
Topic: Unable to access a host on another subnet but can from pfSense [SOLVED] (Read 519 times)

lavito
I have a pretty much standard vanilla home setup, WAN / LAN1 / LAN2, which works, as I can access the internet from each LAN subnet.
However, I cannot access my host on LAN2 from LAN1.

192.168.0.3 --> 192.168.1.2:80  ===> , however I can ping it from pfSense 192.168.1.2 OK

Setup:
LAN1: 192.168.0.0/29 - Rule: Protocol: IPv4+6 / Source: LAN1 * / Port: * / Dest: * / Port: * / Gateway: * / Queue: none
LAN2: 192.168.1.0/28 - Rule: Protocol: IPv4+6 / Source: * / Port: * / Dest: * / Port: * / Gateway: * / Queue: none

I am new to this, so I am obviously missing something basic. :-[

Any help would be much appreciated, thank you.
« Last Edit: November 08, 2017, 08:22:44 pm by lavito »

Derelict
Re: Unable to access a host on another subnet but can from pfSense
« Reply #1 on: November 01, 2017, 12:52:32 pm »
Probably a firewall local to 192.168.1.2 (think along the lines of Windows Firewall) blocking access from other than its local subnet.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #2 on: November 01, 2017, 01:13:59 pm »
Interesting thought ...

This host is actually a simple access point router which provides WAN access via its WiFi to my tablet, phone etc., and it works OK. Also, I can obviously access its port 80 from LAN2. Firewall and NAT are switched off.

The problem is that I cannot see the connection coming through in Status > System > Logs > Firewall > Normal View.

Am I looking in the wrong place?

Derelict
Re: Unable to access a host on another subnet but can from pfSense
« Reply #3 on: November 01, 2017, 01:31:23 pm »
That will normally only show blocks. If you want to examine active connections you probably want Diagnostics > States.

Or to troubleshoot state establishment, Diagnostics > Packet Capture.

It could also be that the "AP" does not, itself, have a default gateway set.

kejianshi
Re: Unable to access a host on another subnet but can from pfSense
« Reply #4 on: November 01, 2017, 01:34:43 pm »
Those can have a setting called "AP Isolation" or something similar that basically acts like a firewall. Find it if it's there and turn it off.

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #5 on: November 01, 2017, 02:08:09 pm »
@Derelict
Thank you - What I found in there is this:

192.168.1.2:64267 (192.168.0.3:64267) -> 192.168.1.2:80   SYN_SENT:CLOSED   3 / 0   152 B / 0 B

I am still searching now to see what this means.

@kejianshi
I have specifically switched off the Firewall and NAT, and the gateway inside the AP is set to 192.168.1.2.
« Last Edit: November 01, 2017, 02:11:44 pm by lavito »

kejianshi
Re: Unable to access a host on another subnet but can from pfSense
« Reply #6 on: November 01, 2017, 02:15:17 pm »
What kind of AP are you using?

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #7 on: November 01, 2017, 02:25:00 pm »
It's a BrightBox2.

Fortunately, this router has a specific option to switch off NAT & Firewall (which may not work :-\).
I also switched off its DHCP, as I am using the one in pfSense for the LAN2 interface.

The option to set the AP gateway is in its DHCP section, as I think on most routers.

« Last Edit: November 01, 2017, 04:01:22 pm by lavito »

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #8 on: November 01, 2017, 04:00:19 pm »
A very good spot, both, thank you!!

I added another web server, this time a PC, and the request went through with no issues from LAN1 to LAN2.
So the AP is somehow being "clever", despite its firewall being "switched off".

So, is there a way for me to access my AP, as there is no other setting I can see which would solve this?
E.g. rewrite the source IP, or some other special pfSense function?
« Last Edit: November 01, 2017, 05:06:54 pm by lavito »

kejianshi
Re: Unable to access a host on another subnet but can from pfSense
« Reply #9 on: November 01, 2017, 05:34:34 pm »
I've never been able to get around one that was doing that. 

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #10 on: November 02, 2017, 04:54:56 pm »
OK, cheers and thank you for your help.

Derelict
Re: Unable to access a host on another subnet but can from pfSense
« Reply #11 on: November 02, 2017, 06:56:07 pm »
Yes. Outbound NAT on the pfSense interface that the AP is connected to.

Connections to the AP will appear to the AP as coming from the pfSense interface not the remote subnet.

I'd prefer to just use a "real" AP but that's probably just me.

kejianshi
Re: Unable to access a host on another subnet but can from pfSense
« Reply #12 on: November 02, 2017, 07:00:25 pm »
I've had hit and miss results with DD-WRT in exactly this same situation. 

My last version blocked everything, but my current version works fine. As you said, a real AP designed to be just an AP would be be$t.

lavito
Re: Unable to access a host on another subnet but can from pfSense
« Reply #13 on: November 08, 2017, 05:25:20 pm »
Quote from: Derelict on November 02, 2017, 06:56:07 pm
    Yes. Outbound NAT on the pfSense interface that the AP is connected to.

    Connections to the AP will appear to the AP as coming from the pfSense interface not the remote subnet.

    I'd prefer to just use a "real" AP but that's probably just me.

I just noticed your response Derelict. Great!!!

I tried it and of course it did not work :-[, so I just need a bit of help with setting up the Outbound NAT to achieve "AP will appear to the AP as coming from the pfSense interface not the remote subnet".

Issue: I am trying to access AP on 192.168.1.2:80 from 192.168.0.3.

Setup:
  • Outbound NAT -> Hybrid
  • Outbound NAT Interface: LAN2
  • Outbound NAT Source: Network: 192.168.0.3/24 Port:80
  • Outbound NAT Destination: Network: 192.168.1.2/31 Port:80
  • Translation\Other subnet: 192.168.1.2/31
« Last Edit: November 08, 2017, 05:50:06 pm by lavito »

Derelict
Re: Unable to access a host on another subnet but can from pfSense
« Reply #14 on: November 08, 2017, 06:12:26 pm »
Don't set a source port.
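Reply #11 suggests outbound NAT on the LAN2 interface and Reply #14 says not to set a source port. As an added example (not from the thread or from pfSense itself), this Python matcher applies a pfSense-style outbound NAT mapping to the SYN from the state-table line in Reply #5 and shows why a filled-in Source: Port field stops the mapping from matching; the LAN2 address 192.168.1.1 and the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class OutboundNatRule:
    """One Firewall > NAT > Outbound mapping, using the GUI's field names."""
    interface: str
    source_net: str             # Source: Network
    source_port: Optional[int]  # Source: Port (None = left empty, matches any)
    dest_net: str               # Destination: Network
    dest_port: Optional[int]    # Destination: Port (None = any)
    translation: str            # Translation: address the source is rewritten to

@dataclass(frozen=True)
class Flow:
    interface: str   # pfSense interface the packet leaves through
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def mismatches(rule: OutboundNatRule, flow: Flow) -> List[str]:
    """Reasons the mapping does NOT match the flow; an empty list means it matches."""
    reasons = []
    if flow.interface != rule.interface:
        reasons.append(f"interface {flow.interface} != {rule.interface}")
    # strict=False accepts host-style entries such as 192.168.0.3/24
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.source_net, strict=False):
        reasons.append(f"source {flow.src_ip} not in {rule.source_net}")
    if rule.source_port is not None and flow.src_port != rule.source_port:
        reasons.append(f"source port {flow.src_port} != {rule.source_port}")
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dest_net, strict=False):
        reasons.append(f"destination {flow.dst_ip} not in {rule.dest_net}")
    if rule.dest_port is not None and flow.dst_port != rule.dest_port:
        reasons.append(f"destination port {flow.dst_port} != {rule.dest_port}")
    return reasons

def source_seen_by_ap(rule: OutboundNatRule, flow: Flow) -> str:
    """Source address the AP sees: the translation address on a match, else the original."""
    return rule.translation if not mismatches(rule, flow) else flow.src_ip

# Constructed from the thread's state-table line: 192.168.0.3 used ephemeral port 64267
# to reach the AP's port 80. 192.168.1.1 is an assumed LAN2 address (not stated in the thread).
SYN = Flow("LAN2", "192.168.0.3", 64267, "192.168.1.2", 80)
LAN2_ADDRESS = "192.168.1.1"
# The mapping as first entered in the thread (source port pinned to 80) ...
AS_ENTERED = OutboundNatRule("LAN2", "192.168.0.3/24", 80, "192.168.1.2/31", 80, LAN2_ADDRESS)
# ... and the same mapping with Source: Port left empty, as the final reply advises.
NO_SOURCE_PORT = OutboundNatRule("LAN2", "192.168.0.3/24", None, "192.168.1.2/31", 80, LAN2_ADDRESS)
```

`mismatches(AS_ENTERED, SYN)` returns `['source port 64267 != 80']`, so the AP still sees 192.168.0.3; with `NO_SOURCE_PORT` the list is empty and `source_seen_by_ap` returns 192.168.1.1. Because a client picks a fresh ephemeral source port for every connection, a fixed Source: Port can never match ordinary web traffic.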