Netgate Discussion Forum
    unable to connect vlan to vlan?

    L2/Switching/VLANs
    28 Posts 3 Posters 2.4k Views
    nick.loenders @johnpoz

      @johnpoz
      So this should be the correct order then?

      [screenshot]

      johnpoz LAYER 8 Global Moderator @nick.loenders

        Yeah, those would work for allowing devices on the 208 net to talk to those 10.2 IPs, as long as those are not IPs of pfSense, since you're blocking "This Firewall" first.

        If those are name servers, you probably want those rules to be UDP/TCP. In some instances DNS can and does use TCP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        nick.loenders @johnpoz

          @johnpoz
          10.2.50.252 is the VIP of the pfSense; 10.2.50.253 and 10.2.8.253 are the DNS servers the pfSense uses when I do an ipconfig on the laptop.

          I changed a little:

          [screenshot]

          But this 208 is used by an SSID on the wifi. If I connect to that SSID, I cannot access the internet?

          nick.loenders @johnpoz

            @johnpoz

            Guess my order was wrong.

            I did:
            [screenshot]

            And now it seems to be better for the internet. But now I CAN access the firewall gui and that I don't want? :(

            johnpoz LAYER 8 Global Moderator @nick.loenders

              @nick-loenders so what are those 10.2.x IPs, are those pfSense IPs? Either way, if you want to block access to the GUI of pfSense on its IPs:

              Create a rule at the top that blocks access to the webGUI ports (say 80 and 443) to "This Firewall".


              nick.loenders @johnpoz

                @johnpoz

                I do my best :) But it won't block.
                [screenshot]

                Of course the LAN net is 10.2.50.0/24 as well, problem in there?

                Private_Networks is:
                [screenshot]

                VLAN 208 has IPs 10.2.8.0/24

                johnpoz LAYER 8 Global Moderator @nick.loenders

                  @nick-loenders you need to check states.

                  If something is allowed and you connected to it, a state would be created allowing that traffic. If you then put in a block for that thing, until the state goes away it would still be allowed; states are evaluated before rules.

                  So you need to either wait until the state expires, or kill it via the state table in the Diagnostics menu.

                  Also, when troubleshooting firewall rules, make sure you don't have something in the floating tab that would allow it.

                  It goes:
                  states
                  floating rules
                  interface rules

                  So even if you create a block on the interface, if you have some quick rule set in floating that allows it, it would be allowed no matter what rules you put on the actual interface.

                  edit: BTW, 172.16 is a /12 mask, not a /16. The 172 space is 172.16-31.


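As an added illustration of the evaluation order in the post above (existing state, then floating quick rules, then the interface tab, then default deny) and of the "block This Firewall on 80/443 at the top" advice earlier in the thread, here is a small Python model of that logic. It is not pfSense code and was not posted by anyone in the thread. The firewall's own interface addresses 10.2.50.1 and 10.2.8.1, the client address 10.2.8.50 and the alias spellings are assumptions made for the example, and the state key is simplified (no source port, no direction) so the point stays visible.

```python
"""Toy model of the pf evaluation order described in the thread: existing state,
then floating quick rules, then the interface tab, then default deny.
Added example; not pfSense code and not code posted by anyone in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# From the thread: LAN 10.2.50.0/24 with VIP 10.2.50.252, VLAN 208 = 10.2.8.0/24,
# DNS at 10.2.50.253 and 10.2.8.253. 10.2.50.1 and 10.2.8.1 are assumed here.
THIS_FIREWALL = {"10.2.50.1", "10.2.50.252", "10.2.8.1"}
PRIVATE_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # /12, not /16


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: Optional[str]         # None = floating rule (any interface)
    proto: Optional[str] = None  # "tcp", "udp", "tcp/udp" or None = any
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR, "any", "this_firewall" or "private_networks"
    dports: Optional[frozenset] = None
    negate_dst: bool = False     # the "not" checkbox on the destination field

    def _dst_hit(self, dst: str) -> bool:
        if self.dst == "this_firewall":
            return dst in THIS_FIREWALL
        if self.dst == "private_networks":
            return any(ip_address(dst) in ip_network(n) for n in PRIVATE_NETWORKS)
        return self.dst == "any" or ip_address(dst) in ip_network(self.dst)

    def matches(self, p: Packet) -> bool:
        if self.iface not in (None, p.iface):
            return False
        if self.proto is not None and p.proto not in self.proto.split("/"):
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return self._dst_hit(p.dst) != self.negate_dst


class Firewall:
    def __init__(self, floating, interface_rules):
        self.floating = floating                # quick floating rules, in order
        self.interface_rules = interface_rules  # one interface tab, top to bottom
        self.states = set()                     # (proto, src, dst, dport)

    def evaluate(self, p: Packet):
        """Return (verdict, reason). A matching state wins before any rule is read."""
        key = (p.proto, p.src, p.dst, p.dport)
        if key in self.states:
            return "pass", "existing state"
        for where, rules in (("floating quick rule", self.floating),
                             (f"{p.iface} rule", self.interface_rules)):
            for r in rules:
                if r.matches(p):            # first match wins: the rules are quick
                    if r.action == "pass":
                        self.states.add(key)
                    return r.action, where
        return "block", "default deny"

    def kill_states(self, host: str) -> int:
        """Diagnostics > States > kill, or `pfctl -k <host>` on the pfSense shell."""
        dead = {s for s in self.states if host in (s[1], s[2])}
        self.states -= dead
        return len(dead)


def vlan208_rules():
    """Thread's rule order: GUI block first, DNS over tcp and udp, then internet only."""
    net = "10.2.8.0/24"
    return [
        Rule("block", "VLAN208", "tcp", net, "this_firewall", frozenset({80, 443})),
        Rule("pass", "VLAN208", "tcp/udp", net, "10.2.50.253", frozenset({53})),
        Rule("pass", "VLAN208", "tcp/udp", net, "10.2.8.253", frozenset({53})),
        Rule("pass", "VLAN208", None, net, "private_networks", negate_dst=True),
    ]


def stale_state_scenario():
    """Why the new GUI block 'won't block': the old state wins until it is killed."""
    laptop = "10.2.8.50"                              # constructed client address
    fw = Firewall([], [Rule("pass", "VLAN208", None, "10.2.8.0/24")])
    gui = Packet("VLAN208", "tcp", laptop, "10.2.50.252", 443)
    first = fw.evaluate(gui)                          # allowed, state created
    fw.interface_rules[:] = vlan208_rules()           # admin tightens the tab
    still_open = fw.evaluate(gui)                     # state still wins
    killed = fw.kill_states(laptop)
    after_kill = fw.evaluate(gui)                     # now the block rule is hit
    return first, still_open, killed, after_kill


def floating_overrides_interface():
    """A quick floating pass is evaluated before the interface tab's block."""
    fw = Firewall([Rule("pass", None, "tcp", dports=frozenset({443}))], vlan208_rules())
    return fw.evaluate(Packet("VLAN208", "tcp", "10.2.8.50", "10.2.50.252", 443))
```

`stale_state_scenario()` walks through what happened in the thread: the first GUI connection is passed by the old allow-all rule and creates a state, the tightened ruleset is ignored while that state exists, and only after `kill_states()` does the "This Firewall" block fire. `floating_overrides_interface()` shows the other trap from the post: a quick floating pass beats any block on the interface tab. The last rule in `vlan208_rules()` also makes the /12 remark concrete: with the alias at 172.16.0.0/12 a packet to 172.20.1.1 falls through to default deny, whereas a 172.16.0.0/16 entry would have let it out. On a real box the equivalent checks are `pfctl -ss` to list states, `pfctl -k 10.2.8.50` to kill every state involving that host, and `pfctl -sr` to see the loaded ruleset including floating rules.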
                  nick.loenders @johnpoz

                    @johnpoz the states thing probably did it yesterday.

                    I'll have to change the subnet yes. Good remark :)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.