inter-VLAN routing with SG-2100
-
Hello, I am trying to set up VLANs on my network. However, I am unable to get inter-VLAN routing to work (the main issue is laid out in a bolded paragraph near the end, after my explanation of my setup).
I am running pfSense on a SG-2100 and I am attempting to use the built in switch.
I also have a unifi switch that I believe I have set up correctly. Both the pfSense box and unifi switch are new so I could have missed something.
VLANs:
- VLAN2: Servers, switches, WiFi APs
- VLAN3: Private LAN
- VLAN4: Public LAN (guest), no access to other VLANs so working as intended atm
- VLAN16-19: virtualization LANs, not in use currently
VLAN Subnet: 10.1.[VLAN_ID].0/24
pfSense switch:
- Port 1: V2, untagged, freenas
- Port 2: V4, untagged, wireless router, N/A because working as intended
- Port 3: V2, tagged, proxmox (will host containers)
- Port 4: V2, tagged, Unifi managed switch, connects to end user devices on V2,3,4 (seems to be working as intended)
My goal is for VLAN3 to be able to access VLAN2 and for VLAN4 to be unable to access any other VLANs. Currently, each host has internet access and can access other hosts in the same VLAN but is unable to access hosts in other VLANs.
I am 99.99% sure this isn't pfSense's firewall blocking stuff because I've added pass-all rules for every interface and floating (i.e. from any to any for any protocol), and various more specific pass rules (i.e. from a specific host to a specific host for ICMP). I have verified the packets are being passed in the system logs.
By running a packet capture, it seems there is a problem with the routing leaving V2. I can see the ping echo request sent from a V3 host on the V2 interface. I do not see a reply though. I also do not see any ICMP packets on V2 when I try to ping a V3 host from V2.
This testing was done between proxmox on VLAN2, port3 and my desktop on VLAN3 connected to the switch on port4.
Any help/insight would be appreciated. I've been trying to figure this out for literal days.
Thanks
-
Here is my proxmox network config also:
-
Well, now I just feel stupid. In my proxmox network config I have a big fat 20 for the netmask where it should be 24. Stupid typo. Then my freenas machine is having some routing difficulties that are its own, because it has no internet access, unlike every other machine.
So I am pretty sure the VLANs are setup correctly.
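The netmask typo above is a classic cause of one-way inter-VLAN traffic: with 10.1.2.x/20 the host believes 10.1.0.0 to 10.1.15.255 is directly attached, so it ARPs for a 10.1.3.x peer instead of sending the packet to the pfSense gateway, and the reply never comes. The script below is an added example (not from the thread or the pfSense project) that checks a host's configured address against the site's 10.1.[VLAN_ID].0/24 plan from the post; the host addresses used in it are constructed.

```python
"""Spot netmask mistakes that make other VLANs look directly attached.

The addressing plan (10.1.<VLAN_ID>.0/24) and the VLAN IDs come from the
thread; the host interface addresses below are constructed examples.
"""
import ipaddress

# VLANs in use on the network described in the thread
VLAN_IDS = [2, 3, 4, 16, 17, 18, 19]


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Subnet assigned to a VLAN under the 10.1.<VLAN_ID>.0/24 plan."""
    return ipaddress.ip_network(f"10.1.{vlan_id}.0/24")


def is_onlink(host_iface: str, peer_ip: str) -> bool:
    """True if the host will ARP for peer_ip directly (treat it as on-link)
    instead of forwarding it to its default gateway."""
    iface = ipaddress.ip_interface(host_iface)
    return ipaddress.ip_address(peer_ip) in iface.network


def swallowed_vlans(host_iface: str, own_vlan: int) -> list[int]:
    """Other VLANs whose /24 lies inside the host's configured network.
    Any VLAN listed here is unreachable from this host via the router,
    because the host will never send that traffic to the gateway."""
    iface = ipaddress.ip_interface(host_iface)
    return [
        v for v in VLAN_IDS
        if v != own_vlan and vlan_subnet(v).subnet_of(iface.network)
    ]


def diagnose(host_iface: str, own_vlan: int) -> str:
    """Human-readable verdict for one host interface."""
    bad = swallowed_vlans(host_iface, own_vlan)
    if not bad:
        return f"{host_iface}: netmask OK, other VLANs will be routed"
    return (f"{host_iface}: netmask too wide, VLAN(s) {bad} look on-link "
            f"and will be ARPed for instead of routed")


if __name__ == "__main__":
    # Constructed addresses: proxmox on VLAN 2 with the typo (/20) and fixed (/24)
    print(diagnose("10.1.2.10/20", 2))
    print(diagnose("10.1.2.10/24", 2))
    # Constructed desktop on VLAN 3 pinging proxmox
    print("desktop 10.1.3.50/24 -> 10.1.2.10 on-link?",
          is_onlink("10.1.3.50/24", "10.1.2.10"))
```

Run it against each host's configured address before chasing firewall rules: if `swallowed_vlans` returns anything, the packet capture symptom described in the thread (request seen on the destination VLAN interface, no reply) is expected, because the reply is sent by ARP on the wrong segment rather than back through pfSense.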
-
The only thing I see which I would question here is that in the 2100 switch config you have ports 3 and 4 set to PVID 2 but VLAN 2 is not untagged on those ports so it would not be available there.
If the host you are testing to in VLAN2 is connected untagged to ports 3 or 4 it will fail. VLAN2 is tagged on ports 3 and 4 though so as long as proxmox is also expecting tagged vlan2 there that should be OK.
Steve
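The PVID-versus-tagged distinction in the reply above is easy to get wrong, so here is an added example (not from the thread) that models the 802.1Q port behaviour involved: an untagged frame entering a port is placed in the port's PVID, but the switch only sends that VLAN back out untagged if the VLAN is in the port's untagged set. The port table mirrors the SG-2100 configuration described in the original post (ports 3 and 4: PVID 2, VLAN 2 tagged only; port 1: VLAN 2 untagged); the host modes are constructed test cases.

```python
"""Model of 802.1Q port handling to show when a host on a port can talk.

Added example, not from the thread. Semantics assumed: untagged ingress
frames take the port PVID; tagged ingress frames are accepted only for
VLANs configured on the port; egress is tagged or untagged according to the
port's membership for that VLAN. The port table follows the OP's SG-2100
switch description; the host modes are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


def ingress_vlan(port: Port, frame_vlan: Optional[int]) -> Optional[int]:
    """VLAN the switch assigns to an arriving frame, or None if dropped.
    frame_vlan is None for an untagged frame."""
    if frame_vlan is None:
        return port.pvid
    return frame_vlan if frame_vlan in port.tagged | port.untagged else None


def egress_form(port: Port, vlan: int) -> Optional[str]:
    """How a frame of this VLAN leaves the port: 'tagged', 'untagged',
    or None if the port is not a member of the VLAN at all."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def host_can_talk(port: Port, host_vlan: Optional[int]) -> bool:
    """True if a host sending frames in host_vlan (None = untagged NIC,
    int = 802.1Q sub-interface) both gets into a VLAN and receives replies
    in the form it understands."""
    vlan = ingress_vlan(port, host_vlan)
    if vlan is None:
        return False
    reply = egress_form(port, vlan)
    expected = "untagged" if host_vlan is None else "tagged"
    return reply == expected


# Switch table as described in the original post
SG2100 = {
    1: Port(pvid=2, untagged={2}),          # freenas, VLAN 2 untagged
    3: Port(pvid=2, tagged={2}),            # proxmox, VLAN 2 tagged only
    4: Port(pvid=2, tagged={2, 3, 4}),      # uplink to UniFi switch (assumed tagged 2/3/4)
}

if __name__ == "__main__":
    for port_no, mode in [(1, None), (3, None), (3, 2), (4, 3)]:
        how = "untagged NIC" if mode is None else f"tagged VLAN {mode}"
        print(f"port {port_no}, host {how}: "
              f"{'works' if host_can_talk(SG2100[port_no], mode) else 'fails'}")
```

The case that matters for the thread is port 3 with an untagged host: the frame is classified into VLAN 2 by PVID, but VLAN 2 leaves port 3 tagged, so a plain NIC discards every reply. Proxmox configured with a VLAN 2 sub-interface on that port works, which is exactly the condition Steve describes.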
-
Good day,
I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...