Isolating VLANs

  • Hi,

    I have a very annoying problem that I'm struggling to troubleshoot even after reading multiple posts on multiple forums.

    I'm trying to learn VLANs by creating an isolated guest VLAN which can access only the Internet. I've created this VLAN (VLAN40) on my switch and also VLAN10 for trusted devices. In these VLANs, I have the client ports untagged with their PVIDs set to the correct VLAN. The port connecting to the physical LAN port of the pfSense box is set as a tagged port in both VLANs.

My firewall rules are set on each interface (trusted and untrusted) and are set to block anything to the subnet of the other VLAN and allow anything else.

    I've tried many firewall configs but all seem to allow traffic between the VLANs. Even a single rule blocking everything. I'm fairly sure it's pfSense doing the routing as disconnecting the pfSense machine seems to stop traffic flowing between the VLANs.

    Thanks in advance.

  • How about you post screenshots of your rules? It's very easy for you to say that your rules are supposed to do this and that but we have only your word for it.

  • Thanks for your reply,

    Screenshots of my rules are attached.

![untrusted rules.PNG](/public/imported_attachments/1/untrusted rules.PNG)
    ![trusted rules.PNG](/public/imported_attachments/1/trusted rules.PNG)

  • Those rules look reasonable.

    Do you have anything on the Floating rules tab?

Do a traceroute from a client on TRUSTED to a client on UNTRUSTED and vice-versa to see what hops the packets are going through. That might give a clue about what is not connected/routed as expected.

  • This is actually one of the weirder parts of the issue, I had thought this myself.

When using ping or tracert in Windows to test between VLANs, I get "Request timed out". However, I can still access the pfSense web interfaces using either IP from both VLANs and can access my WAP in the TRUSTED network from the UNTRUSTED network.

  • Okay, I found what was screwing me up…

    Whilst thinking about something completely different, I realised I had Squid Proxy Server running in pfSense.

    Turning off Squid fixed the issue, I'll have to try and reconfigure that for VLANs later when I have more time.
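The symptom in this thread (ping between VLANs times out, yet the WAP's web UI on the other VLAN is reachable, and everything is fixed by turning off Squid) is what a transparent proxy does to per-interface firewall rules. The model below is an added illustration, not code from the thread or from pfSense/pf itself. It assumes example subnets (192.168.10.0/24 for VLAN10, 192.168.40.0/24 for VLAN40), interface names TRUSTED/UNTRUSTED, the default Squid port 3128, and interception of TCP/80 only; the rule set it evaluates is the one the original poster describes (block the other VLAN's subnet, then allow anything else).

```python
"""Model of why a transparent Squid proxy on pfSense lets HTTP cross VLANs
that the per-interface firewall rules block.

Added illustration, not code from the thread or from pfSense/pf. Subnets,
interface names and the Squid port are assumptions. It models two properties
of pf that the thread's symptom depends on:
  1. rdr rules are applied before filter rules, so the filter evaluates the
     translated destination (127.0.0.1:3128 for intercepted HTTP), not the
     address the client typed.
  2. Squid then opens its own upstream connection from the firewall host to
     the real destination; that connection never enters the client's VLAN
     interface, so that interface's ingress rules never see it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

TRUSTED = ip_network("192.168.10.0/24")    # VLAN10 (assumed addressing)
UNTRUSTED = ip_network("192.168.40.0/24")  # VLAN40 (assumed addressing)
SQUID_PORT = 3128                          # assumed transparent-proxy port


@dataclass(frozen=True)
class Flow:
    iface: str   # pfSense interface the packet arrives on: "TRUSTED"/"UNTRUSTED"
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    dport: int = 0


@dataclass(frozen=True)
class FilterRule:
    iface: str
    action: str                 # "block" or "pass"
    dst: Optional[IPv4Network]  # None means "any destination"


def interface_rules() -> list:
    """The rule set the original poster describes: on each VLAN interface,
    block traffic to the other VLAN's subnet, then allow everything else."""
    return [
        FilterRule("UNTRUSTED", "block", TRUSTED),
        FilterRule("UNTRUSTED", "pass", None),
        FilterRule("TRUSTED", "block", UNTRUSTED),
        FilterRule("TRUSTED", "pass", None),
    ]


def apply_transparent_rdr(flow: Flow, squid_transparent: bool):
    """Emulate the rdr pfSense installs for Squid in transparent mode: TCP/80
    arriving on a LAN-side interface is redirected to Squid on localhost.
    Returns (flow as the filter will see it, whether it was intercepted)."""
    if squid_transparent and flow.proto == "tcp" and flow.dport == 80:
        return Flow(flow.iface, flow.src, "127.0.0.1", "tcp", SQUID_PORT), True
    return flow, False


def filter_decision(flow: Flow, rules) -> str:
    """First matching rule on the ingress interface wins (pfSense rules are
    'quick'); no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.iface != flow.iface:
            continue
        if rule.dst is not None and ip_address(flow.dst) not in rule.dst:
            continue
        return rule.action
    return "block"


def client_outcome(flow: Flow, squid_transparent: bool) -> str:
    """What happens to a client's connection attempt:
    'blocked'  - dropped by the interface rules,
    'routed'   - forwarded by pfSense to the destination,
    'proxied'  - intercepted by Squid, which fetches the destination itself."""
    seen_by_filter, intercepted = apply_transparent_rdr(flow, squid_transparent)
    if filter_decision(seen_by_filter, interface_rules()) == "block":
        return "blocked"
    if intercepted:
        # Squid now connects from pfSense itself to flow.dst. That is an
        # outbound connection from the firewall host, not a packet received on
        # the client's VLAN interface, so the block rule above is never consulted.
        return "proxied"
    return "routed"


if __name__ == "__main__":
    guest = "192.168.40.20"   # constructed guest client on VLAN40
    wap = "192.168.10.5"      # constructed access-point web UI on VLAN10
    for squid in (False, True):
        ping = client_outcome(Flow("UNTRUSTED", guest, wap, "icmp"), squid)
        http = client_outcome(Flow("UNTRUSTED", guest, wap, "tcp", 80), squid)
        print(f"squid transparent={squid!s:5}  ping guest->wap: {ping:8}  "
              f"http guest->wap: {http}")
```

With Squid off the model blocks both ping and HTTP from the guest VLAN to the trusted VLAN; with transparent Squid on, ping is still blocked but HTTP is "proxied", which is exactly the split the thread reports. On a real pfSense box `pfctl -sn` lists the rdr rules the proxy package installed, which is the quickest way to confirm interception is in play. Re-enabling Squid safely means either not running transparent mode on the guest interface at all, or giving Squid its own deny for the trusted subnet (a `dst` ACL with `http_access deny`), because the interface firewall rules cannot do that job once the connection is terminated on the firewall. If HTTPS interception (SSL bump) is also enabled, the same bypass applies to TCP/443, which this model does not cover.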
