DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Cannot Access Pi from another Subnet

Sun Nov 27, 2016 7:31 am

I have a Raspberry Pi connected to my pfSense Router at 192.168.1.4
My Laptop is connected to my pfSense Router at 192.168.2.124
I cannot Ping or SSH or otherwise connect to my Pi from my Laptop.
I can, however, Ping my Pi from my Router's built-in Ping utility.
I have these set in iptables-save on the Pi:

-A INPUT -m iprange --src-range 192.168.3.0-192.168.3.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.2.0-192.168.2.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT

And I have dhcpcd.conf set on the Pi:

interface eth0
static ip_address=192.168.1.4/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1 8.8.8.8

I should also mention that I have a WiFi AP on another Subnet: 192.168.3.2, and I can ping it from my Laptop and from the Router.
Any help/suggestions/ideas/pointers are greatly appreciated!!!

Spit
Posts: 3
Joined: Tue Nov 22, 2016 11:04 pm

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:00 am

What are the subnet masks on each of them?

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:40 am

Each subnet mask is /24

B.Goode
Posts: 9022
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 8:51 am

Maybe the router does not have a route from 192.168.2.x to 192.168.1.x?

For comparison, how does the Router know how to route from 192.168.2.124 (laptop) to 192.168.3.2 (ap)?

Can you ping the router from the RPi?

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 9:00 am

All the routes on all the subnets are the same: Generic and open.

The "Anti-Lockout Rule" only exists on the Sif LAN; everything else is the same on the two other LANs.

I can't Ping the Router from the RPi because I can't SSH into it :P
I have to pull it off the Lan, plug it into a monitor/keyboard, make changes and pop it back on again, sigh.

I know the Pi is alive and working as it sends me emails. So I know it can't get out onto the Internet.

Spit
Posts: 3
Joined: Tue Nov 22, 2016 11:04 pm

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 9:28 am

Try changing the masks to 255.255.0.0

DougieLawson
Posts: 36820
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Cannot Access Pi from another Subnet

Sun Nov 27, 2016 12:03 pm

Spit wrote: Try changing the masks to 255.255.0.0

That isn't valid for a 192.168.xxx.xxx network, too many things are going to assume a /24 mask and it will break.

Use a 172.[16-31].xxx.xxx/16 network or a subnet from the 10.xxx.xxx.xxx/8 private range.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Mon Nov 28, 2016 2:27 am

Yeah, can't really renumber my whole intranet. Thanks for the suggestion anyway.
I'm going to rebuild the Pi with a new/untouched Raspbian Lite image and see if it can be accessed across subnets - probably/hopefully something I've mucked up in the original config.
Thanks.

DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

Re: Cannot Access Pi from another Subnet

Mon Nov 28, 2016 4:12 am

Ok, found the culprit: OpenVPN Client.
If that's running, the Pi won't respond to requests from any other subnet.
When I stop it, I can Ping and SSH into it from anywhere.
So.....
How do I set OpenVPN client to accept requests from other subnets?

Thanks!!

IanS
Posts: 234
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: Cannot Access Pi from another Subnet

Wed Nov 30, 2016 3:31 pm

At a guess you have OpenVPN configured to send any traffic outside the local subnet into the VPN tunnel. This is normally OK, but you have more than just a single subnet in your local environment. You need to look at how to exclude a specific network from being tunneled.
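
Added example (not code from any poster in this thread): a longest-prefix-match lookup over a constructed copy of the Pi's routing table, showing why replies to the router stay on eth0 while replies to the laptop and the WiFi AP go into the tunnel, and how explicit routes for the other local subnets change that. It assumes the client uses `redirect-gateway def1`; the interface name `tun0` and the VPN gateway `10.8.0.1` are made-up values.

```python
import ipaddress

# Constructed routing table for the Pi with the OpenVPN client running.
# Assumption: "redirect-gateway def1" is in effect, which adds two /1 routes
# through the tunnel. tun0 and 10.8.0.1 are made-up values.
VPN_UP = [
    ("0.0.0.0/0", "192.168.1.1", "eth0"),   # default route from dhcpcd.conf
    ("192.168.1.0/24", None, "eth0"),       # the Pi's own on-link subnet
    ("0.0.0.0/1", "10.8.0.1", "tun0"),
    ("128.0.0.0/1", "10.8.0.1", "tun0"),
]

# Same table plus explicit routes for the other local subnets via the pfSense
# router. In an OpenVPN client config, a line such as
# "route 192.168.2.0 255.255.255.0 net_gateway" installs a route of this kind.
VPN_UP_WITH_EXCLUDES = VPN_UP + [
    ("192.168.2.0/24", "192.168.1.1", "eth0"),
    ("192.168.3.0/24", "192.168.1.1", "eth0"),
]


def lookup(table, dst):
    """Return (interface, next_hop) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def reply_paths(table):
    """Interface the Pi uses to answer each host mentioned in the thread."""
    hosts = {"router": "192.168.1.1", "laptop": "192.168.2.124", "wifi_ap": "192.168.3.2"}
    return {name: lookup(table, ip)[0] for name, ip in hosts.items()}


if __name__ == "__main__":
    for label, table in (("VPN up", VPN_UP), ("VPN up + excludes", VPN_UP_WITH_EXCLUDES)):
        print(label, reply_paths(table))
```

With the extra routes, only the local subnets bypass the tunnel; any other destination still matches a /1 route and leaves via tun0.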
