Netgate Discussion Forum
No internet on 3 VLANs, 3rd OK

Problems Installing or Upgrading pfSense Software
fin1000:

Trying to set up a box (Dell 210ii, Intel NIC) with WAN, LAN and 4 VLANs, basically as described here: https://nguvu.org/pfsense/pfsense-baseline-setup/

VLAN 20 with the VPN running is good. The other 2 (VLAN 10 is a local management network) are not getting out to the web. I can't see any firewall blocks on them; it just fails to go anywhere.

[screenshot: Firewall > Rules > VLAN_20_OPT5]

This one is OK.

[screenshot: Firewall > Rules > VLAN_30_OPT6]

This one is bad.

[screenshot: Firewall > Rules > VLAN_40_OPT7]

This one is bad too.

I've got these subnets:

[screenshot: Firewall > Aliases > All]

Being a complete novice at this, the learning curve is high and any assistance would be welcome.

stephenw10 (Netgate Administrator):

OK, so you should definitely be able to ping out by IP to, say, 8.8.8.8 from clients in either of those subnets.
        What happens when you try? If it fails what error is shown?

        Do you still have Outbound NAT set to automatic? If it's set to manual you will need rules for the new subnets.

        Steve

fin1000:

          Thanks for your reply.

Still can't get out to the internet from LAN, VLAN30 or VLAN40.

The NAT is set:

[screenshot: Firewall > NAT > Outbound]

And the firewall log after attempting to connect to leaktest.com is:

[screenshot: Status > System Logs > Firewall > Normal View]

Can't ping to the outside on LAN, VLAN30 or VLAN40.
Seems odd, as the subnets and NAT seem to be set OK.

All I require is:

1. An OpenVPN connection whose internet connection is stopped if the VPN disconnects.
2. A clear route to the ISP.
3. A guest network with limited access.
4. A management net for maintenance etc.

All of those on VLANs to a UniFi AP, plus hardwired port(s) for each of those. This setup seemed to be what I was looking for and, being a novice at networking stuff, seemed OK.
Any assistance would be really helpful.
stephenw10 (Netgate Administrator):

Do you have DHCP enabled on those VLANs, and are clients connected to them pulling an IP from pfSense?

            Steve

fin1000:

Yes, the DHCP server is set for the LAN and VLAN subnets as in the outbound NAT, and a client connected to them receives the appropriate IP address. It can access the web config but not the outside: neither ping (4.4.4.4) nor HTTP pages etc.

fin1000:

Pinging 9.9.9.9 (client connected as 10.0.30.10) gave this:

[screenshot: Status > System Logs > Firewall > Normal View (1)]

stephenw10 (Netgate Administrator):

None of those blocks are ICMP, so they are not blocking ping.

The UDP traffic is blocked because 137/138 are not in the "allows out WAN" alias.

                  Run a continuous ping to 9.9.9.9 then check the state table to make sure it is opening states on the vlan30 and wan interfaces.

                  Steve

fin1000:

Made a few errors in checking pings, but here are the states for VLAN_30, which should just go straight out to the ISP, while pinging 9.9.9.9:

[screenshot: Diagnostics > States > States (2)]

Getting packets going out on ICMP, nothing back (if I understand it correctly).
On VLAN20, equal in and out.

stephenw10 (Netgate Administrator):

Yes, but you should leave the state table set to all interfaces and filter by 9.9.9.9 so you can see all the states created.

                            You should see a state on VLAN_30_OPT6 and another state, with NAT, on WAN.

                            Steve

fin1000:

Sorry, not really knowing what to do here.

OK, so this is connected to the VLAN30 wifi, interface set to "all", filtered to 9.9.9.9 whilst pinging 9.9.9.9:

VLAN_30_OPT6   icmp   10.0.30.10:17324 -> 9.9.9.9:17324   0:0   72 / 0   6 KiB / 0 B

VPN_WAN2       icmp   10.0.30.10:17324 -> 9.9.9.9:17324   0:0   72 / 0   6 KiB / 0 B

Is that 72 out, nothing back?

stephenw10 (Netgate Administrator):

Yes, it is. But more importantly, it's leaving via VPN_WAN2, which seems like it's not what you intended.

                                I think your VPN connection is pushing a new default route when it connects so all the traffic without a gateway set will then use it. And since you don't have outbound NAT rules for that it leaves with the internal, unroutable, source IP and sees no replies.

                                Edit your VPN client and set 'Don't pull routes' to prevent the remote server setting a new default route. Check the routing table when it connects to be sure.

                                Steve

fin1000:
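The mechanism Steve describes above (a pushed default route wins the routing lookup, the packet then leaves on an interface that has no outbound NAT rule, and it goes out with an RFC 1918 source that nothing on the internet can answer) can be reproduced with a small model. This is an added example, not pfSense or pf code and not anything posted in the thread; the interface names (em0, em0.30, ovpnc1), the WAN address 203.0.113.5 and the VPN tunnel routes are assumptions. It models two things worth knowing: longest-prefix match decides the egress interface (so OpenVPN's usual `redirect-gateway def1`, which installs 0.0.0.0/1 and 128.0.0.0/1 rather than replacing `default`, still captures everything), and outbound NAT in pf is matched per egress interface, first rule wins.

```python
"""Model of the route-then-NAT lookup behind the thread's diagnosis.

Constructed example: not pfSense/pf code. Interface names, the WAN
address and the VPN tunnel routes are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str          # interface the kernel would send the packet out of


@dataclass(frozen=True)
class NatRule:
    iface: str          # egress interface the outbound NAT rule applies on
    source: IPv4Network
    to: str             # translated source ("Interface Address" in the GUI)


def egress_interface(table, dst):
    """Longest-prefix match over the routing table; None if nothing matches."""
    dst = IPv4Address(dst)
    best = None
    for route in table:
        if dst in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best.iface if best else None


def outbound_nat(rules, iface, src):
    """First matching outbound NAT rule wins; None means the source leaves untranslated."""
    src = IPv4Address(src)
    for rule in rules:
        if rule.iface == iface and src in rule.source:
            return rule.to
    return None


def trace(table, rules, src, dst):
    """Return (egress interface, translated source or None) for one packet."""
    iface = egress_interface(table, dst)
    return iface, outbound_nat(rules, iface, src)


# --- constructed data ------------------------------------------------------
WAN, VPN = "em0", "ovpnc1"          # assumed names for the ISP and OpenVPN client ifaces

# Routes pfSense would have with no VPN influence: ISP default plus the VLANs.
ISP_ROUTES = [
    Route(IPv4Network("0.0.0.0/0"), WAN),
    Route(IPv4Network("10.0.20.0/24"), "em0.20"),   # VLAN 20
    Route(IPv4Network("10.0.30.0/24"), "em0.30"),   # VLAN 30
]

# What a server pushing 'redirect-gateway def1' installs: two /1 routes that
# out-prefix the existing default without replacing it. A plain
# 'netstat -rn | grep default' still shows the ISP gateway in this case.
PUSHED_BY_VPN = [
    Route(IPv4Network("0.0.0.0/1"), VPN),
    Route(IPv4Network("128.0.0.0/1"), VPN),
]

# Outbound NAT as in the thread: rules exist for the WAN only, none for the VPN.
NAT_RULES = [NatRule(WAN, IPv4Network("10.0.0.0/8"), "203.0.113.5")]


def before_fix():
    """Routes pulled from the VPN server: VLAN 30 traffic is hijacked and leaves un-NATed."""
    return trace(ISP_ROUTES + PUSHED_BY_VPN, NAT_RULES, "10.0.30.10", "9.9.9.9")


def after_fix():
    """'Don't pull routes' (route-nopull): the pushed routes never reach the table."""
    return trace(ISP_ROUTES, NAT_RULES, "10.0.30.10", "9.9.9.9")


def verdict(result):
    iface, translated = result
    if translated is None and IPv4Address("10.0.30.10").is_private:
        return f"leaves {iface} with a private source: replies cannot come back"
    return f"leaves {iface} as {translated}: replies return to WAN"


if __name__ == "__main__":
    print("before:", verdict(before_fix()))
    print("after: ", verdict(after_fix()))
```

On the box itself the real inputs are `netstat -rn` (look for `0.0.0.0/1` and `128.0.0.0/1` as well as `default`) and `pfctl -ss` filtered on the destination, which is the same pair of states Steve asked for: one on the VLAN interface and one, with the translated source, on WAN. The model also shows why VLAN 20 kept working: its rules policy-route to the VPN gateway on purpose, so its packets were meant to take that interface and presumably had NAT there.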

Many thanks, Steve! You're a genius! Adding route-nopull worked.

VLAN30 is clear to the ISP, and VLAN20 is on the VPN and does not go outside when the VPN connection is dead.
Problem sorted!! Thanks again!!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.