Traceroute Doesn't Leave vSwitch - pfSense Directly Routed?



  • I'm trying to create two networks at the moment. One will be the future "LAN" network for all my internal traffic. The other will just be there to access the pfSense management web GUI/shell.

    I've created two VLANs, 100 and 101. Each is identical and has its own "copy" of Ubuntu with traceroute installed (Ubuntu on VLAN 100 is 172.16.100.3; Ubuntu on VLAN 101 is 172.16.101.3). My hope was that doing a traceroute from one Ubuntu to the other would cross over to my physical router, but it looks like pfSense has handled this directly, per the screenshot of the traceroute.

    Is this something I just adjust with routing rules? Firewall rules? Ideally my physical router will handle all the routing traffic, as I'm just using pfSense as a future VPN gateway out to the internet/firewall packet inspection.

    How can I make it so traffic from one VLAN always has to exit the vSwitch and be routed by my physical router?

    ![Screen Shot 2018-03-31 at 12.05.00 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-31 at 12.05.00 PM.png)
    ![Screen Shot 2018-03-31 at 12.04.34 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-31 at 12.04.34 PM.png)



  • EDIT: I think my initial impression was correct that pfSense is not allowing my physical router to do VLAN communication by default. I changed my default gateway to pfSense in the Ubuntu route table. So with Ubuntu configured to use 172.16.100.2 (pfSense) as its default gateway, I get the attached. So it does seem like pfSense is able to directly route from one VLAN to another, which is not ideal.

    What must I configure so that pfSense doesn't allow routing from VLAN 100 to 101 directly (i.e. use the physical router) and vice versa?

    ![Screen Shot 2018-03-31 at 12.41.35 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-31 at 12.41.35 PM.png)


  • Rebel Alliance Global Moderator

    If you don't want them using pfSense as their router, then don't point them at the pfSense interface as their gateway.

    If you don't want to allow traffic between VLANs, then firewall them at pfSense.
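    As an added illustration (not code from anyone in this thread or from pfSense itself), the following Python model of the thread's topology shows both points of the answer above: the host's default gateway decides who forwards a packet to 172.16.101.3, and once pfSense is that gateway, only an interface rule on its VLAN 100 side stops it from routing between the two directly attached VLANs. The route tables, the rule set and the interface name "VLAN100" are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (not a pfSense feature):
# Ubuntu 172.16.100.3 on VLAN 100, physical router 172.16.100.1, pfSense at
# 172.16.100.2 with a second leg on VLAN 101 (172.16.101.0/24).

def next_hop(routes, dst):
    """Longest-prefix-match lookup. routes = [(prefix, gateway)], where a
    gateway of None means the prefix is directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def pfsense_allows(rules, iface, src, dst):
    """pfSense-style filtering: rules are evaluated on the interface the packet
    enters, first match wins, and anything unmatched is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, action, r_src, r_dst in rules:
        if (r_iface == iface and src in ipaddress.ip_network(r_src)
                and dst in ipaddress.ip_network(r_dst)):
            return action == "pass"
    return False

# Ubuntu only knows its own subnet; everything else goes to the default gateway.
def ubuntu_routes(default_gw):
    return [("172.16.100.0/24", None), ("0.0.0.0/0", default_gw)]

# pfSense has both VLANs directly connected, so it can forward between them.
PFSENSE_ROUTES = [("172.16.100.0/24", None), ("172.16.101.0/24", None),
                  ("0.0.0.0/0", "wan-gw")]

# Hypothetical VLAN100 rule set: block VLAN100 -> VLAN101 ahead of the catch-all pass.
VLAN100_RULES = [("VLAN100", "block", "172.16.100.0/24", "172.16.101.0/24"),
                 ("VLAN100", "pass",  "172.16.100.0/24", "0.0.0.0/0")]

def who_forwards(default_gw, dst="172.16.101.3"):
    """Returns which device forwards Ubuntu's packet toward dst and, when that
    device is pfSense, whether its VLAN100 rules let the packet through."""
    first_hop = next_hop(ubuntu_routes(default_gw), dst)
    if first_hop != "172.16.100.2":
        return ("physical-router", None)
    # A None next hop on pfSense means the destination VLAN is directly
    # attached, so pfSense would route the packet itself unless filtered.
    direct = next_hop(PFSENSE_ROUTES, dst) is None
    allowed = pfsense_allows(VLAN100_RULES, "VLAN100", "172.16.100.3", dst)
    return ("pfsense" if direct else "pfsense-upstream", allowed)
```

    With the physical router as gateway the packet never reaches pfSense; with pfSense as gateway it would be routed locally, and only the block rule keeps VLAN 100 away from VLAN 101.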



  • Makes sense.

    I'm an amateur at most of this, so my thought process was "if my VM (Ubuntu) is compromised and someone redirects its default gateway from 172.16.100.1 (physical router) to 172.16.100.2 (my pfSense), they now have some way to access my pfSense management interface." I was hoping to have my physical router do the VLAN packet inspection and drop the packets that aren't generated from a certain VLAN, for no other reason than the router is built to be a very low-resource/efficient router.

    I thought my vSphere config would cause all traffic to route to the physical router due to the separation of VLANs, but that doesn't seem to be the case.