Netgate Discussion Forum

    unable to connect vlan to vlan?

    Category: L2/Switching/VLANs
    28 Posts, 3 Posters, 2.3k Views
      nick.loenders

      Hi, I have set up several vlans on my pfSense and on the UniFi switch.

      I have now connected a laptop on a port with vlan 220 and a PoE phone on vlan 230.
      But I am unable to ping from my laptop to the phone.

      I have added the rules, but it still won't work. What am I missing here?

      Oh, I cannot ping/access the internet from vlan220 either.


        johnpoz (Global Moderator) @nick.loenders

        @nick-loenders well, for starters, many of those rules are not needed.

        For starters, vlan220 net could never be the source of traffic into the vlan230 interface, so such rules make no sense.

        Also, the top rule there, vlan230 to vlan230, is not well written; while this would allow access to the vlan230 interface of pfSense, clients on 230 do not talk to pfSense to talk to other clients on 230.

        So this rule would be better written as dest vlan230 address, if that is what you're wanting to allow.

        Also, the rule on your 220 that allows access to wan net is not going to allow access to the internet. That is only going to allow access to whatever the wan network is. wan net does not = internet. Any is what you need to allow internet access. For example, the internet address of Google DNS, 8.8.8.8, sure is not part of your wan net, now is it ;)

        So your rule vlan220 net allow to vlan230 net would allow access to a device IP on vlan 230. I do not see any evaluations of that rule; 0/0 B on the states means nothing has asked pfSense to go there.

        But if you allow traffic to 230 from 220, no allow rules would be needed on the 230 interface to allow the return traffic.

        Common issues users have when trying to talk to something in another vlan are: the firewall on the dest device not allowing the traffic, the device not using pfSense as its gateway, or the mask on the device making it think the source traffic is local, so it never sends the answer back to pfSense.

        Also, do you have any floating rules?

        What I would suggest for testing your access to your 230 vlan device is to sniff on the 230 interface on pfSense, then from the 220 device start pinging the IP in the 230 vlan. Do you see pfSense sending on the traffic? If so, that means something on the 230 device is not answering.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          nick.loenders @johnpoz

          @johnpoz said in unable to connect vlan to vlan?:

          r be source of traffic into vlan 230 interface, so such rules

          Hi,

          I narrowed it down. First of all pinging to vlan230 works now. I forgot to add the switch with the vlan tags...

          But then how do I allow it to go to the internet?
          With that disabled rule I can ping Google. Or do I need to make a group of public IPs 1.1.1.1-9.254.254.254, 11.0.0.1-191.254.254.254, .... and allow that?!?!?!

            johnpoz (Global Moderator) @nick.loenders

            @nick-loenders said in unable to connect vlan to vlan?:

            But then how do I allow it to go to the internet?

            You need a rule that allows destination ANY..

            There is no way it would be realistic to try and create rules for ALL the possible IPs that might be the internet ;)


              nick.loenders @johnpoz

              @johnpoz But then it is also allowed to the LAN and the other VLANS?

              Or am I supposed to block traffic to the other vlans/LAN? So if you have 200 vlans, you need to make 200 rules, just to make sure the other vlans are blocked except 1 AND the internet?

                johnpoz (Global Moderator) @nick.loenders

                @nick-loenders if you do not want vlan 220 to talk to vlan 230, then you put a rule above your any rule to block that.

                Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

                As to creating 200 rules? No. I would assume all your vlans are rfc1918 space, right? Then create an alias that contains all the rfc1918 space, and use that as your rule to block access to your other vlans.

                Example: (screenshot aliasrule.jpg)


                  nick.loenders @johnpoz

                  This post is deleted!
                    johnpoz (Global Moderator) @nick.loenders

                    @nick-loenders again, rules are evaluated top down..

                    rule to allow to 230
                    rule to block to rfc1918 alias
                    rule to any

                    So now 220 can talk to 230,
                    but not any of your other vlans, because they are all in the rfc1918 space,
                    but if it wants to talk to, say, 8.8.8.8 or 9.9.9.9 etc., that is allowed by the any rule at the end.

                    edit: here is a picture example (screenshot example.jpg)

                    So I allow some required stuff, like pinging pfSense to validate connectivity, and using DNS and NTP on the pfSense test address.

                    Then block all access to any other pfSense IPs on any interface, say the wan IP that is public and could change, to prevent access to, say, the pfSense gui.

                    I then allow access to the guest network, but block all other access to any other rfc1918 address space, my other vlans. And then the last rule allows access to the internet (any).


                      nick.loenders @johnpoz

                      @johnpoz
                      OK, so I now have this: (screenshot)

                      But I cannot ping the internet, nor surf.
                      The firewall even blocks DNS: (screenshot)

                      Weird, nah?

                        johnpoz (Global Moderator) @nick.loenders

                        @nick-loenders said in unable to connect vlan to vlan?:

                        Weird, nah?

                        Now you're only allowing tcp; most dns is always udp. Your dns rules should be for both tcp/udp, since sometimes tcp can be used.

                        (screenshot weird.jpg)

                        Curious why you put in an IP vs just the vlan220 address alias? Is 20.253 not pfSense's actual IP? Is it a VIP or something?

                        If dns is not working you'll have a hard time resolving, and surfing, anything. Can you, say, ping 8.8.8.8?


                          MoonKnight @johnpoz

                          @johnpoz
                          Hi,
                          Do my DNS rules look okay? This is on the LAN interface.
                          Can I use the same rules on my other interfaces also?

                          I have seen others using almost the same rules, but they use LAN Net as SOURCE.

                          (screenshot)

                          --- 24.11 ---
                          Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
                          Kingston DDR4 2666MHz 16GB ECC
                          2 x HyperX Fury SSD 120GB (ZFS-mirror)
                          2 x Intel i210 (ports)
                          4 x Intel i350 (ports)

                            johnpoz (Global Moderator) @MoonKnight

                            @moonknight source should really always be the net the interface is connected to. The only time it shouldn't be is if you're using it as a transit network. But LAN makes for a horrible transit, because there should be no hosts on a transit network, or you run into asymmetrical problems.

                            That first rule is attempting to redirect anything to loopback, which is fine, but then it kind of makes the second rule pretty pointless. Is that tied to a port forward rule?

                            I would put the lan address rule above the rule from the port forward, just for easier reading.


                              MoonKnight @johnpoz

                              @johnpoz
                              Hi again, and thanks for your answer :)

                              I was following the docs at Netgate.
                              1st rule:
                              https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                              2nd and 3rd rules:
                              https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html

                              2nd rule is not port forward. The 1st rule is NAT rule.
                              So I can remove 2nd rule then :)

                              1st rule, NAT: (screenshot)


                                johnpoz (Global Moderator) @MoonKnight

                                @moonknight said in unable to connect vlan to vlan?:

                                2nd rule is not port forward. The 1st rule is NAT rule.

                                huh? Not really, it's a "port forward" ;) look at what section of NAT rules you put it in hehehe

                                If your 1st rule there allows the port forward, then it would depend on the destination of your port forward whether that 2nd rule is needed. Since you have it ! lan address, then you need it, but I would just put it above is all.. If you remove it you wouldn't be able to actually talk directly to the lan address for dns ;)


                                  MoonKnight @johnpoz

                                  @johnpoz
                                  Damn, you got me, hehe :)
                                  Of course, it is a port forward.

                                  Something like this? (screenshot)

                                  Should I also put "LAN Net" in the source? In all of them?


                                    johnpoz (Global Moderator) @MoonKnight

                                    @moonknight it's cleaner to have lan net there; it makes it easy to know what interface you're on, etc.

                                    I mean, when would there ever be anything other than lan net coming into that interface as source ;)


                                      nick.loenders @johnpoz

                                      @johnpoz
                                      I did it like this and that worked :)

                                      (screenshot)

                                      The 10.233 is the WAN IP of my home setup modem. Therefore it did not work when blocking the PrivateNetwork :)

                                        johnpoz (Global Moderator) @nick.loenders

                                        @nick-loenders You mean you couldn't access its gui? Or the internet? Since it would have nothing to do with internet access.

                                        And your rules block it anyway. Remember, order is top down. So trying to get to 192.168.10.233 is blocked by the private nets rule before it even gets to your allow rule.

                                        What I don't get is why none of your rules are even showing as being used... They are all 0/0 for states. That means pfSense has not seen any traffic that matches any of those rules.

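As an added illustration (not code from the thread or from pfSense itself), here is a small first-match evaluator for the vlan220 rule ordering johnpoz lays out earlier (allow to 230, block the rfc1918 alias, allow any). It shows why a tcp-only DNS rule lets a UDP query fall through to the private-space block, as in the "firewall even blocks DNS" screenshot, and why 192.168.10.233 is caught by the alias block before any later allow rule, as discussed in the posts just above. The addressing (vlan220 = 192.168.220.0/24 with pfSense at .1, vlan230 = 192.168.230.0/24) is constructed; the thread never states it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (an assumption, not stated in the thread):
# vlan220 = 192.168.220.0/24 with pfSense at .1, vlan230 = 192.168.230.0/24.
VLAN220_ADDR = ip_network("192.168.220.1/32")
VLAN230_NET = ip_network("192.168.230.0/24")
# The "rfc1918" alias johnpoz suggests: all three private ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    protos: Tuple[str, ...]      # e.g. ("tcp", "udp"); ("any",) matches all
    dst: List                    # destination alias: list of networks
    dport: Optional[int] = None  # None = any destination port
    note: str = ""

def first_match(rules, proto, dst, dport=None):
    """pfSense interface rules are first-match, top down: the first rule whose
    protocol, destination and port all match decides, and nothing below it is
    looked at.  Traffic matching no rule hits the implicit default deny."""
    dst = ip_address(dst)
    for idx, rule in enumerate(rules):
        if rule.protos != ("any",) and proto not in rule.protos:
            continue
        if not any(dst in net for net in rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, idx, rule.note
    return "block", None, "implicit default deny"

def vlan220_rules(dns_protos=("tcp", "udp")):
    """The ordering from the thread: allow to 230, block the rfc1918 alias,
    then allow any.  dns_protos lets a tcp-only DNS rule be compared with one
    covering both tcp and udp."""
    return [
        Rule("pass", dns_protos, [VLAN220_ADDR], 53, "DNS to pfSense vlan220 address"),
        Rule("pass", ("any",), [VLAN230_NET], None, "allow to vlan230"),
        Rule("block", ("any",), RFC1918, None, "block all other private space"),
        Rule("pass", ("any",), ANY, None, "allow internet (any)"),
    ]

def verdicts(dns_protos=("tcp", "udp")):
    rules = vlan220_rules(dns_protos)
    return {
        "phone_on_230": first_match(rules, "icmp", "192.168.230.50")[0],
        "google_dns": first_match(rules, "udp", "8.8.8.8", 53)[0],
        "other_vlan": first_match(rules, "tcp", "192.168.240.10", 443)[0],
        # nick's home modem at 192.168.10.233: the alias block is hit first, so
        # an allow rule placed below it is never reached.
        "home_modem_gui": first_match(rules, "tcp", "192.168.10.233", 80)[0],
        # A udp DNS query to pfSense's own vlan220 address.
        "dns_to_pfsense": first_match(rules, "udp", "192.168.220.1", 53)[0],
    }
```

Calling `verdicts(("tcp",))` reproduces the broken state (UDP DNS to pfSense is blocked by the rfc1918 rule), while the default `verdicts()` with both protocols passes it.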

                                          nick.loenders @johnpoz

                                          @johnpoz

                                          Well, at home, where it was set up, the internet modem/router gives me 192.168.10.0/24 addresses. So the WAN IP of the pfSense was 10.233, but as 192.168.10 is blocked by the rule, I could not get past the modem/router.

                                          At the office now, I have: (screenshot)

                                          And this works as it should.

                                            johnpoz (Global Moderator) @nick.loenders

                                            @nick-loenders said in unable to connect vlan to vlan?:

                                            I could not get past the modem/router.

                                            Again, that rule you added wouldn't have worked, because it was below the block rfc1918 rule, unless you didn't have 192.168 listed in the alias? But if you didn't, then you wouldn't have needed a special rule to allow it, since your any at the bottom would have allowed it.

                                            Also, even if you blocked access from your lan to the modem/router IP, that wouldn't have had anything to do with internet access, since your clients behind pfSense would never be going to that IP other than trying to access its web gui.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.