DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Cannot Access Pi from another Subnet

Sun Nov 27, 2016 7:31 am

I have a Raspberry Pi connected to my pfSense Router at 192.168.1.4
My Laptop is connected to my pfSense Router at 192.168.2.124
I cannot Ping or SSH or otherwise connect to my Pi from my Laptop.
I can, however, Ping my Pi from my Router's built-in Ping utility.
I have these set in iptables-save on the Pi:

Code:

-A INPUT -m iprange --src-range 192.168.3.0-192.168.3.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.2.0-192.168.2.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT

And I have dhcpcd.conf set on the Pi:

Code:

interface eth0
static ip_address=192.168.1.4/24
static routers=192.168.1.1
static domain_servers=192.168.1.1 8.8.8.8

I should also mention that I have a WiFi AP on another Subnet: 192.168.3.2, and I can ping it from my Laptop and from the Router.
Any help/suggestions/ideas/pointers are greatly appreciated!!!

Spit
Posts: 3
Joined: Tue Nov 22, 2016 11:04 pm

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:00 am

What are the subnet masks on each of them?

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:40 am

Each subnet mask is /24

B.Goode
Posts: 10124
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:51 am

Maybe the router does not have a route from 192.168.2.x to 192.168.1.x?

For comparison, how does the Router know how to route from 192.168.2.124 (laptop) to 192.168.3.2 (ap)?

Can you ping the router from the RPi?

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 9:00 am

All the routes on all the subnets are the same: Generic and open.

The "Anti-Lockout Rule" only exists on the Sif LAN; everything else is the same on the two other LANs.

I can't Ping the Router from the RPi because I can't SSH into it :P
I have to pull it off the Lan, plug it into a monitor/keyboard, make changes and pop it back on again, sigh.

I know the Pi is alive and working as it sends me emails. So I know it can't get out onto the Internet.

Spit
Posts: 3
Joined: Tue Nov 22, 2016 11:04 pm

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 9:28 am

Try changing the masks to 255.255.0.0

DougieLawson
Posts: 38821
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 12:03 pm

Spit wrote: Try changing the masks to 255.255.0.0

That isn't valid for a 192.168.xxx.xxx network; too many things are going to assume a /24 mask and it will break.

Use a 172.[16-31].xxx.xxx/16 network or a subnet from the 10.xxx.xxx.xxx/8 private range.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Mon Nov 28, 2016 2:27 am

Yeah, can't really renumber my whole intranet. Thanks for the suggestion anyway.
I'm going to rebuild the Pi with a new/untouched Raspbian Lite image and see if it can be accessed across subnets - probably/hopefully something I've mucked up in the original config.
Thanks.

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Mon Nov 28, 2016 4:12 am

Ok, found the culprit: OpenVPN Client.
If that's running, the Pi won't respond to requests from any other subnet.
When I stop it, I can Ping and SSH into it from anywhere.
So.....
How do I set OpenVPN client to accept requests from other subnets?

Thanks!!

IanS
Posts: 248
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: Cannot Access Pi from another Subnet

Wed Nov 30, 2016 3:31 pm

At a guess you have OpenVPN configured to send any traffic outside the local subnet into the VPN tunnel. This is normally ok, but you have more than just a single subnet in your local environment. You need to look how to exclude a specific network from being tunneled.
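
Added example, not part of any post in this thread: a small longest-prefix-match model of the Pi's routing table, showing why replies to the laptop and AP subnets leave via the tunnel while the on-link router still gets an answer, and how per-subnet bypass routes change that. It assumes the OpenVPN client uses `redirect-gateway def1` (the thread never shows the VPN config); the tables, the `tun0` name and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed routing tables for the Pi at 192.168.1.4 (not taken from the thread).
BASE = [
    ("0.0.0.0/0", "eth0 via 192.168.1.1"),   # "static routers" in dhcpcd.conf
    ("192.168.1.0/24", "eth0 on-link"),      # the Pi's own /24
]
# Assumption: the client uses "redirect-gateway def1", which adds two /1
# routes that together cover all of IPv4 and outrank the default route.
VPN = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]
# What OpenVPN client lines such as
#   route 192.168.2.0 255.255.255.0 net_gateway
# install: more specific routes that keep local subnets off the tunnel.
BYPASS = [
    ("192.168.2.0/24", "eth0 via 192.168.1.1"),
    ("192.168.3.0/24", "eth0 via 192.168.1.1"),
]
PEERS = {"router": "192.168.1.1", "laptop": "192.168.2.124", "ap": "192.168.3.2"}


def next_hop(table, dst):
    """Pick the route the kernel would use: longest matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_paths(table):
    """Where the Pi sends its replies to each peer under a given table."""
    return {name: next_hop(table, ip) for name, ip in PEERS.items()}


if __name__ == "__main__":
    stages = {"VPN down": BASE, "VPN up": BASE + VPN,
              "VPN up + bypass": BASE + VPN + BYPASS}
    for label, table in stages.items():
        print(label, reply_paths(table))
```

On the real Pi, `ip route get 192.168.2.124` with the VPN up shows which interface the kernel actually selects, which confirms or rules out this explanation without touching the iptables rules.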
