Hi David,

I have switched the rules but I am still unable to ping 10.0.1.100 from any 
machine in 10.0.0.0/24.

Yes, I would like 10.0.1.100 to be able to initiate a conversation with machines 
in the 10.0.0.0/24 range.

So if 10.0.1.100 tries to ping a computer 10.0.0.200:
        10.0.1.100 sends ICMP to pfSense (10.0.1.254 = OPT1). This happens 
because 10.0.0.200 is outside its subnet mask.
        pfSense sees this request enter OPT1 and says, "I see a packet from 
10.0.1.100 and it is destined for 10.0.0.200." It checks its rules and says, "I 
have a rule that says OK, let it through."
        pfSense then picks up the packet from OPT1 and hands it to LAN 
(10.0.0.254), which sends it to 10.0.0.200.
        Since 10.0.1.100 was allowed to send a packet to 10.0.0.200, this means 
10.0.0.200 is allowed to send an answer back to 10.0.1.100.

I hope I have this correct now.

-----Original Message-----
From: David Burgess [mailto:apt....@gmail.com] 
Sent: Saturday, September 18, 2010 11:25 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon <r...@maplewood.com> wrote:

> Action:  Pass
> Interface:  LAN
> Protocol:  any (I assume this also includes ICMP???)
> Source:  Single Host (10.0.1.100)
> Destination:  Network (10.0.0.0 / 24)
> Gateway:  default
>
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0/24 
> network about anything (ping, ftp, www, ldap, etc.)

Almost. In your original post you said that 10.0.1.100 is on OPT1.
pfsense's firewall rules operate on packets entering the chosen
interface. The rule above doesn't do anything until you change "LAN"
to "OPT1".

> On OPT1 tab I have
>
> Action:  Pass
> Interface:  OPT1
> Protocol:  any (I assume this also includes ICMP???)
> Source:  Network (10.0.0.0 / 24)
> Destination:  Single Host (10.0.1.100)
> Gateway:  default
>
> To me this means that any machine in the 10.0.0.0/24 network can talk to 
> 10.0.1.100 about anything (ping, ftp, www, ldap, etc.)

As you may have guessed by now, if you change "OPT1" in the above rule
to "LAN" I think you will be in business.

Note also that in your original post you didn't say whether you wanted
10.0.1.100 to talk to LAN hosts. If not, then your first rule is not
wanted. (If a LAN host connects to 10.0.1.100, it will be allowed to
respond, as pfsense is stateful.)

Hope that helps.

db
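To make David's two points concrete (a rule only ever sees packets entering the interface whose tab it sits on, and a pass creates state so the reply needs no rule of its own), here is a small Python model of that evaluation. It is an added illustration, not pfSense or pf code, and it deliberately simplifies pf: no ports or ICMP ids, no interface-bound states, first matching rule wins, default deny. The addresses and interface names are the ones from the thread; the class and function names (`Firewall`, `ping`, `ron_rules`, `david_rules`) are my own.

```python
"""Toy model of how pfSense (pf) evaluates per-interface rules with state.

Added illustration for the thread above, not pfSense or pf code. Simplified
on purpose: rules are checked only for packets ENTERING the interface named
on the rule (the GUI tab), first match wins, a 'pass' creates a state entry,
a packet matching an existing state in either direction is passed without
consulting the rules, and anything else is blocked. Ports, ICMP ids and
interface-bound states are left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "icmp", "tcp", "udp", ...
    iface: str    # interface the packet enters the firewall on


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    iface: str    # GUI tab = ingress interface the rule applies to
    proto: str    # "any" or a protocol name
    src: str      # host or CIDR
    dst: str      # host or CIDR

    def matches(self, p: Packet) -> bool:
        # A rule never sees packets that entered on a different interface.
        if p.iface != self.iface:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states: Set[Tuple[str, str, str]] = set()   # (proto, src, dst)

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet."""
        key = (p.proto, p.src, p.dst)
        reverse = (p.proto, p.dst, p.src)
        # Stateful shortcut: replies to an allowed flow need no rule of their own.
        if key in self.states or reverse in self.states:
            return ("pass", "state")
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)
                return (r.action, "rule")
        return ("block", "default deny")


def ron_rules() -> List[Rule]:
    """The two rules as Ron first posted them (LAN tab / OPT1 tab)."""
    return [Rule("pass", "LAN", "any", "10.0.1.100", "10.0.0.0/24"),
            Rule("pass", "OPT1", "any", "10.0.0.0/24", "10.0.1.100")]


def david_rules() -> List[Rule]:
    """The same two rules with the interfaces swapped, as David suggested."""
    return [Rule("pass", "OPT1", "any", "10.0.1.100", "10.0.0.0/24"),
            Rule("pass", "LAN", "any", "10.0.0.0/24", "10.0.1.100")]


def ping(rules: List[Rule], src: str, src_iface: str, dst: str, dst_iface: str):
    """Echo request from src (entering src_iface), then the reply (entering dst_iface)."""
    fw = Firewall(rules)
    request = fw.filter(Packet(src, dst, "icmp", src_iface))
    if request[0] != "pass":
        return request, None          # request dropped, so no reply to evaluate
    reply = fw.filter(Packet(dst, src, "icmp", dst_iface))
    return request, reply


if __name__ == "__main__":
    for name, rules in (("as posted", ron_rules()), ("interfaces swapped", david_rules())):
        print(name)
        print("  OPT1 host -> LAN host:", ping(rules, "10.0.1.100", "OPT1", "10.0.0.200", "LAN"))
        print("  LAN host -> OPT1 host:", ping(rules, "10.0.0.200", "LAN", "10.0.1.100", "OPT1"))
```

With the rules as posted, a ping from 10.0.1.100 enters OPT1, where the only rule wants a 10.0.0.0/24 source, and a ping from a LAN host enters LAN, where the only rule wants 10.0.1.100 as source, so both hit the default deny. With the interfaces swapped, each request matches the rule on its ingress tab and the echo reply passes on state alone. Dropping the OPT1 rule (David's "first rule is not wanted" case) leaves LAN-initiated pings working while 10.0.1.100 can no longer initiate.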
