Routing from non-VLAN network to VLAN network
I'm having some trouble routing from a LAN to a VLAN network connected to pfSense via an HP switch. I just can't seem to figure out what the problem is. Here is my exact setup below along with details of the issue; if anyone has any ideas, I'd appreciate it!
Network 1: LAN, 10.20.20.0/24
Network 2: DMZ, 10.20.30.0/24, VLAN 2030
- Network 1 is connected to pfSense directly to interface em1.
- Network 2 is connected to pfSense via interface VLAN 2030, which is set up on em2; em2 is only used for this VLAN. The interface is directly connected to an HP switch with its port set to trunk mode.
- Outbound NAT is set to automatic
- Rules on both DMZ and LAN interfaces are set to allow any IP and any protocol, in both directions.
In pfSense, pinging a machine on the DMZ, e.g. 10.20.30.2, results in a response if the source address is set to the VLAN address (DMZ: 10.20.30.1). However, if the source address is set to LAN (10.20.20.1), there is no ping response. The same happens if trying to ping from within LAN via a different client computer.
Routing between another two non-VLAN networks works fine.
For some reason pfSense is not automatically routing packets from the LAN to the DMZ.
What am I doing wrong?
If em2 is only being used for 1 VLAN, why do you have it as a trunk port to your HP switch? Just use em2 native and set the port on your switch to be in that VLAN.
The only reason to trunk is when you're tagging and have more than 1 VLAN on the same physical port.
That's true, but the reason I have just one VLAN on the trunk was for testing purposes - I intend to have more VLANs running through the trunk later.
After trying everything I could think of, I decided to reboot pfSense. Magically, it now works!
Edit: Well, it seems something is still off. I could access the HP switch's interface IP in the VLAN after the pfSense reboot, but not other devices on the VLAN. I rebooted the HP switch and now I'm back to the original situation. Perhaps there is a problem on the switch side, but I can still ping the switch from pfSense with the VLAN as the source address!
Well, I've found the problem apparently. The devices connected to the switch had their gateway set to pfSense's interface IP rather than the HP (layer 3) switch's interface IP, so they were unreachable. Changing that seems to have solved the issue.
Is it normal practice to have two interfaces within a network e.g.:
pfSense: Interface em1 IP: 10.20.20.1 /24 connected to:
HP switch: Interface IP: 10.20.20.2 /24
There is also a static route on the switch: 0.0.0.0 0.0.0.0 10.20.20.1
Any issues with this kind of setup?
Why do you even use the HP switch as a router and apparently in the same subnet with pfSense? It would be so much simpler if you had just one broadcast domain with a single subnet on the pfSense's LAN.
Yes, I think you're right kpa. I've now done just that. At first I couldn't get the switch to forward traffic to pfSense without adding interface IPs on the switch and using the layer 3 functionality, but I found my configuration error in the switch, and now it's essentially acting as a layer 2 switch with only one broadcast domain per VLAN.
But there must be some situations where it can be useful to selectively use the layer 3 switch's ability to route without pfSense, in particular for high-bandwidth traffic between two internal VLAN networks connected to the switch. Right?
Yes of course but you have to do the subnetting properly so that all subnets are non-overlapping and pfSense knows the routes to the subnets via static routes. This is not specific to VLANs, you would have to get the subnetting and routing right with non-VLAN equipment exactly the same way.
Thanks kpa, that makes total sense.
I really would not suggest you use your switch in layer 3 mode doing routing until you fully understand routing. Once you do, you will most likely see there is no point for the switch to be doing it, and you lose all the nice features of pfSense doing the routing/firewall between your segments.
If you do decide to use your switch for routing, keep in mind pfSense will need to be connected to it via a transit network or you're going to run into asymmetrical routing issues.
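The asymmetric routing warning in the last reply, and the "pfSense and switch in the same subnet" layout posted earlier (em1 10.20.20.1/24, switch 10.20.20.2/24, switch default route to 10.20.20.1), can be checked with a small route-table simulator. The following is an added example, not code from the thread or from pfSense: it models each device's interfaces and static routes, forwards a packet hop by hop with longest-prefix match, and reports whether the firewall sits on both the forward and the return path. The pfSense and switch addresses come from the thread; the host addresses (10.20.20.50, 10.20.30.2), the WAN side (203.0.113.0/24) and the /30 transit network (10.20.40.0/30) are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, next-hop address)


class Node:
    """A host or router: interface addresses plus a static route table."""

    def __init__(self, name: str, interfaces: List[str], routes: List[Route]):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in routes]

    def next_hop(self, dst: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        # Directly connected networks win: deliver on-link, no gateway involved.
        if any(dst in iface.network for iface in self.interfaces):
            return dst
        # Otherwise longest-prefix match over the static routes.
        matches = [(p, g) for p, g in self.routes if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def trace(nodes: List[Node], src: str, dst: str) -> List[str]:
    """Walk a packet from node `src` toward address `dst`; return the hop names."""
    owner: Dict[ipaddress.IPv4Address, Node] = {
        iface.ip: n for n in nodes for iface in n.interfaces
    }
    node = next(n for n in nodes if n.name == src)
    dst_ip = ipaddress.ip_address(dst)
    path = [node.name]
    for _ in range(16):  # hop limit guards against routing loops
        nh = node.next_hop(dst_ip)
        if nh is None:
            return path + ["UNREACHABLE"]
        if nh not in owner:  # e.g. the ISP gateway, outside the model
            return path + [f"upstream({nh})"]
        node = owner[nh]
        path.append(node.name)
        if nh == dst_ip:
            return path
    return path + ["LOOP"]


def firewall_sees_both_directions(nodes: List[Node], a: str, a_ip: str,
                                  b: str, b_ip: str, fw: str = "pfsense") -> bool:
    """True when the firewall is on the forward AND return path, or on neither.
    Seeing only one direction is the asymmetric case a stateful firewall breaks on."""
    fwd, rev = trace(nodes, a, b_ip), trace(nodes, b, a_ip)
    return (fw in fwd) == (fw in rev)


# Topology A: the layout posted in the thread. pfSense (10.20.20.1) and the L3
# switch (10.20.20.2) share the LAN subnet; the switch routes VLAN 2030
# (10.20.30.0/24) and defaults to pfSense. Hosts .50 and .2 are constructed.
NO_TRANSIT = [
    Node("pfsense", ["10.20.20.1/24", "203.0.113.2/24"],
         [("10.20.30.0/24", "10.20.20.2"), ("0.0.0.0/0", "203.0.113.1")]),
    Node("switch", ["10.20.20.2/24", "10.20.30.1/24"], [("0.0.0.0/0", "10.20.20.1")]),
    Node("lan_host", ["10.20.20.50/24"], [("0.0.0.0/0", "10.20.20.1")]),
    Node("dmz_host", ["10.20.30.2/24"], [("0.0.0.0/0", "10.20.30.1")]),
]

# Topology B: an assumed /30 transit network (10.20.40.0/30) between pfSense and
# the switch; every user VLAN sits behind the switch and uses it as gateway.
TRANSIT = [
    Node("pfsense", ["10.20.40.1/30", "203.0.113.2/24"],
         [("10.20.20.0/24", "10.20.40.2"), ("10.20.30.0/24", "10.20.40.2"),
          ("0.0.0.0/0", "203.0.113.1")]),
    Node("switch", ["10.20.40.2/30", "10.20.20.2/24", "10.20.30.1/24"],
         [("0.0.0.0/0", "10.20.40.1")]),
    Node("lan_host", ["10.20.20.50/24"], [("0.0.0.0/0", "10.20.20.2")]),
    Node("dmz_host", ["10.20.30.2/24"], [("0.0.0.0/0", "10.20.30.1")]),
]

if __name__ == "__main__":
    for label, topo in (("no transit", NO_TRANSIT), ("transit", TRANSIT)):
        print(label, "LAN->DMZ:", " -> ".join(trace(topo, "lan_host", "10.20.30.2")))
        print(label, "DMZ->LAN:", " -> ".join(trace(topo, "dmz_host", "10.20.20.50")))
        print(label, "Internet:", " -> ".join(trace(topo, "lan_host", "198.51.100.7")))
        print(label, "firewall symmetric:",
              firewall_sees_both_directions(topo, "lan_host", "10.20.20.50",
                                            "dmz_host", "10.20.30.2"))
```

In topology A the LAN host's default gateway is pfSense, which forwards LAN-to-DMZ packets to the switch, but the DMZ host's reply goes switch-to-LAN-host directly because the switch has 10.20.20.0/24 as a connected network. pfSense therefore sees only the first half of every connection, which is the asymmetric situation the reply warns about. With the transit /30 in topology B, inter-VLAN traffic stays entirely on the switch in both directions and only off-site traffic crosses pfSense, so each flow is either fully visible to the firewall or never touches it.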