pfSense Is it possible to allow PCs on one interface/subnet local access to PCs on another?

Ok, so as of last night I have built and am now using a low powered PC as a pfSense machine. I bought a 4 port Intel gigabit NIC to be used with this machine. I went from not even knowing how to install it to having it set up, on the internet and having each interface set up to have its own subnet, which I consider somewhat of an accomplishment for just poking around the interface a bit. So, here is my problem…

I have two houses next door to one another and they share the same internet connection via a Cat6 cable I trenched in conduit piping underground. One of the houses has roommates that need to be tamed when it comes to internet, which is why I am attempting to learn pfSense. So far, I have 3 interfaces set up for internet access and they work fine. One is for my house, one is for the house next door and one is dedicated to an Asus WIFI router exclusively for the roommates. Here is as good a map as I can make…

Internet—pfSense—LAN 192.168.10.0/24,OPT1 192.168.20.0/24,OPT2 192.168.30.0/24,OPT3 192.168.1.0/24

Now, LAN is reserved for myself and my own family in my house, OPT1 is my brother's connection in his house with his own subnet for his devices, OPT3 is the one for the roommates that will eventually have all the traffic shaping, throttling, blocking and locked down ports they need to have. See, it is not often but there are times that I need to be able to access devices on my brother's side of the network for some basic file sharing and such. I would like to be able to do exactly that.

TLDR; Basically, I need one subnet on one interface 10.0/24 to be able to access local only content from 20.0/24 and vice versa. I would assume I could just use the firewall rules to allow access between these networks. For many reasons I do NOT want to make them act like one big network because I need finer control over what is allowable to be accessed on my side.

Any help would be appreciated.

P.S. I am a total 100% noob with this so please, be kind and don’t laugh at me too hard if this should be simple. :stuck_out_tongue:

2 Likes

Yeah, you just need to make a firewall for it.

You make the rule on the source interface, so on your LAN interface you'd make a rule with your IP as the source, and the other IP, or the whole network, as the destination. If you need to do anything more complicated with multiple IPs to multiple IPs (not whole networks but specific IPs) then you can create aliases for those IPs and use those aliases in the rules.

2 Likes

Unfortunately, this is exactly how my rules are right now but it simply doesn't allow local access at all. I can neither ping nor access network on any device on the other subnet. Do you think you could provide some sort of example rule that would allow local access between two subnets? Here is what I have set right now.

A similar setup is also mirrored on the other LAN I want access to.

This is going off of some very ancient memory of mine, and I am no networking pro, but this could have something to do with subnet masking. My understanding is that a subnet mask of 255.255.255.0 would segregate from the local (all IPs with the same first 3 sets of numbers) and other networks. Since you are using two tiers of local networking, then the segregation point would need to be one level higher, or 255.255.0.0 to allow traffic between those two local tiers of networks.

Like I mentioned, I am no expert on networking, but I would look into the subnet mask.

That bottom rule does nothing, you should get rid of it, the second from bottom rule also does nothing as that ip should be in the subnet of the first rule. Essentially that first rule is an allow any to any rule so anything on your LAN is allowed to access anything else.

Anyway, that should work so I'm not sure what the issue is.

You don't want to do that, you only need to make a rule on the source interface, unless you want devices from the other network accessing yours.

Can you post screen shots of all your firewall interfaces pages as well as the interface pages (with the ip and subnet info)

1 Like

This is precisely what I want to do, allow some devices to be accessed from my network. I have since removed the two bottom rules as they did not help in any way. I have since also tried bridging the two networks and that works to some small degree but still, local traffic cannot be passed through from devices plugged in one port to the other. Seems a little odd that literally no one on the internet wants this to happen. There is precisely zero documentation about how to do it or if it is even possible. Though I would have assumed that a bridge should have done it at least at a whole network level. What if I plugged a server into one of those ports, why can't I access it from another network? I know for a fact this is possible as I used to have a network set up for this exact scenario with a bunch of hardware back when I had a fiber network run all over the place.

The real reason I need to access the other subnet is because that is where the security system is located and I need to be able to have access to it. I am not watching it 100% of the day or anything and only need to log into it when there is something going on I need to see. Sometimes it's just waiting for the mailman to bring a package as it is well over 115 degrees outside this time of year. I would also like to be able to print from the network printer that is also on the other network but I hardly ever use it, maybe once or twice a year. This is why I was asking about allowing a PC on one subnet/interface to access another that is on a completely different interface.

Not sure how this will help, at the time the bridge wasn't there OPT4 but even though it is there, I STILL can't have local access, even at the network level seeing as they are now set up as one network with the same IP ranges and everything, totally not what I want but I am willing to settle for that right now. If this is not possible via pfSense then I will have to find another piece of software that can. Seems like this would be a pretty common thing for people to want, especially considering the massive amount of things pfSense can do.

It is possible, that first rule should allow it so something isn't configured properly.

Put it back the way it was and post screen shots of each firewall page for each interface as well as the interface page for each interface, and don't blank out the IP address as that's the important part. (blank out your WAN address)

Basically I want to see this:

and this:

for each interface.

1 Like

Also could you draw a quick diagram of the whole network? (just a sketch will do)

For one, you are awesome for helping out, thanks! I will draw up a network diagram later tonight and post it here for you because I am 100% sure my ability to explain it is sorely lacking. :smiley:

You will hear from me by tomorrow morning.

1 Like

Ok, so this is the best I can do right now... The two bottom rules you mentioned before were not saved in my config backup because those were just what I was fiddling with.

Network map

And the rest, but as I said earlier, these have pretty much been wiped clean and just have internet right now alone.

RULES

INTERFACES

The roommate LAN can stay the way it is for now, I will be using traffic shaping and such to handle them after I can get this working.

Both Kevin and Micheal network needs access to the camera/file server and the printer. I would like the ability to also share files between Micheal and Kevin networks but not with full impunity. Maybe one PC on it needs access but even if it is a full network access, I can deal with that as it is my brother and I hope he and his wife can manage their own crap.

Mostly, the way this is set up is pretty much non-changeable since I am pretty limited in the physical placement of each device, switch and such. Since they are spread across two houses with a mix of devices that need to be blocked and yet others that need to be allowed.

Basically, if I can figure out how to get local LAN access between Michael's network and Kevin's network then I can probably take it from there. I just need a working example of how to configure it and I can run with that. Again, my knowledge of these things is only theoretical and my practical knowledge is decades old so I am just totally confused...

THANK YOU! You really are going above and beyond here for me and I am most appreciative of it.

Actually, it's like this, I have never visualized a network before so I can be forgiven being a little bad at it, right? :smiley:

In your diagram are those routers or switches?

Your rules all allow all traffic to all networks. What you need to do is make rules above the allow rules to block traffic to the other networks, then make allow rules above those for the traffic you wish to allow between networks.

But that doesn't explain why you can't get local traffic between networks because as it is it's all allowed. So I'm going to guess those are routers in your diagram in which case you need to be using switches, so either replace them or don't use the WAN port on them and disable things like DHCP (essentially just use them as switches).

1 Like
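The rule ordering described in the reply above, modelled as an added example (not part of the thread and not pfSense's own code): rules on an interface tab are checked top to bottom against traffic entering that interface, and the first match decides. The subnets come from the thread; the camera and printer addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR, single host, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any port

def _in(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, src, dst, proto, dport=None) -> str:
    """First matching rule decides; traffic matching no rule is blocked."""
    for r in rules:
        if (_in(src, r.src) and _in(dst, r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "block"

LAN = "192.168.10.0/24"    # LAN subnet, from the thread
OPT1 = "192.168.20.0/24"   # OPT1 subnet, from the thread
CAMERA = "192.168.20.50"   # constructed address for the camera/file server
PRINTER = "192.168.20.60"  # constructed address for the network printer

# Rules as they would sit on the LAN interface tab, top to bottom.
LAN_RULES = [
    Rule("pass", LAN, CAMERA, "tcp", 443),    # specific allows first
    Rule("pass", LAN, PRINTER, "tcp", 9100),
    Rule("block", LAN, OPT1),                 # then block the rest of OPT1
    Rule("pass", LAN, "any"),                 # then the general allow (internet)
]

# Same rules with the allow-all on top: the block is never reached.
MISORDERED = [LAN_RULES[3]] + LAN_RULES[:3]

if __name__ == "__main__":
    probes = [(CAMERA, "tcp", 443), ("192.168.20.77", "tcp", 445), ("8.8.8.8", "udp", 53)]
    for dst, proto, port in probes:
        print(dst, proto, port, "->", evaluate(LAN_RULES, "192.168.10.5", dst, proto, port))
```
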

That's what I thought the problem was, the original poster has three routers in his network where he should only have one. I thought from the very beginning the original poster was using more than one router, but I wasn't sure because the original poster didn't post a diagram of his network, since he has, it is very obvious what the problem is.

1 Like

Nope, not routers, those are basic 25$ TP link switches. Literally, nothing being done to the traffic at all. The only router on the network is for the WIFI and I want that to remain separated and completely isolated 100%.

This is the crux of my issue, I WANT traffic to pass between networks yet pfSense seems hell bent to block it without giving me the ability to change it in any way. I can't start making proper rules as to what I want and don't want to pass through till it allows, well, literally anything.

Again, not the case. Those are normal everyday switches and not routers, trust me, I know the difference and would have taken them out of the equation if I had three routers.

REVISED

This is pretty weird. It should be working no problem.

Have you deleted the bridge?
Have you made any other changes to the default configuration?
pfSense is acting as the DHCP server and is giving its address as the default gateway to your devices? This should be the interface address for each network, as in each network should have a different address as the default gateway.

I assume you're not having any problems with internet access?

Well, at this second I removed the bridge because it wasn't working at all. I tried getting rid of all of the static assignments on the different ports, selecting none and then running DHCP right on the bridge instead, still didn't work. I have tried 100% everything I can even think of and there is no way to have one local device and another plugged into two separate ports on the pfSense box to communicate any kind of local traffic between them. I am at my wits end here and desperately need to get this working. COX is handing out insane overage charges if we go over bandwidth and a pfSense box is the only way I can have the traffic control I need to properly manage my connections and they start charging next month.

Most people wouldn't know they shouldn't have more than one router per IP block of address. Today most devices have built in routers, wireless switches, and access points. It is quite easy to have the device set up as the wrong device or overlook that it is set up as the wrong device. Since my guess was wrong I don't know why pfSense isn't behaving like you want it.

Yeah, I get it, most people aren't as aware of those things. I thought I knew enough about networking that I should be able to get into this a little to have that much greater control I need. I am no expert, far from it but I know enough I should be able to get this working unless pfSense is bugged.

Is there any way you could tell me exactly what would be required to make this work, assuming it will work? Is a bridge really required? If it isn't, is there another way to go about it? How would YOU set this up if you wanted to from a clean install?

And sorry if I sounded a little frustrated before, this is really starting to annoy the hell out of me, as you might imagine. :frowning: