LAN routing to VLANS

michmoor · Dec 6, 2022, 8:49 PM

My first question/point is help in getting the 10.10.x.x networks to route correctly again.

Route to what exactly?

Is your 7100 going to be the default gateway for all of your VLANs?
For policy routing with NordVPN review this video. Its for PIA but the steps are the same. https://www.youtube.com/watch?v=TglViu6ctWE

SteveITS · Dec 6, 2022, 8:54 PM

help in getting the 10.10.x.x networks to route correctly again

pfSense will handle the routing for its own interfaces, as long as it is the gateway for each. For the VLAN1-3 interfaces you'll need to add firewall rules to allow traffic out, e.g. "VLAN1 Net to any" would allow to the Internet, pfSense, and other VLANs.

Malicair · Dec 6, 2022, 9:22 PM

@malicair Apparently I need to clarify a bit more on the configuration. The 7100 is functioning as the firewall and primary router to my site. Behind the 7100 is another switch (EX435) that is the Gateway for the internal networks. All internal 10.x.x.x networks are hosted on it. The 10.x.x.x network traffic that is on the EX435 switch is leaving that switch destined for the internet and through the 7100 but is unable to complete a connection. It may be the 7100 is not routing or NAT'ing the traffic out or simply not returning the traffic back.

Once again, my skills are rusty and I'm a complete "newb" to the PFSense software, so I'll need a bit more help in managing the interfaces and getting the changes applied properly.

viragomann · Dec 6, 2022, 9:34 PM

@malicair
Why don't you terminate all the VLANs on pfSense?

In your setup pfSense doesn't know the VLANs, because they are attached to the switch.
I assume, the switch does not nat the upstream traffic. So you have to add outbound NAT rules on pfSense for them.
Firewall > NAT > outbound.

Set it into the hybrid mode first.
Then add a rule to WAN interface for the source of 10.0.0.0/28, destination any, translation interface address.

michmoor · Dec 6, 2022, 9:36 PM

@malicair said in LAN routing to VLANS:

It may be the 7100 is not routing or NAT'ing the traffic out or simply not returning the traffic back.

Thanks for adding more color to your issue.

Do you have an outbound NAT policy on your 7100 to NAT those 10.X networks?
2.Do you have a firewall policy that permits traffic from your 10 nets to go out to the internet?
3.What do you see in the Status>System Logs>Firewall view on the 7100. Any blocks or passes for your 10 networks
Does the 7100 have a route to the 10.X networks that are located on teh EX435 switch?

Malicair · Dec 6, 2022, 9:59 PM

@michmoor said in LAN routing to VLANS:

Do you have an outbound NAT policy on your 7100 to NAT those 10.X networks?
(Malicair: NO, apparently I do need these...)

Do you have a firewall policy that permits traffic from your 10 nets to go out to the internet?
(Malicair: NO, apparently I do need these...)

What do you see in the Status>System Logs>Firewall view on the 7100. Any blocks or passes for your 10 networks
(Malicair: Yes I am seeing WAN and LAN blocks on all 10.x traffic.)

Does the 7100 have a route to the 10.X networks that are located on teh EX435 switch?
(Malicair: Yes, I built a default gateway for the LAN Switch of 192.168.50.2 and assigned a route of: Destination 10.10.0.0/16 to the 192.168.50.2 gateway.)

Can you help me out in getting these NAT and policies set?

Malicair · Dec 6, 2022, 10:01 PM

@viragomann I appreciate that thought. It had briefly crossed my mind but for expansion purposes and I have a ton more familiarity with that equipment and the CLI interface those are way easier for me to manage.

michmoor · Dec 6, 2022, 10:10 PM

@malicair The netgate documentation is really great in getting you set up with creating outbound NAT rules along with Firewall rules.

Worse case if this is for your business I would recommend https://www.netgate.com/support?

viragomann · Dec 6, 2022, 10:25 PM

@viragomann said in LAN routing to VLANS:

Firewall > NAT > outbound.
Set it into the hybrid mode first.
Then add a rule to WAN interface for the source of 10.0.0.0/28, destination any, translation interface address.

Is that really to hard to follow?

Again:

Enable the hybrid mode.
Add a rule:
interface: WAN
protocol: any
source: network - 10.0.0.0/28
destination: any
translation: interface address

There is no need for multiple rules. This one covers all your VLANs, expect that one that should go out to the VPN.
You will need a similar rule for the VNP network, but on the VPN interface. I assume, it is described in the video linked above.

