Pfsense with two different LANs. Second LAN cannot access rest of network

Ewurama

Sep 8, 2015
I have a server with three NICs running pfSense. The first NIC connects to my ISP, the second NIC connects to local computers in my office (LAN-1). For the third NIC (LAN-2), I have connected it to a computer and I want it to be able to connect to the second NIC (LAN-1) as well as the first (WAN).

**NIC 1 = gateway = WAN**
**NIC 2 = LAN-1 = 172.30.0.3/16**
**NIC 3 = LAN-2 = 172.40.0.3/16**

Problem is that I can ping LAN-2 (172.40.0.3) from LAN-1 (172.30.0.0/16) but I cannot ping or trace anything from LAN-2 to LAN-1, or even to the internet. When I ping from LAN-2, there is no reply, not even a timeout.. it stays blank till I disconnect and it gives a destination host unreachable message.

The pfSense version is 2.2.3-RELEASE (amd64)

Kindly help me out.
 

Tcinator

Jun 25, 2014
I run pfSense religiously but by no means am I an expert. It sounds like the default gateway for LAN 1 is properly set, as it would be because it's set up during initial setup. The second LAN however may not have a default gateway set in pfSense. This would cause it to be able to reply to a ping if it came from LAN 1, because the ping has the path back to LAN 1, but if something originates from LAN 2, it does not know where to go.

The settings are under System/Routing

I will take a look and attempt to duplicate your issue. Hope you get it all figured out.

EDIT: I'm sorry... I'm forgetting my basic routing.. disregard all of what I just said. -_-. Two networks touching the same router obviously should be able to talk. I will investigate further.
 
If you issue a ROUTE PRINT command on the LAN2 PC box, you will see its routing table, and the 2 entries that take it to the Internet are the DEFAULT GATEWAY, and/or the one above it that says (in order to get to) 255.255.255.255 255.255.255.255 (basically ANY IP) (go through THIS gateway) x.x.x.x, and x.x.x.x needs to be the IP of the pfSense LAN2 NIC. So either entry containing the "correct door" will work.

How do you accomplish this? I don't use pfSense, but it will be natural for this configuration item to be in the pfSense box.

Just to test, you can make this change in the PC box, modify its routing table, but that's like using a static IP. The correct way is to have your router box set up this table correctly.

The routing table is resolved top to bottom. A series of, "to get to x, you need to go through door y." and the bottom 2 entries are the catch-all.
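To make the "resolved top to bottom, catch-all at the bottom" idea concrete, here is an added example (not code from the thread) that models a host routing table the way a LAN-2 PC and pfSense itself would see it. The addresses 172.40.0.10 for the PC and 172.40.0.3 as the pfSense LAN-2 NIC follow the thread's addressing; the table contents are constructed. The lookup implements longest-prefix match, so the default route (0.0.0.0/0) is only used when nothing more specific matches, and a PC with no default route has nowhere to send LAN-1 or Internet traffic at all, which is exactly the "destination host unreachable" symptom.

```python
import ipaddress

# Constructed routing table for a PC on LAN-2 (172.40.0.10), listed the way
# "route print" / "netstat -rn" would show it. Gateway "0.0.0.0" means on-link.
LAN2_PC_ROUTES = [
    ("172.40.0.0/16",  "0.0.0.0",    "172.40.0.10"),  # directly attached LAN-2
    ("172.40.0.10/32", "0.0.0.0",    "172.40.0.10"),  # the PC's own address
    ("127.0.0.0/8",    "0.0.0.0",    "127.0.0.1"),    # loopback
    ("0.0.0.0/0",      "172.40.0.3", "172.40.0.10"),  # default route -> pfSense LAN-2 NIC
]

# The same PC with the default route missing (a misconfigured static IP or no DHCP).
LAN2_PC_NO_DEFAULT = [r for r in LAN2_PC_ROUTES if r[0] != "0.0.0.0/0"]

# Constructed table for the pfSense box: both LANs are directly attached, so it can
# forward between them without any extra static routes (only WAN needs the default).
PFSENSE_ROUTES = [
    ("172.30.0.0/16", "0.0.0.0",       "172.30.0.3"),   # LAN-1 NIC
    ("172.40.0.0/16", "0.0.0.0",       "172.40.0.3"),   # LAN-2 NIC
    ("0.0.0.0/0",     "203.0.113.1",   "203.0.113.10"), # ISP gateway (placeholder documentation address)
]


def lookup(dest, routes):
    """Longest-prefix match over the table.

    The most specific matching network wins regardless of list order; 0.0.0.0/0
    matches everything and therefore only wins when nothing else does.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return best


def next_hop(dest, routes):
    """Return the gateway to send `dest` to, "on-link" if directly attached,
    or None when the table has no route at all (unreachable)."""
    match = lookup(dest, routes)
    if match is None:
        return None
    _, gw, _ = match
    return "on-link" if gw == "0.0.0.0" else gw


if __name__ == "__main__":
    for table_name, table in (("LAN2 PC", LAN2_PC_ROUTES),
                              ("LAN2 PC, no default", LAN2_PC_NO_DEFAULT),
                              ("pfSense", PFSENSE_ROUTES)):
        for dest in ("172.40.0.200", "172.30.0.50", "198.51.100.7"):
            print(f"{table_name:20} -> {dest:14} via {next_hop(dest, table)}")
```

Run it and the LAN-2 PC reaches the LAN-1 host and the Internet only through 172.40.0.3; with the default route removed, the same destinations resolve to no route, while pfSense reaches both LANs on-link.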
 

Tcinator

Jun 25, 2014
I didn't even think of the LAN devices not working properly. Are you running DHCP for both LANs? Are they set up properly with 172.40.0.3 as the gateway? pfSense automatically sets the WAN as the default gateway for all traffic that it can't match to a network, so there is no issue there. You may want to check your NAT rule generation. If that isn't set to automatic, or if you haven't added in the .40.0.0/16 network, you won't get out. As far as LAN 2 to LAN 1, do as jsmithepa said and check the gateway of the PC on LAN 2; make sure your DHCP is set up or all fields are properly set if you are running static.
 
Sep 27, 2018
The solution is in DNS Resolver: you need to select Network Interfaces: All.
And in the option
Outgoing Network Interfaces: just select your WAN interface.

And the rules in the firewall are
NIC1 source: NIC1 net
destination: NIC2 net
gateway: default

NIC2 source: NIC2 net
destination: NIC1 net
gateway: default

That's it.

Tell me what happened.
 
There are a lot of YouTube videos on pfSense VLANs.

You likely need firewall rules in place. You might have created one allowing a VLAN to make an inbound connection, but then didn't do the same on the other.

What are you trying to accomplish with the VLANs? Complete separation, one-way connection establishment, IDS, fewer broadcasts, etc. are common reasons for VLANs.
 
I also run pfSense at my house for firewall protection for my servers. I have it set up in a similar manner.

On top of setting the DNS as mentioned above, you may need to also make a policy to allow cross communication between the primary and optional networks for traffic to pass (an all/all rule or restricted rules depending on what services you need to cross subnets).

Also, it may be obvious but can be easily missed: make sure there is a DHCP source enabled for the LAN2 subnet. I do not believe it is enabled by default, and if the address you are trying to ping is not static, no devices on that other subnet will get an IP.

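The last three replies all come back to the same two checks: the OPT interface (LAN-2) needs its own pass rule, because pfSense evaluates rules on the interface where traffic enters and anything unmatched hits the default deny, and automatic outbound NAT must cover the 172.40.0.0/16 network or LAN-2 never gets out. The following is an added example, not code from the thread or from pfSense, that models both checks over a constructed rule set so the "before" and "after" states can be compared. The interface names LAN1/LAN2, the aliases "LAN1 net"/"LAN2 net", and the NAT source lists are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Interface network aliases, as pfSense's "LAN net"-style aliases would expand.
NETS = {
    "LAN1 net": "172.30.0.0/16",
    "LAN2 net": "172.40.0.0/16",
    "any": "0.0.0.0/0",
}


@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # alias from NETS
    dst: str     # alias from NETS


def _matches(alias, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(NETS[alias])


def evaluate(iface, src, dst, rules):
    """First-match evaluation on the *ingress* interface.

    Rules are walked top to bottom; the first whose source and destination
    both match decides. No match at all is the implicit default deny.
    """
    for rule in rules.get(iface, []):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "block"


# Constructed "before": the default LAN got its allow-all rule at install time,
# the added OPT interface (LAN2) has no rules at all.
RULES_BEFORE = {
    "LAN1": [Rule("pass", "LAN1 net", "any")],
    "LAN2": [],
}

# Constructed "after": LAN2 gets a matching pass rule for traffic it originates.
RULES_AFTER = {
    "LAN1": [Rule("pass", "LAN1 net", "any")],
    "LAN2": [Rule("pass", "LAN2 net", "any")],
}


def interfaces_without_pass(rules):
    """Interfaces that can never originate a connection: no pass rule at all."""
    return sorted(i for i, r in rules.items() if not any(x.action == "pass" for x in r))


def nat_covers(nat_sources, lan_net):
    """True if some outbound NAT source network contains the whole LAN network.

    Automatic outbound NAT includes every internal interface network; with
    manual NAT a newly added LAN is only covered if someone adds it.
    """
    lan = ipaddress.ip_network(lan_net)
    return any(lan.subnet_of(ipaddress.ip_network(s)) for s in nat_sources)


if __name__ == "__main__":
    pc1, pc2 = "172.30.0.20", "172.40.0.10"
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"[{label}] LAN1->LAN2: {evaluate('LAN1', pc1, pc2, rules)}, "
              f"LAN2->LAN1: {evaluate('LAN2', pc2, pc1, rules)}, "
              f"no pass rule on: {interfaces_without_pass(rules)}")
    manual_nat = ["172.30.0.0/16"]  # constructed manual outbound NAT missing LAN2
    print("LAN2 NATed:", nat_covers(manual_nat, NETS["LAN2 net"]))
    print("LAN2 NATed after adding it:", nat_covers(manual_nat + ["172.40.0.0/16"], NETS["LAN2 net"]))
```

In the "before" state a ping from LAN-1 to LAN-2 passes (and its reply rides the state entry pfSense created), while anything originated on LAN-2 is dropped, which is the asymmetric behaviour the original post describes; adding the LAN-2 rule makes both directions pass, and the NAT check shows why a manual outbound NAT list that was never updated for 172.40.0.0/16 would still block Internet access even once the rule exists.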
 
