Routing LAN networks
-
Hello!
I am sitting here trying to segment my LAN a bit to clean things up, but it seems I can't understand how to set up proper routing...
My current setup:
2 physical interfaces:
WAN: 92.x.x.x
LAN: 10.0.0.254
LAN DHCP enabled, range 10.0.0.1-10.0.0.50
Standard config, nothing special. WAN access works, everything internally works. But things are getting crowded and I want to separate things a bit:
Servers: 10.0.0.0/24
Clients : 10.0.1.0/24 (assigned through DHCP)
WLAN: 10.0.2.0/24
and so on and so forth. The idea is to limit the traffic that is sent between the nets to secure things, but I can't seem to get traffic running between the different networks. Per standard I can see everything on the 10.0.0.0/24 but can't access anything on 10.0.1.0/24 or vice versa. I can't get my head around pfSense to set this up, when I had an old router it was dead easy to set up, but regardless what I do nothing works with pfSense...
What settings do I need to be able to ping and access a 10.0.1.1 client from the 10.0.0.0 network and the other way around?
Thanks!
/a_stupid_user
-
@mrpijey, your desired configuration makes sense. Segmenting the WLAN is a great idea and can help performance too.
As far as pfSense is concerned, you need to remember that firewall rules apply inbound to an interface, so what that means practically is that each interface needs its own firewall rules to allow communication to the other networks.
As an example, on the WLAN interface you need a rule that allows for a destination of ANY.
Action: Pass
Interface: WLAN
Address Family: IP4
Protocol: Any
Source: WLAN net
Destination: Any
Similarly, on the Clients interface you also need a rule that allows destination ANY.
Eventually, you could also choose more elaborate destinations to limit the visibility of certain systems, but allowing ANY destination will get it up and running. For now don't touch the advanced options.
-
I have only one internal interface (10.0.0.254) and all the AP's, servers and clients are connected through a single switch which is connected to this interface.
-
You should not run multiple networks on the same physical layer.
You can separate them physically or use VLANs.
-Rico
-
@mrpijey
In that case you need to either use more interfaces and separate switches (one for each network) or VLANs, however, unless your switch is a managed switch that supports 802.1Q VLANs, you are out of luck.
More info here: https://docs.netgate.com/pfsense/en/latest/book/vlan/index.html
-
Yes, the idea was to use VLANs as my switch is a managed one, but I would still need to know how to setup pfsense for this. I guess I will need to setup multiple interfaces then in pfsense, one for each VLAN? But how is pfsense then setup to do proper routing between all these interfaces?
-
@mrpijey said in Routing LAN networks:
But how is pfsense then setup to do proper routing between all these interfaces?
You just need Firewall Rules...
-Rico
-
@mrpijey said in Routing LAN networks:
But how is pfsense then setup to do proper routing between all these interfaces?
Just like every other router I have ever seen ;) If the network is directly attached, it knows how to get there - ie route.. So just like that when you create a new interface be it a native one or vlan one, and put a network on it.. Pfsense will know how to get there ;)
As stated you would just have to create firewall rules on this new interface to allow traffic, only the lan interface defaults to having any any rule to allow traffic, new interfaces start with no rules - so default deny is used for any traffic entering that interface. Other than the hidden dhcp rules that will be created when you enable dhcpd on that interface.
If you have questions on that - just create your interface, put an IP on it with mask, and then look at your routing table.
edit: Out of the box when you create a new interface with an ip/mask on it, traffic from say lan with its default any any would be able to start a conversation with optX network devices. But optX devices would not be able to start a conversation with lan.. Since there are no rules on this new optX interface.
The return traffic from optx to lan in the conversation started by lan would be allowed by the state that is created.
-
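The behaviour johnpoz describes above (rules evaluated inbound on the interface a packet enters, new interfaces starting at default deny, and the state created by LAN's any/any rule letting replies back) as an added toy model. This is constructed example code, not pfSense code; the interface names, addresses and the "OPT1 net -> any" rule are taken from the thread.

```python
from ipaddress import ip_address, ip_network

# Directly attached networks from the thread; pfSense routes between these
# automatically, so the only question is whether the firewall lets a packet in.
IFACES = {"LAN": ip_network("10.0.0.0/24"), "OPT1": ip_network("10.0.1.0/24")}
ANY = ip_network("0.0.0.0/0")

def iface_for(ip):
    """Return the interface whose attached network contains ip (the route)."""
    for name, net in IFACES.items():
        if ip_address(ip) in net:
            return name
    return None

class Firewall:
    """Toy model (not pfSense code): rules are matched only on the interface a
    packet enters, and a passed packet creates a state that lets replies back."""
    def __init__(self, rules):
        self.rules = rules          # {iface: [(proto, src_net, dst_net), ...]}
        self.states = set()         # (proto, src, dst) of allowed conversations

    def packet(self, proto, src, dst):
        """Evaluate one packet entering pfSense; return 'pass' or 'block'."""
        if (proto, dst, src) in self.states:
            return "pass"           # reply matched by the existing state
        ingress = iface_for(src)
        if ingress is None or iface_for(dst) is None:
            return "block"          # no attached network, nothing to route
        for r_proto, r_src, r_dst in self.rules.get(ingress, []):
            if (r_proto in ("any", proto) and ip_address(src) in r_src
                    and ip_address(dst) in r_dst):
                self.states.add((proto, src, dst))
                return "pass"
        return "block"              # default deny: no rule on this interface

def demo():
    """Reproduce the thread: LAN has its default any/any rule, OPT1 has none."""
    fw = Firewall({"LAN": [("any", IFACES["LAN"], ANY)]})
    lan_to_opt1 = fw.packet("icmp", "10.0.0.10", "10.0.1.1")    # pass
    opt1_reply = fw.packet("icmp", "10.0.1.1", "10.0.0.10")     # pass (state)
    opt1_starts = fw.packet("icmp", "10.0.1.2", "10.0.0.10")    # block
    ping_own_gw = fw.packet("icmp", "10.0.1.2", "10.0.1.254")   # block too
    # Add the rule awebster described: Pass, source OPT1 net, destination any.
    fw.rules["OPT1"] = [("any", IFACES["OPT1"], ANY)]
    opt1_allowed = fw.packet("icmp", "10.0.1.2", "10.0.0.10")   # pass
    return lan_to_opt1, opt1_reply, opt1_starts, ping_own_gw, opt1_allowed

if __name__ == "__main__":
    print(demo())
```

Note that even pinging the OPT1 interface address itself from an OPT1 host is blocked until that interface has a pass rule, which is the symptom reported later in the thread.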
Alright, I think I understand. This will be a good opportunity to move to a larger switch as I've outgrown my 24 port one... :). But I will create the additional interfaces then, VLAN tag all of them, segment the switch properly (as well as the virtual machines I got) and set up the proper firewall rules for each to allow the interfaces to talk to the main internal interface. I had forgotten all about the proper VLAN tagging and it makes a lot more sense with the optional interfaces now thinking about it. Thank you!
-
Seems I still can't get it right....
I added an additional interface to pfSense (I run it virtualized in Hyper-V, so I VLAN tagged the NIC in the VM settings). Configured it in pfSense with a static IP (10.0.1.254). So now I have the following interfaces:
WAN: 92.x.x.x
LAN: 10.0.0.254
LAN2: 10.0.1.254 (tagged in Hyper-V with VLAN10)
Then I set up a virtual machine, tagged that with the same VLAN ID (again, in the hyper-v NIC settings) and a fixed IP (10.0.1.1).
But even so, the VM can't reach 10.0.1.254. I am unsure how to setup the firewall settings for the interface so it can be reached from the main 10.0.0.x LAN.
What am I missing? I tried adding the firewall settings for the LAN2 but not sure how it should look like.... regardless what settings I used the test VM could never ping the LAN2 interface.
-
Hyper-V and vlans is its own thing.. which has nothing to do with pfsense. There was a thread awhile back where I went into how to do it..
But you're going to have to go into more detail of your actual connectivity if you want any help in that area.. I would suggest get help on hyper-v forums for how to do vlans in it.. But I can tell more likely than not it will have to be done from powershell, etc. I would have to dig up the old thread..
But your client in the same vlan on hyper-v as your opt interface in pfsense would not be able to ping that vlan IP of pfsense, unless you created a rule on the vlan interface to allow it. Is the other vm in this vlan set to dhcp - does it get an address from pfsense dhcpd running on that vlan interface?
edit: here is old thread where I went through setting up vlan with pfsense on hyper-v
https://forum.netgate.com/topic/139891/solve-hyperv-2012-vlans-support-hn0
-
Well of course the two don't have anything to do with each other, but I had to separate the test VM and interface from the rest of the network since I run both the test machine and pfsense virtualized. And if it's tagged then I can also get it to connect properly to my physical network once I start tagging the needed ports with the same ID. So if i VLAN tag the ports in Hyper-V or on a physical switch it should be the same, to pfSense it should simply see three separate interfaces, WAN, LAN and LAN2, all separated from each other.
Well I am not using DHCP on pfsense, that's why I use fixed IPs. I want the test VM to talk to at least the interface first, and then setup the proper rules to allow it to talk to the rest of the network (including the actual DHCP server which is on the 10.0.0.x network).
But do I need to do anything before the LAN2 interface even accepts any inbound and outbound traffic? Since neither can ping the other.
Edit: Just to double check so traffic works I setup a secondary test VM with IP 10.0.1.2, same VLAN tag on the Hyper-V machine and Opt1 (LAN2) interface in pfSense and both test VMs can ping each other just fine. But none of them pings the LAN2 interface (10.0.1.254).
And I read that post, it doesn't apply as it's an issue with VLANs and Hyper-V (2012r2 in your link), something that was fixed with Hyper-V 2016, and I am running Hyper-V 2019. I also verified the VLAN tagging with Get-VMnetworkAdapterVLAN and it is as it should be (two test VMs and one pfSense interface tagged with VLAN 10). And as I mentioned, both test VMs can ping each other but not the pfSense interface, nor can pfSense ping any of the test VMs.
-
And how do you have the vlans setup in hyper-v, lets see output of
Get-VMnetworkAdapterVLAN
Did you setup the interface in pfsense as native or tagged vlan, etc. etc..
And what rule did you put on the interface in pfsense - are you allowing icmp... Again out of the box there are no rules on new interfaces - so yeah anything will be blocked..
Can not help you without details..
Your issue could be as stupid as tcp rule vs icmp rule, or maybe put /32 on the IP in pfsense?
-
VMName   VMNetworkAdapterName   Mode       VlanList
------   --------------------   ----       --------
vm01     Network Adapter        Access     10
vm02     Network Adapter        Access     10
pfSense  Network Adapter        Untagged
pfSense  Network Adapter        Access     10
vm01 and vm02 are test VMs, the tagged pfSense is the Opt1 (LAN2) interface, the other one is the LAN interface that everything goes through atm.
As for the firewall setting, that's what I am asking, how should it be setup?
Action: Pass
Protocol: IPv4 *
Source: LAN2
Port: *
Destination: *
Port: *
Gateway: *
I just basically copied the LAN wildcard rule.
-
Well, seems I can get no help here. All I asked for was to how to setup the firewall rules so I can route traffic between my LAN network (10.0.0.0/24) to my LAN2 network (10.0.1.0/24). I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
I might have to find a proper hardware router to do this properly as it seems no one can give me a simple explanation on how to set it up properly.
-
@mrpijey said in Routing LAN networks:
I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
What are you even talking about? You asked about where to set up firewall rules. There is only one place. Firewall rules. Period. That is working on almost any hardware setup and in many virtual ones without a single problem. I don't know where you get the
but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
I've read many posts and seldom see one that has a problem with the simple basic question as to where and how to set up rules from one LAN to another (and vice versa). They are set up on the Interface that the packet comes in first. Easy as that. If they don't work or your routing doesn't work then you have problems lying deeper than asking simple questions. That's why I see people here asking questions about you running virtualization and which one, how you have configured this and that. But sure, if you ignore them, don't have the patience or will to debug your problem seriously and only want to see that "no one is helping you" - then perhaps some easy hardware one-click solution might be the right thing for you.
I can only wish you more luck then.
-
Sorry I missed your reply, there are hundreds of posts.. I can not get to all of them :)
But from your posting you have nothing set up other than access ports - you're not allowing any tagging in your hyper-v. Would have to read through the thread again to figure out what you're trying to do exactly.
But this is pfsense forum, not hyper-v.. If you want to understand how to do vlans in hyper-v I would suggest you ask on their forums.. You might get lucky and get someone willing to help..
I already linked to a thread where I went into great detail how to do vlans on hyper-v, which is actually a VM software that I pretty much loathe ;) It's a joke compared to esxi for example.. ;)
But it has nothing to do with pfsense - do you provide the tags to pfsense or not is the big question.. If you want pfsense to use tags, then they have to be seen by pfsense, if not - then it's just native traffic.. And you wouldn't set up vlans in pfsense if there are no tags for it to use. So it just comes down to firewall rules on the native interface if there are no vlans set up in pfsense.. If you set up vlans in pfsense and there are no tags on the traffic then that vlan interface in pfsense would not see that traffic to do anything with no matter what your rules are.
-
@JeGr said in Routing LAN networks:
@mrpijey said in Routing LAN networks:
I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
What are you even talking about? You asked about where to set up firewall rules. There is only one place. Firewall rules. Period. That is working on almost any hardware setup and in many virtual ones without a single problem. I don't know where you get the
but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
I've read many posts and seldom see one that has a problem with the simple basic question as to where and how to set up rules from one LAN to another (and vice versa). They are set up on the Interface that the packet comes in first. Easy as that. If they don't work or your routing doesn't work then you have problems lying deeper than asking simple questions. That's why I see people here asking questions about you running virtualization and which one, how you have configured this and that. But sure, if you ignore them, don't have the patience or will to debug your problem seriously and only want to see that "no one is helping you" - then perhaps some easy hardware one-click solution might be the right thing for you.
I can only wish you more luck then.
Well that's the problem, I've asked how to set it up. All I've got so far are discussions about VLAN tagging and principles behind the routing, not an actual example.
I want to route traffic from 10.0.0.0/24 to 10.0.1.0/24 and allow traffic to flow between the two. How is that setup? How are the rules set up for this?
This is what I need to know.
Ignore all the VLANs and all that, I can set it up without using VLANs through a physical NIC and separate switch (and yes, I know how to setup VLAN tagging in Hyper-V as I've provided a screenshot displaying the ports being tagged, and I can ping the machines between pfSense and the clients within the same network partition, so tagging works. But ignore the tagging, atm I am doing it all untagged, no VLANs, both networks tied to physical NICs and clients connected to separate switches).
@JeGr said in Routing LAN networks:
@mrpijey said in Routing LAN networks:
I've tried a lot of different settings, in Firewall/Rules, Firewall/NAT/Outbound, in System/Routing, searched the net but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
What are you even talking about? You asked about where to set up firewall rules. There is only one place. Firewall rules. Period. That is working on almost any hardware setup and in many virtual ones without a single problem. I don't know where you get the
but it seems a lot of people have issues with this. And no one can give a clear answer. No guides anywhere, only guesses that leads nowhere.
I've read many posts and seldom see one that has a problem with the simple basic question as to where and how to set up rules from one LAN to another (and vice versa). They are set up on the Interface that the packet comes in first. Easy as that. If they don't work or your routing doesn't work then you have problems lying deeper than asking simple questions. That's why I see people here asking questions about you running virtualization and which one, how you have configured this and that. But sure, if you ignore them, don't have the patience or will to debug your problem seriously and only want to see that "no one is helping you" - then perhaps some easy hardware one-click solution might be the right thing for you.
I can only wish you more luck then.
I did indeed set up VLAN tagging on the virtual machines as well as the virtual switch during testing, but for now ignore all of that. Both pfSense ports are tied to physical NICs, and the test clients are connected to two individual switches on each NIC. And I want one client on one switch to see and talk to the other client on the other switch. Each client can ping the pfSense interface it's connected to, but not the other.
As suggested by awebster I did setup an ANY rule on each of the interfaces (the default LAN one had one already, added one to the other LAN2 one) but it did nothing to allow pinging or traffic to an another client.
-
Post your rules dude.. If you're saying each client can ping the pfsense gateway... There is NOTHING to do for routing.. Unless you're forcing clients to a vpn service or whatever via some policy route
Post the rules on your interfaces..
As any router, it will automatically know how to route traffic between interfaces it's attached to.. So you have to allow whatever traffic you want via firewall rules.. That is it.. And you have to take into account any host firewalls.
As to this
I did indeed setup VLAN tagging on the virtual machines as well as the virtual switch during testing
That is wrong - if you set up vlans in the vswitching of your VM Host it strips the tags presented to the client... So I will say it again understanding how YOUR software of choice handles tags is on you - has zero to do with pfsense.. Zero!!
-
@mrpijey said in Routing LAN networks:
This is what I need to know.
Allow ipv4 * * * * *
That being said and because you brought up my earlier post, I want to point out that pfSense works as advertised, and while it is unfortunate that you are having difficulties making it work, I feel that it is inappropriate to vent your frustration that you aren't getting support for an unrelated product. You may argue that a hypervisor is related to pfSense, and indirectly it is, but you can't expect people knowledgeable in product X to help you with product Y beyond the most basic support.
So,
- Show us your network diagram. That will generally help people on this forum better understand how it's all hooked up. You don't need to be a graphic artist, you can draw it by hand and take a photo.
- What other devices are on the network that can be contributing to the problem?
- Is your WLAN really an access point, or in fact a wireless router?
- How does the traffic flow at the layer 2 level? Keep in mind pfSense is layer 2 aware. If there are asymmetric traffic flows they will be blocked.