1 WAN, 2 LANs (LAN2 DHCP + transparent): LAN2 cannot ping pfSense or get internet



  • Hi All,

    New to pfSense and just set up my new test machine (4 NICs + Squid 3 package). I have a server running 1 WAN connection + 2 LAN connections.
    LAN1 and LAN2 do not need to interact, but both need to access the internet through my proxy.

    LAN2 was added after the initial setup.

    LAN1 works as it should. It's on the 172.20.100.0 range with 172.20.100.160 as the proxy's IP. (I can access the web interface from LAN1 using 172.20.100.160.)

    LAN2 I want on its own network entirely, in the 192.168.1.0 range. So I set up the new interface, gave it a static address, and set up DHCP (leaving everything pretty much blank). Clients connected to this network get an address and can ping each other, but cannot ping the server 192.168.253 or access the interface on this IP.

    I thought perhaps I am missing a firewall rule?
    So I mirrored the rules from LAN1 to LAN2 in Firewall -> Rules, but no change.

    I am sure I am missing something simple, but I have no idea where to look. I don't really want to wipe the machine and start again. I must just be missing a rule or something that gets created during setup, but I have tried to match all the settings I can see and I am at a loss now :(



  • Only your first LAN gets a rule that allows all access.  Subsequent LANs must have the rule added.  Post a screen of your LAN2 rules so we can see what you've done, and also post your LAN2 interface details.



  • Thanks for the speedy reply. So I can only access the web interface from LAN1. That's OK :)
    I have the issues whether there are identical firewall rules for LAN2 as LAN1 or no rules.
    Also making an interface group then changing LAN1 rules to the group stops both lans.

    Interface details
    WAN interface (wan, em1)
    Status up
    DHCP
    up    Release
    MAC address 00:0c:29:81:36:46
    IPv4 address 192.168.1.126
    Subnet mask IPv4 255.255.255.0
    Gateway IPv4 192.168.1.254
    IPv6 Link Local fe80::20c:29ff:fe81:3646
    ISP DNS servers 127.0.0.1
    192.168.1.254
    8.8.8.8
    8.8.4.4
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 26249/32214 (21.92 MB/3.14 MB)
    In/out packets (pass) 26249/32214 (21.92 MB/3.14 MB)
    In/out packets (block) 2983/0 (226 KB/0 bytes)
    In/out errors 0/0
    Collisions 0
    LAN interface (lan, em0)
    Status up
    MAC address 00:0c:29:81:36:3c
    IPv4 address 172.20.100.160
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::20c:29ff:fe81:363c
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 24359/26366 (2.86 MB/24.00 MB)
    In/out packets (pass) 24359/26366 (2.86 MB/24.00 MB)
    In/out packets (block) 81/0 (7 KB/0 bytes)
    In/out errors 0/0
    Collisions 0
    LAN2 interface (opt1, vmx0)
    Status up
    MAC address 00:0c:29:81:36:50
    IPv4 address 192.168.1.253
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::20c:29ff:fe81:3650
    MTU 1500
    Media autoselect
    In/out packets 4185/2 (318 KB/172 bytes)
    In/out packets (pass) 4185/2 (318 KB/172 bytes)
    In/out packets (block) 85/0 (5 KB/0 bytes)
    In/out errors 0/0
    Collisions 0

    Rules LAN1 (This is the default rule pfsense added along with the lockout rule)
    action: Pass
    interface: LAN (this is LAN1)
    TCP/IP: IPv4
    Protocol: ANY
    address: blank

    Rules For LAN2
    action: Pass
    interface: LAN (this is LAN1)
    TCP/IP: IPv4
    Protocol: ANY
    address: blank



  • Your main issue is that you have OPT1 in the same subnet as your WAN.  They can't both be in the 192.168.1.0/24 network.  Make OPT1 192.168.2.1/24 and it should work.

    So you're running under VMware.  Why did you pick Intel E1000 for WAN and LAN, and VMX3 for OPT1?  I've had some weird issues in the past with VMX3 NICs under 2.2.x.
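    The two faults raised in this thread, an OPT1 subnet that overlaps the WAN subnet and an added interface with no pass rule of its own, are easy to check mechanically before touching the box. The following Python script is an added example and is not code from the thread or from pfSense: it models the interface addresses exactly as posted above, and models the rule list as a constructed, simplified stand-in for pfSense's per-interface rules (only the first LAN carrying a default allow, as KOM describes), not pfSense's config format. The `apply_fix` helper renumbers OPT1 to 192.168.2.1/24 per KOM's suggestion and binds a pass rule to it, then re-runs the checks.

```python
# Added example (not from the thread or pfSense): check a multi-interface
# layout for overlapping subnets and for internal interfaces that have no
# pass rule bound to them. pfSense evaluates rules on the interface a packet
# arrives on, so a rule bound to 'lan' does nothing for traffic entering 'opt1'.
from ipaddress import ip_interface
from itertools import combinations

# Interface addresses as posted in the thread; OPT1 shares WAN's 192.168.1.0/24.
INTERFACES = {
    "wan": "192.168.1.126/24",
    "lan": "172.20.100.160/24",
    "opt1": "192.168.1.253/24",
}

# Constructed rule list (simplified model, not pfSense's config format):
# only the first LAN carries the default allow-all rule.
RULES = [
    {"interface": "lan", "action": "pass", "source": "lan"},
]


def overlapping_subnets(interfaces):
    """Return sorted (name_a, name_b) pairs whose IPv4 networks overlap."""
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def interfaces_without_pass_rule(interfaces, rules, wan="wan"):
    """Internal (non-WAN) interfaces with no pass rule bound to them."""
    bound = {r["interface"] for r in rules if r["action"] == "pass"}
    return sorted(name for name in interfaces if name != wan and name not in bound)


def diagnose(interfaces, rules):
    """Run both checks; an empty dict means nothing was found."""
    report = {}
    overlaps = overlapping_subnets(interfaces)
    if overlaps:
        report["overlapping_subnets"] = overlaps
    missing = interfaces_without_pass_rule(interfaces, rules)
    if missing:
        report["no_pass_rule"] = missing
    return report


def apply_fix(interfaces, rules, iface="opt1", new_addr="192.168.2.1/24"):
    """Renumber the clashing interface and bind a pass rule to it.

    Returns the corrected (interfaces, rules) pair without mutating the inputs.
    """
    fixed_ifaces = dict(interfaces, **{iface: new_addr})
    fixed_rules = rules + [{"interface": iface, "action": "pass", "source": iface}]
    return fixed_ifaces, fixed_rules


if __name__ == "__main__":
    print("as posted:", diagnose(INTERFACES, RULES))
    ifaces, rules = apply_fix(INTERFACES, RULES)
    print("after fix:", diagnose(ifaces, rules))
```

    Run as-is, the first report names the `("opt1", "wan")` overlap and lists `opt1` as having no pass rule; after `apply_fix` both checks come back clean. The overlap check uses `ipaddress` network comparison rather than string matching, so it also catches partial overlaps such as a /23 on one side and a /24 on the other.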



  • @KOM:

    Your main issue is that you have OPT1 in the same subnet as your WAN.  They can't both be in the 192.168.1.0/24 network.  Make OPT1 192.168.2.1/24 and it should work.

    So you're running under VMware.  Why did you pick Intel E1000 for WAN and LAN, and VMX3 for OPT1?  I've had some weird issues in the past with VMX3 NICs under 2.2.x.

    Pure incompetence in selecting VMX3. No idea why I did that! I will change the interface to E1000.

    Just changed my subnet and DHCP and I can ping the machine now :) I am just getting an "Access control configuration prevents your request from being allowed at this time" message now. So I am almost there.

    Love the quick replies to my issues. Thank you very much KOM. I love a good active forum!



  • I appear to be all up and running now!

    Thank you very much for the help  :)



  • Glad to hear it.