VLAN Not Routing Traffic
-
I've created a new VLAN 100 (TestLABnet) 10.0.0.0/24, assigned it to the LAN interface, created Rules on both LAN and VLAN 100(TestLABnet) to allow traffic to and from both, and a rule to allow traffic from VLAN 100 out the WAN interface. I created the new VLAN100 on my Cisco SG300-10 switch and assigned it to the port my Test Server is attached to, as Access Port untagged on VLAN 100. I don't have internet connectivity from the device on VLAN100 but can ping 10.0.0.1. I can also ping 10.0.0.1 on a device connected to the LAN. The attached device is 10.0.0.10 and I cannot ping it from the LAN.
As a Rule Test I set the LAN rule allowing traffic to pass to TestLABnet to block and the ping from LAN to TestLABnet failed, I set it to allow and was able to ping again. So the rule is good. But I've obviously missed something. Anyone got any ideas?
Thanks,
David
-
A VLAN interface on pfSense will be tagged to the switch, not untagged. In your case the SG300 port going to pfSense will have to be a general mode port with pvid vlan 1 (or whatever the LAN VLAN is) and tagged vlan 100.
It might also be better to post screen shots of the rules you make instead of a description of what rules you think you made. At least until we know you have a grasp on what needs to go where.
-
Here are some screenshots of my config… GE5 is the port patched straight through to my Test Server
-
What switch port is connected to pfSense?
If GE5 is connected to your test device, that is not an access port on VLAN 100. VLAN 100 is tagged there, not untagged.
-
GE1 is to the PFSENSE, I changed GE5 to the setting shown in the screenshot above after you guys informed me it should be tagged. Essentially I put it back to what it was before and added the Tagged VLAN100
I've got a Ubiquiti WiFi Controller that has Guestnet (VLAN50) on it connected to GE9 of this switch and I mirrored the settings for Guestnet. Guestnet VLAN50 works fine.
-
Then 100 will also work fine. Did you enable a DHCP server?
We said tagged to pfSense, not tagged to the edge device.
-
I did not enable DHCP on VLAN100 since the devices attached will have static IPs. I thought I had everything correct but canot explain why I cannot ping 10.0.0.10 from the LAN 172.16.220.0/23, I am able to ping 10.0.0.1 which is the VLAN100 gateway from the LAN.
-
Because you did something wrong. Probably at layer 2.
-
What do I need to look @? I mirrored the config of GuestNet I've shown my steps above… What do you see that I missed?
-
Since you posted a switch config that was not the actual switch config, I suggest you screen shot everything again and post it as it actually is.
There isn't anything else to do based on what you already said.
What are you pinging? A common problem given that information is a local firewall on the target host that blocks traffic from other subnets.
-
I changed switch port GE5 to Access on VLAN100 untagged and everything is all good now…
-
Glad you got it sorted out.
