Allow traffic between VLANs



  • I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.

    On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.



  • @KOM said in Allow traffic between VLANs:

    I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.

    On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.

    I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly. When you assign a VLAN to an OPT interface, you don't see the VLAN in the rules list, you just see the interface. (Edit: Actually, I've never seen VLANs show up in the rules list regardless of how they're setup)

    I'm using VLANs so that I can utilize tagging. Giving them each an interface means I have a larger address space to work with and can have a different DHCP scope for each VLAN.



  • I just tried removing the VLANs from their own interfaces, so they're all just tied to LAN. The VLANs don't show up in the firewall rules page, and I can't setup a rule specific to a VLAN this way.



  • I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me 😆

    I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.



  • @KOM said in Allow traffic between VLANs:

    I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me 😆

    I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.

    Right. The name doesn't actually matter. I have it named "Office". I just left it as OPT for simplicity in this test environment.



  • Updated screen shot setup closer to my production environment:




  • @kingrazor said in Allow traffic between VLANs:

    I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.

    As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actually capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.



  • @Grimson said in Allow traffic between VLANs:

    @kingrazor said in Allow traffic between VLANs:

    I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.

    As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actually capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.

    That's because there's nothing hooked up to that VLAN right this second. There was earlier when I was testing. I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.



  • Are you actually using VLAN tagging?



  • @chpalmer said in Allow traffic between VLANs:

    Are you actually using VLAN tagging?

    Yes



  • @kingrazor

    Can devices on your VLANs access the internet and their own gateway address?



  • @chpalmer said in Allow traffic between VLANs:

    @kingrazor

    Can devices on your VLANs access the internet and their own gateway address?

    Yes



  • @kingrazor said in Allow traffic between VLANs:

    I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.

    If they can reach the Internet with a wide open any rule, and if there is no additional blocking rule created by you, it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.



  • Just a heads up.. I'm in an establishment with a really bright background so please forgive me if I ask something that is obvious above.. :)



  • What subnets are you working with??

    Nothing overlapping is there?



  • @chpalmer said in Allow traffic between VLANs:

    What subnets are you working with??

    Nothing overlapping is there?

    VLAN 1 is 10.0.0.1
    VLAN 2 is 10.0.2.1
    VLAN 3 is 10.0.3.1

    and so on



  • @kingrazor said in Allow traffic between VLANs:

    VLAN 1 is 10.0.0.1
    VLAN 2 is 10.0.2.1
    VLAN 3 is 10.0.3.1

    You're missing half the information there. Is it /8 /12 /24 whatever.



  • @Grimson said in Allow traffic between VLANs:

    @kingrazor said in Allow traffic between VLANs:

    I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.

    If they can reach the Internet with a wide open any rule, and if there is no additional blocking rule created by you, it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.

    Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.



  • @Grimson said in Allow traffic between VLANs:

    @kingrazor said in Allow traffic between VLANs:

    VLAN 1 is 10.0.0.1
    VLAN 2 is 10.0.2.1
    VLAN 3 is 10.0.3.1

    You're missing half the information there. Is it /8 /12 /24 whatever.

    VLAN 1 is 10.0.0.1/24
    VLAN 2 is 10.0.2.1/24
    VLAN 3 is 10.0.3.1/24

    and so on



  • @kingrazor said in Allow traffic between VLANs:

    Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.

    No it does not. Next time test with a serious OS.



  • @Grimson said in Allow traffic between VLANs:

    @kingrazor said in Allow traffic between VLANs:

    Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.

    No it does not. Next time test with a serious OS.

    Oh brother. I'm not going to bother installing an OS that none of my clients will ever use.



  • Windows will treat any out of subnet address as public unless told otherwise..

    And I'm striking that last comment as I'm not sure you can make it treat anything out of its own subnet as a private network.. Others will know better than I..



  • Yep, Windows firewall was the problem. Apparently even allowing ping on public network connections wasn't enough.

    So now on each interface I have an allow any rule at the bottom and block/reject rules above that to restrict traffic across VLANs (except where we want it).
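As an added example (not posted by anyone in the thread), here is how the Windows side can be fixed without turning the firewall off: the built-in echo-request rules are scoped to the local subnet, so a ping routed in from another VLAN is dropped even when "ping" is allowed. The subnets are the /24s given in the thread; the rule display name is an arbitrary label chosen for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# Windows host that should answer pings from the other VLANs.
#
# Windows' default "File and Printer Sharing (Echo Request - ICMPv4-In)" rules use a
# RemoteAddress scope of "Local subnet", so echo requests that pfSense routes in from
# another VLAN (a different /24) never match them. Rather than disabling the firewall,
# add one inbound rule scoped to exactly the subnets that should be allowed.

# VLAN subnets from the thread (/24 each); extend the list for the remaining VLANs.
$vlanSubnets = @('10.0.0.0/24', '10.0.2.0/24', '10.0.3.0/24')

# Arbitrary display name chosen for this example.
$ruleName = 'Allow ICMPv4 Echo from other VLANs'

# Remove any earlier copy so re-running the script does not create duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$ruleParams = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'
    Protocol      = 'ICMPv4'
    IcmpType      = '8'            # ICMP type 8 = Echo Request
    RemoteAddress = $vlanSubnets   # only these subnets, not "Any"
    Profile       = 'Any'          # whichever profile Windows assigned to the NIC
    Action        = 'Allow'
}
New-NetFirewallRule @ruleParams

# Verify the rule exists and show the remote-address scope it was given.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Pings from any subnet not in `$vlanSubnets` still fall through to the default rules, so the cross-VLAN restriction stays enforced on both the pfSense rules and the host.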

