VLAN works only one direction?
-
diag, traceroute and then post output.. JFC dude that is a lot of work for what is clearly a bug in pfsense use of vlans.. Just search the internet and see how many problems you get with vlans.. ;) ROFL….
Agree ;D nearly fell of my chair when I read your post.
Anyhow, it's an intrguing design with enough routers to keep one busy. I've read this for the fifth time or so trying to see the picture (he's refusing to draw ::) ):
They are all LANs, 5 interfaces, all equals, for LAN subnet communication. When I dont set gateway, then I cant use policy routing, but pfsense is set up exactly only for LAN subnet policy based routing (source and destination important in routing decision). Also when I dont have set up gateways, then traffic dont come back into the same interface as it enters pfsense. My pfsense dont route only local subnets but also subnets behind other routers….........To internet I have 2 subnets before final routers, 192.168.3.0 and 192.168.10.0. Policy must choose gateway depending on source IP. For LANs I have 3 subnets 192.168.2.0 192.168.1.0 and 192.168.4.0 Between pfsense and computers I have more routers. Some 192.168.12.0 subnet computers reach pfsense through 192.168.1.0 subnet and some through 192.168.2.0 subnet. Usual routing table is unable to choose interface because they are all 192.168.12.0 subnet computers, going to internet through different LANs and different WANs.
And now I'm in doubt my request for traceroute is going to bring anything usefull. I also fail to see why he thinks it's a vlan issue, this is clearly routing stuff. And not even sure one can accomplish what he wants by using pfSense?
Maybe we should ask for a drawing ;)
-
-
@doktornotor: Where do you keep finding them ;D Hilarious…
Lan interfaces would not have gateway.. What do you think is the next hop??
Well… Not always true :o
If it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed.
So the next hop for the LAN could the SVI of the vlan (on the L3 switch), and that is not on pfSense (but the subnets are known by pfSense (System:Routing:Routes). And so on.One thing is true however. You cannot ping the vlan ;D ;D (sorry, couldn't help myself 8))
So magnifico, how about a drawing?
--edit: cleaned up, removed non relevant info--
-
Problem is resolved, thanks all for help and still never undervalue bugs. There are still lots of bugs. Captive portal example dont work but no problem, I use Kerio portal, its better stuff….The problem with ping wasn in WiFi router, there was firmware upgrade before......And also before I noticed that switching off state and making double rules for both direction wasnt worked in first try, but this is also not very important, usually I like to use statefull mode....Pfsense is good, but it can be even better when developers write documentation, test it more and then it can be usable also for enterprises. So, good luck and thank you all, I hope I can now configure it myself in a while.
-
Captive portal example dont work but no problem, I use Kerio portal, its better stuff….The problem with ping wasn in WiFi router, there was firmware upgrade before......
Because your wifi router should NOT be routing, as I already told you. It should be set up as a dumbed-down AP with no DHCP, no firewall, pretty much everything turned off, and connected via LAN to a switch.
-
So your "bug" was actually the config in another device and you still blame pfSense, the pfSense Developers, and pfSense documentation. Nice.
Is there a bug in pfSense VLANs? Inquiring minds want to know.
-
The problem with ping wasn in WiFi router, there was firmware upgrade before…..
Right. No vlan bug?? :o
Oh well… Good thing is you didn't had to make a drawing... ::) -
The problem with ping wasn in WiFi router, there was firmware upgrade before…..
Right. No vlan bug?? :o
Oh well… Good thing is you didn't had to make a drawing... ::)Yes, there wasnt needed drawing.
-
"f it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed."
That would not be a "gateway" that would be a ROUTE you set to the specific network.. When you add a gateway to an interface it becomes a WAN interface..
-
"f it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed."
That would not be a "gateway" that would be a ROUTE you set to the specific network.. When you add a gateway to an interface it becomes a WAN interface..
No, it doent become WAN interface. What is exactly "WAN" interface? What is WAN? Do you mean Internet? No, I example dont have any internet in pFsense, Internet is long-long away from pFsense, there is only LAN, bottomless LAN with no edge….....In pfsense wiki (altough its no any documentation, its crap) I was readed that when I want to use policy routing, then I must put gateway address into interface where this gateway locates. First I tried without this, not worked, then readed about that and then worked. Second rule is when you want use reply-to, then rule must be set in interface tab, not floating tab. Of course all those requirements are only bad GUI implementation. Not at all all peole know this without first experiment and read about it. Its just big mess and not at all good practice to make administration interface. Those requirements are stupid, all this can be mede automatic and no more mess, forums questions and misunderstandings. ...p.s. Switch are usually L2, not L3
-
there is only LAN, bottomless LAN with no edge….....
Pretty much explains it. Thanks for wasting everyone's time and no need to come back any time soon.
P.S. The WAN is the interface with default GW. You cannot have a pfSense box without one. ::)
-
there is only LAN, bottomless LAN with no edge….....
