Routing LAN networks



  • Hello!

I am sitting here trying to segment my LAN a bit to clean things up, but it seems I can't understand how to set up proper routing...

    My current setup:

    2 physical interfaces:

    WAN: 92.x.x.x
    LAN: 10.0.0.254

    LAN DHCP enabled, range 10.0.0.1-10.0.0.50

    Standard config, nothing special. WAN access works, everything internally works. But things are getting crowded and I want to separate things a bit:

    Servers: 10.0.0.0/24
    Clients : 10.0.1.0/24 (assigned through DHCP)
    WLAN: 10.0.2.0/24

and so on and so forth. The idea is to limit the traffic that is sent between the nets to secure things, but I can't seem to get traffic running between the different networks. Per standard I can see everything on the 10.0.0.0/24 but can't access anything on 10.0.1.0/24 or vice versa. I can't get my head around pfSense to set this up; when I had an old router it was dead easy to set up, but regardless of what I do nothing works with pfSense...

    What settings do I need to be able to ping and access a 10.0.1.1 client from the 10.0.0.0 network and the other way around?

    Thanks!
    /a_stupid_user



  • @mrpijey, your desired configuration makes sense. Segmenting the WLAN is a great idea and can help performance too.
    As far as pfSense is concerned, you need to remember that firewall rules apply inbound to an interface, so what that means practically is that each interface needs its own firewall rules to allow communication to the other networks.
    As an example, on the WLAN interface you need a rule that allows for a destination of ANY.

    Action: Pass
    Interface: WLAN
    Address Family: IPv4
    Protocol: Any
    Source: WLAN net
    Destination: Any
    

    Similarly, on the Clients interface you also need a rule that allows destination ANY.
    Eventually, you could also choose more elaborate destinations to limit the visibility of certain systems, but allowing ANY destination will get it up and running. For now don't touch the advanced options.



  • I have only one internal interface (10.0.0.254) and all the APs, servers and clients are connected through a single switch which is connected to this interface.


  • LAYER 8 Rebel Alliance

    You should not run multiple networks on the same physical layer.
    You can separate them physically or use VLANs.

    -Rico



  • @mrpijey
    In that case you need to either use more interfaces and separate switches (one for each network) or VLANs, however, unless your switch is a managed switch that supports 802.1Q VLANs, you are out of luck.
    More info here: https://docs.netgate.com/pfsense/en/latest/book/vlan/index.html



  • Yes, the idea was to use VLANs as my switch is a managed one, but I would still need to know how to set up pfSense for this. I guess I will need to set up multiple interfaces then in pfSense, one for each VLAN? But how is pfSense then set up to do proper routing between all these interfaces?


  • LAYER 8 Rebel Alliance

    @mrpijey said in Routing LAN networks:

    But how is pfSense then set up to do proper routing between all these interfaces?

    You just need Firewall Rules...

    -Rico


  • LAYER 8 Global Moderator

    @mrpijey said in Routing LAN networks:

    But how is pfSense then set up to do proper routing between all these interfaces?

    Just like every other router I have ever seen ;) If the network is directly attached, it knows how to get there - ie route.. So just like that when you create a new interface, be it a native one or vlan one, and put a network on it.. Pfsense will know how to get there ;)

    As stated you would just have to create firewall rules on this new interface to allow traffic. Only the lan interface defaults to having an any-any rule to allow traffic; new interfaces start with no rules - so default deny is used for any traffic entering that interface. Other than the hidden dhcp rules that will be created when you enable dhcpd on that interface.

    If you have questions on that - just create your interface, put an IP on it with mask, and then look at your routing table.

    edit: Out of the box when you create a new interface with an ip/mask on it, traffic from say lan with its default any-any rule would be able to start a conversation with optX network devices. But optX devices would not be able to start a conversation with lan.. Since there are no rules on this new optX interface.

    The return traffic from optx to lan in the conversation started by lan would be allowed by the state that is created.
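    The behaviour described in awebster's rule example above and in the reply above (routing between attached networks is automatic, rules are evaluated inbound on the interface the packet enters, a new OPT interface starts with no rules, and the state created by a pass rule admits the reply traffic) can be seen in the following added example. It is a constructed model, not pfSense code or anything from this thread's participants: the interface names, addresses, packets and the "LAN2 net" alias syntax are assumptions, and the model derives the ingress interface from the source address, which simplifies real layer-2 delivery.

```python
"""Added example (not pfSense code): a small model of how pfSense decides
whether traffic between two directly attached networks flows. Interface
names, addresses and packets are constructed for the example; the ingress
interface is derived from the source address, a simplification of real
layer-2 delivery.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str = "any"
    src: str = "any"   # "any", "<IFACE> net" or a CIDR
    dst: str = "any"


class Firewall:
    def __init__(self):
        self.interfaces = {}  # name -> directly connected network
        self.rules = {}       # name -> rules evaluated inbound on that interface
        self.states = set()   # (proto, frozenset({addr_a, addr_b}))

    def add_interface(self, name, cidr):
        self.interfaces[name] = ipaddress.ip_network(cidr)
        self.rules[name] = []  # a new interface has zero rules: default deny

    def add_rule(self, iface, rule):
        self.rules[iface].append(rule)

    def route(self, ip):
        """Directly attached networks are routable with no configuration."""
        addr = ipaddress.ip_address(ip)
        for name, net in self.interfaces.items():
            if addr in net:
                return name
        return None

    def _match_addr(self, spec, ip):
        if spec == "any":
            return True
        if spec.endswith(" net"):  # "<IFACE> net" alias, as in the pfSense UI
            return ipaddress.ip_address(ip) in self.interfaces[spec[:-4]]
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

    def forward(self, pkt):
        """Return (allowed, reason) for a packet entering the firewall."""
        in_if = self.route(pkt.src)
        out_if = self.route(pkt.dst)
        if in_if is None or out_if is None:
            return False, "no route"
        state = (pkt.proto, frozenset({pkt.src, pkt.dst}))
        if state in self.states:
            return True, "existing state"  # reply traffic needs no rule
        for rule in self.rules[in_if]:     # only the inbound interface's rules
            if (rule.proto in ("any", pkt.proto)
                    and self._match_addr(rule.src, pkt.src)
                    and self._match_addr(rule.dst, pkt.dst)):
                if rule.action == "pass":
                    self.states.add(state)
                    return True, f"pass rule on {in_if}"
                return False, f"block rule on {in_if}"
        return False, f"default deny on {in_if}"


def demo():
    fw = Firewall()
    fw.add_interface("LAN", "10.0.0.0/24")
    fw.add_interface("LAN2", "10.0.1.0/24")
    fw.add_rule("LAN", Rule("pass"))  # the stock LAN any-to-any rule
    out = {}
    # LAN may open a conversation with LAN2 ...
    out["lan_to_lan2"] = fw.forward(Packet("10.0.0.10", "10.0.1.1", "icmp"))
    # ... and the reply is admitted by the state, not by any LAN2 rule
    out["lan2_reply"] = fw.forward(Packet("10.0.1.1", "10.0.0.10", "icmp"))
    # a new conversation from LAN2 enters an interface that has no rules
    out["lan2_new_no_rule"] = fw.forward(Packet("10.0.1.2", "10.0.0.10", "tcp"))
    # the fix: a pass rule on LAN2 with source "LAN2 net" and destination any
    fw.add_rule("LAN2", Rule("pass", src="LAN2 net", dst="any"))
    out["lan2_new_with_rule"] = fw.forward(Packet("10.0.1.2", "10.0.0.10", "tcp"))
    # tighter variant: LAN2 may reach one server only, everything else is denied
    strict = Firewall()
    strict.add_interface("LAN", "10.0.0.0/24")
    strict.add_interface("LAN2", "10.0.1.0/24")
    strict.add_rule("LAN2", Rule("pass", proto="tcp", src="LAN2 net", dst="10.0.0.5/32"))
    out["strict_allowed"] = strict.forward(Packet("10.0.1.2", "10.0.0.5", "tcp"))
    out["strict_denied"] = strict.forward(Packet("10.0.1.2", "10.0.0.6", "tcp"))
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20} {'PASS' if ok else 'BLOCK':5} ({why})")
```

    Running it prints one line per case; the two "strict" cases show the restricted-destination rule awebster mentions, where anything not explicitly passed on LAN2 falls through to the interface's default deny.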



  • Alright, I think I understand. This will be a good opportunity to move to a larger switch as I've outgrown my 24 port one... :). But I will create the additional interfaces then, VLAN tag all of them, segment the switch properly (as well as the virtual machines I got) and set up the proper firewall rules for each to allow the interfaces to talk to the main internal interface. I had forgotten all about the proper VLAN tagging and it makes a lot more sense with the optional interfaces now thinking about it. Thank you!



  • Seems I still can't get it right....

    I added an additional interface to pfSense (I run it virtualized in Hyper-V, so I VLAN tagged the NIC in the VM settings). Configured it in pfSense with a static IP (10.0.1.254). So now I have the following interfaces:

    WAN: 92.x.x.x
    LAN: 10.0.0.254
    LAN2: 10.0.1.254 (tagged in Hyper-V with VLAN10)

    Then I setup a virtual machine, tagged that with the same VLAN ID (again, in the hyper-v NIC settings) and a fixed IP (10.0.1.1).

    But even so, the VM can't reach 10.0.1.254. I am unsure how to setup the firewall settings for the interface so it can be reached from the main 10.0.0.x LAN.

    What am I missing? I tried adding the firewall settings for the LAN2 but not sure what they should look like.... regardless of what settings I used the test VM could never ping the LAN2 interface.


  • LAYER 8 Global Moderator

    Hyper-V and vlans is its own thing.. which has nothing to do with pfsense. There was a thread awhile back where I went into how to do it..

    But you're going to have to go into more detail of your actual connectivity if you want any help in that area.. I would suggest get help on hyper-v forums for how to do vlans in it.. But I can tell more likely than not it will have to be done from powershell, etc. I would have to dig up old thread..

    But your client in the same vlan on hyper-v as your opt interface in pfsense would not be able to ping that vlan IP of pfsense, unless you created a rule on the vlan interface to allow it. Is the other vm in this vlan set to dhcp - does it get an address from pfsense dhcpd running on that vlan interface?

    edit: here is old thread where I went through setting up vlan with pfsense on hyper-v
    https://forum.netgate.com/topic/139891/solve-hyperv-2012-vlans-support-hn0



  • Well of course the two don't have anything to do with each other, but I had to separate the test VM and interface from the rest of the network since I run both the test machine and pfSense virtualized. And if it's tagged then I can also get it to connect properly to my physical network once I start tagging the needed ports with the same ID. So if I VLAN tag the ports in Hyper-V or on a physical switch it should be the same; to pfSense it should simply see three separate interfaces, WAN, LAN and LAN2, all separated from each other.

    Well I am not using DHCP on pfsense, that's why I use fixed IPs. I want the test VM to talk to at least the interface first, and then setup the proper rules to allow it to talk to the rest of the network (including the actual DHCP server which is on the 10.0.0.x network).

    But do I need to do anything before the LAN2 interface even accepts any inbound and outbound traffic? Since neither can ping the other.

    Edit: Just to double check so traffic works I setup a secondary test VM with IP 10.0.1.2, same VLAN tag on the Hyper-V machine and Opt1 (LAN2) interface in pfSense and both test VMs can ping each other just fine. But none of them pings the LAN2 interface (10.0.1.254).

    And I read that post, it doesn't apply as it's an issue with VLANs and Hyper-V (2012r2 in your link), something that was fixed with Hyper-V 2016, and I am running Hyper-V 2019. I also verified the VLAN tagging with Get-VMnetworkAdapterVLAN and it is as it should be (two test VMs and one pfSense interface tagged with VLAN 10). And as I mentioned, both test VMs can ping each other but not the pfSense interface, nor can pfSense ping any of the test VM's.


  • LAYER 8 Global Moderator

    And how do you have the vlans setup in hyper-v, lets see output of

    Get-VMnetworkAdapterVLAN

    Did you setup the interface in pfsense as native or tagged vlan, etc. etc..

    And what rule did you put on the interface in pfsense - are you allowing icmp... Again out of the box there are no rules on new interfaces - so yeah anything will be blocked..

    Can not help you without details..

    Your issue could be as stupid as tcp rule vs icmp rule, or maybe put /32 on the IP in pfsense?



  • VMName                   VMNetworkAdapterName Mode     VlanList
    ------                   -------------------- ----     --------
    vm01                     Network Adapter      Access   10
    vm02                     Network Adapter      Access   10
    pfSense                  Network Adapter      Untagged
    pfSense                  Network Adapter      Access   10
    

    vm01 and vm02 are test VMs, the tagged pfSense is the Opt1 (LAN2) interface, the other one is the LAN interface that everything goes through atm.

    As for the firewall setting, that's what I am asking, how should it be setup?

    Action: Pass
    Protocol: IPv4 *
    Source: LAN2
    Port: *
    Destination: *
    Port: *
    Gateway: *

    I just basically copied the LAN wildcard rule.



  • Well, seems I can get no help here. All I asked for was to how to setup the firewall rules so I can route traffic between my LAN network (10.0.0.0/24) to my LAN2 network (10.0.1.0/24). I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.

    I might have to find a proper hardware router to do this properly as it seems no one can give me a simple explanation on how to set it up properly.


  • LAYER 8 Moderator

    @mrpijey said in Routing LAN networks:

    I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.

    What are you even talking about? You asked about where to setup firewall rules. There is only one place. Firewall rules. Period. That is working on almost any hardware setups and in many virtual ones without a single problem. I don't know where you get the

    but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.

    I've read many posts and seldom see one that has problem with the simple basic question as to where and how to setup rules from one LAN to another (and vice versa). They are set up on the Interface that the package comes in first. easy as that. If they don't work or your routing doesn't work then you have problems lying deeper than asking simple questions. That's why I see people here asking questions about you running virtualization and which one, how you have configured this and that. But sure, if you ignore them, don't have the patience or will to debug your problem seriously and only want to see that "no one is helping you" - then perhaps some easy hardware one-click solution might be the right thing for you.

    I can only wish you more luck then.


  • LAYER 8 Global Moderator

    Sorry I missed your reply, there are hundreds of posts.. I can not get to all of them :)

    But from your posting you have nothing set up other than access ports - you're not allowing any tagging in your hyper-v. Would have to read through the thread again to figure out what you're trying to do exactly.

    But this is pfsense forum, not hyper-v.. If you want to understand how to do vlans in hyper-v I would suggest you ask on their forums.. You might get lucky and get someone willing to help..

    I already linked to a thread where I went into great detail how to do vlans on hyper-v, which is actually a VM software that I pretty much loath ;) It's a joke compared to esxi for example.. ;)

    But it has nothing to do with pfsense - do you provide the tags to pfsense or not is the big question.. If you want pfsense to use tags, then they have to be seen by pfsense, if not - then its just native traffic.. And you wouldn't setup vlans in pfsense if there are no tags for it to use. So just comes down to firewall rules on the native interface if there are no vlans setup in pfsense.. If you setup vlans in pfsense and there are no tags on the traffic then that vlan interface in pfsense would not see that traffic to do anything with no matter what your rules are.



  • @JeGr said in Routing LAN networks:

    @mrpijey said in Routing LAN networks:

    I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.

    What are you even talking about? You asked about where to setup firewall rules. There is only one place. Firewall rules. Period. That is working on almost any hardware setups and in many virtual ones without a single problem. I don't know where you get the

    but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.

    I've read many posts and seldom see one that has problem with the simple basic question as to where and how to setup rules from one LAN to another (and vice versa). They are set up on the Interface that the package comes in first. easy as that. If they don't work or your routing doesn't work then you have problems lying deeper than asking simple questions. That's why I see people here asking questions about you running virtualization and which one, how you have configured this and that. But sure, if you ignore them, don't have the patience or will to debug your problem seriously and only want to see that "no one is helping you" - then perhaps some easy hardware one-click solution might be the right thing for you.

    I can only wish you more luck then.

    Well that's the problem, i've asked on how to set it up. All I've got so far are discussions about VLAN tagging and principles behind the routing, not an actual example.

    I want to route traffic from 10.0.0.0/24 to 10.0.1.0/24 and allow traffic to flow between the two. How is that setup? How are the rules set up for this?

    This is what I need to know.

    Ignore all the VLANs and all that, I can set it up without using VLANs through a physical NIC and separate switch (and yes, I know how to setup VLAN tagging in Hyper-V as I've provided a screenshot displaying the ports being tagged, and I can ping the machines between pfSense and the clients within the same network partition, so tagging works. But ignore the tagging, atm I am doing it all untagged, no VLANs, both networks tied to physical NICs and clients connected to separate switches).

    I did indeed set up VLAN tagging on the virtual machines as well as the virtual switch during testing, but for now ignore all of that. Both pfSense ports are tied to physical NICs, and the test clients are connected to two individual switches on each NIC. And I want one client on one switch to see and talk to the other client on the other switch. Each client can ping its own pfSense interface it's connected to, but not the other.

    As suggested by awebster I did set up an ANY rule on each of the interfaces (the default LAN one had one already, added one to the other LAN2 one) but it did nothing to allow pinging or traffic to another client.


  • LAYER 8 Global Moderator

    Post your rules dude.. If you're saying each client can ping pfsense gateway... There is NOTHING to do for routing.. Unless you're forcing clients to a vpn service or whatever via some policy route

    Post the rules on your interfaces..

    As any router, it will automatically know how to route traffic between interfaces it's attached to.. So you have to allow whatever traffic you want via firewall rules.. That is it.. And you have to take into account any host firewalls.

    As to this

    I did indeed setup VLAN tagging on the virtual machines as well as the virtual switch during testing

    That is wrong - if you setup vlans in the vswitching of your VM Host it strips the tags presented to the client... So I will say it again understanding how YOUR software of choice handles tags is on you - has zero to do with pfsense.. Zero!!



  • @mrpijey said in Routing LAN networks:

    This is what I need to know.

    Allow ipv4 * * * * *

    That being said and because you brought up my earlier post, I want to point out that pfSense works as advertised, and while it is unfortunate that you are having difficulties making it work, I feel that it is inappropriate to vent your frustration that you aren't getting support for an unrelated product. You may argue that a hypervisor is related to pfSense, and indirectly it is, but you can't expect people knowledgeable in product X to help you with product Y beyond the most basic support.

    So,

    • Show us your network diagram. That will generally help people on this forum better understand how its all hooked up. You don't need to be a graphic artist, you can draw it by hand and take a photo.
    • What other devices are on the network that can be contributing to the problem?
    • Is your WLAN really an access point, or in fact a wireless router?
    • How does the traffic flow at the layer 2 level. Keep in mind pfSense is layer 2 aware. If there are asymmetric traffic flows they will be blocked.


  • @awebster This is the kind of pointless answer that is the source of my frustration. pfSense is primarily managed through its web interface, so I would expect an answer that told me where in this user interface I would need to configure my settings (a screenshot etc). I already know the principles of routing, and I never had any issues with commercial firewalls and routers, but for some reason pfSense refuses to cooperate. And how is this getting support for an unrelated product? Isn't pfSense made by NetGate? Mind you, I didn't ask for help with Hyper-V or VLAN tagging, I only answered @johnpoz question about Hyper-V VLAN tags. But I only asked and expected answers, only regarding the routing firewall rules in pfSense. I did mention the whole setup so you would better understand my configuration, but I've also mentioned last that I removed all that to avoid all potential sources of problems, tied pfSense to physical NICs and connected physical clients, all for testing. I will deal with VLAN tagging and all that later.

    Your answer was no help to me as I already understand the principle of "allow all traffic". But since I failed to get it to work I asked for some clear examples, yet all I get are vague answers that are no help to anyone without intricate knowledge of the UI. I have no doubt pfSense can do what I want, but I needed to know how to set it up. Visually. You know, a screenshot? Something to help me relate to the UI of pfSense.

    But no matter, I asked the same question in a different forum and immediately got an answer with a screenshot of how it was supposed to be set up and where, and it worked once I adjusted the settings for my network setup.

    To @johnpoz and the others, thanks for the assistance. I understand there's a lot of posts and a lot of members asking for stuff, I was just getting frustrated that this topic went on for so long without a single clear answer of how to setup pfSense to allow traffic between networks.

    Thank you for an excellent product, been using pfSense since I switched from Smoothwall some 10 years ago, but until now I never needed to do any manual routing or anything like that. And it's been rock solid.



  • @mrpijey said in Routing LAN networks:

    where in this user interface I would need to configure my settings (a screenshot etc). I already know the principles of routing, and I never had any issues with commercial firewalls and routers

    (my emphasis) but WOW! ...truly astonishing!

    You asked for help and the forum helped but you balked, but if what you really wanted was a YouTube video showing you how to set it up, then all you had to do was search for pfSense in YouTube; there are hundreds!
    First hit: https://www.youtube.com/watch?v=9kSZ1oM-4ZM no affiliation and the dude looks pretty competent.

    See also: http://xyproblem.info/



  • @awebster I did not ask for a youtube video, I asked for some professional help in the public forum of the company that made the product.

    I did however not ask for your unprofessional attitude. Please do not reply to my threads anymore.

    My issue has been resolved.

    Thank you.


  • LAYER 8 Global Moderator

    @mrpijey said in Routing LAN networks:

    went on for so long without a single clear answer of how to setup pfSense to allow traffic between networks.

    As already stated there is NOTHING to do for routing.. NOTHING!!!! I mean ANY router that has directly attached interfaces will know how to route between them.. PERIOD!! The only time you would have to add routing info would be if you have specific upstream networks that need to go somewhere different than your default router, or you have downstream networks via a transit network.

    You're also running a firewall - so yes you will have to create a firewall rule to allow the traffic. Pfsense only puts a default any-any rule on your lan; any other interfaces you create will have zero rules out of the box.

    Your thread turned into asking about vlans and hyper-v.

    You were told less than 30 minutes after your post that you would have to create firewall rules to allow traffic between interfaces.

