Thanks
    Nav



  • Hi John,

    I am routing from 172.17.17.x/16 to 172.19.23.x/24. These are 2 different networks. So … why would pfsense not route between these 2 different networks?

    Regards,
    Nav


  • LAYER 8 Global Moderator

    Dude, where are these networks you think you have?? An Access Point does not route…. APs are Layer 2 devices! They bridge 802.11 to 802.3. What device is that AP you list in your drawing??

    I also have to question why you would think you need a /16 network in the first place?? Do you have some 65 thousand devices that are going to be on this same layer 2 network??

    If you're going to route to these remote networks, you really should use a transit network - or you're going to have an asynchronous routing problem.

    So is it an AP, and these networks are SSIDs and should be vlans?? Or is that some actual wifi router that you turned off its nat?? If you're going to nat, you have no need to route. How exactly do you have it connected to your network if it is some wifi router? Did you try and turn it into an AP??

    If you're going to have downstream networks attached to a different router, then you need a transit network if you're going to have hosts on your opt network talking to these other networks?? Or you're going to run into asynchronous routing issues..

    Here, see some examples - this would be with a downstream wifi router providing other networks.. You would want NAT off if it's going to be set up like this.. 2nd pic is how you would do it with an AP and vlans for wifi networks on different ssids. Normally your AP in the 2nd pic would have an IP in that management or native network.. In my example, say 172.17.18.2 or .3 like you want to use.

    So which is it? Do you actually have a downstream router with wifi?? Or are you wanting to have multiple wifi networks that would be vlans??






  • Hi mate,

    There are no downstream routers on the guest network, but we do have access points. It's (172.19.23.3) a dd-wrt router which is configured in bridged Access Point mode with the wan/router function disabled. Pfsense is handing out DHCP addresses to guest clients/devices which connect via the wifi AP (the dd-wrt router). It doesn't do any nat or routing stuff, just provides wireless access while acting as a dhcp relay. The dhcp address range excludes the access points' ip addresses. The access points are turned on and servicing the clients.

    I don't require 65k addresses but that's how I inherited the network and devices.

    Does this help to visualize the network?



  • LAYER 8 Global Moderator

    Ok then… That would be a typical wifi network or even wired on a leg in pfsense.. So why are you asking about routing to these?

    "I am routing from 172.17.17.x/16 to 172.19.23.x/24."

    If all you're talking about is networks directly attached to pfsense, there is NO extra routing needed. There would be no gateways... Pfsense as a router knows what networks are attached to it..

    So for example see all the networks I have connected to pfsense: 192.168.9/24, 192.168.2/24, 192.168.3/24 etc.. Notice there are gateways to get there!! Since they are directly connected!!! Pfsense knows how to get to these networks, since it is directly attached to them..

    So just create the firewall rules you want to allow between your networks on pfsense.. Remove all your gateways and routes to anything on your local side.. But again, if you're going to point to a GATEWAY in your rules then the rules that allow access between your local networks have to be above any rules that point traffic out your internet gateways...

    Please post up your rules... After you have removed any extra routing or gateways to get to this network that is attached to pfsense.

    So, 2nd pic - I added a rule that sends all my traffic out my vpngateway.. So before that, you notice I can ping my wlan network on 192.168.2/11. But if I have a lan rule that says hey, GO here... Then how do I get to that network... Since as you can see from the trace route it sends through that gateway..

    Ok, now look at pic 3: I create a rule that says I can ping wlan net before I route out a gateway.. So I can ping it, but if I try to go to the internet it goes OUT that gateway (vpn in my case).








  • Kindly check the attached rules on the lan and guest interfaces. I am still not able to reach the guest AP from lan, but I can from guest.







  • LAYER 8 Global Moderator

    Dude, where in the hell is 172.18 ???? That is out some wan network?? So you're natting to this? If it's directly attached to pfsense why would you have a gateway on it… Do you use this network to get to the internet or other networks? If you just use it to get to the internet, why would you need a specific rule for it?? I take it this is some failover wan connection.. Both wan connections can get to this 172.18.23/24 network???

    Where is that in your drawing????? You have 2 networks: 172.19.23/24 guestwlan and 172.17/16 prodlan.

    Your rules make NO sense at all... How is 172.18 a source on your lan network??? When your lan network is 172.17/16?

    So you can get to your AP from its own network, but not from your lan... Does your AP have a gateway set up pointing to 172.17.23.1?? Quite often APs do not have gateways set, especially converted wifi routers; their lan interfaces don't normally even have a gateway option. Without a gateway on the AP to tell it how to get off its own network, you can only talk to it from its own network. If you can not set a gateway on the device and you want to get to it from your lan, then you would have to nat to that network so your traffic from 172.17/16 looks like it's coming from the pfsense 172.19.23.1 IP..
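An added example (not from the thread, and not pfSense or dd-wrt code) modelling the return-path problem described above: a host with no default gateway can only answer peers on its own subnet, and outbound NAT on the guest interface works around that by making prod traffic appear to come from the pfSense guest address. Addresses are the thread's; the AP and interface objects are constructed stand-ins.

```python
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Interface, ip_address
from typing import Optional

# Constructed from the thread: dd-wrt in AP mode with no gateway set, and the
# pfSense guest interface that hands out DHCP on 172.19.23.0/24.
AP = IPv4Interface("172.19.23.3/24")
GUEST_IF = IPv4Interface("172.19.23.1/24")

def can_reply(host: IPv4Interface, gateway: Optional[IPv4Address], src: str) -> bool:
    """A host can answer a probe only if it has a route back to the sender:
    either the sender is on-link, or the host has a default gateway to use."""
    if ip_address(src) in host.network:
        return True
    return gateway is not None

def outbound_nat(src: str, dst: str, iface: IPv4Interface) -> str:
    """Model outbound NAT on the guest interface: packets entering the guest
    network from elsewhere are rewritten to the interface's own address."""
    if ip_address(dst) in iface.network and ip_address(src) not in iface.network:
        return str(iface.ip)
    return src

def probe_reachable(src: str, ap_gateway: Optional[IPv4Address], use_nat: bool) -> bool:
    """Does an ICMP/SNMP probe from `src` to the AP get an answer back?"""
    seen_src = outbound_nat(src, str(AP.ip), GUEST_IF) if use_nat else src
    return can_reply(AP, ap_gateway, seen_src)

if __name__ == "__main__":
    print("prod, AP without gateway, no NAT:", probe_reachable("172.17.17.50", None, False))
    print("prod, AP without gateway, NAT:   ", probe_reachable("172.17.17.50", None, True))
    print("prod, AP with gateway set:       ", probe_reachable("172.17.17.50", GUEST_IF.ip, False))
    print("guest client, AP without gateway:", probe_reachable("172.19.23.50", None, False))
```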



  • I also thought about the default gateway missing on the AP, but I can't even ping a windows 7 pc in the guest network which has the correct gateway.



  • LAYER 8 Global Moderator

    Windows 7 machines' default firewall would block ping from a network that is not local.

    On a side note - pointing to anything other than your local dns, even as 2nd or 3rd dns, is going to bring you problems in resolving local stuff. Since googledns sure as hell does not know anything about your local network.. And you can never be sure what dns a windows machine will use or latch on to. Also if your windows machines are part of an AD, then they really should only point to your AD dns..

    Seems like whoever set up this network before you left you a real mess ;)




  • Phew…. I disabled the firewall and I was able to ping. Looks like those dd-wrt devices won't be reachable via lan as they don't have a gateway. Thanks a ton mate for helping on this.


  • LAYER 8 Global Moderator

    No problem.. Pretty sure if you're running dd-wrt on those APs you would be able to set a gateway. Or you could always nat to get to them from your other network.

    Have not used dd-wrt in quite some time… But I'm like 99% sure they support putting a gateway on the lan interface..

    edit: Yup, found an emulator so I could see the screens; yup, they can set a gateway.

    Also still confused on your whole fowan (dual wan setup), but with the rules on your guest wlan not pointing to your failover group, not sure what would happen to their internet access if your default wan went down.




