Help with VLAN firewall rules
-
I have the following setup:
10.0.0.0/24 - default VLAN
10.100.0.0/24 - VLAN 100
10.8.0.0/24 - VPN network
10.0.0.99 - VPN server
I have a static route to 10.0.0.99 for the 10.8.0.3 subnet. Clients on the default VLAN (10.0.0.0/24) can ping clients on the VPN network (10.8.0.3). Clients on the 10.100.0.0/24 subnet can ping the VPN gateway, but aren't able to get to VPN clients. As far as I can tell, I am passing everything on the VLAN interface. I included tracert just in case it is a routing issue.
Here is my any-any rule on the VLAN interface:
tracert from client on default VLAN to vpn client:
Tracing route to [VPN CLIENT] [10.8.0.3]
over a maximum of 30 hops:

  1     1 ms    17 ms     4 ms  pfSense.[mydomain] [10.0.0.1]
  2     1 ms     1 ms     1 ms  [VPN SERVER].[mydomain] [10.0.0.99]
  3    61 ms    45 ms    60 ms  [VPN CLIENT] [10.8.0.3]
tracert from client on 10.100.0.0/24 to vpn client:
Tracing route to 10.8.0.3 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.100.0.1
  2    <1 ms    <1 ms    <1 ms  [VPN SERVER].[mydomain] [10.0.0.99]
  3     *        *        *     Request timed out.
-
Do the VPN clients have a route to the 10.100.0.0/24 subnet?
You may have to push it to the clients.
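The return-path problem the reply is pointing at, as an added example that is not part of the original thread or of any Netgate/pfSense code: the VPN client's own IP stack picks the route for its reply by longest-prefix match, so if the server only pushed 10.0.0.0/24, replies to a 10.100.0.x host leave via the client's default gateway instead of the tunnel, which matches the trace above reaching 10.0.0.99 and then timing out. The routing table below is constructed; the tun0/eth0 interface names, the 192.168.1.1 gateway and the 10.8.0.1 tunnel gateway are assumptions for illustration (the original post does not name the VPN software, but the `push "route ..."` directive mentioned in a comment is OpenVPN server-config syntax).

```python
"""Longest-prefix-match check of a VPN client's return path.

Added example, not from the original post. Shows why a VPN client that was
only pushed 10.0.0.0/24 cannot answer hosts on 10.100.0.0/24 through the
tunnel, and what changes once 10.100.0.0/24 is pushed as well.
"""
import ipaddress

# Constructed sample routing table for the VPN client (10.8.0.3).
# Assumptions: tunnel interface tun0 with gateway 10.8.0.1, client's local
# uplink eth0 behind 192.168.1.1. None of these come from the original post.
# Each entry: (destination prefix, next-hop gateway or None, interface)
CLIENT_ROUTES_BEFORE = [
    ("0.0.0.0/0",      "192.168.1.1", "eth0"),  # default route, client's own uplink
    ("192.168.1.0/24", None,          "eth0"),  # client's own LAN
    ("10.8.0.0/24",    None,          "tun0"),  # VPN subnet, directly connected
    ("10.0.0.0/24",    "10.8.0.1",    "tun0"),  # pushed by the server: default VLAN
]


def select_route(routes, dst):
    """Return the (network, gateway, interface) entry with the longest
    prefix that contains dst, i.e. the route the kernel would use."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def returns_via_tunnel(routes, dst, tun_if="tun0"):
    """True if a reply to dst would leave through the tunnel interface."""
    route = select_route(routes, dst)
    return route is not None and route[2] == tun_if


def push_route(routes, prefix, gw="10.8.0.1", dev="tun0"):
    """Model the effect on the client of the server pushing one more
    route, e.g. OpenVPN's  push "route 10.100.0.0 255.255.255.0"  ."""
    return routes + [(prefix, gw, dev)]


def diagnose(routes, hosts):
    """Map each LAN host to whether the client can reach it via the tunnel."""
    return {host: returns_via_tunnel(routes, host) for host in hosts}


# Same table after the server also pushes the VLAN 100 subnet.
CLIENT_ROUTES_AFTER = push_route(CLIENT_ROUTES_BEFORE, "10.100.0.0/24")

if __name__ == "__main__":
    hosts = ["10.0.0.50", "10.100.0.50"]
    for label, table in (("before push", CLIENT_ROUTES_BEFORE),
                         ("after push", CLIENT_ROUTES_AFTER)):
        print(label)
        for host in hosts:
            net, gw, dev = select_route(table, host)
            print(f"  reply to {host}: via {gw or 'direct'} dev {dev} "
                  f"(matched {net}) -> tunnel={returns_via_tunnel(table, host)}")
```

Run it and the "before push" output shows the reply to 10.100.0.50 matching the 0.0.0.0/0 entry and leaving on eth0, while 10.0.0.50 goes out tun0; after the extra route is pushed both go through the tunnel. On a real client the same check is `ip route get 10.100.0.1` (Linux) or `route print` (Windows): if the chosen interface is not the tunnel, the server needs to push the route, and if the server itself is not the default gateway for its LAN the firewall also needs a static route for 10.8.0.0/24 pointing at it, which the original post says is already in place.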
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.