Routing between interfaces (LAN, VLAN)
-
You do understand that lan net to vlan170 net is pretty pointless right.. Since below it you have a any any rule..
So you lan has downstream networks on it? With that allow 192.168.30/24 rule?
What about your other vlans - they are all having this problem?
You sure lan trying to talk to vlan172 is just not an IP listed in restricted?
Your saying that client on vlan172, has internet but can not ping pfsense Lan IP 192.168.1.1?
-
Routes:
default MyISPAddress
192.168.1.0/24 link#4 U igb3
192.168.1.1 link#4 UHS lo0
192.168.172.0/24 link#13 U igb3.172
192.168.172.1 link#13 UHS lo0 -
Yes, I understand that there some useless rules for now but there were some blocking rules which I deleted for testing purposes.
RestrictedIPs list contains only 2 hosts .1.31 and .1.87.
All the VLANs have the same problem. -
maybe play with offloading?
<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO> -
These are all vlans on the same parent interface?
What is your esxi switch settings? Did you set the vlan id to 4095 so it doesn't strip tags? Why do you not just create new vnics for your pfsense vm so there are no tags in pfsense and do the tags on esxi via port groups on your vswitch?
What version of esxi are you running?
-
ESXi 5.5.
It has vlan id 172 currently. Before I set 4096 but I need to set vlan id inside a VM to 172.
The behaviour is the same. -
4096? For the vswitch to not strip tags its 4095.. Not sure where you got that?
Does 5.5 list support for freebsd 11? You should really be running current 6.7
I ran pfsense on esxi for many many years.. I have since moved away from it when I updated the old hardware I was running 6.5 on to just a synology nas and using their VM manager for my VM needs..
If your going to set vlans in pfsense then the vswitch should be 4095.. Then connection on your phy switch vlans would be tagged.. Except for your native vlan if using that - looks like igb3 is your lan.. which is untagged (native).
Then in your switch your devices ports would be untagged in the vlan you want those devices in..
You need to decide if you want pfsense to handle the tags or esxi.. If pfsense then vswitch would be 4095 and pfsense would see the tags..
If want to let esxi to do the vlans then you would create port groups with the tags and connect new vmnics in pfsense to these different port groups.
If internet is working, and your not sending out a gateway something is very strange.. why internet would work but not other networks directly attached to pfsense.. Are you using a proxy on pfsense?
I would sniff on pfsense to validate that your tagged traffic gets there still tagged.. And then reply is sent with tag as well to your switch.. A correct setup with vlans being done on pfsense your vswitch vlan ID would need to be set to 4095.
-
My PFSense is on the Supermicro platform.
VM is on the ESXi. -
So your pfsense is physical... Then what are you trying to do with esxi put vms on different vlans?
Please draw up how you have everything connected... Do a simple sniff of traffic... If you client can get to pfsense and to the internet then it can get to pfsense IPs on its other interfaces. Unless you block it with a rule..
-
I found the cause :).
It was IPSEC. I took wide network range 192.168.0.0/16 so all the traffic goes there.
Thanks for your help. -
Zero mention of IPsec in your OP.. Just saying..
-
C cpohle referenced this topic on
