Netgate Discussion Forum

    Firewall/Routing Between Connected VLANs

    Firewalling
    6 Posts 4 Posters 3.5k Views
    cursor

      I can't seem to find any relevant threads, at least not recent ones for 2.3.3…

      I have a pfSense box, with 2 NICs, both Intel Gigabit CT Adapters.

      The WAN connection is em0.
      I have configured 3 VLANs on em1 (111, 112, 113) and assigned these to separate interfaces, labelled VLAN111, VLAN112, VLAN113.
      VLAN111 - 192.168.111.1
      VLAN112 - 192.168.112.1
      VLAN113 - 192.168.113.1

      This em1 interface is connected to a Cisco switch. This switch has all 3 VLANs configured on it. The port that em1 is connected to is configured as a trunk port.
      interface GigabitEthernet0/1
      description pfsense-trunk
      switchport mode trunk

      My primary client machines, on VLAN111 are connected to ports configured as such:
      interface GigabitEthernet0/5
      switchport access vlan 111
      switchport mode access

      I have an ESXi host connected to port 13, with its management port configured for VLAN113.
      interface GigabitEthernet0/13
      description everest-mgmt
      switchport trunk allowed vlan 111-113
      switchport mode trunk

      From pfSense, I can ping hosts on VLAN113. I can ping both the management IP for ESXi (192.168.113.10) and the switch management IP (192.168.113.254).

      All clients on VLAN111 can access the internet through pfSense, but cannot ping any host on VLAN113. I can't test VLAN112, as there are no hosts on this VLAN.

      I have the default LAN to any rule that should allow traffic into VLAN112 and VLAN113, and matching rules in each VLAN112/113 allowing traffic from these networks to any.
      I really don't know what to check next. From what I've read, pfSense will route between connected VLANs, provided the firewall rules allow. I see no reason why my firewall rules don't allow it.

      Thoughts?

    moikerz

        Are you testing Windows hosts that aren't replying? Often Windows is only configured to respond to ICMP packets from within its own network. Example: a host on vlan111 with IP 192.168.111.2 may not be able to get a response from a host on vlan112 with IP 192.168.112.2, because the 3rd octet is different.

    cursor

          I thought of that too. I've disabled the Windows firewall, and even tried to use an Ubuntu server on 111 to ping the management interfaces on 113. Both hosts on 113 are management interfaces; ESXi and Cisco 2960G.

    Derelict (LAYER 8, Netgate)

            You are policy routing. There is probably no reason to specify the gateway on that VLAN111 rule. That is explicitly telling pf what to do with all traffic - send it out WAN.

            https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

    cursor

              @Derelict:

              You are policy routing. There is probably no reason to specify the gateway on that VLAN111 rule. That is explicitly telling pf what to do with all traffic - send it out WAN.

              https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

              Yes!! Thank you so much!
              I'm going to have to test the policy based routing for my VPN, but that's secondary right now.
              Saved my skin here today!

    sgw @cursor

                I found this thread today while I was also trying to get my fw rules right for allowing traffic between VLANs.

                What puzzles me is that I don't see any blocked packets in the system logs, so the theory that they are routed somewhere else sounds valid ;-)

                Could someone pls be more specific?
                Do I need a PASS-rule on every VLAN-interface tab for bypassing?

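Derelict's diagnosis above, and the pass rule sgw is asking about, written out as pf rules. This is an added illustration, not rules from the original thread or from pfSense's own generated ruleset: the VLAN interface names (em1_vlan111, em1_vlan113), the WAN gateway 203.0.113.1 and the rule labels are assumed. pf evaluates quick rules top-down and the first match wins, so the local-VLAN pass rule has to sit above the rule that carries a gateway.

```pf
# Added example; interface names, gateway address and labels are assumed.

# --- Before: the VLAN111 "to any" rule has a gateway set ---
# Every packet from VLAN111, including 192.168.111.x -> 192.168.113.10,
# matches here and is handed to route-to, so it leaves on em0 instead of
# being routed to em1_vlan113. Nothing is blocked, so the firewall log
# shows no drops (which is what sgw observed).
pass in quick on em1_vlan111 route-to (em0 203.0.113.1) inet \
    from 192.168.111.0/24 to any keep state \
    label "USER_RULE: VLAN111 net to any via WAN_GW"

# --- After: a plain pass rule for the local VLANs placed ABOVE it ---
# Local destinations match this rule first and follow the system routing
# table (the VLANs are directly connected, so they reach em1_vlan113).
# Only traffic that falls through is still policy-routed out WAN.
table <local_vlans> { 192.168.111.0/24, 192.168.112.0/24, 192.168.113.0/24 }
pass in quick on em1_vlan111 inet \
    from 192.168.111.0/24 to <local_vlans> keep state \
    label "USER_RULE: bypass policy routing for local VLANs"
pass in quick on em1_vlan111 route-to (em0 203.0.113.1) inet \
    from 192.168.111.0/24 to any keep state \
    label "USER_RULE: VLAN111 net to any via WAN_GW"

# Replies from VLAN113 hosts arrive on em1_vlan113; the "VLAN113 net to any"
# rule from the original post (no gateway) covers that direction.
```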
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.