2 LAN routing issue

  • I started a topic like this in the general forum, I will post a link to it but don't want it to confuse the issue as I seem to have polluted it with too many variables.  So in a hope to get more of a viewing audience, I am posting this in the correct forum…

    Here is the link to the last topic, but as mentioned, I don't want it to confuse anyone... https://forum.pfsense.org/index.php?topic=111096.0

    I have searched the forums for the issue, of which I see lots of people with the same issue.  Trouble is, nearly all of the people that had this issue have never responded with the fix to the issue.

    So, my issue is this...  I have a 4 port network card, HP original hardware, not some cloned junk off eBay.  3 ports are in use: one is my WAN port, Lan1 is on 192.168.0.0/24 and Lan2 is on 192.168.1.0/24.

    From my machine on the 0.0/24 network, I can ping the 1.1 adapter but I can't ping any devices or access any devices on the 1.1 adapter.  I can however ping devices on the 1.0/24 network using the ping option within PFSense, selecting the adapter and it works.  I can also ping any device on any network using the ping function also.

    ARP table is populated with all networks and devices, routing table is also populated with information.

    I did set up rules on the 1.0/24 adapter to allow all from anywhere before starting any other rules, the same is also set up on the 0.0/24 adapter.  Both of these rules are also at the top, just to be clear...

    So, traffic will flow from 1.0/24 network to the 0.0/24 network, traffic will not flow past the 1.1 adapter from the 0.0/24 network.

    I know this is not rocket science, it should work out of the box by adding a rule or two.  I have spent the best part of probably 10 hours in total trying to get this to work, had some good help from people but thus far I am stuck and about to give up on it.

    Please, if you have some ideas, I would love to hear them.  I will get some screen grabs when I get home and get them on here to help diagnose the issues.

    I appreciate your time and experience in this matter.

  • The personal firewall on your client machines may be the problem. Try disabling it to see if that fixes the problem.

  • Yeah, I read about that, also thought about it.  Same thing, even disabled Kaspersky with the same results.  But, from pfSense's Ping option, if I use the 192.168.0.0/24 port, it will not ping the device on the 192.168.1.0/24 port.  So it would seem a local issue with the router…

    Thank you for replying..  Much appreciated.

  • Uploaded some screenshots.

  • No that's likely a client firewall not allowing pings sourced from off-subnet. Ping something with no local firewall on it in the same fashion, almost certainly works.

    The other possibility is the devices being static IP with the wrong subnet mask, like 192.168.1.x/16 rather than /24, so they won't route back to their gateway.

  • What is the IP on your wan interface? Is it a private IP? Does it overlap your LAN IP? Why is your firewall's IP in the middle of your IP range?

  • The WAN is PPPoE, so dynamic.  Its range is well away from anything I have.

    No reason for the weird address of the router, this is temporary at this time, I will be implementing a new range at a later date.  At this time it should not affect the working of the router.

    I can understand the pings being blocked, but I can't access the webpage of the device on 192.168.1.232 either.

  • Typically I have seen DSL modems acting like NAT routers giving out private IP addresses. If you have the same network on two different interfaces then that would cause your issue. Simply changing the 192.168.1.0/24 network to 192.168.2.0/24 should fix the issue. Don't forget to adjust DHCP. Currently I don't think pfSense will warn you if you have overlapping IP ranges across interfaces but I could be wrong.

  • Yes, I am with you, but my modem is in bridge mode.  pfSense handles the PPPoE and is assigned an IP in the 184.13.x.x range.

    I put another device on my network, for testing purposes, with an IP of 192.168.1.100; it is a Cisco smart switch.  Same thing, can't access the webpage or ping the device.

    The ARP table in pfSense is populated with the IP of the unit, and also has the other device which I plugged into the back of it.

    So confused about this, I am not sure why it is acting this way…

    Was there anything in the images that looked out of place?  I have tried several times to make sure I followed instructions and that is what I ended up with.

  • @cmb:

    No that's likely a client firewall not allowing pings sourced from off-subnet. Ping something with no local firewall on it in the same fashion, almost certainly works.

    The other possibility is the devices being static IP with the wrong subnet mask, like 192.168.1.x/16 rather than /24, so they won't route back to their gateway.

    Most devices I have do not have the option to change the mask bits, but I thought most class C devices that operate in the range of 192.168.X.X only have limited mask bits, like 24 through 30?  I could be wrong, I am no network guru.. lol  So please let me know if this is incorrect.

    Thanks

  • Everything looks good to me. I know that your router is 192.168.0.35 but I'm seeing a 192.168.0.1 IP in your ARP table as well, do you know what that device is? So from what I can tell you can ping from the 192.168.1.1/24 interface to anything on your 192.168.0.0/24 network, but from any device on your network you can not ping the 192.168.0.0/24 network. In your ARP table I see all your devices on the 192.168.1.0/24 network. What type of clients are you working with? If you are using Windows, what does the output of the ipconfig command look like? Maybe your DHCP configuration is not configured correctly and their gateway is assigned incorrectly. Your gateway should be 192.168.0.35. Do you have anything like OpenVPN set up or IPsec tunnels configured? If so those routes may be preferred over the directly connected network. It is not clear to me the routing preference of pfSense. You would naturally think that directly connected networks would be preferred but I can remember having IPsec tunnels enabled by accident and even though the tunnel was not up it was the preferred route, which was causing me issues.

  • My Windows 2008 server sits on 192.168.0.1 as of right now, that is the one you are seeing.  It handles my DHCP, which assigns clients on my 192.168.0.0/24 addresses, gateway information of 192.168.0.35 and DNS information.

    From within pfSense, if I use the ping command or traceroute, I can select Lan2 (192.168.1.0/24) and ping any device on my Lan1 network (192.168.0.0/24) with successful replies.  Doing it the other way around yields failures, 100% packet loss.

    So, traffic does pass 100% from Lan2 to Lan1, I can ping Lan2's adapter from Lan1, but no traffic passes from there on.

    No, I have no VPNs set up at this time, no funky routing is in use for VPNs at this time either.  I did check to make sure, as I did at one time play with OpenVPN, but it is empty right now.

  • You said your VPN info is empty but is it disabled? I believe my problem at one time was that it was enabled even though I believe I felt like I removed all info. This is a really interesting problem. Like you have said before this should be a fairly straightforward setup. If you look at the ARP table on your clients, do the entries for 192.168.0.35 match the actual MAC address of your firewall's interface?

  • I have my laptop on the 192.168.0.0/24 network, I can ping 192.168.1.1 from here, I checked the MAC with the physical MAC and they do match….

    I can't find a way to make sure it is turned off, I checked through the 3 options under VPN and all are empty.

  • Here is something interesting, I just ran Advanced IP Scanner…..  It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges.

    ARP table shows the MAC, so it would seem something is blocking something external to the pfSense box.....

    Just moved the adapter address to 192.168.2.1, same thing, no MAC shown using Advanced IP Scanner.

    I am going to swap out the port for another one on the same card tomorrow, will try that and report back.

  • I could not wait, I moved the port over to the spare, still not working….. something has to be blocking it.  I have no idea what it is.

  • Unless you added block floating rules, it's not possible for Diag>Ping traffic to be blocked, it's the device in question not replying to off-subnet traffic. Switch is probably a good one to troubleshoot with since it shouldn't have a local firewall of any sort, though verify that's the case. It's probably statically configured, make sure it has the correct 255.255.255.0 subnet mask, and has the gateway set to 192.168.1.1. And make sure you don't have anything conflicting on 192.168.1.1.
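
    As an added illustration, not code from the thread or from pfSense, here is a small Python check of the two client-side causes raised above (a subnet mask that is too wide, and a missing or off-link gateway) plus the overlapping-interface-range case mentioned earlier in the thread. The addresses are the ones from the thread; the function names are my own.

```python
from ipaddress import ip_address, ip_interface

# Hypothetical helper names, not pfSense code. Addresses are the ones from
# the thread: the pfSense LAN1 address and a client on LAN2.
PFSENSE_LAN1 = "192.168.0.35"


def reply_path(client_cidr, client_gateway, remote_ip):
    """How a client with this address/mask and gateway would send a reply
    to remote_ip. Only 'via-gateway' reaches pfSense when remote_ip is on
    the other LAN; every other outcome explains 100% packet loss."""
    client = ip_interface(client_cidr)
    remote = ip_address(remote_ip)
    if remote in client.network:
        # Mask too wide (e.g. /16): the client ARPs for the remote host on
        # its own segment, so the reply never goes to the router at all.
        return "on-link"
    if not client_gateway:
        return "no-gateway"
    if ip_address(client_gateway) not in client.network:
        # A gateway outside the client's own subnet cannot be used.
        return "gateway-off-link"
    return "via-gateway"


def overlapping_interfaces(interfaces):
    """Return interface-name pairs whose networks overlap, the case pfSense
    may not warn about (as one reply above notes)."""
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed client configurations for the LAN2 device from the thread.
    for cidr, gw in [("192.168.1.232/24", "192.168.1.1"),   # correct
                     ("192.168.1.232/16", "192.168.1.1"),   # wrong mask
                     ("192.168.1.232/24", None)]:           # no gateway
        print(cidr, gw, "->", reply_path(cidr, gw, PFSENSE_LAN1))
    print(overlapping_interfaces({"lan1": "192.168.0.35/24",
                                  "lan2": "192.168.1.1/24"}))
```

    Run it with the client's actual address, mask and gateway (from ipconfig or the switch's management page) to see which of the three outcomes applies before touching the firewall rules.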

  • I did run a program to check over all networks in question, just in case something was wild on my network; I am finding no devices floating around that are not meant to be there, so no conflicts.  My switch is set for the right network, gateway is also set correctly.
    I am going to try as you suggested earlier and put a laptop on that network and see what happens with it.

    I appreciate all the help I am getting…. Thank you all!

  • I did a factory reset on the router this evening, now traffic is passing in both directions!  YAH…. Progress.  Obviously, there was some issue with the config file, what I do not know.

    There are hardly any rules on this fresh setup, the basic allow all to any rules on both networks are in place, as was before.  I am going to start feeding my old rules back in, one at a time and see what breaks it.

    Should be fun to do, seeing as I am going to read them off of the config file to put them back.. lol

    The only thing I can think of, is this router has had hardware changes and upgrades, the config originally came off of another unreliable router I had, possibly the reason for this?

    Anyway, got some work to do...

  • Congrats, keep us updated.

  • LAYER 8 Global Moderator

    "It does not show a MAC for the 192.168.1.1 adapter, now that is odd, it shows others in the other ranges."

    Huh???

    Why are we talking about this…  This is 2 seconds to troubleshoot..

    This is your network??  See attached..  Are you plugging em0 and em1 into the same switch?  You have different switches?

    Can devices on each network ping the pfSense IP in that network?  Is that IP of pfSense set as their default gateway?  You're saying a device on network A can not ping a device on B, but B can ping A?

    Why don't you sniff on pfSense and validate your traffic is sent to the client you're trying to get to..  Does that client answer back?  Your firewall rules for lan1 and lan2 look open..  So either you have a client firewall blocking the traffic.  Or a wrong mask, or wrong gateway, etc..  Or you're trying to run different L3 over the same L2 and have some sort of async issue going on?

    So please state how these networks are connected to pfSense, and what devices are connected in each network.  And what the clients' settings are.. You mention another DHCP server - sure it's handing out the right gateway??

    This is quite often a local firewall issue.. Clients not allowing traffic from other than the local network.

  • Thanks for the reply, but I resolved the issues with a reload of pfSense.