VLANS using 2nd WAN not able to access each other

gokallit

Hello, I cannot figure out why this is happening.

I setup a 2nd WAN (Spectrum) and 2 vlans (5,10). So currently my setup looks as follows:

WAN (ATT) (Default Gatway ATT)
LAN (.113) GW Default (ATT)
VLAN 5 (.117) GW (SPECTRUM)
VLAN 10 (.115) GW (SPECTRUM)
WAN2 (SPECTRUM) (Default Gateway SPECTRUM)

I forced each VLAN (5,10) to use the WAN2 (Spectrum) as their gateway in their (Advanced settings) and LAN to uses the DEFAULT gateway (ATT).

If each VLAN (5,10) is using the WAN (ATT) as their gateway, they CAN pass traffic to each other just fine.
If each VLAN (5,10) uses the WAN (Spectrum) as their gateway, they CANNOT talk to each regardless if there is a explicit firewall rule that says they can access each other.

VLAN10 Firewall rule
SOURCE:VLAN5... PORT:ANY.... DESTINATION:VLAN10...PORT:ANY..GATEWAY:SPECTRUM

VLAN5 Firewall rule
SOURCE: VLAN10... PORT:ANY.... DESTINATION:VLAN5...PORT:ANY..GATEWAY:SPECTRUM

Does anyone know why this would happen just because I switched the VLANS gateways to the 2nd WAN (SPECTRUM)?

johnpoz

if you want vlans to talk to each other you need to have a rule above where you force traffic out a wan to allow the traffic. On the interface vlan is connected to.

gokallit

Well I had tried that before but I decided to go back and try it again just in case. Still not working.

KSSG =VLAN5
GOKALLIT =VLAN10

Firewall rule.jpg

Derelict

Your rules are on the wrong interface and you need to bypass policy routing.

https://www.netgate.com/docs/pfsense/routing/bypassing-policy-routing.html

gokallit

Which interface should it be on because I applied the same rule on all 3 interfaces, KSSG, WANPECTRUM and GOKALLIT.

I also read the bypass policy routing and I will have to study up on this.

Derelict

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-troubleshooting.html

gokallit

OMG, DERELICT YOUR A GENIUS!!!!!!!!!!!!

So the log was saying that traffic was passing just fine with a green checkmark however I could not RDP, PING anything. So I clicked the + sign and it added a easy rule to the firewall and bingo.

Oddly, that rule I already had entered earlier today and in the past with the exception of the Gateway however they never worked. Not sure why using the "Easy Rule" allowed it to work. I have been beating my head on this for about a month now.

See Pic 1 before and Pic 2 after. The differences are in yellow.

johnpoz

Because as I already stated you need a rule before you FORCE traffic out a gateway that can not get to your other vlan...

How do you think shoving traffic out some wan is going to be able to get another local vlan on your network?

gokallit

Duh...Ah geez I wasn't thinking. Thanks again.