Rules between lan and vlan



  • Hello again
After I had some trouble getting started on my VLANs, now it is time to go to phase 2.
    Now it is time to set some rules between the LAN and the VLANs.

    I'll start with this one:
My server with the virtual pfSense is on my LAN and it has IP 10.10.10.10.
    pfSense has IP 10.10.10.15, and I can reach it from any PC. Works just fine.

I have 5 different VLANs, and all my PCs are located on different VLANs. The VLANs have the following IPs:
    vlan10 - 10.0.10.1
    vlan20 - 10.0.20.1
    vlan30 - 10.0.30.1
    vlan40 - 10.0.40.1
    vlan50 - 10.0.50.1

    My PROBLEM is:
When I sit at a PC that has IP address 10.0.10.1, I CANNOT access my server that has IP address 10.10.10.10.

    Can I fix this problem by any rule?



  • Can you post your firewall rules for these interfaces?

    Traffic is evaluated as it enters an interface.

If you want your PC on the 10.0.10.0/24 subnet to access pfSense on the 10.10.10.0/24 subnet, then you need to add a firewall rule to allow that traffic. So add a rule on 10.0.10.0/24's interface to allow traffic to destination 10.10.10.0/24. (I'm assuming you're using /24 subnets.)

OPT interfaces (VLANs or other physical interfaces) by default have no rules, so all traffic is blocked. Traffic will not pass between segments unless you allow it to happen.



  • @DanC:

    Can you post your firewall rules for these interfaces?

    Traffic is evaluated as it enters an interface.

If you want your PC on the 10.0.10.0/24 subnet to access pfSense on the 10.10.10.0/24 subnet, then you need to add a firewall rule to allow that traffic. So add a rule on 10.0.10.0/24's interface to allow traffic to destination 10.10.10.0/24. (I'm assuming you're using /24 subnets.)

OPT interfaces (VLANs or other physical interfaces) by default have no rules, so all traffic is blocked. Traffic will not pass between segments unless you allow it to happen.

Hello
    Here comes my rule for my VLAN. From this network I want to access 10.10.10.10.
    The first rules are only tests.

    https://www.dropbox.com/s/hmppl69o4axftu8/manadzer rules.JPG?dl=0



Your first rule, as you probably understand since you said it was "only a test," isn't necessary. The rule below it also passes all that traffic.

Your traffic might be using a protocol that is not TCP or UDP. If you're trying to ping 10.10.10.10 from that subnet, either add another rule that allows ICMP (under Protocol) or change the protocol of your bottom rule to "Any."

I could ask a million questions about what traffic you want to go where, but you really need to spell it out. Changing the protocol to Any will definitely allow all traffic to leave that interface, but it might not get you where you want to go security-wise.


  • Rebel Alliance Global Moderator

Yeah, as DanC stated, that first rule doesn't make a lot of sense since you have a rule below it that is the same but also allows UDP.

Rules are evaluated top down as traffic enters the interface; the first rule to trigger wins and no other rules are evaluated.

    "When I sit at PC that has IP address 10.0.10.1 then I CAN NOT access my server that has IP address 10.10.10.10."

What exactly are you trying to access this PC with? As DanC also correctly states, if it is ICMP, your rules do not allow for that. Also, do not forget any host firewall that might be running; for example, the Windows out-of-the-box firewall will not allow access from other than its local network. So coming from a VLAN would not be allowed by the host firewall unless you correctly set up the rules on the host firewall to allow it, or turn the firewall off, etc.



  • @johnpoz:

What exactly are you trying to access this PC with? As DanC also correctly states, if it is ICMP, your rules do not allow for that. Also, do not forget any host firewall that might be running; for example, the Windows out-of-the-box firewall will not allow access from other than its local network. So coming from a VLAN would not be allowed by the host firewall unless you correctly set up the rules on the host firewall to allow it, or turn the firewall off, etc.

    Hi

My server (ESXi) has IP 10.10.10.10. My PC has IP 10.0.10.1.
    I need to access my server so that I can continue to configure my virtual machines.
    I need help creating a rule so I can log in to my server.



So long as everything on L1 (Layer 1) is correct, make a rule on your PC's interface that has the following:

    Action:  Pass
    Interface:  Whatever Interface has 10.0.10.1
    Address Family:  IPv4
    Protocol:  Any

    Source:  Single Host or Alias - 10.0.10.1
    Destination:  Single Host or Alias - 10.10.10.10
    Dest Port Range:  Any/Any

That will pass all traffic from your PC to your server. Make sure this is above any "Block" rules, if you add any to that interface.
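The two points made above (a TCP-only rule never matches ping, and rules are evaluated top down with the first match deciding, so the single-host pass has to sit above any block) can be checked before touching the firewall. The following is an added example, not code from the thread or from pfSense: a small simulator of per-interface rule evaluation. The pass rule for 10.0.10.1 to 10.10.10.10 is the one DanC posted; the block rule that keeps the rest of VLAN10 out of the 10.10.10.0/25 management network, the catch-all pass below it, and the sample packets are assumptions constructed for this example.

```python
"""Simulate pfSense-style rule evaluation on one interface.

Added example (not from the thread): rules are checked top down as traffic
enters the interface, the first matching rule decides, and an interface with
no matching rule blocks.  The rulesets and packets below are constructed
for illustration; only the 10.0.10.1 -> 10.10.10.10 pass rule comes from
the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _addr_matches(spec: str, addr: str) -> bool:
    """Match 'any', a single host, or a CIDR network."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    proto: str          # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str            # "any", a host, or a CIDR network
    dst: str
    dport: str = "any"  # destination port as a string, or "any"
    descr: str = ""

    def matches(self, pkt: dict) -> bool:
        # "tcp/udp" matches either protocol; only "any" also covers ICMP (ping).
        if self.proto != "any" and pkt["proto"] not in self.proto.split("/"):
            return False
        if not (_addr_matches(self.src, pkt["src"]) and _addr_matches(self.dst, pkt["dst"])):
            return False
        return self.dport == "any" or str(pkt.get("dport")) == self.dport


def evaluate(rules: list[Rule], pkt: dict) -> tuple[str, str]:
    """Top down, first match wins; nothing matched means the default block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# The two test rules as posted on the VLAN10 interface (assumed shape).
POSTED_VLAN10 = [
    Rule("pass", "tcp", "any", "any", descr="test rule 1: TCP any -> any"),
    Rule("pass", "tcp/udp", "any", "any", descr="test rule 2: TCP/UDP any -> any"),
]

# A corrected ruleset for the same interface.  Order matters: the single-host
# pass sits above the block, and the block above the catch-all pass.
FIXED_VLAN10 = [
    Rule("pass", "any", "10.0.10.1", "10.10.10.10", descr="admin PC -> ESXi host"),
    Rule("block", "any", "10.0.10.0/24", "10.10.10.0/25", descr="VLAN10 -> management net"),
    Rule("pass", "any", "10.0.10.0/24", "any", descr="VLAN10 -> everything else"),
]

# Constructed sample packets; 198.51.100.10 is a documentation address.
PING_TO_SERVER = {"proto": "icmp", "src": "10.0.10.1", "dst": "10.10.10.10"}
HTTPS_TO_SERVER = {"proto": "tcp", "src": "10.0.10.1", "dst": "10.10.10.10", "dport": 443}
OTHER_HOST_TO_SERVER = {"proto": "tcp", "src": "10.0.10.50", "dst": "10.10.10.10", "dport": 443}
OTHER_HOST_TO_INTERNET = {"proto": "tcp", "src": "10.0.10.50", "dst": "198.51.100.10", "dport": 443}


def swapped(rules: list[Rule]) -> list[Rule]:
    """The same rules with the first two exchanged, to show why order matters."""
    return [rules[1], rules[0], *rules[2:]]


if __name__ == "__main__":
    packets = (
        ("ping to server", PING_TO_SERVER),
        ("HTTPS to server", HTTPS_TO_SERVER),
        ("other host to server", OTHER_HOST_TO_SERVER),
        ("other host to internet", OTHER_HOST_TO_INTERNET),
    )
    for name, rules in (("posted", POSTED_VLAN10), ("fixed", FIXED_VLAN10),
                        ("fixed, block moved to top", swapped(FIXED_VLAN10))):
        print(f"--- {name} ---")
        for label, pkt in packets:
            print(f"  {label:24} {evaluate(rules, pkt)}")
```

With the posted rules the ping is dropped by the implicit default deny, and the second test rule is never consulted for TCP because the first one already matched. With the corrected order the admin PC reaches the host on any protocol while other VLAN10 hosts are kept out of the management network but still reach the Internet; moving the block above the single-host pass silently breaks the admin PC again. The simulator models only pfSense's own rules; a host firewall on the ESXi side is a separate check.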



  • @DanC:

So long as everything on L1 (Layer 1) is correct, make a rule on your PC's interface that has the following:

    Action:  Pass
    Interface:  Whatever Interface has 10.0.10.1
    Address Family:  IPv4
    Protocol:  Any

    Source:  Single Host or Alias - 10.0.10.1
    Destination:  Single Host or Alias - 10.10.10.10
    Dest Port Range:  Any/Any

That will pass all traffic from your PC to your server. Make sure this is above any "Block" rules, if you add any to that interface.

    Hi

Thanks for your reply. But I have to tell you that it still does not work. I think something is wrong with my configuration of the VLAN and LAN.
    I attach a picture so you can see how everything is connected.

    My LAN has IP address 10.10.10.1/25.
    Port 6 on SW1 and SW2 is not configured, and they give me IP address 10.10.10.xx.

My VLAN101 has IP address 10.0.10.1/24.

    I think I have to move my server to a vlan network.

    https://www.dropbox.com/s/m1wtae3785jysv8/mapswichs.JPG?dl=0



If you have that rule in place, then your settings on the switch are probably not correct. I can say for certain your switch setup is less than ideal. There's probably a reason for your setup, but I'd try to simplify the mess of Internet on port 8 passing through both switches for starters.

There might be a setting on your switch that's causing your lack of interconnectivity. Do you have any port isolation enabled?

Can you ping pfSense from your VLANs? Do you have connectivity from VLAN to VLAN?


  • Rebel Alliance Global Moderator

What is the config on these switch ports? What switch make and model are they?

    What is the config you have on the LAN VM interface on pfSense, and what is the vSwitch configured as? Do you have it set to 4095?

    Where is your vmkernel set up on the ESXi host? Is it just a port group connected to the same physical interface that goes to port 6? What are the vSwitch settings on this port group? If you have it at the default, which is 0, it will strip all tags on VLANs.

    Does your ESXi host have more than 2 interfaces? If so, you could break your vmkernel out to its own interface and vSwitch/port group.



  • @johnpoz:

What is the config on these switch ports? What switch make and model are they?

    What is the config you have on the LAN VM interface on pfSense, and what is the vSwitch configured as? Do you have it set to 4095?

    Where is your vmkernel set up on the ESXi host? Is it just a port group connected to the same physical interface that goes to port 6? What are the vSwitch settings on this port group? If you have it at the default, which is 0, it will strip all tags on VLANs.

    Does your ESXi host have more than 2 interfaces? If so, you could break your vmkernel out to its own interface and vSwitch/port group.

Hi guys
    Thanks for the help. I found the error; it was in the ESXi settings. I missed adding the VLAN to the management network.
    Afterwards it was enough to change some settings in ESXi. I put in a new fixed IP address, and now it works.
    Now I can access the server from any VLAN, but I will limit the VLANs so that not all VLANs can access the management network.

    Here's a picture that shows what I missed:
    https://www.dropbox.com/s/asz02n8pj7pdmr1/fel.JPG?dl=0