I can't seem to get traffic between LAN/VLAN interfaces [solved]
-
LAN - 10.10.0.0/22
VLAN 10 - 10.10.5.0/24The gateway for the LAN is 10.10.1.1 (not sure why it wasn't 10.10.0.1, but I inherited this).
The gateway for the hosts in VLAN 10 is 10.10.5.1From a host in the LAN, I can ping out, ping 10.10.1.1, and ping 10.10.5.1, but I cannot ping 10.10.5.3 (a host in VLAN 10).
From a host in VLAN 10, I can ping out, ping 10.10.5.1, and ping 10.10.1.1 but I cannot ping 10.10.1.7 (a host in the LAN).I keep reading that I don't need a route (and I shouldn't), and that all I need to do is allow the traffic via firewall rules. But I've put a rule in Firewall - > LAN that says allow IPv4*, source *, port *, destination VLAN 10 Net, port *, gateway *
and also a firewall rule in VLAN 10 that says allow all destined for VLAN Net.
But the traffic won't go.
I can't find that they're being blocked in System Logs -> Firewall, I tried filtering by source and destination IP but nothing comes up.
While I was on-site yesterday I did try going to System -> Advanced -> Firewall/NAT and tried checking Disable all packet filtering. Interestingly enough I could then ping across from LAN to VLAN10.
So what rule am I missing or have misconfigured to allow this traffic?
In this particular scenario, the VLAN interfaces are all on one physical interface, but I've seen the same exact behavior on LANs in 2 separate interfaces. It must be something I'm doing wrong.
-
Windows boxes? maybe it’s the firewall on the hosts blocking icmp from remote subnets.
Do a packet capture on vlan10 in pfsense and ping something on vlan10 from the lan.
Does traffic flow out to the host on vlan10?
-
@NogBadTheBad
No not Windows boxes. I disabled all packet filtering in System -> Advanced on the pfSense box and the pings started flowing, but I have to be on-site to do that or I can't get back into the firewall. -
What firewall rules did you create?
Common mistake is forcing traffic out a gateway, wan or vpn before you allow access to the vlan.
Post up your rules.
-
@johnpoz
Ugh! Thank you! I feel like an idiot! My outbound allow rules were on top, I guess I figured pfSense was going to snag that as not heading for outbound, but now that I think about it, perfect sense!