VLAN IP to LAN IP - Not pinging

johnpoz

Why do you say this??

default Gateway Linux Server)

Do you have a gateway set on the lan interface?

slkamath

Thank you once again.

Default Gateway is Linux Server because if i give pfsense ip as default gateway then all users will get internet (even after proxy not enable), and they can access all the sites. few users only send mails no internet, few users mails & few internet sites like government sites.

So i given Linux Server ip as Gateway, then default internet will not work. if proxy configured then only it will work. (any better solution please let me know)

In LAN interface I have not given any Gateway info, but in Routing - Gateways - i have added this Linux Server Ip Address. Please find the below picture for your reference.

LAN Interface
0_1535689168675_LAN Config.png

Routing - Gateways

Lokesh Kamath

slkamath

@johnpoz
Thank you very much. I selected Gateway for LAN Interface and it started pinging.

IT IS WORKING.

Once again Thank you very much. Very much appreciated.

Also please let me know how to close this thread.

Lokesh Kamath

johnpoz

@slkamath said in VLAN IP to LAN IP - Not pinging:

In LAN interface I have not given any Gateway info,

YOU SHOULDN'T!!!! If you give it a gateway you just created a WAN, and would be natting too it..

Seems you got a mess.. Please draw up this network.. You have a downstream network from this LAN to get to your vlans??? What is at 192.192.0.1?? When pfsense IP address in lan is 192.192.0.3

slkamath

@johnpoz

Ohhh Ok.
Thanks.

We have upstream & downstream network from LAN to VLAN.

Initially 192.192.0.1 was Gateway with squid proxy (due to some issues squid stopped working.) If we give this IP as gateway then users can not access internet. If i give PFSENSE ip address in gateway all users can use Internet. So in pfsense box i given 192.192.0.1 a gateway.

All the users have mail access but only few have internet access. in that few have full internet access & few have restricted access.

Network diagram (very poor diagram, please excuse)
0_1535733633647_network diagram.png

Lokesh Kamath

johnpoz

Yeah that is an asymmetrical mess.. Is this 180.x.x.x actually yours, your isp gave you this address space or its it like your 192.192 where you just used public space you picked out of the blue sky?

That needs to be fixed dude... Why do you have the 2 firewalls? If you want to use 2 firewalls then you should connect them with a transit network between So that your lan and other vlans can talking to each other without being asymmetrical.

Is this 180 network routed to you? I am not quite understanding the ISP 214.x.x.x and then lan of 180.x.x.x do you have devices on this 180 network or just your firewall/routers connected to it?

Please explain this 180 network and be happy to draw up diagram of how this should be connected.

slkamath

@johnpoz
Thank you very much.

Dear John,

WAN PORT of ISP is - 214.XXX.XXX.153 & Gateway - 214.XXX.XXX.154
LAN PORT of ISP is - 180.XXX.XXX.XXX - Gateway - 180.XXX.XXX.33 (only 6 IP Address included)
COMPANY LAN is - 192.192.0.1 / 24
VLAN1 - Finance - 192.168.20.1 / 24
VLAN2 - Marketing - 192.168.30.1 / 24
VLAN3 - Purchase - 192.168.40.1 / 24
VLAN4 - Moulding - 192.168.50.1 / 24
VLAN5 - Purchase - 192.168.60.1 / 24

WAN Port of ISP from L3 Switch - 214.Gateway (Configured here by ISP) in L3 Switch connected to System with 2 NW Cards (Ubuntu Server)

Ubuntu Server
1st NW Card - 214.XXX.XXX.XXX
2nd NW Card - 180.XXX.XXX.XXX - (Only IP Address & Subnet Mask Configured, NO Gateway. This is ISP LAN Gateway)

From 2nd NW Card connected to L2 Switch

From L2 Switch 2 Servers (1 Ubuntu Server, 1 PFSENSE Server)

UBUNTU Server
1st NW Card - 180.XXX.XXX.XXX & ISP LAN Gateway
2nd NW Card
IP Address -192.192.0.1
Subnet Mask - 255.255.255.0
No Gateway Configured for 2nd NW Card

PFSENSE - 10LAN Cards - 1000Mbps
1st NW Card - 180.XXX.XXX.XXX & ISP LAN Gateway
2nd NW Card - 192.192.0.3, Subnet Mask - 255.255.255.0
VLAN's
3rd NW Card - 192.168.20.1
4th NW Card - 192.168.30.1
5th NW Card - 192.168.40.1
6th NW Card - 192.168.50.1
7th NW Card - 192.168.60.1
8th NW Card - Empty
9th NW Card - Empty
10th NW Card - Empty

70 Client Systems are there and in that 20 Windows & 50 Ubuntu.

Please find the Network Diagram of the same (if anything wrong please suggest).

0_1535779747828_Network Diagram.png

Lokesh Kamath

johnpoz

So 180 is routed to you, and your using your wan for your ubuntu router your calling server.. If its routing - its routing!! If you have clients using it as gateway then you have asymmetrical problem.. When they want to talk to vlans

In your drawing What are these loops suppose to represent exactly??

So connect your 2 routers via a transit network - lets call it 172.16/30

Now you do not have asymmetrical.. Router on left says to get to that 192.192 talk to router on right 172.16.0.2... Route on right that says hey want to talk to vlans on left talk to router on left 172.16.0.1

BTW - FIX that 192.192 - that is NOT yours and PUBLIC... Use RFC1918!!!

slkamath

@johnpoz
Thanks John.

I created the drawing using jNetMap software.

when i am adding interface it shows like that. Firewall means RED right so may be it shows RED and other shows green.

I will try based on your suggestion. Will let you know by tuesday. Sure I will change the 192.192 series.

Thanks once again.

Lokesh Kamath

slkamath

@johnpoz said in VLAN IP to LAN IP - Not pinging:

So 180 is routed to you, and your using your wan for your ubuntu router your calling server.. If its routing - its routing!! If you have clients using it as gateway then you have asymmetrical problem.. When they want to talk to vlans

In your drawing What are these loops suppose to represent exactly??

So connect your 2 routers via a transit network - lets call it 172.16/30

Now you do not have asymmetrical.. Router on left says to get to that 192.192 talk to router on right 172.16.0.2... Route on right that says hey want to talk to vlans on left talk to router on left 172.16.0.1

BTW - FIX that 192.192 - that is NOT yours and PUBLIC... Use RFC1918!!!

Dear John,

How can i configure as per your diagram? Please suggest.

My Requirements

I want to place 1 Server pfsense and other I want to remove. Everything has to work through pfsense. Also I dont want to give full internet access to all. Only 5 users has to get full internet access and rest users has to get internet via SQUID. So Please guide me.

Thank you once again.

Lokesh Kamath

jvelez88

@slkamath I guess your problem is that you only allow TCP / UDP traffic and not ICMP, maybe you could allow ANY....

slkamath

@jvelez88
Thank you.

With that my issue is not solving. I tried that already.

Lokesh Kamath

slkamath

@johnpoz
Dear John,

Thank you. My issue solved.

I got confused and made everyone confuse.

WAN- 203 Series
LAN - 192 Series (192.192. series will change in few days to 192.168.) Currently Windows DC is running in that 192.192 series. So will change in few days.

Please find the below link.
https://forum.netgate.com/topic/134674/how-to-configure-3-ip-s-internet-restriction/20

Big Thanks to you John. No words to express my gratitude.

Lokesh Kamath