I can http/ssh all interfaces of pfSense (but not host)



  • I can http/ssh to all interfaces of pfSense (but not hosts that are in those other VLANs).
    Trying to implement inter-VLAN communication.
    I pasted my config below (after looking at https://hardforum.com/threads/pfsense-intervlan-routing.1615335/ && https://forum.pfsense.org/index.php?topic=63397.0).
    Thanks. (Pics attached)

    ![1 - LAN.JPG](/public/imported_attachments/1/1 - LAN.JPG)
    ![2 - OPT1.JPG](/public/imported_attachments/1/2 - OPT1.JPG)
    ![3 - OPT2.JPG](/public/imported_attachments/1/3 - OPT2.JPG)


  • LAYER 8 Global Moderator

    Your rules on OPT1 net with destination OPT1 net are pointless, since you have a rule that says OPT1 net can do anything it wants with any/any.

    If you're not able to talk to LAN from OPT1 net, your issue is most likely software firewalls on your LAN devices not allowing the OPT1 network.

    Your rule on the bottom with destination OPT1 net reject is beyond pointless. It seems you do not understand that pfSense is used to talk OFF OPT1 net, or any other net. Devices do not send traffic to pfSense to talk to devices on their same network. They might ask it for DNS, to resolve something on their network, but when talking to another device on their own network they do not talk to pfSense.

    So rules that try to block or allow access on that network are pointless.

    Rules are evaluated as they enter an interface; the first rule to trigger wins, and no other rules are evaluated. If I am on, say, 192.168.1.100/24 and want to talk to 192.168.1.101/24, why would I send a packet to my gateway pfSense on, say, 192.168.1.1?
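A small model of the two points made above (first-match rule evaluation on the ingress interface, and a host only handing packets to its gateway when the destination is off-subnet), added here as an illustration and not part of the thread. The networks and the three rules are constructed stand-ins for the screenshots, not the poster's actual config.

```python
import ipaddress

# Constructed placeholder networks (not the OP's); OPT1 is the interface whose
# rules are being discussed.
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# (action, source network, destination network); None means "any".
# Ordered top-down as they appear on the OPT1 tab.
OPT1_RULES = [
    ("pass", OPT1_NET, None),        # "OPT1 net -> any": matches everything from OPT1
    ("pass", OPT1_NET, OPT1_NET),    # redundant: already covered by the rule above
    ("reject", None, OPT1_NET),      # bottom reject: never reached for OPT1 sources
]


def first_match(rules, src, dst):
    """pf-style evaluation on the interface a packet enters: return (index, action)
    of the first matching rule; later rules are never consulted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, s_net, d_net) in enumerate(rules):
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return idx, action
    return None, "default-deny"  # pf's implicit deny when nothing matches


def host_forwards_to_gateway(src, dst, prefixlen):
    """A host sends to its default gateway only when the destination lies outside
    its own subnet. On-link peers are reached directly (ARP/MAC), so pfSense
    never sees OPT1 -> OPT1 traffic and cannot filter it."""
    iface = ipaddress.ip_interface(f"{src}/{prefixlen}")
    return ipaddress.ip_address(dst) not in iface.network


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they would (same or broader source and destination)."""
    def covers(a, b):  # does rule a match everything rule b matches?
        _, sa, da = a
        _, sb, db = b
        return (sa is None or (sb is not None and sb.subnet_of(sa))) and \
               (da is None or (db is not None and db.subnet_of(da)))
    return [j for j, r in enumerate(rules)
            if any(covers(rules[i], r) for i in range(j))]


if __name__ == "__main__":
    print(first_match(OPT1_RULES, "192.168.2.10", "192.168.1.50"))  # (0, 'pass')
    print(host_forwards_to_gateway("192.168.2.10", "192.168.2.20", 24))  # False
    print(shadowed(OPT1_RULES))  # [1]
```

The bottom reject rule is not flagged as shadowed because a non-OPT1 source could in principle reach it; it is useless for the reason the reply gives, namely that OPT1-to-OPT1 packets never enter pfSense at all.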



  • Right, LAN1 <> LAN1 or OPT1 <> OPT1 would go by MAC addresses.

    Ok, thanks for your pointers on the end-device firewall (for not allowing LAN1 <> OPT1 traffic).

    Thanks again for your time.

