DUAL WAN - vlan problem
-
I have an pfsense box connected to two different ISP. I created an routing group and configured wan1 as tier 1 and wan2 as tier2.
I configured the default lan firewall rule to use the routing group and wan fail over is working fine.
sinds i changed the lan default firewall rule to use the routing groep the devices in different vlan's cannot connect the devices in the different vlan's. Only the devices in their own vlan.
can you help me with this?
-
Put a rule above your forced gateway rule that allows access to your vlan(s).
-
like this?
-
yeah as long as you only want tcp and there is nothing above that blocking it sure that would work. Normally I use the source network vs any... But yeah that would do it.
-
when i change the gateway from default to the failover routing group i cannot ping from the lan network to the vlan43 network. also not with the rule i just applied.
-
well no your not going to ping with that rule - like I already stated if you only want to allow tcp, then that rule will work - ping would be icmp ;)
if you want to ping, then allow icmp in another rule - or change that rule that allows access to vlan to allow any protocol
-
omg, that I have not seen that.
i changed it and indead adding this rule solves it. i only do not understand why i have to add this rule. why is the default rule not covering this? -
Because your forcing traffic out your wan.. Your wan doesn't get you to your vlan only out your wan. When you force gateways like that, or a groupwan, etc. Then you have to allow a rule that lets the normal routing of the router work.
Rules are evaluated top down, first rule to trigger wins, no other rule are evaluated.
https://www.netgate.com/docs/pfsense/routing/bypassing-policy-routing.html
-
what is the difference than when default gateway is connected? and is there an other way to make fail over working?
anyway great thx for helping me out!
-
Using failover, you do have to call out the group in the firewall rule. So yes if you want to allow traffic to your local vlans and not go out the specific gateway this is how its done.
Its gone over here
https://www.netgate.com/docs/pfsense/routing/multi-wan.htmlAnd in the book with more detail - everyone now has access to the book... I would suggest you take a look ;)
https://www.netgate.com/docs/pfsense/book/multiwan/index.html
