pfSense rules? - unable to access IoT LAN

Ultra nubee to pfSense, toyed with the idea for a long time but just dove into it this weekend. Anyhoo. . .

Used the 2018 Getting started vid as the basis for my first effort. Most everything seems to have fallen into place, though I am unable to access any devices in the IoT LAN (aka CrapNetwork) from the primary LAN. Cannot ping any devices from the outside (I do see them in the Switch’s address table) other than its gateway, 10.10.20.1. Angry IP Scanner from the outside also comes up empty other than the gateway.

From within the IoT (CrapNetwork) LAN, I can ping everything in the primary LAN, have internet access, etc.

I’ve checked the LAN rules, don’t see anything out of order. I even made an additional “Wide Open” rule and set it in first place, just below the Anti-Lockout Rule “just-in-case”. Still no joy.

Guessing it’s something stoopid-easy that I’m just not seeing, but after 5 or 6 hours, gotta ask someone smarter.

TIA - flyy

Also maybe should have added that the couple devices I presently have connected in the IoT LAN are receiving addresses, so DHCP is working.

Screenshots of your interface rules would help.

You didn’t specify it, but from the name of the network I assume this behavior is not intended. Keep in mind that “any” includes other local networks, not just networks beyond the WAN interface, aka the Internet. So if you have an allow rule with any destination for the Crap network, that would be why you can reach your primary LAN.

Also keep in mind that rules in pfSense apply to traffic entering the respective interface. So if you want to allow connections from the main LAN to CrapNetwork, the rule for that must be on the main LAN interface, not the CrapNetwork interface.

Just as it was after original setup:

I’m just trying to get everything talking to each other (i.e. everything totally open) before restricting the IoT side. Yes, the IoT side needs to be restricted once I can access it from the outside. Right now, there’s nothing “unsafe” on it, just a laptop for testing. At this point, ANY is fully intended.

And, yes, I know the rule restricting the IoT side must be in the LAN interface. I just can’t find in the existing rules anything that should block access to the IoT.

On the LAN interface you need to have your source as LAN NET and not * for the IPv4 rule.

Then if you want to block your LAN TO IoT then you also will set the rule source as LAN NET.

What you can do to further troubleshoot this is to enable logging on the default allow rule and see if your pings etc. show up in the logs. Make sure that the firewall on the device in the IOT network allows incoming connections (e.g., if it’s a Windows laptop it shouldn’t be set to public network) or disable it entirely for testing.
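
An added example, not part of the thread or of pfSense itself: once logging is enabled on the allow rule as suggested above, this sketch reads raw `filterlog` lines and reports whether pfSense passed or blocked traffic to a given IoT host, which separates a rule problem from a host-firewall problem. The log lines are constructed, and the /24 mask, the interface names `igb1` (LAN) and `igb2` (IoT), the LAN addresses and the BSD-style syslog prefix are assumptions.

```python
import ipaddress

IOT_NET = ipaddress.ip_network("10.10.20.0/24")  # assumed /24 around the thread's 10.10.20.1

# Constructed sample lines (not from the thread); igb1 = LAN, igb2 = IoT are assumed names.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfSense filterlog[41234]: 78,,,1770001239,igb1,match,pass,in,4,0x0,,128,4021,0,none,1,icmp,60,192.168.1.50,10.10.20.101,request,1,12
Mar  3 10:15:02 pfSense filterlog[41234]: 78,,,1770001239,igb1,match,pass,in,4,0x0,,128,4022,0,none,1,icmp,60,192.168.1.50,10.10.20.101,request,1,13
Mar  3 10:15:07 pfSense filterlog[41234]: 4,,,1000000103,igb1,match,block,in,4,0x0,,128,4030,0,none,1,icmp,60,192.168.1.50,10.10.20.102,request,1,14
Mar  3 10:15:09 pfSense filterlog[41234]: 80,,,1770004455,igb2,match,pass,in,4,0x0,,64,5100,0,DF,6,tcp,60,10.10.20.101,192.168.1.10,51514,443,0,S,123456,,64240,,mss
"""

def parse_filterlog(line):
    """Parse one IPv4 filterlog line into a dict; return None for anything else."""
    _, tag, rest = line.partition("filterlog[")
    _, sep, csv = rest.partition("]: ")
    f = csv.strip().split(",")
    # Fields 0-8 are common to all entries; field 8 is the IP version.
    if not tag or not sep or len(f) < 20 or f[8] != "4":
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19]}

def diagnose(log_text, target):
    """Say what pfSense did with traffic sent to `target` on the IoT subnet."""
    if ipaddress.ip_address(target) not in IOT_NET:
        raise ValueError(f"{target} is not in {IOT_NET}")
    hits = [e for e in map(parse_filterlog, log_text.splitlines())
            if e and e["dst"] == target and e["dir"] == "in"]
    if not hits:
        return "not logged: enable logging on the rule, or the packets never reached pfSense"
    blocked = [e for e in hits if e["action"] == "block"]
    if blocked:
        e = blocked[0]
        return f"blocked on {e['iface']} by rule tracker {e['tracker']}"
    e = hits[0]
    return f"passed on {e['iface']} ({len(hits)} packets): check the host firewall on {target}"

if __name__ == "__main__":
    for host in ("10.10.20.101", "10.10.20.102", "10.10.20.103"):
        print(host, "->", diagnose(SAMPLE_LOG, host))
```

A "passed on the LAN interface" result with no ping reply points at the IoT device rather than the rule set, since the reply comes back through the state created by the pass rule and is not logged separately.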