Netgate Discussion Forum
    Routing between multiple subnets

    Routing and Multi WAN
    6 Posts 2 Posters 911 Views
    Celestialdeath99:

      Hello,
      I have recently switched from another firewall to pfSense and I am having difficulties getting devices on my subnets to talk with each other.

      I currently have 2 main interfaces besides the WAN. They are the LAN interface with a network of 192.168.1.1/24 and my WLAN interface that connects to my WiFi AP with a network of 192.168.2.1/24. DHCP is enabled on both interfaces to serve the appropriate address ranges accordingly.

      The 3rd interface is a VLAN that uses the same physical port as the LAN interface and has a VLAN tag of 2, and a network of 192.168.4.1/24. That one also has DHCP enabled.

      For both the LAN and ESXI networks, they are connected to a TP-Link T1600AG-28TS gigabit L2 Smart Managed Switch. The switch is configured to accept the VLAN tag on the ports, and I know the VMware ESXI host is also configured properly. The VM running on that host has an IP of 192.168.4.2 and is able to connect to the internet just fine.

      Here is a map of the network for reference:

      The Issue:
      Let's say I am on the laptop on the LAN network with an IP address of 192.168.1.2 and I want to access the remote desktop of the VM with an IP of 192.168.4.2; however, all I get is a request timed out error. In my firewall, on the appropriate interfaces, I have rules to allow traffic from one network to the other:

      ESXI to LAN:

      LAN to ESXI:

      Yet if I use that laptop to ping 192.168.4.1 it works with no issues:

      However, if I take my laptop that is on the WLAN network with an IP of 192.168.2.3 and browse to the NAS drive on the LAN network with an IP of 192.168.1.25 it works without issue.

      How can I fix it so that I can have my devices communicate across the subnets? Is there something different I need to do for the VLAN interface?

      Derelict (Netgate):

        Looks like either the 192.168.4.0/24 network isn't properly tagged through to ESXi or there is a firewall on host 192.168.4.2 that is blocking traffic from other subnets.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Celestialdeath99:

          That was my original thought as well. The VM is a Windows 10 machine, but I have disabled the firewall completely. However, I am fairly certain the VLAN is tagged correctly. When I first set it up I had tagged the wrong port on the switch and the VM could not connect. As soon as I changed the tag to the right port, the VM was able to get an IP from the pfSense DHCP server and it is able to browse the internet just fine.

          Derelict (Netgate):

            Well if it was correct it would be working. :/

            There is nothing really to do other than what you have done unless there are other rules you haven't posted that are interfering before getting to the ones you have. Probably want to post the whole rule set on LAN and ESXi.


            Celestialdeath99:

              Here are the rules for the networks:

              LAN:

              ESXI:

              Hrm, I just realized I wrote the descriptions backwards for the two rules. Oh well.

              Derelict (Netgate):

                Those are fine. The rules on LAN sourcing from ESXi and the rules on ESXi sourcing from LAN don't make any sense but shouldn't be blocking the traffic.

                Based on that though you should probably take a look at these:

                https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting


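To make the last point concrete, here is an added example (not from the thread and not pfSense code): a small Python model of how pfSense evaluates interface rules, using the interface names and subnets given above. It assumes the rule sets the thread describes, that is a cross-subnet pass rule plus the default "net to any" rule on LAN and ESXI, and the default rule on WLAN; interface names and the "X net" aliases are constructed to match the posts.

```python
import ipaddress

# Subnets from the thread (interface name -> network), constructed topology.
NETS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "WLAN": ipaddress.ip_network("192.168.2.0/24"),
    "ESXI": ipaddress.ip_network("192.168.4.0/24"),
}

# Rules live on an interface and are evaluated only against traffic ENTERING
# that interface: first match wins, implicit deny at the end.  Each rule is
# (action, source alias, destination alias); "any" matches everything.
RULES = {
    "LAN": [
        ("pass", "ESXI net", "LAN net"),   # inert: nothing from 192.168.4.0/24 ever enters LAN
        ("pass", "LAN net", "any"),        # the default "allow LAN to any" rule
    ],
    "ESXI": [
        ("pass", "LAN net", "ESXI net"),   # mirrored mistake, equally inert
        ("pass", "ESXI net", "any"),
    ],
    "WLAN": [("pass", "WLAN net", "any")],
}

def ingress_interface(src):
    """Interface a packet from src arrives on (each subnet sits on its own interface)."""
    for name, net in NETS.items():
        if ipaddress.ip_address(src) in net:
            return name
    return "WAN"

def alias_matches(alias, addr):
    if alias == "any":
        return True
    return ipaddress.ip_address(addr) in NETS[alias.split()[0]]

def evaluate(src, dst):
    """Return (verdict, index of the matching rule or None) for a new flow src -> dst."""
    iface = ingress_interface(src)
    for i, (action, s, d) in enumerate(RULES.get(iface, [])):
        if alias_matches(s, src) and alias_matches(d, dst):
            return action, i
    return "block", None  # no rule matched: default deny

def unreachable_rules():
    """Rules whose source alias can never appear on their own interface."""
    return [(iface, i) for iface, rules in RULES.items()
            for i, (_, s, _) in enumerate(rules)
            if s != "any" and s.split()[0] != iface]
```

Because pfSense is stateful, the VM's replies match the state created by the laptop's first packet, so only that packet's ingress interface and rules matter. The model passes the laptop-to-VM flow on the default LAN rule, which is why the timeout in the thread has to come from outside the rule set (VLAN tagging or the host itself).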
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.