Routing/Firewall stops working when VLANs introduced



  • Hi Everyone,

I'm trying to convert an office install from a Cisco router over to pfSense and am having a weird issue.

Presently there are 9 different VLANs in the environment, all with their gateways configured on the pfSense box, that are trunked over to a Netgear switch which then has access ports set up for each VLAN.  There is also a local subnet that I left for managing the pfSense box, and I connect a laptop directly to the NIC to get at that 'management' subnet.

-DHCP, routing and firewall NAT to the WAN always work fine on the management subnet.
-DHCP works fine all the time on the 9 different VLANs that are trunked - clients can plug into an access port and obtain an IP address from the proper pool for their VLAN.  However, routing from any of the trunked networks only works for a minute or two when the trunked link is first brought up and then stops working - to the point where I can't even ping the pfSense gateway address for that subnet.  However, even after I can't ping the gateway, if I introduce a new client to that VLAN it will obtain a DHCP address from the pfSense box.  Also, all the while a laptop on the 'management' LAN segment that is on a separate interface can still get into the pfSense GUI and NAT to the WAN just fine, so it's not like the box is locked up or anything.

    Has anyone else seen anything similar to this?


  • Netgate

    Nope. VLANs work fine. You will have to provide more information.

    When a segment is not working, perform basic connectivity troubleshooting and post what is actually failing.



  • @Derelict:

    Nope. VLANs work fine. You will have to provide more information.

    When a segment is not working, perform basic connectivity troubleshooting and post what is actually failing.

Clients on the VLAN can ping each other but not the gateway on the pfSense box.
Clients on the VLAN can get a DHCP address from the pfSense box but cannot route through it to any other VLANs or ping the gateway for the local VLAN subnet that lives on the VLAN interface of the pfSense box.



  • Post the addressing schemes used on the different VLANs. Also post the firewall rules on the VLAN interfaces.


  • Netgate

    So is there ARP? Are the packets actually arriving at the pfSense interface to be forwarded? Are you policy routing? Are you bypassing policy routing for local networks?

Going to need more, and more concrete, information. "This can't ping that" isn't going to be good enough here.



  • @Derelict:

    So is there ARP? Are the packets actually arriving at the pfSense interface to be forwarded? Are you policy routing? Are you bypassing policy routing for local networks?

Going to need more, and more concrete, information. "This can't ping that" isn't going to be good enough here.

Right now there are no rules set up for the various local networks.  The end goal, however, is to have each of the local VLANs be able to NAT to the internet but not see each other.

Each VLAN is its own entity that just needs to get to the Internet but NOT be able to route to any of the other local networks, but no rules have been attempted to get this going yet.  If you think maybe them all trying to route between each other is an issue and have some suggested rules to apply to each interface, I'm all for it.

Are there any config files that I can post that summarize my IP and rule configuration instead of trying to post screenshots?

    thanks all!!


  • Netgate

    If there are no rules on the interfaces assigned to the VLANs then no traffic will pass.

    Pick one and add a pass any any any rule like the one on LAN.

    If you have not changed outbound NAT from automatic you do not need to do anything there.

    In a nutshell:

    Create the VLAN
    Assign the VLAN to an interface
    Enable and configure the new interface
    Enable the DHCP Server
    Create a firewall rule
    Verify outbound NAT
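The steps above (assign the VLAN to an interface, enable it, add a rule) are what pfSense records in its configuration file, /cf/conf/config.xml, which is also the file the earlier post asked about posting instead of screenshots. The following is an added example, not code from the thread or from pfSense: it audits a constructed config.xml excerpt modelled on pfSense's vlans / interfaces / filter layout and reports each VLAN interface that is not enabled or has no firewall rules at all, i.e. the exact "no rules, no traffic passes" state described above. The element names and the sample addresses are assumptions made for the example.

```python
"""Audit a pfSense-style config.xml excerpt for VLAN interfaces that are
disabled or carry no firewall rules (added example; the XML below is
constructed sample data, not a real configuration)."""
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on pfSense's config.xml layout.
# em1 is the trunk NIC; VLAN 40 is defined but never assigned.
SAMPLE_CONFIG = """<pfsense>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1.10</vlanif><descr>Sales</descr></vlan>
    <vlan><if>em1</if><tag>20</tag><vlanif>em1.20</vlanif><descr>Eng</descr></vlan>
    <vlan><if>em1</if><tag>30</tag><vlanif>em1.30</vlanif><descr>Guest</descr></vlan>
    <vlan><if>em1</if><tag>40</tag><vlanif>em1.40</vlanif><descr>Unused</descr></vlan>
  </vlans>
  <interfaces>
    <lan><if>em0</if><enable></enable><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet><descr>LAN</descr></lan>
    <opt1><if>em1.10</if><enable></enable><ipaddr>10.0.10.1</ipaddr><subnet>24</subnet><descr>SALES</descr></opt1>
    <opt2><if>em1.20</if><enable></enable><ipaddr>10.0.20.1</ipaddr><subnet>24</subnet><descr>ENG</descr></opt2>
    <opt3><if>em1.30</if><ipaddr>10.0.30.1</ipaddr><subnet>24</subnet><descr>GUEST</descr></opt3>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><any></any></source><destination><any></any></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <source><network>opt1</network></source><destination><any></any></destination></rule>
  </filter>
</pfsense>
"""


def audit_vlan_interfaces(config_xml):
    """Return (findings, unassigned_vlanifs).

    findings: one dict per interface that sits on a VLAN, listing its tag,
    gateway address, rule count and any problems found.
    unassigned_vlanifs: VLANs created but never assigned to an interface.
    """
    root = ET.fromstring(config_xml)

    # vlanif name (e.g. em1.10) -> 802.1Q tag
    vlan_tags = {v.findtext("vlanif"): int(v.findtext("tag")) for v in root.iter("vlan")}

    # Count user rules per interface name (lan, opt1, ...).
    rules_per_iface = {}
    for rule in root.iter("rule"):
        name = rule.findtext("interface")
        rules_per_iface[name] = rules_per_iface.get(name, 0) + 1

    findings, assigned = [], set()
    for iface in root.find("interfaces"):
        phys = iface.findtext("if")
        if phys not in vlan_tags:
            continue  # physical interface such as LAN on em0, not a VLAN
        assigned.add(phys)
        problems = []
        if iface.find("enable") is None:
            problems.append("interface is not enabled")
        if rules_per_iface.get(iface.tag, 0) == 0:
            problems.append("no firewall rules on this interface, so nothing is passed")
        findings.append({
            "interface": iface.tag,
            "vlanif": phys,
            "tag": vlan_tags[phys],
            "gateway": f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}",
            "rules": rules_per_iface.get(iface.tag, 0),
            "problems": problems,
        })
    return findings, sorted(set(vlan_tags) - assigned)


if __name__ == "__main__":
    found, unassigned = audit_vlan_interfaces(SAMPLE_CONFIG)
    for f in found:
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['interface']:5} vlan {f['tag']:<3} {f['gateway']:18} rules={f['rules']}  {status}")
    if unassigned:
        print("VLANs defined but not assigned to an interface:", ", ".join(unassigned))
```

On the sample data this flags opt2 (enabled, no rules) and opt3 (not enabled, no rules) and leaves opt1 alone. The pattern in the original post, DHCP leases still being handed out on a VLAN whose gateway cannot be pinged, is consistent with this state: pfSense generates its own pass rules for the DHCP server on an interface where that server is enabled, while every other inbound packet on a rule-less interface is dropped by the default deny.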



  • Good tutorial with the diagrams: https://nguvu.org/pfsense/pfsense-2.3-setup/ and https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/

From my own experience - pfSense is not guilty for sure; check your switch configuration, capture/analyze traffic coming over the trunk from the switch, and use tcpdump from the shell with '-e' to see VLAN tags.
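The capture suggested above, together with the earlier questions ("is there ARP? are the packets actually arriving at the pfSense interface?"), is easiest to read when summarised per VLAN. The following is an added example, not code from the thread: it parses lines in the style of `tcpdump -e -nn` output (the sample lines are constructed, not a real capture, and the addresses and MACs are assumptions) and reports, per 802.1Q tag, how many frames arrived, which ARP targets were asked for, and which of those never got a reply. It also separates frames that reached the trunk NIC with no tag at all, which points at the switch's port/PVID configuration rather than at pfSense.

```python
"""Summarise VLAN tags and ARP resolution in `tcpdump -e -nn` style output
(added example; SAMPLE_CAPTURE is constructed, not a real capture)."""
import re
from collections import defaultdict

# Constructed lines in the style of `tcpdump -e -nn -i em1` on FreeBSD.
# VLAN 10: client ARPs for its gateway and gets a reply, then pings it.
# VLAN 20: client ARPs twice for its gateway and never gets a reply.
# Last line: a frame for the VLAN 30 subnet arrives untagged on the trunk.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:11:22:33:44:10 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP (0x0806), Request who-has 10.0.10.1 tell 10.0.10.50, length 46
10:00:01.000200 00:aa:bb:cc:dd:01 > 00:11:22:33:44:10, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP (0x0806), Reply 10.0.10.1 is-at 00:aa:bb:cc:dd:01, length 46
10:00:01.100000 00:11:22:33:44:10 > 00:aa:bb:cc:dd:01, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 10.0.10.50 > 10.0.10.1: ICMP echo request, id 7, seq 1, length 64
10:00:02.000001 00:11:22:33:44:20 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 20, p 0, ethertype ARP (0x0806), Request who-has 10.0.20.1 tell 10.0.20.50, length 46
10:00:03.000001 00:11:22:33:44:20 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 20, p 0, ethertype ARP (0x0806), Request who-has 10.0.20.1 tell 10.0.20.50, length 46
10:00:04.000001 00:11:22:33:44:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.30.1 tell 10.0.30.50, length 46
"""

VLAN_RE = re.compile(r"\bvlan (\d+),")                 # 802.1Q tag printed by -e
WHO_HAS_RE = re.compile(r"Request who-has (\S+) tell (\S+)")
IS_AT_RE = re.compile(r"Reply (\S+) is-at ")

UNTAGGED = "untagged"


def summarise_capture(text):
    """Return {vlan_tag_or_'untagged': {frames, arp_requests, arp_replies}}."""
    summary = defaultdict(lambda: {"frames": 0, "arp_requests": {}, "arp_replies": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VLAN_RE.search(line)
        key = int(m.group(1)) if m else UNTAGGED
        entry = summary[key]
        entry["frames"] += 1
        wh = WHO_HAS_RE.search(line)
        if wh:
            target = wh.group(1)
            entry["arp_requests"][target] = entry["arp_requests"].get(target, 0) + 1
        ia = IS_AT_RE.search(line)
        if ia:
            entry["arp_replies"].add(ia.group(1))
    return dict(summary)


def unanswered_arp(summary):
    """Per VLAN, the addresses that were ARPed for but never answered."""
    result = {}
    for vlan, entry in summary.items():
        missing = sorted(t for t in entry["arp_requests"] if t not in entry["arp_replies"])
        if missing:
            result[vlan] = missing
    return result


if __name__ == "__main__":
    summary = summarise_capture(SAMPLE_CAPTURE)
    for vlan, entry in sorted(summary.items(), key=lambda kv: str(kv[0])):
        print(f"vlan {vlan}: {entry['frames']} frames, "
              f"ARP requests for {sorted(entry['arp_requests'])}, "
              f"replies from {sorted(entry['arp_replies'])}")
    print("unanswered ARP:", unanswered_arp(summary))
```

A VLAN whose gateway address is asked for repeatedly and never answered (VLAN 20 in the sample) means the frames are arriving tagged but pfSense is not replying on that VLAN interface, so the next place to look is that interface's assignment and rules; a VLAN whose frames only show up untagged (the VLAN 30 line) never reached the VLAN interface at all, so the switch trunk and port-VLAN configuration is the place to look.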