Hi David,

I have switched the rules but I am still unable to ping 10.0.1.100 from any machine in 10.0.0.0/24.

Yes, I would like 10.0.1.100 to be able to initiate a conversation with machines in the 10.0.0.0/24 range. So if 10.0.1.100 tries to ping a computer 10.0.0.200, 10.0.1.100 sends ICMP to pfSense (10.0.1.254 = OPT1). This happens because 10.0.0.200 is outside its subnet mask. pfSense sees this request enter OPT1 and it says "I see a packet from 10.0.1.100 and it is destined for 10.0.0.200." It checks its rules and says "I have a rule that says OK, let it through." pfSense then picks up the packet from OPT1 and hands it to LAN (10.0.0.254), which sends it to 10.0.0.200. Since 10.0.1.100 was allowed to send a packet to 10.0.0.200, this means 10.0.0.200 is allowed to send the answer back to 10.0.1.100.

I hope I have this correct now.

-----Original Message-----
From: David Burgess [mailto:apt....@gmail.com]
Sent: Saturday, September 18, 2010 11:25 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon <r...@maplewood.com> wrote:

> Action: Pass
> Interface: LAN
> Protocol: any (I assume this also includes ICMP???)
> Source: Single Host (10.0.1.100)
> Destination: Network (10.0.0.0/24)
> Gateway: default
>
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0/24
> network about anything (ping, ftp, www, ldap, etc.)

Almost. In your original post you said that 10.0.1.100 is on OPT1. pfSense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change "LAN" to "OPT1".

> On OPT1 tab I have
>
> Action: Pass
> Interface: OPT1
> Protocol: any (I assume this also includes ICMP???)
> Source: Network (10.0.0.0/24)
> Destination: Single Host (10.0.1.100)
> Gateway: default
>
> To me this means that any machine in the 10.0.0.0/24 network can talk to
> 10.0.1.100 about anything (ping, ftp, www, ldap, etc.)

As you may have guessed by now, if you change "OPT1" in the above rule to "LAN" I think you will be in business.

Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (If a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfSense is stateful.)

Hope that helps.

db

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
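The two points David makes in this thread (a pass rule is only evaluated on the interface a packet enters, and a permitted request creates state that lets the reply back without its own rule) can be checked with the following small model. It is an added example, not pfSense code or anything from the list; it uses the addresses and the two rules posted above and assumes only those rules exist (real pfSense adds a default allow rule on LAN, which is deliberately left out here).

```python
import ipaddress

# Constructed model: interface name -> subnet attached to it (from the thread)
INTERFACES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "OPT1": ipaddress.ip_network("10.0.1.0/24"),
}

# The rules exactly as Ron posted them: interface names swapped by mistake
POSTED_RULES = [
    {"action": "pass", "interface": "LAN", "source": "10.0.1.100/32", "destination": "10.0.0.0/24"},
    {"action": "pass", "interface": "OPT1", "source": "10.0.0.0/24", "destination": "10.0.1.100/32"},
]

# David's fix: the same rules with "LAN" and "OPT1" exchanged
CORRECTED_RULES = [
    dict(r, interface={"LAN": "OPT1", "OPT1": "LAN"}[r["interface"]]) for r in POSTED_RULES
]


def ingress_interface(src):
    """The interface a packet from src enters: the one whose subnet holds src."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(src) in net:
            return name
    raise ValueError(f"no interface for {src}")


def rule_matches(rule, iface, src, dst):
    # A rule is only consulted for packets entering the interface it is bound to
    return (rule["interface"] == iface
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["source"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["destination"]))


def packet_allowed(rules, state, src, dst):
    """Pass a packet if it replies to an established flow or an ingress rule matches."""
    if (dst, src) in state:  # stateful: reply direction of an allowed flow
        return True
    iface = ingress_interface(src)
    for rule in rules:
        if rule["action"] == "pass" and rule_matches(rule, iface, src, dst):
            state.add((src, dst))  # remember the flow so the answer can come back
            return True
    return False  # no matching rule on this interface (simplified default deny)


def ping_exchange(rules, src="10.0.1.100", dst="10.0.0.200"):
    """Echo request src -> dst followed by the echo reply; returns (request_ok, reply_ok)."""
    state = set()
    req = packet_allowed(rules, state, src, dst)
    rep = packet_allowed(rules, state, dst, src) if req else False
    return req, rep
```

Running `ping_exchange(POSTED_RULES)` reproduces the failure from the thread, while the corrected rules, or even just the single OPT1 rule on its own, let both the request and the stateful reply through.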