Routing between multiple subnets
-
Hello,
I have recently switched from another firewall to pfsense and I am having difficulties getting devices on my subnets to talk with each other.I currently have 2 main interfaces besides the WAN. They are the LAN interface with a network of 192.168.1.1/24 and my WLAN interface that connects to my WiFi AP with a network of 192.168.2.1/24. DHCP is enabled on both interfaces to server the appropriate address ranges accordingly.
The 3rd interface is a VLAN that uses the same physical port as the LAN interface and has a VLAN tag of 2, and a network of 192.168.4.1/24. That one also has DHCP enabled.
For both the LAN and ESXI networks, they are connected to a TP-Link T1600AG-28TS gigabyte L2 Smart Managed Switch. The switch is configured to accept the VLAN tag on the ports, and I know the VMware ESXI host is also configured properly. The VM running on that host has a IP of 192.168.4.2 and is able to connect to the internet just fine.
Here is a map of the network for reference:
The Issue:
Lets say I am on the laptop on the LAN network with a IP address of 192.168.1.2 and I want to access the remote desktop of the VM with an IP of 192.168.4.2 however all I get is a request timed out error. In my firewall, on the appropriate interfaces, I have rules to allow traffic from one network to the other:ESXI to LAN:
LAN to ESXI:
Yet if I use that laptop to ping 192.168.4.1 it works with no issues:
However, if I take my laptop that is on the WLAN network with a IP of 192.168.2.3 and browse to the NAS drive on the LAN network with a IP of 192.168.1.25 it works without issue.
How can I fix it so that I can have my devices communicate across the subnets? Is there something different I need to do for the VLAN interface?
-
Looks like either the 192.168.4.0/24 network isn't properly tagged through to ESXi or there is a firewall on host 192.168.4.2 that is blocking traffic from other subnets.
-
That was my original thought as well. The VM is a Windows 10 machine, but I have disabled the firewall completely. However, I am fairly certain the VLAN is tagged correctly. When I first set it up I had tagged the wrong port on the switch and the VM could not connect. As soon as I changed the tag to the right port, the VM was able to get a IP from the pfsense DHCP server and it is able to browse the internet just fine.
-
Well if it was correct it would be working. :/
There is nothing really to do other than what you have done unless there are other rules you haven't posted that are interfering before getting to the ones you have. Probably want to post the whole rule set on LAN and ESXi.
-
Here are the rules for the networks:
LAN:
ESXI:
Hrm, I just realized I wrote the descriptions backwards for the two rules. Oh well.
-
Those are fine. The rules on LAN sourcing from ESXi and the rules on ESXi sourcing from LAN don't make any sense but shouldn't be blocking the traffic.
Based on that though you should probably take a look at these:
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
