Allow traffic between VLANs
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.
As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actual capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.
That's because there's nothing hooked up to that VLAN right this second. There was earlier when I was testing. I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
-
Are you actually using VLAN tagging?
-
-
Can devices on your VLANs access the internet and their own gateway address?
-
@chpalmer said in Allow traffic between VLANs:
Can devices on your VLANs access the internet and their own gateway address?
Yes
-
@kingrazor said in Allow traffic between VLANs:
I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
If they can reach the Internet with a wide open any rule, and if there is no additional blockind rule created by you it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.
-
Just a heads up.. Im in an establishment with a really bright background so please forgive me if I ask something that is obvious above.. :)
-
What subnets are you working with??
Nothing overlapping is there?
-
@chpalmer said in Allow traffic between VLANs:
What subnets are you working with??
Nothing overlapping is there?
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1and so on
-
@kingrazor said in Allow traffic between VLANs:
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1You're missing half the information there. Is it /8 /12 /24 whatever.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
If they can reach the Internet with a wide open any rule, and if there is no additional blockind rule created by you it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1You're missing half the information there. Is it /8 /12 /24 whatever.
VLAN 1 is 10.0.0.1/24
VLAN 2 is 10.0.2.1/24
VLAN 3 is 10.0.3.1/24and so on
-
@kingrazor said in Allow traffic between VLANs:
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
No it does not. Next time test with a serious OS.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
No it does not. Next time test with a serious OS.
Oh brother. I'm not going to bother installing an OS that none of my clients will ever use.
-
Windows will treat any out of subnet address as public
unless told otherwise..And Im striking that last comment as Im not sure you can make it treat anything out of its own subnet as a private network.. Others will know better than I..
-
Yep, Windows firewall was the problem. Apparently even allowing ping on public network connections wasn't enough.
So now on each interface I have an allow any rule at the bottom and block/reject rules above that to restrict traffic across VLANs (except where we want it)
