Issue with Routing to VLAN Interface

cparkervt

I have an entire /24 subnet to carve up, and I have a /30 assigned to one of my WAN interfaces and it's working happily with some VIPs configured as /32 (I know it should match the parent interface, and this may be part of my problem but I'm not sure).

I just created a VLAN interface as another /30 for a layer 2 circuit to a client site; it does not conflict subnet wise with the parent interface subnet, nor any of the VIPs... I should be able to ping it from the outside world but cannot. I can ping it from my LAN subnet just fine, just not the rest of the world. From my understanding the traffic should be coming in via WAN2 and heading over to the VLAN interface internally to pfSense.

I can post screenshots of whatever people think is necessary, I'm just sitting here scratching my head as to why this is misbehaving. I've tried all sorts of WAN2 -> VLANinterface firewall rules and nothing seems to work... I've re-enabled the logging for implicit deny and I see nothing in my logs.

johnpoz

Sounds like more your ISP gave you a /24 vs routing it too you.. You can not just slice that up and put subnet behind pfsense?

Is this /30 the transit for the routed /24?

cparkervt

@johnpoz We were given a /24 from the ISP, and I have configured the WAN2 port in a /30 to talk to the upstream gateway (ISP) which heads off the Internet. I want to be able to assign addresses to the router itself for NAT'ing devices behind it, as well as create VLAN interfaces that will head off down a L2 circuit to client sites.

WAN2 = x.x.x.0/30
VIPs on WAN2 = x.x.x.N/32

VLAN202 = x.x.x.16/30 (x.x.x.17 is assigned to the interface itself)

If I am inside the LAN subnet, I can ping the VLAN interface just fine.
If I am on the Internet I can ping the VIPs but not the VLAN interface.

johnpoz

So this /30 inside your /24 its a subnet of your /24 - not some other transit network..

You can not do that - they are not routing that /24 to you, its just attached. If you want to slice it up it has to be routed to you.

Derelict

If you have justified a /24 from them it should be trivial to get a /29 for the interface so they can route the /24 to you over that.

cparkervt

So what I’m getting is that I should have a /29 assigned as a transit to my pfsense versus trying to carve up the /24 on its own interface delivered directly from the ISP?

johnpoz

Doesn't have to be a /29 it could be a /30 or shoot even a /31 or /28 even, etc. But you need some sort of transit network so they can route the /24 to you.. Just attaching the /24 to their device doesn't allow it to work when you break that network up because they think its directly attached at that layer 2 and they would just arp for it and at worse case just send out the traffic out the interface - they would not direct the traffic to your pfsense wan IP.

Derelict

I always default to a /29 because, at least here in ARIN, it requires no justification so why not get the addresses. And if they ask for justification just say, "VRRP/HA requires 3 addresses."

But technically a /31 or larger would work.

johnpoz

Concur a larger transit sure doesn't hurt ;) and yup a /29 gives you a few address to work with if doing HA, etc.