Firewall/Routing Between Connected VLANs



  • I can't seem to find any relevant threads, at least not recent ones for 2.3.3…

    I have a pfSense box, with 2 NICs, both Intel Gigabit CT Adapters.

    The WAN connection is em0.
    I have configured 3 VLANs on em1 (111, 112, 113) and assigned these to separate interfaces, labelled VLAN111, VLAN112, VLAN113.
    VLAN111 - 192.168.111.1
    VLAN112 - 192.168.112.1
    VLAN113 - 192.168.113.1

    This em1 interface is connected to a Cisco switch. This switch has all 3 VLANs configured on it. The port that em1 is connected to is configured as a trunk port.
    interface GigabitEthernet0/1
    description pfsense-trunk
    switchport mode trunk

    My primary client machines, on VLAN111 are connected to ports configured as such:
    interface GigabitEthernet0/5
    switchport access vlan 111
    switchport mode access

    I have an ESXi host connected to port 13, with its management port configured for VLAN113.
    interface GigabitEthernet0/13
    description everest-mgmt
    switchport trunk allowed vlan 111-113
    switchport mode trunk

    From pfSense, I can ping hosts on VLAN113. I can ping both the management IP for ESXi (192.168.113.10) and the switch management IP (192.168.113.254).

    All clients on VLAN111 can access the internet through pfSense, but cannot ping any host on VLAN113. I can't test VLAN112, as there are no hosts on this VLAN.

    I have the default LAN to any rule that should allow traffic into VLAN112 and VLAN113, and matching rules in each VLAN112/113 allowing traffic from these networks to any.



    I really don't know what to check next. From what I've read, pfSense will route between connected VLANs, provided the firewall rules allow. I see no reason why my firewall rules don't allow it.

    Thoughts?



  • Are you testing Windows hosts that aren't replying? Often Windows is only configured to respond to ICMP packets from within its own network. Example: a host on vlan111 with IP 192.168.111.2 may not be able to get a response from a host on vlan112 with IP 192.168.112.2, because the 3rd octet is different.



  • I thought of that too. I've disabled the Windows firewall, and even tried to use an Ubuntu server on 111 to ping the management interfaces on 113. Both hosts on 113 are management interfaces; ESXi and Cisco 2960G.


  • You are policy routing. There is probably no reason to specify the gateway on that VLAN111 rule. That is explicitly telling pf what to do with all traffic - send it out WAN.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing



  • @Derelict:

    You are policy routing. There is probably no reason to specify the gateway on that VLAN111 rule. That is explicitly telling pf what to do with all traffic - send it out WAN.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    Yes!! Thank you so much!
    I'm going to have to test the policy based routing for my VPN, but that's secondary right now.
    Saved my skin here today!



  • I found this thread today while I also try to get my fw rules right for allowing traffic between VLANs.

    What puzzles me is that I don't see any blocked packets in the system logs, so the theory that they are routed somewhere else sounds valid ;-)

    Could someone please be more specific?
    Do I need a PASS-rule on every VLAN-interface tab for bypassing?
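As an added illustration of the policy-routing diagnosis given above and of the last question (this is constructed example code, not the thread's or pfSense's own): a small Python model of how pfSense evaluates an interface's rules, using the thread's networks. The gateway name WAN_GW and the 192.168.0.0/16 bypass destination are assumptions.

```python
# Added example, not code from the thread or from pfSense: a small model of how
# pfSense evaluates an interface's rules top-down (first match wins) and how a
# rule with a gateway set (policy routing) bypasses the system routing table.
# Networks are the thread's; the gateway name WAN_GW and the /16 are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    iface: str               # tab the rule sits on (the packet's ingress interface)
    src: str                 # source network, or "any"
    dst: str                 # destination network, or "any"
    gateway: Optional[str]   # None = normal routing; a name = policy routing
    action: str = "pass"

# Directly connected networks of the pfSense box in the thread (its routing table).
CONNECTED = {
    "VLAN111": ipaddress.ip_network("192.168.111.0/24"),
    "VLAN112": ipaddress.ip_network("192.168.112.0/24"),
    "VLAN113": ipaddress.ip_network("192.168.113.0/24"),
}

def _matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def route(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Where a packet entering `iface` ends up: a connected interface name,
    'WAN (...)' or 'blocked' (pfSense denies anything no rule passes)."""
    for r in rules:
        if r.iface != iface or not _matches(r.src, src) or not _matches(r.dst, dst):
            continue
        if r.action != "pass":
            return "blocked"
        if r.gateway is not None:
            # Policy routing: pf hands the packet to that gateway regardless of
            # the routing table, so a local VLAN destination still goes out WAN.
            return f"WAN (policy-routed via {r.gateway})"
        for name, net in CONNECTED.items():
            if ipaddress.ip_address(dst) in net:
                return name
        return "WAN (default route)"
    return "blocked"

# The original poster's VLAN111 "allow all" rule, with the WAN gateway set on it.
BROKEN = [Rule("VLAN111", "192.168.111.0/24", "any", gateway="WAN_GW")]

# The fix from the replies: a pass rule for local destinations, no gateway, placed above it.
FIXED = [Rule("VLAN111", "192.168.111.0/24", "192.168.0.0/16", gateway=None)] + BROKEN
```

With the gateway set on the VLAN111 rule, a ping to 192.168.113.10 is handed to the WAN gateway and never reaches VLAN113; the no-gateway rule above it restores normal routing. Because pf keeps state, only the tab of the interface where the traffic enters needs the pass rule, not every VLAN tab.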