Pretty much explains it. Thanks for wasting everyone's time and no need to come back any time soon.
Or you mean "WAN" not Internet but instead outbound-destination direction related to connection state. So, this should be bad restriction when router can work only one direction.
-
RTFM. Ktnxbye.
-
Or you mean "WAN" not Internet but instead outbound-destination direction related to connection state. So, this should be bad restriction when router can work only one direction.
WAN equals Wide Area Network. LAN = Local Area Network. Basic terminology, if you are doing such stuff with pfSense that should not be a secret to you. Not going into detail here, google it if it is not clear.
That would not be a "gateway" that would be a ROUTE you set to the specific network..
I disagree, a LAN can also have a gateway. You call it a route, fine. In pfSense, that is anyway a gateway. And then you need routes for each subnet or supernet. Without defining that as a gateway, where do you think pfSense is going to send its data to when it needs to answer on receives packets from other subnets? It is also the key for using PBR, or at least to my knowledge.
But if you know different ways of doing this with pfSense, please enlighten (or correct) me, always open to learn new things ;) -
gateways should, imho, never be used for known networks …. then you use routes (even if you have to add a lot / or use a routing protocol to handle them)
pbr (ie policy based routing) is not even required when dealing with plain routes as pfSense doesn't support multiple routes towards the same destination. you can failover when using a routing protocol.
the only reason where you would want to mess with gateways for "known networks' is when you'd want to loadbalance .... but honestly http is almost the only protocol that doen't give issue's with loadbalancing, everything else fails miserably (including https/smb/ftp/....)
-
gateways should, imho, never be used for known networks …. then you use routes (even if you have to add a lot / or use a routing protocol to handle them)
pbr (ie policy based routing) is not even required when dealing with plain routes as pfSense doesn't support multiple routes towards the same destination. you can failover when using a routing protocol.
the only reason where you would want to mess with gateways for "known networks' is when you'd want to loadbalance .... but honestly http is almost the only protocol that doen't give issue's with loadbalancing, everything else fails miserably (including https/smb/ftp/....)
Loadbalance is completely different story. Yes gateways are always needed when you make policy routing. This is not "default gateway", its just also route like other routes in table, but difference is in that in routing table you can set only destination but in policy routing you can also filter by source and ports. Its more accurate, dynamic. Default gateways are anyway only one, regardless how much gateways you set in interfaces. Default gateways are more than one only when you set gateway group. This is for loadbalance. Settings in pfsense are little confusing. Example in new R77 CheckPoint there is also policy routing, but you can set in policy route rule any IP as gateway and for every rule any IP as gateweay. I dont know why in pfsense there is only one gateway for interface. Maybe in next version there is different story. Also policy routings are completely different types. In CheckPoint and in most firewalls policy routes are all stateless. In pfsense they are statefull. This is that so called "reply-to", to remember where to route reply packets. This is very good and powerful feature, thanks to FreeBSD. But should be nice when pfsense example in next version put also stateless policy routing rules additionally to stateful rules. As more features than more powerful and nice software to compete with rivals. Never know when you need some feature. And also must note that usula routing table is also stateless stuff. This is also reason why to use pfsense policy routing instead of routing table.
-
Loadbalance is completely different story. Yes gateways are always needed when you make policy routing. This is not "default gateway", its just also route like other routes in table, but difference is in that in routing table you can set only destination but in policy routing you can also filter by source and ports. Its more accurate, dynamic. Default gateways are anyway only one, regardless how much gateways you set in interfaces. Default gateways are more than one only when you set gateway group.
what? why? when? how? wth?
it seems to me everyone has been helpful and giving you pointers …. yet you appear to know everything better and don't wish to accept any advice that gets thrown your way.
fine ... enjoy your stay
-
gateways should, imho, never be used for known networks …. then you use routes (even if you have to add a lot / or use a routing protocol to handle them)
Ok, I guess here is the clue. Totally agree, when it is a known network you don't want a gateway.
But (it might not been have clear all the time) I am talking about addressing networks not direclty known to pfSense. Without gateway, there is no routing possible towards those networks? Wetter you do this by static or routing protocol, you need a gateway.
You go and try to add a route in pfSense. (System:Routing:Routes)
There are 2 mandatory entries, I'll leave it open for discovery for every reader of this topic what those are.pbr (ie policy based routing) is not even required when dealing with plain routes as pfSense doesn't support multiple routes towards the same destination. you can failover when using a routing protocol.
No going to step in here about the need, IMHO that is outside the scope of the topic. I don't even understand what his setup is or what he's trying to acomplish (gave up after a while)…
the only reason where you would want to mess with gateways for "known networks' is when you'd want to loadbalance …. but honestly http is almost the only protocol that doen't give issue's with loadbalancing, everything else fails miserably (including https/smb/ftp/....)
Is that so? Haven't needed it up-to now, but seems good to know. Tnx for sharing…
