VLAN works only one direction?
-
It's not a bug, dude.
Draw a diagram.
Post your rules and interface configs.
Rules:
Floating:
IPv4 TCP * * This Firewall 80 (HTTP) * none
IPv4 TCP * * This Firewall 443 (HTTPS) * none
IPv4 * NO_GAIA_hosts * * * OPT2_WAN2_GW none
IPv4 * NO_GAIA_networks * * * OPT2_WAN2_GW noneOther interfaces:
All allow.VLAN8 interface config:
There is nothing set more than IP 192.168.2.1 and gateway 192.168.2.2
-
Instead of posting what you think you've done, post what you've actually done.
If you really have pass any any any rules on the VLAN interface it would be working. That or you need to bypass policy routing for something.
I'll ask again for a diagram.
Why are you messing around with floating rules? What interfaces are they on in what direction?
-
Instead of posting what you think you've done, post what you've actually done.
If you really have pass any any any rules on the VLAN interface it would be working. That or you need to bypass policy routing for something.
I'll ask again for a diagram.
Why are you messing around with floating rules? What interfaces are they on in what direction?
What you mean about "diagram"? Do you want to say that "floating rules" are in beta testing and actually dont work? Rules in interface tabs there are only one rule in every interface tab and this rule allows all traffic, any direction, any protocol. Floating rules apply for every interface and processed prior other rules (I have set quick option). Two fires rules allow connection to pfsense. Two last rule direct some computers traffic (source) to WAN2 (destination). As I understand I dont need rule for pinging from pfsense to local subnet directly connected to pfsense. Altough I tested also to explicitly put rule from pfsense to vlan8 subnet but it wasnt changed nothing.
-
Floating rules work fine if you've configured them correctly.
Good luck.
-
Floating rules work fine if you've configured them correctly.
Good luck.
How is "correctly" to be able to ping from pfsense ping tool to computer directly connected to pfsense interface?
-
You are not giving me the information I am asking for to help you find what you have configured wrong so good luck. Maybe someone else's crystal ball is working.
-
You are not giving me the information I am asking for to help you find what you have configured wrong so good luck. Maybe someone else's crystal ball is working.
What information you want? Also, I disabled last two rules temporarily but still no ping.
-
A diagram of your network including all gateways and downstream routers.
Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules. For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.
If not screen captures then a detailed listing of all fields on the rule config screens.
Look at the diagram in my signature if you need to know what information is necessary to properly help you.
My pfsense dont route only local subnets but also subnets behind other routers
We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.
-
A diagram of your network including all gateways and downstream routers.
Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules. For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.
If not screen captures then a detailed listing of all fields on the rule config screens.
Look at the diagram in my signature if you need to know what information is necessary to properly help you.
My pfsense dont route only local subnets but also subnets behind other routers
We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.
This diagram is big work and I myself dont have complete powerpoint or paint about it made, only free painted picture in piece of paper. But I think this is not important because rules dont have any meaning when I want to ping locally connected computer. I think the problem is in pfsense VLAN communication with my L2 switch or VMWare Workstation. Altough before pfsense there, in the same place was Mikrotik virtualmachine and I was able to ping. In VMWare host I have also always removed VLAN support from network cards - when there is support for VLANs, then Windows removes tags, but if its disable, it dont. And with Mikrotik it worked, so its must not problem with network cards configuration.
-
Okay. Good luck. If it's too much work for you it's certainly too much work for me.
-
A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.
I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.
-
@cmb:
A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.
I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.
No, I disabled those policy-routing rules, I have no rules now, it dont change noting, still cant ping. Policy routing in pfsense dont force ping reply to other interface, because in pfsense policy routing is statefull. This was the most reason why I installed pfsense. This is unique. Previously I had Mikrotik. In Mikrotik and in all other firewalls policy routing is always stateless, and I have tested many fiewalls.
The "reply-to" is also unique, to revert back to the interface where packets enter pfsense. This is because FreeBSD is more powerful than Linux. It just gives such extra features and possibilities. Most firewalls are Linux based and lack those possibilities. So, pfsense have very good potential to become good or even one of the best enterprise firewall. But you dont have normal documentation and it contains now too much bugs for enterprise work. This VLAN problem is BUG!!! I had there Mikrotik before and was not ping problem. This on VLAN stuff. Also I find out that captive portal dont work and was problem with switching off state checking (to switching firewall into stateless mode wasnt possible - rules just dont worked). Those are all bugs and you cant fix them in this way, hoping only to forum where nobodi dont care. You must test this software yourselt or hire someone tester. …..Those bugs are not very catastrophy and I still proceed using pfsense, altough traffic lack into VLAN is little frustrating but most important functionality that Im interested are working (especially statefull policy routing and reply-to). -
This VLAN problem is BUG!!!
That's a hard statement. VLAN = layer 2, from what you describe I would tend to think this is a Layer 3 issue.
What about scanning that hand-made drawing? That will be the key to get better support, make people understand your setup.
Also, did you traceroute your paths? Some output from the issue would be nice. (you can insert images here) -
This VLAN problem is BUG!!!
That's a hard statement. VLAN = layer 2, from what you describe I would tend to think this is a Layer 3 issue.
What about scanning that hand-made drawing? That will be the key to get better support, make people understand your setup.
Also, did you traceroute your paths? Some output from the issue would be nice. (you can insert images here)Seems that Im the first user who tested pinging VLAN.
-
Yeah, definitely…@magnifico:
Seems that Im the first user who tested pinging VLAN.
Yeah, definitely… ;D ::)
-
Yeah, definitely…@magnifico:
Seems that Im the first user who tested pinging VLAN.
Yeah, definitely… ;D ::)
This is not funny, I talk seriously. Usually some commercial company says thankx for that and fix the problem. This was happened before in reality. This is exactly the reason why freeware have so much bugs. Because they dont care and dont test software before release. Some companies even never give beta versions to public….. I say what is needed to do - just install pfsense, set up VLAN into some interface and ping it....that all, no more chemistry needed.
-
Yeah. It is extremely funny. Instead of wasting time with similar ridiculous claims, you could have produces the repeatedly requested network diagram about 10 times already.
-
You ping an IP, not a VLAN. At best, you ping the SVI (which belongs to the VLAN) on your L3 switch, or an IF on pfSense.
Look, your setup seems… complex to understand by description.
Do yourself a favor, get that paper scanned, or take a photo of it. Or work on it in excel or something similar.
Keep it simple though, blocks with ranges, devices (with ip's an cidr), gateways. Shouldn't be that hard, and can serve for other things than just this topic.IMHO that will be way more productive, and might give the people here the opportunity to help you out. (bug, design or config issue)
-
And while at it, kindly post the rest of the requested info as well…
-
Yeah. It is extremely funny. Instead of wasting time with similar ridiculous claims, you could have produces the repeatedly requested network diagram about 10 times already.
You dont need this diagram, you are not able anyway to fix this bug. To ask diagram for such simple bug only shows your uncompetency.
Only hope is when some developer sees this thread and she/he knows what to do and fix the bug, without any diagram. I searched internet and sees lots of forums where problems arise related to VLANs.