Unable to access Internet from virtual network
-
I would suggest you read up on VLANs and tagging. A VLAN only needs to be created if there is going to be a TAG to interpret.. When you put the VLAN ID on a vswitch it will place that tag going to the physical world for traffic coming from the VM side.. And for traffic coming from the physical side it will hand off traffic tagged with that TAG to the devices connected to that port group/vswitch without the tag...
So no traffic going to the pfSense vNIC from a vswitch with ID 10, for example, will have any TAG on it - so how is the VLAN interface of pfSense going to do anything with this traffic?
This is exactly how an access port works on any Cisco switch with the PVID set to your VLAN ID..
Maybe Proxmox or switches do not remove tags - but with ESXi, when you set a VLAN ID on a port group there are no tags sent towards the VM devices.. If you want tags to not be stripped you need to set 4095 on the port group/vswitch.
4095 makes sense when traffic will be coming from the physical world via a trunk port (Cisco) with a tag on it - and you want pfSense to handle the traffic via what tag is on it.. When you create a port group with an ID, no tag will be sent towards the VM interface!! So how is the VLAN on pfSense going to have anything to work with?
Don't believe me if you don't want to - do your own research on how EST and VST work in ESXi.. But since you're here in the first place, I take it their instructions are not working ;)
edit: the only way this could work is if you hairpin everything through your 4095 port group.. And all the other VLANs are just port groups on the same vswitch.. Or you actually go out to physical and come back.. Either way it's all useless hairpins..
It's not like vswitches or vNICs cost you anything.. vs doing 1 vswitch with port groups and hairpins to VLANs on pfSense, just do native connections..
-
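As an added illustration (not posted by anyone in this thread), a small Python model of the ESXi port group behaviour described above: a port group with an ID of 1-4094 (VST) strips the matching tag before the frame reaches the vNIC, while 4095 (VGT) delivers the frame tag and all, which is the only mode where a VLAN interface inside pfSense has a tag to act on. The MAC addresses, payload and the handling of guest-tagged frames on a VST port group are constructed assumptions of this model, not something stated in the thread.

```python
import struct

TPID_8021Q = 0x8100
VGT_ALL_VLANS = 4095  # ESXi "4095" port group: Virtual Guest Tagging, tags pass through

# Constructed sample addresses; any 6-byte values would do.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")

def build_frame(vid, ethertype=0x0800, payload=b"ip-payload"):
    """Ethernet II frame, with one 802.1Q tag when vid is not None (PCP/DEI = 0)."""
    hdr = DST_MAC + SRC_MAC
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def to_vm(frame, portgroup_vlan):
    """Frame arriving from the physical uplink: what the vNIC on this port group sees.
    0: untagged traffic only; 1-4094 (VST): the tag matching the ID is stripped, others
    are dropped; 4095 (VGT): delivered unchanged, so the guest's VLAN interfaces see the tag."""
    vid, stripped = parse_tag(frame)
    if portgroup_vlan == VGT_ALL_VLANS:
        return frame
    if portgroup_vlan == 0:
        return frame if vid is None else None
    return stripped if vid == portgroup_vlan else None

def from_vm(frame, portgroup_vlan):
    """Frame sent by the vNIC: what reaches the physical uplink.
    VST tags untagged guest frames with the port group ID; VGT and 0 pass frames unchanged.
    A guest-tagged frame on a VST port group is treated as dropped here (model assumption)."""
    vid, _ = parse_tag(frame)
    if portgroup_vlan in (VGT_ALL_VLANS, 0):
        return frame
    if vid is not None:
        return None
    return frame[:12] + struct.pack("!HH", TPID_8021Q, portgroup_vlan) + frame[12:]

if __name__ == "__main__":
    tagged10 = build_frame(10)
    print("VST pg 10, VID 10 -> tag seen by VM:", parse_tag(to_vm(tagged10, 10))[0])   # None
    print("VGT pg 4095, VID 10 -> tag seen by VM:", parse_tag(to_vm(tagged10, 4095))[0])  # 10
    print("VST pg 10, VID 20 delivered to VM:", to_vm(build_frame(20), 10) is not None)  # False
```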
Back to update... a day or so after the discussion above, I was able to resolve the issues that I was having.
My best guess is that the issues that I was having related to my flipping the switch within pfSense to "Turn off the Firewall". Turning off the Firewall seemingly also turned off the NATting that I would have been relying upon.
Related, I had created "Any to Any" firewall rules, but then screwed up and had them only for TCP, and not for Any protocol.
With the rules changed to "Any" protocol, and not just TCP, things worked as documented (loosely documented, but with the pictures that were seen above, along with others) and the traffic flows as expected, from VLAN to VLAN, and from the VLANs out to the internet as expected and desired in my case.
Another set of documentation (for Proxmox, which also uses pfSense in the same fashion) covers the use of multiple distinct firewall rules that would allow or restrict (default deny) traffic of various types. I had started with "Any / Any" allowed because I mostly am using pfSense as a router and didn't need to start with any blocking of traffic (I will get there eventually, but didn't need it to start).
This same configuration is used by several others (it numbers in the hundreds at this point) that are also running a home lab setup that normally would be using pfSense in the same way. Using it in this way allows for emulation of a larger corporate type network where traffic is isolated or at least the address ranges can more easily mimic what is typical in the corporate world.
Thanks for the assistance and discussion points along the way. It is valuable material to be aware of, and hopefully may help someone else in the future.
-
Not sure what guide you are following - but if it's having users hairpin connections back and forth inside vswitches vs just creating native interfaces, it's not very efficient..
And it is over complicating a simple setup..
-
@terpfan1980 said in Unable to access Internet from virtual network:
Back to update... a day or so after the discussion above, I was able to resolve the issues that I was having.
My best guess is that the issues that I was having related to my flipping the switch within pfSense to "Turn off the Firewall". Turning off the Firewall seemingly also turned off the NATting that I would have been relying upon.
Seemingly:
Disable Firewall
Disable all packet filtering. Note: This converts pfSense into a routing only platform!
Note: This will also turn off NAT! To only disable NAT, and not firewall rules, visit the Outbound NAT page.
Related, I had created "Any to Any" firewall rules, but then screwed up and had them only for TCP, and not for Any protocol.
With the rules changed to "Any" protocol, and not just TCP, things worked as documented (loosely documented, but with the pictures that were seen above, along with others) and the traffic flows as expected, from vlan to vlan, and from the vlans out to the internet as expected and desired in my case.
Loosely documented:
https://docs.netgate.com/pfsense/en/latest/book