no internet on 3 vlans 3rd ok



  • Trying to set up a box (Dell 210ii, Intel NIC) with WAN, LAN and 4 VLANs, basically as described here: https://nguvu.org/pfsense/pfsense-baseline-setup/

    VLAN 20 with VPN running is good. The other 2 (VLAN 10 is a local management network) are not getting out to the web; I can't see any firewall blocks on them, it just fails to go anywhere.

    [Screenshot: pfSense.localdomain > Firewall > Rules > VLAN_20_OPT5]

    This one is OK.

    [Screenshot: pfSense.localdomain > Firewall > Rules > VLAN_30_OPT6]

    This one is bad.
    This is bad too:

    [Screenshot: pfSense.localdomain > Firewall > Rules > VLAN_40_OPT7]

    I've got these subnets:

    [Screenshot: pfSense.localdomain > Firewall > Aliases > All]

    Being a complete novice at this, the learning curve is high, and any assistance would be welcome.


  • Netgate Administrator

    Ok so you should definitely be able to ping out by IP to, say, 8.8.8.8 from clients in either of those subnets.
    What happens when you try? If it fails what error is shown?

    Do you still have Outbound NAT set to automatic? If it's set to manual you will need rules for the new subnets.

    Steve



  • Thanks for your reply.

    Still can't get out to the internet from LAN, VLAN30 or VLAN40.

    The NAT is set:

    [Screenshot: pfSense.localdomain > Firewall > NAT > Outbound]

    And the firewall log after attempting to connect to leaktest.com is:

    [Screenshot: pfSense.localdomain > Status > System Logs > Firewall > Normal View]

    Can't ping the outside on LAN, VLAN30 or VLAN40.
    Seems odd, as the subnets and NAT seem to be set OK.

    All I require is:

    1. an OpenVPN connection whose internet connection is stopped if the VPN disconnects
    2. a clear route to the ISP
    3. a guest network with limited access
    4. a management net for maintenance etc.
      All of those on VLANs to a UniFi AP, and a hardwired port (or ports) for each of those. This setup seemed to be what I was looking for and, being a novice at networking stuff, seemed OK.
      Any assistance would be really helpful.

  • Netgate Administrator

    Do you have dhcp enabled on those VLANs and are clients connected to them pulling an IP from pfSense?

    Steve



  • Yes, the DHCP server is set for the LAN and VLAN subnets as in the outbound NAT, and when connected to them I receive the appropriate IP address. I can access the web config but not the outside: neither ping (4.4.4.4) nor HTTP pages etc.



  • Pinging 9.9.9.9 gave this (connected to 10.0.30.10):

    [Screenshot: pfSense.localdomain > Status > System Logs > Firewall > Normal View (1)]


  • Netgate Administrator

    None of those blocks are ICMP, so it's not blocking ping.

    The UDP traffic is blocked because 137/138 are not in the allows out WAN alias.

    Run a continuous ping to 9.9.9.9 then check the state table to make sure it is opening states on the vlan30 and wan interfaces.

    Steve




  • Made a few errors in checking pings, but here are the states for VLAN_30, which should just go out to the clear ISP, pinging 9.9.9.9:

    [Screenshot: pfSense.localdomain > Diagnostics > States > States (2)]

    Getting packets going out on ICMP, nothing back (if I understand it correctly).
    On VLAN20, equal in and out.


  • Netgate Administrator

    Yes but you should leave the state table set to all interfaces and filter by 9.9.9.9 so you can see all the states created.

    You should see a state on VLAN_30_OPT6 and another state, with NAT, on WAN.

    Steve



  • Sorry, not really knowing what to do here.

    OK, so this is connected to VLAN30 wifi, interface "all", filtered to 9.9.9.9, whilst pinging 9.9.9.9:

    VLAN_30_OPT6 icmp 10.0.30.10:17324 -> 9.9.9.9:17324 0:0 72 / 0 6 KiB / 0 B

    VPN_WAN2 icmp 10.0.30.10:17324 -> 9.9.9.9:17324 0:0 72 / 0 6 KiB / 0B

    Is that 72 out, nothing back?


  • Netgate Administrator

    Yes it is, but more importantly it's leaving via VPN_WAN2, which seems like that's not what you intended.

    I think your VPN connection is pushing a new default route when it connects so all the traffic without a gateway set will then use it. And since you don't have outbound NAT rules for that it leaves with the internal, unroutable, source IP and sees no replies.

    Edit your VPN client and set 'Don't pull routes' to prevent the remote server setting a new default route. Check the routing table when it connects to be sure.

    Steve
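    Steve's three checks on the state table, written up as an added example (mine, not from the thread or from pfSense): it parses rows in the form pasted above and flags packets out with none back, an egress interface other than the expected WAN, and an RFC 1918 source that was never translated. The interface name "WAN" and the healthy rows are assumptions.

```python
import ipaddress
import re
# One row of Diagnostics > States as pasted in the thread:
# "<iface> <proto> <src>:<port> -> <dst>:<port> <state> <out> / <in> <bytes>"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"\S+\s+(?P<pkts_out>\d+)\s*/\s*(?P<pkts_in>\d+)\b.*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rows pasted in the thread (VLAN30 client pinging 9.9.9.9 with the VPN up).
SAMPLE_BROKEN = """\
VLAN_30_OPT6 icmp 10.0.30.10:17324 -> 9.9.9.9:17324 0:0 72 / 0 6 KiB / 0 B
VPN_WAN2 icmp 10.0.30.10:17324 -> 9.9.9.9:17324 0:0 72 / 0 6 KiB / 0B
"""
# Constructed rows for the healthy case: one state on the VLAN and one NATed
# state on WAN with replies flowing (203.0.113.5 is a placeholder WAN address).
SAMPLE_HEALTHY = """\
VLAN_30_OPT6 icmp 10.0.30.10:17324 -> 9.9.9.9:17324 0:0 72 / 72 6 KiB / 6 KiB
WAN icmp 203.0.113.5:17324 -> 9.9.9.9:17324 0:0 72 / 72 6 KiB / 6 KiB
"""

def parse_states(text):
    """Return dicts {iface, proto, src, dst, out, in}; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rows.append({"iface": m["iface"], "proto": m["proto"],
                         "src": m["src"].rsplit(":", 1)[0], "dst": m["dst"].rsplit(":", 1)[0],
                         "out": int(m["pkts_out"]), "in": int(m["pkts_in"])})
    return rows

def diagnose(states, internal_ifaces, expected_egress):
    """Apply Steve's three checks; an empty list means the path looks sane."""
    findings, egress_seen = [], False
    for s in states:
        if s["out"] and not s["in"]:
            findings.append(f"{s['iface']}: {s['out']} packets out, none back")
        if s["iface"] in internal_ifaces:
            continue  # the state on the VLAN side legitimately keeps the private source
        egress_seen |= s["iface"] == expected_egress
        if s["iface"] != expected_egress:
            findings.append(f"{s['iface']}: leaving via {s['iface']}, not {expected_egress} "
                            "(pushed default route?)")
        if any(ipaddress.ip_address(s["src"]) in n for n in RFC1918):
            findings.append(f"{s['iface']}: source {s['src']} not translated (no outbound NAT)")
    if not egress_seen:
        findings.append(f"no state on {expected_egress}")
    return findings
```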



  • Many thanks Steve! You're a genius! Adding route-nopull worked.

    VLAN30 is clear to the ISP, and VLAN20 is on the VPN and does not go outside when the VPN connection is dead.
    Problem sorted!! Thanks again!!

