Netgate Discussion Forum

    Inter-VLAN traffic Client Isolation

    Category: L2/Switching/VLANs
    14 Posts 3 Posters 1.2k Views
    Phonix66:

      Someone please?

      Phonix66:

        for example:

        MBP ~ % ping 192.168.2.205
        PING 192.168.2.205 (192.168.2.205): 56 data bytes
        Request timeout for icmp_seq 0
        Request timeout for icmp_seq 1
        Request timeout for icmp_seq 2
        Request timeout for icmp_seq 3


        Traffic is being passed, but still I cannot reach clients on other VLANs.
        Mar 13 18:59:09 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
        Mar 13 18:58:05 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
        The rule that triggered this action is:

        @105(XXXXXXXX) pass in log quick on Vlan_trunk inet all flags S/SA keep state label "USER_RULE"

        JKnott:

          @Phonix66

          Do you have rules to allow traffic from one VLAN to another?

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          dotdash:

            Post the LAN rules. You don't have a gateway selected under advanced, do you?

            Phonix66:

              Thanks for the answer.
              For troubleshooting I have set IPv4 allow all.

              For example:
              On the Floating rules:
              Allow all IPv4 * * * * * * none

              Also on the trunk I created under interface group (Where I bond all sub interfaces with the LAN uplink) rules:
              Allow all IPv4 * * * * * * none

              In short, I have fully allowed all traffic, but I am still seeing the problem.
              In the logs nothing is being blocked, but still I cannot traceroute or ping from and to clients.

              Thanks,

              Phonix66:

                Thanks,

                The only gateway I have under advanced is the next WAN modem I have; I can reach the internet from all VLANs.
                Here are the rules:

                [attachments: rules.xls, Rules.rtf]

                Phonix66:

                  A small correction: I was able to reach the internet; outbound traffic was OK yesterday for all VLANs.
                  Now internet outbound traffic is only working on the untagged LAN.

                  dotdash:

                    A few screenshots would have been fine. I don't really have time to sort through the raw dump, but some things look goofy.
                    Not sure what you are doing with your 'interface group trunk'?? and floating rules. Why don't you start simple:
                    Firewall rules, vlan 100 tab, ipv4* vlan 100 net to any No advanced settings
                    vlan 200 tab, ipv4* vlan 200 net to any No advanced.
                    Then try to ping from vlan 100 to 200....

                    Phonix66:

                      The interface “Trunk-Group” is where I bond all VLANs on the only wire (uplink) I have: [screenshot]

                      Over there I have a full ipv4 pass rule
                      [screenshot]

                      On the floating rules it's the same, only that there are some public “bad” addresses that I have blocked, but those are only incoming from the WAN side, nothing internal.

                      dotdash:

                        In the interest of trying to walk before flying, why don't you see if it works when you add the rules to the interfaces, like I suggested before.

                        Phonix66:

                          I do have the rules as you suggest on some interfaces for testing; when it works I'll replicate them to the other interfaces, but right now it's not working:
                          [screenshot]

                          I suspect that I would need to factory reset the pfSense if nothing produces results, which I couldn't do in a big production environment.

                          Maybe: back up the configuration.
                          Reset to default.
                          Test with a minimal configuration.
                          If it works, then go step by step.
                          If it is not working, restore the configuration and troubleshoot again.

                          Phonix66:

                            Here is an example where I ping a client and get no response:
                            [screenshot]

                            But looking in the logs everything looks good; my IP as source is reaching the destination:
                            [screenshot]

                            Phonix66:

                              Thanks everyone, I’ve got it sorted out.
                              Did as I explained in my previous post and added allow rules under every VLAN, then it started working.
                              Still doesn't explain the firewall logs showing green for passed while that wasn't the case.

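As an added example, not code from this thread or from pfSense: the distinction that dotdash's advice ("vlan 100 tab, ipv4* vlan 100 net to any") and the final fix turn on is whether each VLAN interface has its own inbound pass rule, rather than only a rule on an interface group or a floating rule. The Python below lints rule lines in the style of `pfctl -sr` output for exactly that, and reports per interface whether the pass is direct, indirect (group or floating only), or absent. Interface names (LAN, vlan100, vlan200, Vlan_trunk), networks, the group membership and the rule lines themselves are constructed assumptions that mirror the thread; the parser interprets only the keywords it needs and is not a full pf grammar. It checks rule placement only and makes no claim about why pf logged the group rule as a pass while the traffic did not get through, which the thread does not settle.

```python
"""Lint pf rules for per-VLAN-interface inbound pass rules.

Added example, not from the forum thread or from pfSense. Interface names,
networks, group membership and the rule lines are constructed assumptions
that mirror the thread: pass rules on a group ("Vlan_trunk") and on LAN,
but none on the individual VLAN interfaces until the fix is applied.
"""
import ipaddress

# Constructed rule lines in the style of `pfctl -vvsr` output. The "@105(...)"
# prefix is the rule number and tracker id pfctl prints; the tracker is kept
# redacted as in the thread.
RULES_BEFORE = """
@105(XXXXXXXX) pass in log quick on Vlan_trunk inet all flags S/SA keep state label "USER_RULE"
@106(XXXXXXXX) pass in quick on LAN inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE"
"""

# The per-interface rules dotdash suggested, added on top of the ruleset above.
RULES_AFTER = RULES_BEFORE + """
@107(XXXXXXXX) pass in quick on vlan100 inet from 192.168.100.0/24 to any flags S/SA keep state label "USER_RULE"
@108(XXXXXXXX) pass in quick on vlan200 inet from 192.168.200.0/24 to any flags S/SA keep state label "USER_RULE"
"""

# Assumed topology: each interface with its network, and the interface group
# that bundles them (the thread's "Trunk-Group" / Vlan_trunk).
VLAN_NETS = {"LAN": "192.168.1.0/24", "vlan100": "192.168.100.0/24", "vlan200": "192.168.200.0/24"}
GROUPS = {"Vlan_trunk": ["LAN", "vlan100", "vlan200"]}


def parse_rule(line):
    """Extract action, direction, quick, interface and from/to from one pf rule.

    Only the keywords the lint needs are interpreted; log, address family,
    flags, keep state and label are skipped. Not a full pf grammar.
    """
    toks = line.split()
    if toks and toks[0].startswith("@"):  # drop pfctl's "@NN(tracker)" prefix
        toks = toks[1:]
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None, "src": "any", "dst": "any"}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            rule["iface"] = toks[i + 1]
            i += 1
        elif t == "from":
            rule["src"] = toks[i + 1]
            i += 1
        elif t == "to":
            rule["dst"] = toks[i + 1]
            i += 1
        elif t == "all":  # pf shorthand for "from any to any"
            rule["src"] = rule["dst"] = "any"
        i += 1
    return rule


def parse_ruleset(text):
    """Parse every non-blank, non-comment line of a ruleset dump."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def covers(src, net):
    """True if a pf source spec ('any' or a CIDR) contains the interface network."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(src, strict=False))
    except (ValueError, TypeError):
        return False  # alias or macro such as $LAN_net cannot be resolved offline


def lint_inbound_pass(rules, vlan_nets, groups):
    """Classify, per interface, how inbound traffic from its own net is passed.

    'direct'                 : a pass rule bound to that interface (its own tab)
    'group-or-floating-only' : passed only by an interface-group rule or by a
                               rule with no interface (treated here as floating)
    'none'                   : no pass rule matches at all
    """
    member_of = {}
    for group, members in groups.items():
        for m in members:
            member_of.setdefault(m, set()).add(group)
    result = {}
    for iface, net in vlan_nets.items():
        direct = indirect = False
        for r in rules:
            if r["action"] != "pass" or r["dir"] not in (None, "in") or not covers(r["src"], net):
                continue
            if r["iface"] == iface:
                direct = True
            elif r["iface"] is None or r["iface"] in member_of.get(iface, set()):
                indirect = True
        result[iface] = "direct" if direct else ("group-or-floating-only" if indirect else "none")
    return result


if __name__ == "__main__":
    for name, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, lint_inbound_pass(parse_ruleset(text), VLAN_NETS, GROUPS))
```

On a live box the input would be the output of `pfctl -sr` (or `pfctl -vvsr` for the `@NN(tracker)` prefixes), and VLAN_NETS and GROUPS would come from the interface and group configuration; anything reported as `group-or-floating-only` is an interface that has no rule on its own tab, which is the state the thread was in before the fix.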
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.