VLAN Routing

  • Hi guys.

    I have moved over to pfSense from a Smoothwall and IPCop setup. Have to say the pfSense setup seems far more grown up and I like what I see so far. I require a little help as I am not sure how or what pfSense is doing here. I am having some issues routing between VLANs.

    vmx0 = LAN
    vmx1 = OPT1, which will be used as a DMZ
    vmx2 = WAN

    I have a few VLANs, but for now to keep things simple let's just say I have VLAN1 and VLAN2.

    My pfSense LAN interface is on VLAN1 and I can get out to the internet fine with no issues.

    I have a workstation on VLAN2 from which I can ping the pfSense server. I am picking up an IP address from my DHCP server on VLAN1, but I can't get out to the internet. What do I need to change to allow this extra VLAN to get out?

    Thanks in advance

  • You have a host on VLAN2 which gets a DHCP-ed IP from VLAN1?
    How are VLAN1 & 2 connected to your pfSense?

  • Hello.

    Thanks for taking the time to reply.

    Not sure if it is the correct setup, but on my LAN I changed the subnet from /24 in the drop-down to /22 and now all my subnets can get out to the internet. Let me know if this is a misconfiguration under pfSense. I am coming from a Smoothwall-type firewall where things are a little different. I do have a similar problem with my DMZ but will create a separate post for that.

    To answer your question:

    I am running pfSense on VMware ESXi. The vSwitch that I am plugged in to is connected to Cisco ports which are trunk ports. On the vSwitch I have created a connection for each VLAN.

    From a Cisco point of view I can get to each VLAN and back again. It was getting out to the internet on any other LAN subnet apart from the VLAN the pfSense was installed on.

  • Maybe pfSense hasn't set the outbound NAT rules automatically for your further VLANs. On other firewalls this is often called "Masquerading". You find it under Firewall > NAT > Outbound.
    Or you've set the outbound NAT rule generation to "manual", so you have to add rules by yourself.

    There must be an outbound NAT rule for each internal network as source for the WAN interface, or rather one rule with a subnet mask that covers all your internal subnets. This you will have achieved with the /22 for LAN, but with that you will get routing issues between your internal subnets.

  • It looks like you've misconfigured your network.

    How is VLAN2 getting an IP address from VLAN1? You need a DHCP relay server for this which has interfaces on both VLANs.
    How is VLAN2 even able to ping pfSense on VLAN1? You need a router for this with interfaces on both VLANs.

  • You don't have two separated VLANs anymore if you extend the netmask to /22 and serve all hosts from there. That's one big broadcast domain.
    If you want or need to separate segments then your setup is wrong.

    BTW, subnetting has nothing to do with your router (pfSense or Smoothwall). They both just serve what you configured.
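The two points made above, outbound NAT needing to cover every internal subnet and a widened /22 swallowing the other VLAN, can be checked mechanically. This is an added example, not code from any poster or from pfSense; the interface addresses and NAT sources are constructed sample values standing in for what you would read out of Interfaces and Firewall > NAT > Outbound.

```python
"""Sanity-check a pfSense-style interface / outbound NAT layout.

Added example (not from this thread). All addresses below are constructed
samples, not the original poster's real configuration.
"""
from ipaddress import IPv4Interface, IPv4Network

# Constructed sample: LAN widened from /24 to /22 while VLAN2 keeps its own /24.
INTERFACES = {
    "LAN":   IPv4Interface("192.168.0.1/22"),
    "VLAN2": IPv4Interface("192.168.1.1/24"),
    "DMZ":   IPv4Interface("10.10.10.1/24"),
}

# Constructed sample of automatic outbound NAT sources for the WAN interface.
OUTBOUND_NAT_SOURCES = [IPv4Network("192.168.0.0/22")]

# Constructed corrected layout: every segment keeps its own /24 and its own NAT rule.
FIXED_INTERFACES = {k: IPv4Interface(f"{v.ip}/24") for k, v in INTERFACES.items()}
FIXED_NAT_SOURCES = [v.network for v in FIXED_INTERFACES.values()]


def overlapping_interfaces(interfaces):
    """Return pairs of interface names whose subnets overlap.

    Overlapping subnets are no longer separate segments: a widened mask such as
    /22 swallows the neighbouring /24, so the firewall can neither route nor
    filter cleanly between the two VLANs (one big broadcast domain).
    """
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


def unnatted_networks(interfaces, nat_sources, wan="WAN"):
    """Return internal interfaces not covered by any outbound NAT source.

    Hosts on these networks can reach the firewall but leave the WAN with a
    private source address, which shows up as 'no internet' on that VLAN.
    """
    return [name for name, iface in interfaces.items() if name != wan
            and not any(iface.network.subnet_of(src) for src in nat_sources)]


if __name__ == "__main__":
    print("overlapping:", overlapping_interfaces(INTERFACES))
    print("no outbound NAT:", unnatted_networks(INTERFACES, OUTBOUND_NAT_SOURCES))
    print("fixed layout overlapping:", overlapping_interfaces(FIXED_INTERFACES))
```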