A static route is only needed for inbound traffic. As I understand your requirements, this is not desired.
And if, you can also do it with a single route using the network I stated in the outbound NAT rule.

michmoor · Dec 6, 2022, 10:37 PM

@viragomann I think the static will be needed for return traffic when the 10 nets go out to the internet. Assuming he has a routed link between his switch and the 7100.

viragomann · Dec 6, 2022, 10:41 PM

@michmoor
Ok. I was assuming, that his L3 switch has set the pfSense LAN as default gateway and hence route all upstream traffic to it.
As I understood, he had a similar setup with a dumb router before. So the switch setup should already have worked in the past.

michmoor · Dec 6, 2022, 10:43 PM

@viragomann OP can chime in on that. I took it as the switch had a default route to the PFsense but the PFsense would need to know where to route to those 10nets on the way back.

viragomann · Dec 6, 2022, 10:46 PM

@michmoor
Ah yes, you're absolutely right. The route is needed pointing to the switch, of course.

Malicair · Dec 6, 2022, 10:51 PM

@viragomann @michmoor
Hey guys, appreciate you both stepping in to help me.
Viragomann, sorry for not catching before the NAT outbound you suggested.

Yes, the EX435 Switch and other equipment behind it worked perfectly before with the ASUS providing the routing between the WAN and the EX435. Yes I am aware I am doing a double NAT. With the network hardware on the 192.168.50.0 network and my clients connecting to one of the VLANS that are 10.x.x.x.

The Asus was a pretty simple setup but it has one fatal flaw in that it's only copper and an electrical spike killed one of those boxes already and luckily I had a spare that I put in it's place. So hence replacing it with this 7100 that has a fiber connection from the DMARC so I can avoid any electrical spikes in the future.

As I had replied to michmoor earlier I created a LAN gateway of 192.168.50.2 and setup a route for destination addresses of 10.10.x.x to that GW. Do I need this? all net traffic that I am doing currently is originating from internal and I don't want random external traffic onto my network obviously.

Virgomann, Did you have a typo when you suggested an outbound rule of 10.0.0.0/28? Wouldn't it be a 10.0.0.0/8 ? I did create that rule but it didn't get me anywhere from a 10x client.

viragomann · Dec 6, 2022, 11:00 PM

@malicair said in LAN routing to VLANS:

Virgomann, Did you have a typo when you suggested an outbound rule of 10.0.0.0/28? Wouldn't it be a 10.0.0.0/8 ? I did create that rule but it didn't get me anywhere from a 10x client.

Yes, it should be 10.10.0.0/28. It's late here...

Yes I am aware I am doing a double NAT.

We were not assuming this.
This would mean, that your switch translates the source IP in upstream packets into 192.168.50.2?

In this case you would neither need the manual outbound NAT rule, nor the static route. Because pfSense would only see 192.168.50.2 and there should be an automatic outbound NAT rule for the LAN subnet anyway.

Malicair · Dec 6, 2022, 11:04 PM

@viragomann
On my EX435 switch I have a static route to 192.168.50.1 which "was" the ASUS router and is now the 7100. So I believe it is simply putting the 10.x traffic directly onto the 7100 which it knows nothing about. (note: I'm stretching my brain here...)

viragomann · Dec 6, 2022, 11:22 PM

@malicair
The route on pfSense for the 10.10.x would not impair the functionality even if it was not needed. Neither the outbound NAT rules did. In this case, pfSense would never get a packet for 10.10.x.

However, you should know if your switch does nat.
If you default route on the switch is pointing to pfSense, packets should get directed to it.
So you could run a packet capture on pfSense LAN while you try to access an internet resource from a VLAN to see, what's going on.

Malicair · Dec 6, 2022, 11:30 PM

@viragomann
The 7100 is seeing 10.x traffic.

Here is the results of a LAN packet capture:
18:28:16.793704 IP 10.10.8.12.29620 > 8.8.4.4.53: UDP, length 32
18:28:17.952164 IP 10.10.10.11.49268 > 8.8.8.8.53: UDP, length 59
18:28:17.952415 IP 10.10.10.11.64554 > 40.97.190.2.443: tcp 31
18:28:17.952794 IP 10.10.10.11.52456 > 8.8.8.8.53: UDP, length 59
18:28:17.952800 IP 10.10.10.11.63862 > 8.8.8.8.53: UDP, length 37
18:28:17.952807 IP 10.10.10.11.58518 > 8.8.8.8.53: UDP, length 37
18:28:20.972454 IP 10.10.10.11.64554 > 40.97.190.2.443: tcp 31

And here is results from the firewall:
Dec 6 18:27:17 LAN Default deny rule IPv4 (1000000103) 10.10.10.11 17.253.5.202 ICMP
Dec 6 18:27:20 LAN Default deny rule IPv4 (1000000103) 10.10.8.11:47105 8.8.4.4:53 UDP

viragomann · Dec 6, 2022, 11:53 PM

@malicair
I see. Obviously pfSense doesn’t pass the packets.
You need a rule on LAN to allow it.
By default pfSense automatically creates a rule only for the LAN subnet. But 10.10.x.x lies outside of this.

Additionally you need the route and outbound NAT rule as mentioned above.

Malicair · Dec 7, 2022, 12:10 AM

@viragomann

I created a LAN gateway of 192.168.50.2 and setup a route for destination addresses of 10.10.x.x to that GW. Is this sufficient?