Bug #12270

closed

Unidirectional connectivity with DHCP-assigned interface

Added by Uwe Dippel over 2 years ago. Updated over 2 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: DHCP (IPv4)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

[I did discuss this in the forum, and I am aware it sounds unlikely, but haven't found a solution so far. It does look like a bug. 'Works for me': I believe so. But here it doesn't and I would like to go to the bottom of it.]

It is impossible to connect to the pfSense box from a DHCP-assigned client. (pfSense 2.5.2 out of the box)

3 interfaces: WAN (dhcp4 client) and 2x LAN (DHCP servers).
LAN1: 192.168.1.200/24, DHCP range 192.168.1.101-199
LAN2: 192.168.2.1/24, DHCP range 192.168.2.101-199
A client on LAN2 obtains a proper dhcp4 address (release-renew) of 192.168.2.101. Checks.
netstat -rn among others says 0.0.0.0 192.168.2.1. Checks.
However, ping 192.168.2.1 from that client fails. nmap -Pn says 192.168.2.1 is up, but all ports closed.
ping from 192.168.2.1 to that client works.
> DHCP gives out proper address, nameserver, gateway. Link is up: gateway can ping client. BUT: client cannot connect to gateway.
Firewall rules: only automatic, basic:
WAN | 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.2.0/24 | * | * | * | WAN address | * | Auto created rule
IPv4 | LAN net | * | * | * | * | none | Default allow LAN to any rule

What I have done so far:
Fresh install
Other, similar machine
Changing interface hardware (NIC)

Actions #1

Updated by Uwe Dippel over 2 years ago

I'm not able to correct the 'netstat minus rn' which converted into a strike-through instead of actually showing the netstat -rn. I didn't expect that I'd have to write this as code, my apologies!

Actions #2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug

It's not a bug, it's doing exactly what it's been told to do. You need rules on LAN2 to allow traffic from LAN2 to do anything. Keep the discussion on the forum.

Actions #3

Updated by Uwe Dippel over 2 years ago

Jim Pingle wrote in #note-2:

It's not a bug, it's doing exactly what it's been told to do. You need rules on LAN2 to allow traffic from LAN2 to do anything. Keep the discussion on the forum.

Okay, my oversight: I didn't mention that my rule 'LAN to any' is on LAN2. Can't be more open. First.
Second: LAN1 is configured identically, and there it works.
I was in the forum, and was correctly told it should work.

Of course, you have the prerogative of deciding that two identically configured interfaces are supposed to act differently. And that 'LAN to all' is insufficient, and that a client can't connect to its own gateway from where it got its lease 20 seconds earlier. Though, I don't have to be convinced.

Actions #4

Updated by Jim Pingle over 2 years ago

"LAN to any" won't match LAN2, it must be "LAN2 to any".

Actions #5

Updated by Uwe Dippel over 2 years ago

Now it is solved. Wouldn't have minded learning elsewhere that 'LAN to ...' is not a mere description. I had set it on the correct IF from the start.
Thanks a bunch, and my apologies!
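The resolution in #4 and #5 comes down to how the source field of a rule resolves: "LAN net" is the subnet of the interface named LAN, regardless of which interface tab the rule is placed on. The ruleset below is an added illustration in native pf(4) syntax, not the reporter's configuration and not the ruleset pfSense generates. The interface names em0, em1 and em2 are assumed; the subnets are the ones from the report. It shows the mistaken rule beside the corrected one.

```pf
# Added illustration, not pfSense's generated ruleset and not the
# reporter's configuration. Assumed interface names:
#   em0 = WAN, em1 = LAN1 (192.168.1.200/24), em2 = LAN2 (192.168.2.1/24)
wan  = "em0"
lan1 = "em1"
lan2 = "em2"

set skip on lo0

# Default deny, as pfSense does. Anything not matched by a pass rule
# below ends up here.
block log all

# Model of pfSense's implicit allow-out: traffic the firewall itself
# originates (e.g. the gateway pinging 192.168.2.101) creates state, so
# the client's replies are allowed back in. This is why gateway -> client
# works even while client -> gateway is blocked.
pass out quick keep state

# The default "allow LAN to any" rule as created on the first LAN.
# "LAN net" expands to LAN1's subnet, 192.168.1.0/24.
pass in quick on $lan1 inet from $lan1:network to any keep state

# WRONG: rule placed on LAN2 but with source "LAN net". The source still
# expands to 192.168.1.0/24, so a packet from 192.168.2.101 arriving on
# em2 matches nothing and falls through to "block log all".
pass in quick on $lan2 inet from $lan1:network to any keep state

# RIGHT: source "LAN2 net", i.e. the subnet of the interface the rule
# is on. Keep only this rule for LAN2; the line above is shown for
# comparison and should not be loaded alongside it.
pass in quick on $lan2 inet from $lan2:network to any keep state
```

Two checks make this kind of mistake visible without guessing. `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` prints the loaded rules with `em1:network` already expanded to the literal subnet, so a rule on em2 whose source reads 192.168.1.0/24 stands out. On pfSense the generated ruleset is written to /tmp/rules.debug, where a LAN2 rule built from "LAN net" shows the LAN1 subnet as its source in the same way. The practical point is the same one Jim Pingle makes in #4: the interface a rule is placed on only selects the interface the packet arrives on; the source network is a separate field and must name the matching interface's own network.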
