Netgate Discussion Forum

    Direct all traffic from VLAN to another host

    General pfSense Questions · 5 Posts · 2 Posters · 1.6k Views
    shiversc

      Hi,

      I have a multi-SSID access point. One SSID is for my colleagues' notebooks.
      All traffic from this SSID gets tagged with a VLAN, and the clients can reach the pfSense and other networks.

      So far so good.

      Now I need a rule or a static route, because I want to direct all traffic with this VLAN tag to another host (gateway).

      What can i do?

    phil.davis

        If that VLAN has its own subnet on the pfSense, then you will know the IP addresses on that VLAN, e.g. 192.168.12.0/24.
        Add the gateway on whatever interface it is on.
        Add a firewall rule to the VLAN interface directing source 192.168.12.0/24, destination any, to the Gateway (down in Advanced Features of Firewall Rules).
        Maybe it is not that simple: maybe you have a subnet bridged between VLANs or something. In that case it is trickier to know which IP address goes with which VLAN.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

    shiversc

          Yes, the VLAN has its own subnet. In my case:

          net:        10.0.30.0/24
          default-gw: 10.0.30.1

          The alternate gateway in my test environment is 10.0.30.2.

          So is this right?
          http://picload.org/image/dwwipwd/gw-vlan.png

    phil.davis

            Yes, that should work, but since the other gateway is in the same subnet as the clients and access point, the router will end up sending redirects back to the client, letting it know that the gateway is directly reachable by the client (e.g. client 10.0.30.111 can talk directly to 10.0.30.2, and the gateway router at 10.0.30.2 will talk directly back to the client, bypassing pfSense). That should all happen OK.
            I guess that on this wireless AP the clients are all getting IP addresses from DHCP on pfSense. Another easy way to redirect them in this case is to put the gateway address in the DHCP Server config (and maybe also put it in as a DNS Server, if 10.0.30.2 provides DNS and you also want the clients on that VLAN to use 10.0.30.2 for DNS).
            Then there is no need for a firewall rule, and the clients will go straight to 10.0.30.2 without even having to send initial packets to pfSense at 10.0.30.1.


    shiversc

              Okay, I understand.

              Yesterday I tried to set the gateway via DHCP, with success. But what about clients that have their IP configured manually?
              I think I will block all other traffic to 10.0.30.1 with simple firewall rules and still set the gateway via DHCP.

              Do you think this is a secure way for my networks?

              Later, after testing in my test environment, I want to send the DHCP information through my MS TMG (DHCP relay) from my internal DHCP server for the DHCP discover of the WLAN clients. The tagged traffic gets routed through the TMG in my internal network. The MS TMG checks for trustworthiness (AD membership).

              Do you think this is a secure way to connect the WLAN clients to my internal networks? To join the WLAN, the clients use WPA2 with RADIUS authentication (MS Windows Server NPS/NAP with AD integration).

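Editor's note, added example (not code from the thread or from pfSense): pfSense emits the rules on an interface tab with `quick`, so the first matching rule wins and anything unmatched hits the default deny. The toy evaluator below models that first-match behaviour with the thread's addresses (VLAN 10.0.30.0/24, pfSense at 10.0.30.1, alternate gateway 10.0.30.2) so the two ideas raised above can be checked together: phil.davis's policy-routing rule catches a manually configured client just as it catches a DHCP client, because it matches on the source subnet rather than on what DHCP handed out, and shiversc's "block everything else to 10.0.30.1" rule only works if it sits above the policy-routing rule. The `Rule`/`Packet` shapes, the DNS exception and the sample packets are constructed assumptions, not pf syntax or pfSense internals.

```python
# Added example: toy first-match model of a pfSense VLAN interface tab.
# Addresses follow the forum thread; rule/packet shapes are simplified assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # source network (CIDR)
    dst: str                       # destination network (CIDR); "0.0.0.0/0" = any
    proto: Optional[str] = None    # "tcp"/"udp"/"icmp", None = any protocol
    dport: Optional[int] = None    # destination port, None = any port
    gateway: Optional[str] = None  # pfSense "Gateway" advanced option (pf route-to next hop)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match the packet on source, destination, protocol and port?"""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule wins (pfSense generates user rules with 'quick').
    Returns (action, next_hop); next_hop is None when the packet follows the
    normal routing table. No match at all means the interface default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.gateway
    return "block", None


VLAN_NET = "10.0.30.0/24"
PFSENSE = "10.0.30.1/32"
ALT_GW = "10.0.30.2"

# Rule order as a practitioner would lay it out on the VLAN tab (assumed layout):
#   1. keep DNS to pfSense reachable (assumes pfSense is still the resolver handed out by DHCP)
#   2. block everything else aimed at pfSense's own VLAN address (shiversc's plan)
#   3. policy-route all remaining VLAN traffic to the alternate gateway (phil.davis's rule)
VLAN_RULES = [
    Rule("pass", VLAN_NET, PFSENSE, proto="udp", dport=53),
    Rule("block", VLAN_NET, PFSENSE),
    Rule("pass", VLAN_NET, "0.0.0.0/0", gateway=ALT_GW),
]

# Same three rules with the policy-routing rule moved to the top: the block rule can never fire.
SHADOWED_RULES = [VLAN_RULES[2], VLAN_RULES[0], VLAN_RULES[1]]


def next_hop_for(rules: List[Rule], src: str, dst: str,
                 proto: str = "tcp", dport: int = 443) -> Tuple[str, Optional[str]]:
    """Convenience wrapper: build a packet and evaluate it against the rule list."""
    return evaluate(rules, Packet(src, dst, proto, dport))


if __name__ == "__main__":
    # Constructed traffic samples; 203.0.113.10 is a documentation-range stand-in for the Internet.
    print("dhcp client to internet  :", next_hop_for(VLAN_RULES, "10.0.30.111", "203.0.113.10"))
    print("static client to internet:", next_hop_for(VLAN_RULES, "10.0.30.200", "203.0.113.10"))
    print("static client to webGUI  :", next_hop_for(VLAN_RULES, "10.0.30.200", "10.0.30.1"))
    print("static client DNS        :", next_hop_for(VLAN_RULES, "10.0.30.200", "10.0.30.1", "udp", 53))
    print("wrong order, to webGUI   :", next_hop_for(SHADOWED_RULES, "10.0.30.200", "10.0.30.1"))
```

The two "to internet" lines return the same result for the DHCP-assigned and the manually configured client, which is the point of doing the redirection with a firewall rule rather than relying on the DHCP router option alone; the last line shows that with the policy-routing rule on top the attempt to reach 10.0.30.1 is never blocked in this model.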
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.