cannot routing over pfsense on vlan

ajtak

Hello everyone, sorry for my english..
I have pfsense on minipc. pfsense has LAN with captive portal for home users. captive portal is connected to active directory. That's fine and working. pfsense has configured VLAN for guest user. Devices is obtained IP address from pfsense, but devices cannot ping to pfsense. routing over pfsense don't work as well.
Do you have any idea? I can´t find mistake on configuration.
Thank you, Ajtak

ajtak

bump...
Do you have some idea?

viragomann

Have you added firewall rules to that VLAN to permit access?
What shows the filter log?

ajtak

Yes, I have rule, which allowed all traffic, but nothing matching on this rule.
Devices has answer ping from all another devices on VLAN, but cannot ping to pfsense. it's frustrating.
Floating is empty.

johnpoz

@ajtak said in cannot routing over pfsense on vlan:

evices cannot ping to pfsense

Well you have no rule that allows icmp.. So no you wouldn't be able to ping anything. That top rule you marked is TCP.

None of your rules would allow icmp.. As to routing - don't see any hits on any of your rules.. Have you generated any traffic to pfsense that would match at all..

ajtak

Sorry, I'm blind. It's true...
But.. Last rule logged all traffic, when doesn't match rules before this rule? if so, nothing happens anyway.

Routing - yes pfsense is OK. traffic from LAN to openvpn, ipsec or internet is OK.

johnpoz

I don't see any hits on that rule, you sure the default rule just didn't log..

ajtak

resume:

pfsense LAN IP 192.168.254.254/24
pfsense VLAN IP 10.40.254.0/24

device 1 on LAN has obtained IP 192.168.254.101/24 from DHCP
device 2 on LAN has obtained IP 192.168.254.102/24 from DHCP
device 3 on VLAN has obtained IP 10.40.254.101/24 from DHCP
device 4 on VLAN has obtained IP 10.40.254.102/24 from DHCP

ping reply is ok betwen device 1 and device 2
ping reply is ok betwen device 1 and pfsense LAN IP
ping reply is ok betwen device 2 and pfsense LAN IP

ping reply is ok betwen device 3 and 4
ping reply isn't ok betwen device 3 and pfsense VLAN IP
ping reply isn't ok betwen device 4 and pfsense VLAN IP

routing table on device 3 and device 4 has default route 0.0.0.0/0 -> 10.40.254.254

johnpoz

@ajtak said in cannot routing over pfsense on vlan:

pfsense VLAN IP 10.40.254.0/24

That is NOT an ip, that is a network. And for sure doesn't match what you stated the gateway is

routing table on device 3 and device 4 has default route 0.0.0.0/0 -> 10.40.254.254

ping reply is ok betwen device 3 and 4

That has ZERO to do with pfsense, since they are on the same network.

ajtak

sorry ip 192.168.254.254 with subnet mask 24 etc..

johnpoz

So what happens when device 3 or 4 pings lan IP 192.168.254.254

Did you alter your rules to allow icmp on your vlan?

Do you have any floating tab rules? Those could be blocking as well, even if you allow on your vlan rules.

ajtak

I can setup icmp rule remotly, but I'll be at the router in four hours for testing traffic.
I don't have rules on floating tab. tab is empty.

ajtak

I'm allowed icmp from 192.168.254.0/24 and device 3 has reply from 192.168.254.254. is it OK?

johnpoz

That makes zero sense you mean you allowed icmp TO, not from..

Rules are placed on interfaces where traffic enters pfsense.

ajtak

I'm added next rule which allowed all trafic to VLAN address. icmp to VLAN IP still don't working.