Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Inter-VLAN traffic Client Isolation

    Scheduled Pinned Locked Moved L2/Switching/VLANs
    14 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Phonix66
      last edited by

      Hi Team,

      I need help with an issue I’m facing and can’t really understand what is the cause, I’ll explain:

      1. I have a one pfsense.
      2. Two ubiquity unifi switches.
      3. one HP 1810-8g switch.

      I have created 6 vlans:
      Network design:
      LAN is untagged vlan 1
      Vlan 100 (MGMT) 192.168.2.128/25
      Vlan 200 (Storage) 192.168.3.128/25 only L2
      Vlan 300 (Intranet) 192.168.4.128/25
      Vlan 400 (Guest) 192.168.5.128/25
      Vlan 500 (Server) 192.168.6.128/25
      Vlan 600 (IoT) 192.168.7.128/25
      Untagged vlan is 1 all over, all the Rest is Tagged.

      Everything works as expected, i can reach every gateway of every vlan from every vlan as I pleases (at the moment I explicitly allow all IPv4 traffic between the vlans.

      The only problem I’m facing is I cannot reach clients on different vlans from the native vlan or from any vlan and vise versa. (sort of like the clients are isolated).
      I put logging on the firewall rules, and actually I can see that traffic is not being denied or blocked, but it’s going through!

      Also thing like DHCP off curse in the same broadcast domain are working well, but also dns to the lan address Shows everything is ok.

      Thanks on advance, and have a nice weekend.

      1 Reply Last reply Reply Quote 0
      • P
        Phonix66
        last edited by

        Someone please?

        1 Reply Last reply Reply Quote 0
        • P
          Phonix66
          last edited by

          for example:

          MBP ~ % ping 192.168.2.205
          PING 192.168.2.205 (192.168.2.205): 56 data bytes
          Request timeout for icmp_seq 0
          Request timeout for icmp_seq 1
          Request timeout for icmp_seq 2
          Request timeout for icmp_seq 3


          Traffic is being passed, but still I cannot reach clients on other vlans.
          Mar 13 18:59:09 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
          Mar 13 18:58:05 LAN 192.168.1.154 192.168.2.205 ICMP - Pass
          The rule that triggered this action is:

          @105(XXXXXXXX) pass in log quick on Vlan_trunk inet all flags S/SA keep state label "USER_RULE"

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @Phonix66
            last edited by

            @Phonix66

            Do you have rules to allow traffic from one VLAN to another?

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • dotdashD
              dotdash
              last edited by

              Post the LAN rules. You don't have a gateway selected under advanced, do you?

              1 Reply Last reply Reply Quote 0
              • P
                Phonix66
                last edited by

                Thanks for the answer.
                I have set for the troubleshooting Ipv4 allow all

                For example:
                On the Floating rules:
                Allow all IPv4 * * * * * * none

                Also on the trunk I created under interface group (Where I bond all sub interfaces with the LAN uplink) rules:
                Allow all IPv4 * * * * * * none

                In short I have fully allow all traffic, but still seeing the problem.
                On the logs nothing is being blocked, but still I cannot trace route or ping from and to clients.

                Thanks,

                1 Reply Last reply Reply Quote 0
                • P
                  Phonix66
                  last edited by

                  Thanks,

                  The only gateway I have under advanced is the next WAN modem I have, I can reach the internet from all VLANs.
                  Here are the rules:

                  rules.xls [0_1584124401963_Rules.rtf](Uploading 100%) [0_1584124167304_Rules.rtf](Uploading 100%)

                  1 Reply Last reply Reply Quote 0
                  • P
                    Phonix66
                    last edited by

                    A small correction, I was able to reach the internet, outbound traffic was ok yesterday for all vlans.
                    Now internet outbound traffic is only working on the LAN untagged.

                    1 Reply Last reply Reply Quote 0
                    • dotdashD
                      dotdash
                      last edited by

                      A few screenshots would have been fine. I Don't really have time to sort through the raw dump, but some things look goofy.
                      Not sure what you are doing with your 'interface group trunk'?? and floating rules. Why don't you start simple:
                      Firewall rules, vlan 100 tab, ipv4* vlan 100 net to any No advanced settings
                      vlan 200 tab, ipv4* vlan 200 net to any No advanced.
                      Then try to ping from vlan 100 to 200....

                      1 Reply Last reply Reply Quote 0
                      • P
                        Phonix66
                        last edited by Phonix66

                        The interface “Trunk-Group” is where I Bond all vlans on the only wire (uplink) I have:012F044C-0A8B-4511-B9C2-DA9F4CDEBCAD.png

                        Over there I have a full ipv4 pass rule
                        C4BF376B-3747-4F07-94A1-C4B8CEAA70A2.png

                        On the floating it’s the same, only that there are some public “bad” addresses that I have blocked, but that’s are only incoming from the WAN side, nothing internal.

                        1 Reply Last reply Reply Quote 0
                        • dotdashD
                          dotdash
                          last edited by

                          In the interest of trying to walk before flying, why don't you see if it works when you add the rules to the interfaces, like I suggested before.

                          1 Reply Last reply Reply Quote 0
                          • P
                            Phonix66
                            last edited by Phonix66

                            I do have the rules as you suggest on some interfaces for testing, when it works I’ll replicate to the other interfaces, but now it’s not working:
                            883A3219-0FE5-4D0D-BFF9-9A4C1ECCF7D4.png

                            I suspect that I would need to factory reset the pfsense if nothing produces results, what I couldn’t do on a big production environment.

                            Maybe backup the configuration.
                            Reset to default.
                            Test with minimal configuration.
                            If works, the go step by step.
                            If not working restore configuration and troubleshoot again

                            1 Reply Last reply Reply Quote 0
                            • P
                              Phonix66
                              last edited by

                              Here is an example where I ping to a client and I get no response:
                              D7F414F3-A1AE-483E-BDBC-E4B43359CC5E.png

                              But looking in the logs everything looks good, my iP as source is reaching the destination:
                              0FBC0ADC-B69C-4837-A9DA-4C8339B25A85.png

                              1 Reply Last reply Reply Quote 0
                              • P
                                Phonix66
                                last edited by Phonix66

                                Thanks everyone, I’ve got it sorted out.
                                Did as I explained in my previous post and added allow rules under every vlan, then it started working.
                                Still doesn’t explains the firewall logs showing green for passed while it wasn’t the case.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.