(Another) Firewall + VLAN Question!

    Hey all,

    Long time lurker, first time poster :)

    I'm hoping someone who is a bit of a pfSense firewall ninja can help me with an issue I've been stumbling over.

    I have pfSense running on a PCEngines APU with three physical interfaces. I use two for WAN (a primary, and a failover), and one to connect to my LAN switch (a Ubiquiti 8-port).

    Physical interfaces configured as follows:

    * WAN = igb0
    * WAN2 = igb1
    * LAN = igb2

    With three VLAN interfaces:

    * GUESTNET = VLAN 120 on igb2 (x.x.120.1/24)
    * IOTNET = VLAN 110 on igb2 (x.x.110.1/24)
    * CCTVNET = VLAN 130 on igb2 (x.x.130.1/24)

    My primary concern here is the CCTVNET VLAN (130). Inside this VLAN is a Hyper-V machine (configured on this VLAN, with an IP address in the correct range). All devices on this VLAN need to be able to communicate with the server. There is to be no outside WAN access (on either the primary or the secondary WAN) from this VLAN, and devices in this VLAN should not be able to reach the LAN.

    I do want the LAN to be able to reach one specific host, though: the Hyper-V CCTV server (x.x.130.2).

    My issue

    So, the CCTV Hyper-V server can get an IP address, which means it must be able to communicate with pfSense, since it is my DHCP server. However, the VM is unable to ping anything but the pfSense gateway address (x.x.130.1). There is an online, active CCTV camera connected on x.x.130.103. This device can be pinged from LAN, but not from the VLAN!

    What I've tried already

    This is confounding me a bit, since I've tried various combinations of firewall rules on the CCTVNET VLAN and not had much luck. I even tried the default allow any/any rule, and this had no effect either. I'm certain traffic is entering the interface correctly, though, because until I enabled the any/any rule on this VLAN I had no DNS capability and no connectivity to the WAN. When I add this rule, I can 'magically' resolve google.com.

    My natural conclusion is to assume that perhaps there's something weird going on with the Hyper-V networking side of things (it wouldn't be the first time), but it did connect and obtain a DHCP address from pfSense.

    Current firewall configuration

    On CCTVNET (pass, no blocks)

    • IPV4, source = any, port = any, destination = CCTVNET net
    • IPV4, source = any, port = any, destination = THIS FIREWALL
    • IPV4, source = any, port = any, destination = WAN net

    On LAN (pass, no blocks)

    • IPV4, source = LAN net, port = any, destination = any
    • IPV6, source = LAN net, port = any, destination = any

    I'm hoping someone can help me before I lose my hair at a slightly quicker rate :)
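Added here as an editor's example, not from the original post or from pfSense itself: a small Python model of how pfSense evaluates the two rulesets quoted above (rules apply to traffic arriving inbound on each interface, first match wins, anything unmatched hits the implicit default deny), which also shows that traffic between two hosts in the same VLAN is switched at layer 2 and never consults those rules at all. The 10.0.x.0/24 prefixes, the LAN subnet and the documentation-range WAN address are constructed stand-ins for the x.x addresses in the post; only the IPv4 rules are modelled.

```python
import ipaddress

# Constructed subnets standing in for the post's x.x.130.0/24 etc.
NETS = {
    "LAN": ipaddress.ip_network("10.0.1.0/24"),        # assumed LAN subnet
    "CCTVNET": ipaddress.ip_network("10.0.130.0/24"),
    "WAN": ipaddress.ip_network("203.0.113.0/24"),     # documentation range
}
# "This Firewall" in pfSense matches every address assigned to the box.
FIREWALL_ADDRS = {ipaddress.ip_address("10.0.130.1"),
                  ipaddress.ip_address("10.0.1.1")}

# Rulesets as listed in the post (all pass rules, source any, port any).
# Note that "WAN net" is only the WAN interface's own subnet, not the Internet.
RULES = {
    "CCTVNET": ["CCTVNET net", "This Firewall", "WAN net"],
    "LAN": ["any"],
}

def iface_of(ip):
    """Interface a packet from this source arrives on, judged by subnet."""
    for name, net in NETS.items():
        if ip in net:
            return name
    return "WAN"

def dst_matches(alias, dst):
    if alias == "any":
        return True
    if alias == "This Firewall":
        return dst in FIREWALL_ADDRS
    return dst in NETS[alias.split()[0]]   # "<IFACE> net" aliases

def verdict(src, dst):
    """'switched' (never reaches pfSense), 'pass', or 'block (default deny)'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_if = iface_of(src)
    # Two hosts in one VLAN talk via the switch; no firewall rule is consulted.
    if dst not in FIREWALL_ADDRS and src_if in NETS and dst in NETS[src_if]:
        return "switched"
    for alias in RULES.get(src_if, []):   # first match wins
        if dst_matches(alias, dst):
            return "pass"
    return "block (default deny)"

if __name__ == "__main__":
    for s, d in [("10.0.130.2", "10.0.130.103"), ("10.0.130.2", "10.0.130.1"),
                 ("10.0.1.20", "10.0.130.2"), ("10.0.130.2", "10.0.1.20"),
                 ("10.0.130.2", "8.8.8.8")]:
        print(f"{s} -> {d}: {verdict(s, d)}")
```

Under this model the VM-to-camera ping inside VLAN 130 is "switched", so the CCTVNET rules cannot be what blocks it, while a CCTVNET host reaching an Internet address hits the default deny because "WAN net" is not "any".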