Problems with Firewall and VLANs
-
Setup:
________ / \ |Internet| \________/ | | +–---+ | WAN | | |DSL Router | LAN | +-----+ | | +-----+ | WAN | | |pfSense | LAN | +-----+ | +---------+---------+ |VLAN1 |VLAN2 |VLAN3 | | | +-----+ +-----+ +-----+ | LAN | | LAN | | LAN | | | | | | | +-----+ +-----+ +-----+ PC1 PC2 PC3
DSL Router:
WAN: ISP assigned IP
LAN: 192.168.178.1/24pfSense:
WAN: 192.168.178.100/24 (DHCP)
LAN: 192.168.0.1/24 (NOT USED)
VLAN1: 192.168.10.1/24
VLAN2: 192.168.20.1/24
VLAN3: 192.168.30.1/24PC1:
LAN: 192.168.10.100/24 (DHCP)PC2:
LAN: 192.168.20.100/24 (DHCP)PC3:
LAN: 192.168.30.100/24 (DHCP)Firewall rules:
VLAN1 interface:
PASS: IPv4; src VLAN1 net; dest VLAN1 address
PASS: IPv4; src VLAN1 net; dest WAN netWithout the first rule devices on the vlan couldn't even access the pfsense interface. But mysteriously they got an IP from it. I don't understand why.
The second rule should allow devices in the VLAN1 to access the internet but it doesn't work.
I can ping the pfsense interface on 192.168.10.1 and I can also ping the router on 192.168.178.1 but I can't ping 8.8.8.8.The only way I found so far to access the internet from VLAN1 is by allowing "src VLAN1 net; dest ANY" which is not what I want. The VLANs should be able to access each other.
How can I fix this?
This is a simplyfied setup. In reality I have a managed Switch on the pfSense LAN Port which is connected to the PCs. It converts the tagged VLANs on the Port which connects the switch with the pfSense to untagged VLANs on the switch ports to the PCs So that the PCs don't need to setup any VLANs.
-
WAN net is the network defined on pfSense WAN interface. To get internet access you need to set the destination to any, of course.
If you want to block access to other internal subnets, best practise is to define an alias containing all RFC 1918 networks (you should only use RFC 1918 internal) and use this alias in a block rule on the top of the interface rule-set.
Consider that this rule will also block access to the firewall itself and to the router. To allow that, set a pass-rule for it on the top of the rule-set. -
Can you put your DSL router into modem mode, you'll have a double NAT occuring currently.
-
"But mysteriously they got an IP from it. I don't understand why."
Because when you enable dhcp server on an interface, pfsense creates the firewall rules that allow that to work. If they didn't many users just wouldn't be able to get it working at all ;) Since they wouldn't know what rules to create to allow for dhcp, etc.
As stated wan net is just that - the wan net so in your case 192.168.178/24 – The internet is just that ANY.. well pretty much that..
Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.
create allow rules to what you need for clients to do on pfsense vlan interface. Ping maybe, dns most likely, ntp maybe... If you wanted you could do vlan net as source and vlan address as dest for any any rule.. Then all clients in that vlan could talk to any port or protocol on the vlan IP of pfsense.
You could then block rfc1918 space, or create specific rules blocking your different vlans, then at the bottom allow vlan net any.. To allow internet access.
-
Thx for the help guys. My setup seems to work fine now. I even removed the double NAT by setting the pfSense as an exposed hosts. Sadly I can't tell the ISP router to just be a dump modem.