Netgate Discussion Forum
    Rules between lan and vlan

    General pfSense Questions - 11 Posts, 3 Posters, 1.8k Views
      njanja

      Hello again
      After I had some trouble getting started on my VLANs, now it is time to go to phase 2.
      Now is the time to set some rules between LAN and VLANs.

      I'll start with this one:
      My server with virtual pfSense is on my LAN and it has IP 10.10.10.10.
      pfSense has IP 10.10.10.15, and I can get to it from any PC. Works just fine.

      I have 5 different VLANs, and all my PCs are located on different VLANs. The VLANs have the following IPs:
      vlan10 - 10.0.10.1
      vlan20 - 10.0.20.1
      vlan30 - 10.0.30.1
      vlan40 - 10.0.40.1
      vlan50 - 10.0.50.1

      My PROBLEM is:
      When I sit at a PC that has IP address 10.0.10.1, I CAN NOT access my server that has IP address 10.10.10.10.

      Can I fix this problem with a rule?


        DanC

        Can you post your firewall rules for these interfaces?

        Traffic is evaluated as it enters an interface.

        If you want your PC on 10.0.10/24 subnet to access pfSense on 10.10.10/24 subnet, then you need to add a firewall rule to allow that traffic.  So add a rule on 10.0.10.0/24's interface to allow traffic to destination 10.10.10.0/24.  (I'm assuming you're using /24 subnets)

        OPT interfaces (VLANs or other physical interfaces) by default have no rules, so all traffic is blocked.  Traffic will not pass between segments unless you allow it to happen.


          njanja

          @DanC:

          Can you post your firewall rules for these interfaces?

          Traffic is evaluated as it enters an interface.

          If you want your PC on 10.0.10/24 subnet to access pfSense on 10.10.10/24 subnet, then you need to add a firewall rule to allow that traffic.  So add a rule on 10.0.10.0/24's interface to allow traffic to destination 10.10.10.0/24.  (I'm assuming you're using /24 subnets)

          OPT interfaces (VLANs or other physical interfaces) by default have no rules, so all traffic is blocked.  Traffic will not pass between segments unless you allow it to happen.

          Hi

          Hello
          Here comes my rule for my VLAN. From this network I want to access 10.10.10.10.
          The first rules are only tests.

          https://www.dropbox.com/s/hmppl69o4axftu8/manadzer%20rules.JPG?dl=0


            DanC

            Your first rule, as you probably understand since you said it was "only test," isn't necessary.  The rule below it also passes all that traffic.

            Your traffic might be using a protocol that is not TCP or UDP.  If you're trying to ping 10.10.10.10 from that subnet, either add another rule that allows ICMP (under protocol) or change the protocol of your bottom rule to "Any."

            I could ask a million questions about what traffic you want to go where, but you really need to spell it out.  Changing the protocol to Any will definitely allow all traffic to leave that interface, but it might not get you where you want to go security-wise.


              johnpoz LAYER 8 Global Moderator

              Yeah, as DanC stated, that first rule doesn't make a lot of sense since you have a rule below it that is the same but also allows UDP.

              Rules are evaluated top down as traffic enters the interface; the first rule to trigger wins and no other rules are evaluated.

              "When I sit at a PC that has IP address 10.0.10.1, I CAN NOT access my server that has IP address 10.10.10.10."

              What exactly are you trying to access this PC with?  If ICMP, as DanC also correctly states, your rules do not allow for that.  Also do not forget any host firewall that might be running; for example, the Windows out-of-the-box firewall will not allow access from other than its local network. So coming from a VLAN would not be allowed by the host firewall unless you correctly set up the rules on the host firewall to allow it, or turn the firewall off, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11


                njanja

                @johnpoz:

                What exactly are you trying to access this PC with?  If ICMP, as DanC also correctly states, your rules do not allow for that.  Also do not forget any host firewall that might be running; for example, the Windows out-of-the-box firewall will not allow access from other than its local network. So coming from a VLAN would not be allowed by the host firewall unless you correctly set up the rules on the host firewall to allow it, or turn the firewall off, etc.

                Hi

                My server (ESXi) has IP 10.10.10.10. My PC has IP 10.0.10.1.
                I need to access my server so that I can continue to configure my virtual machines.
                I need help creating a rule so I can log in to my server.


                  DanC

                  So long as everything on L1 is correct, make a rule on your PC's interface that has the following:

                  Action:  Pass
                  Interface:  Whatever Interface has 10.0.10.1
                  Address Family:  IPv4
                  Protocol:  Any

                  Source:  Single Host or Alias - 10.0.10.1
                  Destination:  Single Host or Alias - 10.10.10.10
                  Dest Port Range:  Any/Any

                  That will pass all traffic from your PC to your Server.  Make sure this is above any "Block" rules, if you add any to that interface.


                    njanja
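To make the evaluation model from the two replies above concrete (johnpoz's "top down, first rule to trigger wins" and DanC's host-to-host rule with protocol Any), here is an added illustration that is not code from any poster or from pfSense itself. It models rules as tuples of action, protocol, source and destination, with the implicit default block that an OPT/VLAN interface has when nothing matches; the VLAN10 rule set is a constructed stand-in for the screenshot in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"  # stands for pfSense's "any" source/destination

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str      # CIDR; a bare host address is treated as /32
    dst: str

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str

def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto == "any" or pkt.proto in rule.proto.split("/")
    return proto_ok and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Rules are checked top down as traffic enters the interface; the first
    match decides. With no match, a VLAN (OPT) interface falls through to
    the implicit default block, reported here as index None."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "block", None

def is_redundant(rules: List[Rule], idx: int, samples: List[Packet]) -> bool:
    """True if dropping rules[idx] changes no decision for the sample packets."""
    trimmed = rules[:idx] + rules[idx + 1:]
    return all(evaluate(rules, p)[0] == evaluate(trimmed, p)[0] for p in samples)

# Constructed stand-in for the poster's VLAN10 rules: a TCP-only rule stacked
# above a TCP/UDP rule with the same source and destination.
VLAN10_RULES = [
    Rule("pass", "tcp",     "10.0.10.0/24", ANY),
    Rule("pass", "tcp/udp", "10.0.10.0/24", ANY),
]
# DanC's suggested single-host rule with protocol "Any".
HOST_RULE = [Rule("pass", "any", "10.0.10.1", "10.10.10.10")]

PING = Packet("icmp", "10.0.10.1", "10.10.10.10")   # ping to the ESXi host
SSH = Packet("tcp", "10.0.10.1", "10.10.10.10")      # any TCP session to it
```

Running `evaluate(VLAN10_RULES, PING)` returns `('block', None)`, which is why ping fails with TCP/UDP-only rules, while `is_redundant(VLAN10_RULES, 0, [PING, SSH])` confirms the first rule adds nothing over the one below it.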

                    @DanC:

                    So long as everything on L1 is correct, make a rule on your PC's interface that has the following:

                    Action:  Pass
                    Interface:  Whatever Interface has 10.0.10.1
                    Address Family:  IPv4
                    Protocol:  Any

                    Source:  Single Host or Alias - 10.0.10.1
                    Destination:  Single Host or Alias - 10.10.10.10
                    Dest Port Range:  Any/Any

                    That will pass all traffic from your PC to your Server.  Make sure this is above any "Block" rules, if you add any to that interface.

                    Hi

                    Thanks for your reply. But I have to tell you that it still does not work. I think something is wrong with my configuration of VLAN and LAN.
                    I attach a picture so you can see how everything is connected.

                    My LAN has IP address 10.10.10.1/25.
                    Port 6 on SW1 and SW2 are not configured and they give me IP address 10.10.10.xx.

                    My VLAN101 has IP address 10.0.10.1/24.

                    I think I have to move my server to a VLAN network.

                    https://www.dropbox.com/s/m1wtae3785jysv8/mapswichs.JPG?dl=0


                      DanC

                      If you have that rule in place, then your settings on the switch are probably not correct.  I can say for certain, your switch setup is less than ideal.  There's probably a reason for your setup, but I'd try to simplify the mess of Internet on port 8 passing through both switches for starters.

                      Might be a setting on your switch that's causing your lack of interconnectivity.  Do you have any port isolation enabled?

                      Can you ping pfSense from your VLANs?  Do you have connectivity from VLAN to VLAN?


                        johnpoz LAYER 8 Global Moderator

                        What is the config on these switch ports?  What switch make and model are they?

                        What is the config you have on the LAN VM interface on pfSense, and what vSwitch is configured? Do you have it set to 4095?

                        Where is your vmkernel set up on the ESXi host?  Is it just a port group connected to the same physical interface that goes to port 6?  What are the vSwitch settings on this port group?  If you have it at the default, which is 0, it will strip all tags on VLANs.

                        Does your ESXi host have more than 2 interfaces?  If so, you could break your vmkernel out to its own interface and vSwitch/port group.



                          njanja

                          @johnpoz:

                          What is the config on these switch ports?  What switch make and model are they?

                          What is the config you have on the LAN VM interface on pfSense, and what vSwitch is configured? Do you have it set to 4095?

                          Where is your vmkernel set up on the ESXi host?  Is it just a port group connected to the same physical interface that goes to port 6?  What are the vSwitch settings on this port group?  If you have it at the default, which is 0, it will strip all tags on VLANs.

                          Does your ESXi host have more than 2 interfaces?  If so, you could break your vmkernel out to its own interface and vSwitch/port group.

                          Hi guys
                          Thanks for the help. I found the error: it was in the ESXi settings, I missed adding the VLAN in the manager network.
                          Afterwards it was enough to change some settings in ESXi. I put in a new fixed IP address, and now it works.
                          Now I can access the server from any VLAN, but I will limit the VLANs so that not all VLANs can access the MANAGER network.

                          Here's a picture that shows what I missed:
                          https://www.dropbox.com/s/asz02n8pj7pdmr1/fel.JPG?dl=0

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.