VLAN won't communicate with LAN

DjJoakim

@bingo600 No, i am not changing the goal - this is exacly what i was trying to explain in my main post, i only used the WIFI example for johnpoz response, since the wifi wasn't forced out of any gateway. (Since he said the problem was becouse of that on FAST interface)
Anyway, i am sorry for the confusion - not having english as my first language sometimes makes everything 10x harder aswell. I will try and explain exacly what's my plan is:
(Ignore all that PoolVPN for now, since that's "quirks")

I have 3 VLAN networks.
VLAN30 (FAST) 172.18.0.1
VLAN40 (EJFAST) 172.19.0.1
VLAN60 (WIFI) 10.0.0.1

And then there is my LAN network 192.168.1.1

So all devices placed under VLAN30 and VLAN40 must be forced through different VPN Clients, they can not leak into my orignal WAN.
Everything so far seems to work, all devices i place under VLAN30 can access internet fine, but i can't access them thought my PC that's placed in LAN.
(Some devices that will be in VLAN30 have webui witch i need to access from my PC, that's why i need to access some of the IP adresses)

Now, when i have changed some of the settings (see pic below) i can ping my PC (192.168.1.103) from one device on FAST (172.18.0.124), but i can't ping 172.18.0.124 from my pc (192.168.1.103).
So somehow, i managed to get it working one way, but not the other way back.. And i can't figure out what i have done wrong.

Thanks

bingo600

@djjoakim

The config you showed above , ought to work for LAN <--> FAST.
Have you tried to reboot the firewall , or "Clear the states" ?

And it seems you haven't enabled loggong on all the "deny" lines , that can be super helpfull during debugging an issue like this.

DjJoakim

@bingo600 Yes i just did that, and still dosen't work..
I have also tried to make the same rules for WIFI, just to be sure there was nothing wrong with the device on FAST that i tried to ping, but the problem remains - i can ping LAN but i can't ping the VLAN..
Edit: Hmmm.. Now i can access FAST from WIFI (VLAN60), but i can't reach WIFI from FAST, So, in this equation the problem is on the other way.
LAN - FAST Can't ping
FAST - LAN Can ping
FAST - WIFI Can't ping
WIFI - FAST Can ping

Sorry, i have now enabled the logging for those.

Thanks

bingo600

@djjoakim

What can you ping from Lan (your 192.168.1.103)

Can you ping 192.168.1.1
Can you ping 10.0.0.1
Can you ping 172.18.0.1

How does your RFC1918 definition look

/Bingo

DjJoakim

@bingo600 Hmm, strange.
I did an edit on my last post, i tried to "reduce" the issue so i tried the same thing on my other vlan, WIFI. And when i did that, the problem is on the other way. From WIFI i can reach FAST, but from FAST i can't reach WIFI, something is really strange here.

To answer you'r question, from my PC (LAN) i can only ping 192.168.1.1, it dosen't respond on anything else. (While on my WIFI, i can ping 172.18.0.1, 172.19.0.1, 192.168.1.1, and the same on FAST)
Sorry, i am not trying to confuse the situation by starting to talk about the WIFI vlan, i just think it's strange that the problem is on the other way around there.

Anyways, here is my RFC1918

DjJoakim

Hmm okey, well - forget about that WIFI connection, i used my brain and figured out that it probably had something with windows firewall to do, said and done - when i turn off the firewall on that WIFI device, i can reach it from FAST - so clearly it was something wrong at that side.
So, since everything works with the firewall settings in that VLAN, it seems like there is something really wrong with my LAN, and maybe not PFsense fault...

bingo600

@djjoakim

That RFC1918 rule is outright "Sick" .....

RFC1918 should be defined like this.

Dammm

DjJoakim

@bingo600 I followed this "guide" https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
Isn't it how i should do it?

DjJoakim

@bingo600 Ooops.. Well, fixed now

bingo600

@djjoakim

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 I followed this "guide" https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
Isn't it how i should do it?

Yes but do as they write

Can i see your RFC1819 rule now please

DjJoakim

@bingo600 Yeah sorry, i am new to this.. one step at a time

bingo600

@djjoakim

Would work ...

But please don't call it RFC1918

Call it LOCAL_LANS or something

RFC1918 is

DjJoakim

@bingo600 Yep, changed it... I saw RFC1918 was on the "WAN" rule, so i didn't wan't to confuse it, so now it's called Local_lan.

bingo600

@djjoakim

The guy making this RFC1918 Alias should be .......

I'm 90% sure that every "professional" in here would expect a RFC1918 alias to contain :

bingo600

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 Yep, changed it... I saw RFC1918 was on the "WAN" rule, so i didn't wan't to confuse it, so now it's called Local_lan.

If it's used on the WAN
Did you remember to change it back to the hosts it contained , not the networks you made.

bingo600

@bingo600

How is your pfSense behaving now , with pings etc ....
Should behave as expected now ....

DjJoakim

@bingo600 When i mean't i saw it on WAN, i mean't this. This is nothing i have put there.

Yes, well.. something else is wrong in my setup, i just realised, it's not related to PFsense. Bc now with my WIFI unit, i can reach FAST, and from FAST i can reach my WIFI.
But, from FAST i can reach LAN and from LAN i can't reach FAST, so the problem lays in my PC, i just need to figure out where it is...

bingo600

@djjoakim
Ah ... That alias is a pfSense internal , no worries.
But the home made RFC1918 Alias , not being the full range ....

I'd try to reboot the firewall first , before ripping the PC apart.
Real reboot , not just clear states.

bingo600

@bingo600

A Tip of Experience....
Move your lan away from 192.168.1.0/24
Move your WiFi away from 10.0.0.0/24

They are always used , and might "Bite your ..." if/when you have to run a VPN to a buddy , that also uses those two

And why have you used a network from each of the 3 RFC1918 ranges ??
Why haven't you used all your internal nets in the same range ...

Ie.

10.42.0.0/16 = Home Lan

10.42.1.0/24 = Lan
10.42.64.0/24 = WiFi
10.42.128.0/24 = Fast
10.42.129.0/24 = EJFast

etc ......

Er du norsk ?

DjJoakim

@bingo600 Alright, thanks.

Yeah well since i am very new to this, i have watched alot of youtube guides, and a friend of mine who is somehow better at this then me, has helped alot aswell.
But yeah, i understand how you mean - that do sound better.. I will figure out why my PC won't communicate with the other subnets and then i will re-do my ip adresses in my firewall.
I think the problem maybe something wrong in my switch..

Since you seem to be alot better at this then me, can you just confirm this settings(?) I think i have done it like netgate site says it should be done, i have set Do not create rules when gateway is down in the settings. My goal here is that if my vpn client goes down, the devices connected to it can't leak into my regular WAN.

Inte norsk, men väldigt nära granne... ;)