Netgate Discussion Forum

    Isolating VLANs

    General pfSense Questions
    jakecharmanuk

      Hi,

      I have a very annoying problem that I'm struggling to troubleshoot even after reading multiple posts on multiple forums.

      I'm trying to learn VLANs by creating an isolated guest VLAN which can access only the Internet. I've created this VLAN (VLAN40) on my switch and also VLAN10 for trusted devices. In these VLANs, I have the client ports untagged with their PVIDs set to the correct VLAN. The port connecting to the physical LAN port of the pfSense box is set as a tagged port in both VLANs.

      My firewall rules are set on each interface (trusted and untrusted) and are set to block any to the subnet of the other VLAN and allow anything else.

      I've tried many firewall configs but all seem to allow traffic between the VLANs. Even a single rule blocking everything. I'm fairly sure it's pfSense doing the routing as disconnecting the pfSense machine seems to stop traffic flowing between the VLANs.

      Thanks in advance.
      Jake

      kpa

        How about you post screenshots of your rules? It's very easy for you to say that your rules are supposed to do this and that but we have only your word for it.

        jakecharmanuk

          Thanks for your reply,

          Screenshots of my rules are attached.

          ![untrusted rules.PNG](/public/imported_attachments/1/untrusted rules.PNG)
          ![trusted rules.PNG](/public/imported_attachments/1/trusted rules.PNG)

          phil.davis

            Those rules look reasonable.

            Do you have anything on the Floating rules tab?

            Do a traceroute from a client on TRUSTED to a client on UNTRUSTED and vice versa to see what hops the packets are going through. That might give a clue about what is not connected/routed as expected.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            jakecharmanuk

              This is actually one of the weirder parts of the issue; I had thought of this myself.

              When using ping or tracert in Windows to test between VLANs, I get "Request timed out". However, I can still access the pfSense web interface using either IP from both VLANs, and I can access my WAP in the TRUSTED network from the UNTRUSTED network.

              jakecharmanuk

                Okay, I found what was screwing me up…

                Whilst thinking about something completely different, I realised I had Squid Proxy Server running in pfSense.

                Turning off Squid fixed the issue. I'll have to try and reconfigure that for VLANs later when I have more time.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.