Pfsense 2.1 lan subnets problem
-
Now I think I understand. The VLAN switch is a layer 3 device and is doing the routing between your VLANs. The switch should have the pfSense LAN IP as its upstream gateway.
You should not put the VLAN switch IP as an actual gateway on the pfSense LAN interface (doing that will make pfSense think the gateway is a possible route to the internet). Just have the gateway defined in System->Routing. Then add a Static Route to 10.1.0.0/16 through the VLAN switch IP. (It should be OK to specify 10.1.0.0/16 even though part of that is directly-connected LAN - pfSense will still deliver packets directly to the LAN subnet)
Now pfSense will know to send packets for the rest of 10.1.0.0/16 to the VLAN switch IP address, and the VLAN switch routing software will deliver them to the correct VLAN subnet.
The reverse traffic will come into pfSense from the VLAN switch routing, and you already have a pass rule on LAN to permit that.
Note: I think the Traffic Graph now displays only the IP addresses of devices on locally-connected subnets, so you might see the overall traffic, but not see all the individual IP addresses of clients in the VLANs displayed in the table. -
OK you NEVER create a gateway on a LAN - or pfsense thinks its WAN interface and would do nat on it, etc.
So what handles your local traffic? Your switch? This is where the gateways are for your local traffic? Does not seem like you have any vlans or even vlan tags running? Since there are only 2 tabs in your firewall, if you were tagging 29 some vlans you would see those tabs for the vlan interfaces.
So this close to how your setup?
Where you have a Layer 3 switch or some other router in your lan that handles routing your local traffic? You could then use a segment of your network that connects to pfsense. But I really wouldn't put any other devices on this segment - and it really should be a transient sort of network and I would personally would use a network outside of your 192.168 address space so you could make your route entries simple..
So in this setup where 192.168.1.0/24 is the leg to your pfsense.
Pfsense would have rules on its lan to allow 192.168.0.0/16 to the internet, etc.
It would then have it its route table entries for all the different 192.168.? networks your using to talk to your other routing device say a L3 Switch, which would have interfaces in all your different segments.This is how you would do it!! Or atleast a common way to skin the cat.. I don't see anywhere what you have posted any sort of vlan tagging at all.
If you draw out your network - I am sure we an fix it up for you ;)
edit: Seems I used 192.168 in my example - my bad.. I could redraw with your 10 address space, but should be simple enough to get the layout no matter what rfc1918 space being used on the local network.
-
yes this example draw like a my network sistem.
i said already, i only created vlans on switch and i connect to internet pfsense 2.0; but client don't connect with pfsense 2.1.
when i configured firewall local leg 10.1.1.1/16 i only connect internet on vlan 1.
-
I don't know how else to explain it to you dude.. Your NOT using vlans - are you tagging traffic?? I don't see it in pfsense, where do you have these tags setup in pfsense for it to understand?
You don't seem to grasp basic routing?? Or maybe its something in translation?
In my drawing if the route to 192.168.2.0/24 which is IP 192.168.1.1 on the L3 switch from pfsense 192.168.1.0/24 network with ip of 192.168.1.254, I can not tell pfsense that he is locally connected to 192.168.0.0/16 on his lan interface and expect him to send traffic to the switch to get to 192.168.2.0/24
-
I tested out VLANs with pfsense 2.1 and am getting weird things with my VLANs.
http://forum.pfsense.org/index.php/topic,70222.0.html
I'm not a network guru but have Vyatta working right now with my setup. Tested VLANs with isc-dhcp-server with Centos, Debian, and Ubuntu with success. Got packetfence VLAN management working.
Something doesn't seem right with the VLANs with pfsense.
-
You didn't setup any vlans in pfsense from what I can tell - that is what is wrong with it ;)
Draw your network out - since clearly we are loosing something in translation..
There is a difference between a network segment and vlan.. You only have 1 interface on pfsense - where are these vlans??
And no shit you would have to do manual NAT, since you only have 1 segment connected that pfsense knows about.. So why would it know how to nat other network segments unless you TELL IT!!
If you created the vlans or network on pfsense and it knew about these networks, then automatic nat would work.
Draw your network! And we can work through fixing it - from what I can tell its must be a complete cluster, unless we are just not connecting because of translation??
-
Hi again;
you asked me' where is the vlan on pfsense?'. but i said to you. i had already use pfsense without vlan previous version and i did not changed anything on pfsense, when i upgraded it.but this version not working. i have used pfsense in 6 location for 3 years. -
I have a network just like this - a Firebox (happens to be running pfSense) doing layer 3 routing internally. My ordinary LAN (called ICO in the screenshots) does not have a gateway set on the Interfaces screen. The gateway is just defined in System->Gateways and used as the target of a static route to the 10.99.0.0/16 network, which is split up in various pieces on LANs behind that Firebox. There are rule/s on LAN (ICO) that permit traffic from 10.99.0.0/16.
See the screenshots, ask more questions and, if you still have problems, describe how things are setup now and exactly what does not work.
-
^ exactly!!!
Which is what I showed in my drawing with 191.168 address space..
Not sure what part you don't get about stepping on routes with local masks..
Can you post up your route table.. How do you get to these other network segments of yours? You DON'T put gateways on the pfsense interfaces unless it is a WAN interface..
-
hi again.i added another location firewall lan and routing config.this firewall version is pfsense 2.0. this location network map same to pfsense 2.1 location.the pfsense working good here.but i know when i upgrade the pfsense, this config will not working
-
Your screenshots are not the way it was intended to be done. Maybe 2.0 allowed this and somehow it worked, I don't know, it has been so long since I used 2.0. I assume in this example:
a) The local LAN is not really "/8" - maybe the local LAN subnet is just "10.2.1.254/24"
b) There are other subnets available behind the router at 10.2.1.2 - that router might be a VLAN switch with L3 routing software also and lots of VLANs, or an ordinary router with lots of NICs or… The router hardware/firmware does not matter.For 2.1 (and it should work like this in 2.0 also):
- Change the "Gateway" setting on Interfaces->LAN to none.
- Leave LANGW defined in System->Routing (and make sure that WANGW is marked as the default)
- Add Static Routes to the networks behind 10.2.1.2, with gateway=LANGW.
Make sure that Firewall-Rules-LAN has rules to permit traffic from (source) the subnets behind 10.2.1.2.
If you get it working like this on 2.0 then it should upgrade to 2.1 with no trouble.
