Traffic blocked between LAN and vlan interfaces
-
I have 1 physical LAN interface and 3 VLAN interfaces:
LAN
vlan2
vlan3
vlan4

Traffic from vlan4 is not able to ping any devices on the LAN interface.
Rules in place:
LAN
IPv4 * LAN net * * * SA_Gateway_Group none Default allow LAN to any rule
vlan4
IPv4 * AGENTWIFI_V4 net * * * SA_Gateway_Group none Allow All
There are no deny rules.
AGENTWIFI_V4 is using a captive portal, but after a successful login to the captive portal users are still unable to access IPs on the LAN subnet. They can ping the LAN gateway.
LAN 192.168.7.1/24
vlan4

LAN interface (vr0)
Status up
MAC address 00:0d:b9:31:6b:d0
IPv4 address 192.168.7.1
Subnet mask IPv4 255.255.255.0
IPv6 Link Local fe80::20d:b9ff:fe31:6bd0%vr0
Media 100baseTX <full-duplex>
In/out packets 4215974/4763915 (906.03 MB/4.38 GB)
In/out packets (pass) 4215974/4763915 (906.03 MB/4.38 GB)
In/out packets (block) 3253/39 (273 KB/5 KB)
In/out errors 0/0
Collisions 0

AGENTWIFI_V4 interface (vr0_vlan4)
Status up
MAC address 00:0d:b9:31:6b:d0
IPv4 address 192.168.27.1
Subnet mask IPv4 255.255.255.0
IPv6 Link Local fe80::20d:b9ff:fe31:6bd0%vr0_vlan4
Media 100baseTX <full-duplex>
In/out packets 492031/672604 (244.01 MB/653.45 MB)
In/out packets (pass) 492031/672604 (244.01 MB/653.45 MB)
In/out packets (block) 77/0 (9 KB/0 bytes)
In/out errors 0/0
Collisions 0

Routing table:
Destination Gateway Flags Refs Use Mtu Netif
127.0.0.1 link#7 UH 0 21262 16384 lo0
192.168.7.0/24 link#1 U 0 4790952 1500 vr0
192.168.7.1 link#1 UHS 0 0 16384 lo0
192.168.26.0/24 link#9 U 0 0 1500 vr0_vlan3
192.168.26.1 link#9 UHS 0 0 16384 lo0
192.168.27.0/24 link#10 U 0 673113 1500 vr0_vlan4
192.168.27.1 link#10 UHS 0 0 16384 lo0
192.168.28.0/24 link#8 U 0 411241 1500 vr0_vlan2
192.168.28.1 link#8 UHS 0 0 16384 lo0
-
You need rules above your gateway groups to allow the traffic between local segments, so pfSense can use its own routing table. If you put a gateway on a rule, it cannot use that.
So if you have multi-WAN as I assume, and you have a gateway group you use, above those rules you need to create rules that DON'T USE a gateway to allow traffic between your local segments.
-
You mean add the following rules? This is above the rule with the gateway group:
LAN interface rule
IPv4 * LAN net * AGENTWIFI_V4 net * * none LAN to vlan4 (Using Default)
vlan4 interface rule
IPv4 * AGENTWIFI_V4 net * LAN net * * none vlan4 to LAN
-
Yes, that should work.
Anything you push into a gateway group will be forced out whatever is the highest-tier available gateway(s) in the group, regardless of the fact that its destination might be right there on a local LAN.
-
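To make that first-match behaviour concrete, here is an added Python model (not pfSense's own code) that evaluates the vlan4 ruleset from this thread with and without the gateway-less local rule; the aliases are mapped to the subnets shown on the interface status page above, and the sample hosts are constructed.

```python
import ipaddress

# Constructed model of pfSense first-match rule evaluation; not pfSense's own code.
# Aliases from the thread, mapped to the subnets shown on the interface status page.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.7.0/24"),
    "AGENTWIFI_V4 net": ipaddress.ip_network("192.168.27.0/24"),
}

# Rule tuples follow the columns of the thread's rule rows:
# (source, destination, gateway, description). "*" means "any" for an address
# field and "default (system routing table)" for the gateway field.
ORIGINAL_VLAN4 = [
    ("AGENTWIFI_V4 net", "*", "SA_Gateway_Group", "Allow All"),
]
FIXED_VLAN4 = [
    ("AGENTWIFI_V4 net", "LAN net", "*", "vlan4 to LAN"),
    ("AGENTWIFI_V4 net", "*", "SA_Gateway_Group", "Allow All"),
]

def _matches(field, addr):
    """'*' matches any address; a named alias matches if addr lies inside its subnet."""
    return field == "*" or ipaddress.ip_address(addr) in NETS[field]

def evaluate(rules, src, dst):
    """Return (description, gateway) of the first rule matching src -> dst.
    No match means the implicit default deny, returned as (None, None)."""
    for src_net, dst_net, gateway, description in rules:
        if _matches(src_net, src) and _matches(dst_net, dst):
            return description, gateway
    return None, None

def policy_routed(rules, src, dst):
    """True when the matching rule pins a gateway: the packet is then handed to that
    gateway group instead of the routing table, so a local-VLAN destination is still
    pushed out the WAN and never reaches the LAN host."""
    _, gateway = evaluate(rules, src, dst)
    return gateway not in (None, "*")

if __name__ == "__main__":
    wifi_host, lan_host = "192.168.27.50", "192.168.7.20"  # constructed sample hosts
    for name, rules in (("original", ORIGINAL_VLAN4), ("fixed", FIXED_VLAN4)):
        desc, gw = evaluate(rules, wifi_host, lan_host)
        print(f"{name}: matched {desc!r} gateway={gw} "
              f"policy-routed={policy_routed(rules, wifi_host, lan_host)}")
```

Existing states are not modelled: a connection already matched under the old rule keeps its gateway until its state is cleared, which is why a rule change like this only takes effect for new or reset states.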
Still not able to ping. :o When physically connected to LAN, no problem accessing devices.
LAN Interface Rules
IPv4 * LAN net * AGENTWIFI_V4 net * * none LAN to vlan4 (Using Default)
IPv4 * LAN net * * * SA_Gateway_Group none Allow LAN to any rule
vlan4 Interface Rules
IPv4 * AGENTWIFI_V4 net * LAN net * * none vlan4 to LAN (Using Default)
IPv4 * AGENTWIFI_V4 net * * * SA_Gateway_Group none Allow All
-
Did you clear states after applying changes? That looks like it should work.
-
Also make sure that the host you're trying to ping doesn't have its own firewall blocking ping.
-
I also think it overly complicates things to have tagged and untagged VLAN traffic on the same physical interface. You might have to do something special in your switch to allow it.
I would create a VLAN for the LAN interface, assign it, make it tagged on the switchport and leave the untagged interface (vr0) unassigned to any pfSense interface.
ETA: But if DHCP and pings to the gateway work properly on LAN and AGENTWIFI_V4 then this is likely not your problem.
-
Yeah, it was the states! Once that cleared up, everything was OK with the newly added rules. Luckily it does not affect IPsec. I do not have to create special rules for the interfaces going to IPsec tunnels.
Thanks guys!