Inter-VLAN traffic Client Isolation
-
Someone please?
-
for example:
MBP ~ % ping 192.168.2.205
PING 192.168.2.205 (192.168.2.205): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Traffic is being passed, but still I cannot reach clients on other vlans.
Mar 13 18:59:09 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
Mar 13 18:58:05 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
The rule that triggered this action is:@105(XXXXXXXX) pass in log quick on Vlan_trunk inet all flags S/SA keep state label "USER_RULE"
-
Do you have rules to allow traffic from one VLAN to another?
-
Post the LAN rules. You don't have a gateway selected under advanced, do you?
-
Thanks for the answer.
I have set for the troubleshooting Ipv4 allow allFor example:
On the Floating rules:
Allow all IPv4 * * * * * * noneAlso on the trunk I created under interface group (Where I bond all sub interfaces with the LAN uplink) rules:
Allow all IPv4 * * * * * * noneIn short I have fully allow all traffic, but still seeing the problem.
On the logs nothing is being blocked, but still I cannot trace route or ping from and to clients.Thanks,
-
Thanks,
The only gateway I have under advanced is the next WAN modem I have, I can reach the internet from all VLANs.
Here are the rules:rules.xls [0_1584124401963_Rules.rtf](Uploading 100%) [0_1584124167304_Rules.rtf](Uploading 100%)
-
A small correction, I was able to reach the internet, outbound traffic was ok yesterday for all vlans.
Now internet outbound traffic is only working on the LAN untagged. -
A few screenshots would have been fine. I Don't really have time to sort through the raw dump, but some things look goofy.
Not sure what you are doing with your 'interface group trunk'?? and floating rules. Why don't you start simple:
Firewall rules, vlan 100 tab, ipv4* vlan 100 net to any No advanced settings
vlan 200 tab, ipv4* vlan 200 net to any No advanced.
Then try to ping from vlan 100 to 200.... -
The interface “Trunk-Group” is where I Bond all vlans on the only wire (uplink) I have:
Over there I have a full ipv4 pass rule
On the floating it’s the same, only that there are some public “bad” addresses that I have blocked, but that’s are only incoming from the WAN side, nothing internal.
-
In the interest of trying to walk before flying, why don't you see if it works when you add the rules to the interfaces, like I suggested before.
-
I do have the rules as you suggest on some interfaces for testing, when it works I’ll replicate to the other interfaces, but now it’s not working:
I suspect that I would need to factory reset the pfsense if nothing produces results, what I couldn’t do on a big production environment.
Maybe backup the configuration.
Reset to default.
Test with minimal configuration.
If works, the go step by step.
If not working restore configuration and troubleshoot again -
Here is an example where I ping to a client and I get no response:
But looking in the logs everything looks good, my iP as source is reaching the destination:
-
Thanks everyone, I’ve got it sorted out.
Did as I explained in my previous post and added allow rules under every vlan, then it started working.
Still doesn’t explains the firewall logs showing green for passed while it wasn’t the case.
