VLANS on private subnet being able access Internet
-
Hello,
I have the following network illustrated in the attached file. My question is this, As you can see from the network diagram, I have a network comprising of two private networks that are connected together by a dedicated wan. The Morrisville network has 10 vlans located off the Morrisville switch. I am using the Morrisville router to do inter-vlan routing. On the Morrisville Cisco router, I have a link to the pfSense box. What I wish to be able to do is allow clients connected to a vlan to be able to access the Internet. The WAN interface of pfsense has an IP supplied by DHCP. I am able to ping the external public IP address of pfsense from the Morrisville outer, but when I try to ping the same address from a client on a Morrisville vlan,the packets get dropped at the Morrisville router. I have tried setting up static routes on the router, even gateway of last resort to get public IP addresses to go out the correct port on the Morrisville Router to goto the Internet. I feel that it is something simple on the router that i am missing to make this work properly. I think that NAT is configured properly on pfsense as like I said i am able to ping Google's IP from the Morrisville router and get back a response. I am also able to ping the dmz interface from a client on a vlan. Would appreciate it very much if anyone has any ideas on how o solve this, have been trying for a week to get this work and trying different things.
Thank you for anyones help
![network picture.PNG](/public/imported_attachments/1/network picture.PNG)
![network picture.PNG_thumb](/public/imported_attachments/1/network picture.PNG_thumb) -
Do you have static routes in pfSense for the Morrisville network or is pfSense participating in RIPv2?
Check the routing table in pfSense under Diagnostics > Routes to see if pfSense sees the network.Also, the default allow rule on the LAN interface only allows traffic from the LAN subnet. If you change the source from LAN subnet to 172.16.0.0/16, that should cover all of the traffic from the inside.
If the pings are successful from the Cisco router, it appears to have the correct routing table. If there aren't any ACLs on the router blocking traffic, the problem is likely that pfSense is dropping the traffic or it doesn't know the correct place to send the returning traffic.
-
Thanks! That seemed to work (I'm a member of the group also)
Adding the 172.16.0.0/16 allows us to ping the external interface on the pfSense computer but we can't get out to anything past that
-
Ok, to clarify the last post, we can now ping the outside interface on the pfsense box that is connected to the Internet from a client on a vlan off the Morrisville switch. But, we still are unable to ping past the the outside interface to ping Googles IP address or any other public IP. We are pretty sure it is a firewall rule we are missing, but not sure what it should be. Currently we have allow any any all rules on the WAN interface, but that is not working. Any help would be greatly appreciated.
-
The LAN is where the allow rule for that traffic would need to be. That is because the traffic arrives on that interface. Just set an allow from 172.16.0.0/16 to any on the LAN interface rules. However, if you can ping all of the way to the outside interface, that probably isn't the problem.
Please go Firewall > NAT > Outbound and change it to manual outbound NAT and click Save. Then edit the automatically created rule and change the source to 172.16.0.0/16.
This will make sure that pfSense is performing network address translation on those devices that aren't directly connected to one of the pfSense networks. -
blak111, Thank you so very much for all your help :) You suggestion worked for us and we are now able to access the Internet from a host off our Morrisville VLAN. We plan on putting together a little wiki on how we setup our pfsense to make it work and hope it might help someone in the future with a similar setup, and will credit you for your help.
-
Thanks. :)