Netgate Discussion Forum

    I can't seem to get traffic between LAN/VLAN interfaces [solved]

dlogan (last edited by dlogan):

LAN - 10.10.0.0/22
VLAN 10 - 10.10.5.0/24

The gateway for the LAN is 10.10.1.1 (not sure why it wasn't 10.10.0.1, but I inherited this).
The gateway for the hosts in VLAN 10 is 10.10.5.1.

From a host in the LAN, I can ping out, ping 10.10.1.1, and ping 10.10.5.1, but I cannot ping 10.10.5.3 (a host in VLAN 10).
From a host in VLAN 10, I can ping out, ping 10.10.5.1, and ping 10.10.1.1, but I cannot ping 10.10.1.7 (a host in the LAN).

I keep reading that I don't need a route (and I shouldn't), and that all I need to do is allow the traffic via firewall rules. But I've put a rule in Firewall -> LAN that says allow IPv4*, source *, port *, destination VLAN 10 Net, port *, gateway *

and also a firewall rule in VLAN 10 that says allow all destined for VLAN Net.

But the traffic won't go.

I can't find that they're being blocked in System Logs -> Firewall; I tried filtering by source and destination IP but nothing comes up.

While I was on-site yesterday I did try going to System -> Advanced -> Firewall/NAT and checking Disable all packet filtering. Interestingly enough, I could then ping across from LAN to VLAN 10.

So what rule am I missing or have misconfigured to allow this traffic?

In this particular scenario, the VLAN interfaces are all on one physical interface, but I've seen the same exact behavior on LANs on 2 separate interfaces. It must be something I'm doing wrong.

NogBadTheBad:

Windows boxes? Maybe it's the firewall on the hosts blocking ICMP from remote subnets.

Do a packet capture on VLAN 10 in pfSense and ping something on VLAN 10 from the LAN.

Does traffic flow out to the host on VLAN 10?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

dlogan @NogBadTheBad:

@NogBadTheBad
No, not Windows boxes. I disabled all packet filtering in System -> Advanced on the pfSense box and the pings started flowing, but I have to be on-site to do that or I can't get back into the firewall.

johnpoz (LAYER 8 Global Moderator):

What firewall rules did you create?

A common mistake is forcing traffic out a gateway (WAN or VPN) before you allow access to the VLAN.

Post up your rules.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

dlogan @johnpoz:

@johnpoz
Ugh! Thank you! I feel like an idiot! My outbound allow rules were on top. I guess I figured pfSense was going to snag that as not heading outbound, but now that I think about it, it makes perfect sense!

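To make the ordering problem johnpoz points out (and dlogan confirms) concrete, here is an added example that is not part of the thread and not pfSense code: a small model of first-match rule evaluation on a LAN tab. On pfSense, a pass rule with a gateway set policy-routes every packet it matches to that gateway, so a broad "allow any via WAN gateway" rule placed above the "allow to VLAN 10 net" rule captures LAN-to-VLAN 10 traffic first and sends it toward the WAN instead of the directly connected VLAN. The rule names, the gateway label `WAN_GW`, the `Rule` fields and the sample addresses are constructed for illustration; the two subnets are the ones from the original post.

```python
"""Model of first-match firewall rule evaluation with policy routing.

Added example: this is a simplified model for illustration, not pfSense or pf
code. Rule names, the WAN_GW gateway label and the sample packets are
constructed; the LAN and VLAN 10 subnets come from the forum post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_NET = "10.10.0.0/22"
VLAN10_NET = "10.10.5.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "pass" or "block"
    source: str                 # CIDR or "any"
    destination: str            # CIDR or "any"
    gateway: Optional[str] = None   # None: follow the routing table; else policy-route


def _matches(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr; "any" matches everything."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """First-match semantics: the first rule whose source and destination
    cover the packet decides; no match means the implicit default deny."""
    for rule in rules:
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule
    return None


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return ("blocked", None), ("pass", None) when the packet follows the
    routing table, or ("pass", <gateway>) when it is policy-routed."""
    rule = first_match(rules, src, dst)
    if rule is None or rule.action != "pass":
        return ("blocked", None)
    return ("pass", rule.gateway)


def check_ordering(rules: List[Rule], local_nets: List[str]) -> List[Tuple[str, str]]:
    """Audit helper: report policy-routed 'destination any' pass rules that sit
    above any rule allowing a directly connected network. Returns
    (rule name, local network) pairs that would be hijacked by the gateway."""
    findings = []
    already_allowed = set()
    for rule in rules:
        if rule.action != "pass":
            continue
        if rule.gateway is not None and rule.destination == "any":
            for net in local_nets:
                if net not in already_allowed:
                    findings.append((rule.name, net))
        elif rule.destination != "any":
            already_allowed.add(rule.destination)
    return findings


# Rule set as the original poster described it: the policy-routed outbound
# rule sits above the inter-VLAN allow rule, so it wins the first match.
BROKEN_LAN_RULES = [
    Rule("Outbound via WAN", "pass", LAN_NET, "any", gateway="WAN_GW"),
    Rule("Allow LAN to VLAN 10", "pass", LAN_NET, VLAN10_NET),
]

# Corrected order: the specific local-destination rule is evaluated first and
# the catch-all policy-routed rule only sees what is left.
FIXED_LAN_RULES = [
    Rule("Allow LAN to VLAN 10", "pass", LAN_NET, VLAN10_NET),
    Rule("Outbound via WAN", "pass", LAN_NET, "any", gateway="WAN_GW"),
]


if __name__ == "__main__":
    lan_host, vlan_host, internet_host = "10.10.1.7", "10.10.5.3", "203.0.113.10"
    for label, rules in (("broken", BROKEN_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        print(label, "LAN -> VLAN 10:", evaluate(rules, lan_host, vlan_host))
        print(label, "LAN -> Internet:", evaluate(rules, lan_host, internet_host))
        print(label, "ordering findings:", check_ordering(rules, [VLAN10_NET]))
```

Running the script shows the LAN-to-VLAN 10 ping being policy-routed to `WAN_GW` under the broken order and routed normally under the fixed order, while Internet-bound traffic takes the gateway in both cases. The `check_ordering` audit is the kind of check to run against a rule set whenever a gateway is forced on a broad rule: every directly connected or VPN-reachable network needs its own pass rule above that catch-all.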