Multi-LAN / Single WAN - Can't ping single host
-
Hello all of you smart people -
I have a conundrum that I cannot figure out. It's probably the old Forest/Tree idiom. I have attached a basic network diagram for reference.
The issue is that I cannot reach a single host (10.0.14.6) from my 10.0.13.0/24 segment and others not listed, such as OpenVPN (10.0.15.0/24), BGP-Gateway (192.168.0.0/16). I can ping this host, and access its web interface, etc., from any device on the 10.0.14.0/24 segment.
This is the only host on the 10.0.14.0/24 segment that I cannot reach from any other of my network segments.
The building owner threw in a NIC on the PBX server so that I could manage my own users, hunt groups and such. There is also a feature that allows the individual phone user to access a web interface to manage their phone, voicemail, etc.
If I do a ping, trace, etc. on the pfSense host to that IP (10.0.14.6), I can only reach it from the LAN (Eth1) interface. So it makes sense that I cannot reach it from any other segment. My question is why? How do I diagnose this?
Thanks to anyone that can point me in the right direction.

-
Hit the low hanging fruit first:
Is the networking info on the 10.0.14.6 interface correct?
Is the routing/VLAN/bridge/etc. on the switches set up properly (on both switches)?
Are there any rules in pfSense that may affect 10.0.14.6?
Also, have you tried pinging different devices from 10.0.14.6? Can you ping from an AP on 10.0.14.0/24 or 10.0.13.0/24 to 10.0.14.6? Might help you narrow down which device is giving you the headache.
-
Check the default gateway on 10.0.14.6. It should be 10.0.14.1.
-
Check the default gateway on 10.0.14.6. It should be 10.0.14.1.
The device behind 10.0.14.6 is not mine. I don't have control over it, as it belongs to the building management. It has many NICs and its default gateway belongs to the building management network (not mine). They added this 10.0.14.6 assignment for me to be able to access their device from my network. And I can… from my 10.0.14.0/24 machines.
So... since it doesn't have a gateway address on 10.0.14.1, does that imply that packets sent to it from my secondary network segment (10.0.13.0/24) are being replied to on its default gateway, which of course knows nothing about my network?
-
Of course.
You can get around this by doing an outbound NAT on the 10.0.14.1 (VLAN1) interface so traffic to 10.0.14.6 appears to come from 10.0.14.1 which eliminates the need for the return traffic to be routed.
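To make the asymmetric-return explanation in the last two posts concrete, here is an added Python model (not from the thread, and not pfSense code) of the PBX host's route lookup and of the outbound NAT rule proposed above. The building management gateway address is a placeholder, since the thread does not give it.

```python
import ipaddress
from typing import Optional

# Hypothetical reconstruction of the PBX host's routing table from the thread:
# one NIC sits in 10.0.14.0/24 (the 10.0.14.6 address we reach), but the
# default route points at the building management gateway (placeholder value).
PBX_ROUTES = [
    ("10.0.14.0/24", None),         # on-link via the 10.0.14.6 NIC
    ("0.0.0.0/0", "BUILDING_GW"),   # default gateway, not on our network
]

LAN_VLAN1 = ipaddress.ip_network("10.0.14.0/24")
PBX_HOST = ipaddress.ip_address("10.0.14.6")
NAT_ADDR = "10.0.14.1"              # pfSense VLAN1 interface address

def next_hop(routes, dst: str) -> Optional[str]:
    """Longest-prefix match: gateway used for dst, or None if dst is on-link."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def outbound_nat(src: str, dst: str) -> str:
    """Model of the suggested pfSense outbound NAT rule: traffic leaving the
    VLAN1 interface toward 10.0.14.6 from any other segment has its source
    rewritten to 10.0.14.1. Same-segment traffic is left untouched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == PBX_HOST and s not in LAN_VLAN1:
        return NAT_ADDR
    return src

def reply_next_hop(probe_src: str, nat_enabled: bool = False) -> str:
    """Where the PBX sends its reply to a probe from probe_src: 'on-link'
    means it answers directly on the 10.0.14.0/24 NIC, otherwise the reply
    leaves via the named gateway and never comes back to us."""
    seen_src = outbound_nat(probe_src, str(PBX_HOST)) if nat_enabled else probe_src
    gw = next_hop(PBX_ROUTES, seen_src)
    return "on-link" if gw is None else gw

if __name__ == "__main__":
    for src in ("10.0.14.20", "10.0.13.50"):
        for nat in (False, True):
            print(f"probe from {src:<11} nat={nat!s:<5} -> reply via {reply_next_hop(src, nat)}")
```

Note that once the NAT is in place the PBX only ever sees 10.0.14.1, so its own access logs no longer identify which of your hosts connected; keep the pfSense state and firewall logs if you need that audit trail.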