Not routing between LAN and VLAN



  • Hi There,

    I've got a LAN, VLAN10, VLAN30 and WAN. It used to work but after a clean shutdown, pfSense doesn't route anymore between LAN and VLAN10.

    The config:
    pfSenseLAN = 192.168.0.250 => PCLAN on Lan is using default gw 192.168.0.250.
    pfSenseVLAN10 = 172.24.10.250 => PCVLAN10 on VLAN10 is using default gw 172.24.10.250. 
    pfsenseVLAN30 = 172.30.10.250 => PCVLAN30 on VLAN30 is using default gw 172.30.10.250.

    PCLAN can ping PCVLAN30, pfsenseLAN and pfsenseVLAN30. CANNOT ping PCVLAN10, pfSenseVLAN10

    PCVLAN10 can ping PCVLAN30, pfsenseLAN, pfSenseVLAN10 and pfsenseVLAN30.    Cannot ping PCLAN.

    PCVLAN30 can ping PCVLAN10, PCLAN, pfsenseLAN, pfSenseVLAN10 and pfsenseVLAN30

    First rule on LAN, VLAN10 and VLAN30 is: IPv4 ICMP anytype,  any source to any destination pass

    Capture on pfsenseVLAN10 shows PCVLAN10 sending ping request to PCLAN
    Capture on PCLAN doesn't see ping

    I'm using pfsense 2.3.1

    Any help greatly appreciated because I don't know what else to try :o.

    O.



  • Post a network map.  Are you using an L2 switch trunked to PFsenseLAN or separate dumb switches?

    What does your log look like?  Are you seeing blocks?  If so, on what interfaces?

    The first thing I would do is add an any/any rule to every interface.  Second, disable the software firewall on your test endpoint devices until basic IP connectivity is established.

    At this point, you should have a route to all subnets (check your routing table) and an any/any rule on all your interfaces…. so you "should" be able to ping anything from anywhere.  If not, you would just need to start in with a troubleshooting progression.... e.g.... Verify connections.  Verify IPs and subnet masks.  Verify your DHCP server is handing out the correct default gateway.  Can the PCs ping the default gateway?

    Then, depending on your topology and equipment used... are the correct VLANs tagged/untagged on the correct ports?  If you're using Cisco gear and have an "allowed" statement configured... are the correct VLANs allowed across the trunk?  Did you configure a custom native VLAN?

    Not that this is contributing to your main issue, but it appears you are using a mixture of tagged and untagged traffic on your network...  but what many do... is leave the LAN interface (parent interface) unconfigured and use all VLANs.  Worth a shot if nothing else works.... but there are many questions that need answers first.
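The troubleshooting progression in the reply above (verify IPs, masks and default gateways; work out which pfSense interfaces a packet between two PCs should cross; check the filter log for blocks and on which interface they land), as an added Python example that is not part of this thread or of pfSense itself. It assumes /24 masks and the interface names LAN/VLAN10/VLAN30, since the post gives addresses but neither; the host addresses and the log lines are constructed for this example in the pfSense filterlog CSV layout (leading fields rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, length, source and destination). Compare that field order against a real line from your own /var/log/filter.log before trusting the parser on it.

```python
"""Checklist from the reply: gateway sanity, expected path, blocks per interface."""
import ipaddress
from collections import defaultdict

# Constructed host configs; /24 masks are an assumption (the post gives none).
HOSTS = {
    "PCLAN":    {"ip": "192.168.0.10/24", "gw": "192.168.0.250"},
    "PCVLAN10": {"ip": "172.24.10.10/24", "gw": "172.24.10.250"},
    "PCVLAN30": {"ip": "172.30.10.10/24", "gw": "172.30.10.250"},
}

# pfSense interface addresses from the post; interface names are assumed.
PFSENSE_IFACES = {
    "LAN":    "192.168.0.250/24",
    "VLAN10": "172.24.10.250/24",
    "VLAN30": "172.30.10.250/24",
}

# Constructed filterlog-style lines (not real logs): two blocks leaving em0.
LOG = """\
Jun  1 10:15:01 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,pass,in,4,0x0,,64,1234,0,DF,1,icmp,84,172.24.10.10,192.168.0.10,request,4321,1
Jun  1 10:15:01 pfSense filterlog: 9,,,1000000105,em0,match,block,out,4,0x0,,63,1234,0,DF,1,icmp,84,172.24.10.10,192.168.0.10,request,4321,1
Jun  1 10:15:02 pfSense filterlog: 9,,,1000000105,em0,match,block,out,4,0x0,,63,1235,0,DF,1,icmp,84,172.24.10.10,192.168.0.10,request,4321,2
Jun  1 10:15:05 pfSense filterlog: 5,,,1000000103,em0_vlan30,match,pass,in,4,0x0,,64,99,0,DF,6,tcp,60,172.30.10.10,192.168.0.10,54321,22,0,S
"""

# Leading filterlog fields for an IPv4 entry (assumed from the pfSense log format docs).
FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst"]


def check_gateways(hosts=HOSTS):
    """Return {host: None if its default gateway is on-link, else a description}."""
    problems = {}
    for name, cfg in hosts.items():
        iface = ipaddress.ip_interface(cfg["ip"])
        gw = ipaddress.ip_address(cfg["gw"])
        if gw not in iface.network:
            problems[name] = f"gateway {gw} is not inside {iface.network}"
        elif gw == iface.ip:
            problems[name] = "gateway equals the host's own address"
        else:
            problems[name] = None
    return problems


def iface_for(addr, ifaces=PFSENSE_IFACES):
    """Name of the pfSense interface whose subnet contains addr, or None."""
    a = ipaddress.ip_address(addr)
    for name, cidr in ifaces.items():
        if a in ipaddress.ip_interface(cidr).network:
            return name
    return None


def path_between(src_host, dst_host, hosts=HOSTS):
    """(ingress, egress) pfSense interfaces for src -> dst; equal means same segment."""
    src = ipaddress.ip_interface(hosts[src_host]["ip"]).ip
    dst = ipaddress.ip_interface(hosts[dst_host]["ip"]).ip
    return iface_for(src), iface_for(dst)


def parse_filterlog(line):
    """Split one syslog line into the leading IPv4 filterlog fields, or None."""
    if "filterlog: " not in line:
        return None
    parts = line.split("filterlog: ", 1)[1].split(",")
    if len(parts) < len(FIELDS) or parts[8] != "4":  # IPv6 layout not handled here
        return None
    return dict(zip(FIELDS, parts))


def summarize_blocks(lines):
    """Group blocked entries by real interface: {iface: [(dir, proto, src, dst), ...]}."""
    blocks = defaultdict(list)
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block":
            blocks[rec["iface"]].append((rec["direction"], rec["proto"], rec["src"], rec["dst"]))
    return dict(blocks)


def report():
    """Human-readable run of the three checks over the constructed data."""
    out = [f"{h}: {'ok' if p is None else p}" for h, p in check_gateways().items()]
    ing, eg = path_between("PCVLAN10", "PCLAN")
    out.append(f"PCVLAN10 -> PCLAN enters pfSense on {ing} and must leave on {eg}")
    for iface, entries in summarize_blocks(LOG.splitlines()).items():
        out.append(f"{len(entries)} block(s) on {iface}, first: {entries[0]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

With the constructed data the gateways all check out, the PCVLAN10 to PCLAN ping must enter on VLAN10 and leave on LAN, and the only blocks are outbound on em0, which is exactly the kind of per-interface answer the reply asks for before anything else is changed.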