Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Rules from VLAN to LAN and back

    Scheduled Pinned Locked Moved
    Firewalling
    rules
    2
    5
    630
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfs-ole
      last edited by

      Hi,

      I've here a tagged VLAN ID=20 with 192.168.20.0/24. This is connected to an access point and clients can get connected to the internet. I want to get them access to the LAN network 192.168.1.0/24 too.

      pfs_vlan20.png
      pfs_lan.png

      From logs, I have access to an host, e.g. 192.168.1.11, but the host seems to be unable to get the VLAN 192.168.20.0/24 resp. the client inside this network back.

      pfs_vlan_logs.png

      For my understanding LAN should be allowed to go to every network, even GUEST network (which isn't intended later on). So, what happens and how to get it?

      Thanks

      A 1 Reply Last reply Reply Quote 0
      • A
        akuma1x @pfs-ole
        last edited by

        @pfs-ole Make a new firewall rule on interface INT_VLAN20, you could even duplicate the one you already have - "default allow internal VLAN20 to any", and change the destination to "LAN net". After you make and save this rule, move it all the way to the top of the INT_VLAN20 firewall rule list and save the list.

        Now test to make sure it works. You might have to, on devices connected to the INT_VLAN20 network, renew their DHCP leases to get the client working correctly.

        If this works, then you can tweak it, for example, to only allow access to certain machines/hosts on LAN network, setup a schedule, allow only certain types of traffic (ports) thru to the LAN network, etc.

        You can then also start to move the rule down in the list, to an appropriate final resting spot.

        Hope that helps.

        Jeff

        1 Reply Last reply Reply Quote 0
        • P
          pfs-ole
          last edited by pfs-ole

          thank you for your advice, but it doesn't work or even change something. As I understand this, this is a more concrete forward rule from VLAN20 to LAN which aren't blocked as the logs shows. Maybe I'm wrong?

          Edit: Maybe I forgot an important detail to mention. The vlan20 is on Unifi WLAN, connected to a management switch (layer 2 switch called?) going to pfsense. Also on switch is the LAN which isn't VLAN tagged. So, maybe the client in LAN can't connect to the client in VLAN 20 since the switch isn't configured for this? But, isn't the pfsense not capable to do this?

          A 1 Reply Last reply Reply Quote 0
          • A
            akuma1x @pfs-ole
            last edited by

            @pfs-ole Ok then. On the host on VLAN20, do you have the machine's firewall rules turned off. If it's a Windows machine, for example, if you don't have the internal built-in Windows firewall turned off, it will NOT respond to traffic or requests from other networks.

            Same goes for machines on LAN, if they are Windows machines. They will not respond to machines on the VLAN20 network, since that network is not on the same subnet as the LAN network.

            Jeff

            1 Reply Last reply Reply Quote 0
            • P
              pfs-ole
              last edited by pfs-ole

              I will check it in the evening. A t this time only linux machines are there and I don't want to allow the windows machines to serve some services.

              Anyway, LAN network doesn't know anything about VLANs, where the host to be connected from VLAN20 is located ....

              1 Reply Last reply Reply Quote 0
              • First post
                Last post