Traffic Shaper
-
Hi all,
I have question about Traffic shaper. Pls see network diagram bellow:
Internet –> Router --> pix firewall --> pfsense --> Layer 3 Core switch --> Layer 2 Core Swicth -->many VLANs -->Pcs
How to make shaping for all VLANs in system? I have problem that VLANs can not access to Internet?
Pls help me!
any question about system I will answer to you!
Thanks!
Johnnguyen, -
Atm the trafficshaper only supports shaping between 2 interfaces. As vlans are handled like seperate interfaces this casn't be done at the pfSense itself. You need to set this up at the switches so the traffic hits the pfSense as non vlan traffic. Also note that you might need to modify your "default LAN to any rule" as this one only allows traffic from the LAN subnet to go out. If the vlans have a different subnet you need to allow either any as source range or need additional rules. On top of that you might need some static routes at the pfSense to find it's way back to the vlan segments via the layer3 core switch.
-
Hi hoba, thanks for you answer me, I want said to you about system I made.
I make VLANs at Layer 2 Core Switch, at Layer 3 I used RIP routing for all network in system and used static route to route outside.
The system before pfsense:
From Layer 3 Core Swicth connected to Inside in Fix Firewall.
For traffic from VLANs to Internet I used static route "any" at Layer 3 Core Switch route to "PiX Inside" and system running is OKThe system after connected pfsense
From Layer 3 Core Switch connect to "pfsense LAN", from "pfsense WAN" connect to "Pix Inside", and changed "static route" at Layer3 Core Switch to pfsense LAN IP address, but system can not run.
After change I see LAN system run is OK but others VLANs can not run.
In pfsense I open all Firewall rule at LAN an WAN to any.Pls help me fix this problem.
regards, Johnnguyen!
-
I think you are just missing the static routes for the vlans back to the coreswitch. This way traffic doesn'T know how to return and no outbound NAT rules will be generated automatically by the pfsense for the vlan subnets.
You already placed the pass any source rule at lan it seems so this should not be a firewall problem. -
So, I should make static routes "any" at pfsense LAN interface?
-
I want ask you one question, when I make static route at LAN interface the traffic shapper can active on traffic?
-
You need a bunch of static routes:
Interface LAN, subnet vlan1, gateway layer 3 coreswitch
Interface LAN, subnet vlan2, gateway layer 3 coreswitch
Interface LAN, subnet vlan3, gateway layer 3 coreswitch
… -
oh, I need make VLAN ID on pfsense LAN Interface the same VLAN ID at Core Switch? and at pfsense LAN interface I make Bridge with LAN interface, after that I make static route for each VLAN subnet?
-
Hi Hoba,
When I input static route Interface LAN, subnet vlan1, gateway layer 3 coreswitch … --> Network down, from in pfsense I cannot access to Outsite? What's problem?
-
Hi Hoba, I performed static route at LAN Interface with VLAN subnet but it's not run, I monitor just LAN address run other VLAN not run, plshelp me fix this problem
-
Make sure your coreswitch is configured properly and you have all routes in place that are needed at all involved routers/switches.
-
yeah, That is correct because my system run is OK before connect to Pfsense and in Pfsense I in put all Subnet VLAN route.
I don't know what is problem?
Johnnguyen
-
You added static routes at the pfsense for the vlans? You don't need routes for subnets that are directly connected to the pfsense.
-
Hi Hoba,
Examples: I have VLAN 5: Network: 10.100.5.0/24, Gateway: 10.100.5.1, VLAN 6: network 10.100.6.0/24, gateway: 10.100.6.1…
LAN address at pfsense: 10.100.100.5/24
In Layer 3 Core switch I used static route: ip route 0.0.0.0 0.0.0.0 10.100.100.5
Last time (not connect to pfsense) the system running is OK
As you help me, at pfsense LAN address I used static route as follow:
Interface LAN, Network:10.100.5.0/24, gateway layer 3 coreswitch: 10.100.5.1
Interface LAN, Network:10.100.6.0/24, gateway layer 3 coreswitch: 10.100.5.1
...Of course, I don't make routes for subnets that are directly connected to the pfsense.
Pls give me what is wrong?
Regards,
Johnnguyen -
Sorry Interface LAN, Network:10.100.6.0/24, gateway layer 3 coreswitch: 10.100.6.1 (not 10.100.5.1)
-
i think this should be
lan 192.168.5.0/24 gateway "other ip of the switch"the gateway of the static route needs to be in the directly connected subnet
-
Can you speak clearly?
Because I connect direct from Layer3 core Switch to Pix then system run is OK, but I connect from Layer 3 core switch to pfsense to pix then system is down. I make route already but it is not run, I don't know why?
-
Just one very weird thought…are all links at the pfSense up at all (see status>interfaces)? Or do you maybe need a crossovercable between some of the devices? ::)
-
oh, crossovercable between some of the devices? I don't think so because I test "ping" to outside at LAN or WAN pfsense interfase are very good, just other subnets from other VLANs cannot access to outside, although I used static route the same you consult but from LAN pfsense interface I can not ping to gateways of other VLAN
-
Hi all, may I help me to solve this problem?
Regards, Johnnguyen