PC On VLAN Can't Talk to PC On LAN?
I'm probably missing something blindingly obvious here. Beyond a basic VLAN setup (VLAN tag + DHCP server, inc. static IPs for certain machines) there is nothing configured for firewall rules.
Actual setup (simplified):
- pfSense hardware (DHCP managed here)
- Unifi managed switch
  - Physical port: trunk port (connected to pfSense hardware), all VLANs
  - Physical port: VLAN 1 to PC 1
  - Physical port: LAN to PC 2
Yet when I try to ping from the PC on VLAN 1 to the IP address of the PC on LAN, it fails.
What am I missing?
This is a home lab setup, so nothing mission critical.
Regards
Michael
@michaelcropper said in PC On VLAN Can't Talk to PC On LAN?:
there is nothing configured for firewall rules.
By default everything is blocked so you'll need to add a rule to allow traffic.
To start, just add an Allow all rule on LAN and VLAN.
That'll get you started, then trim it down as needed.
Rules are applied top down, so don't add a block rule below the allow rule. And pay attention to what you're blocking; there may be a service you need as part of that block (i.e. DNS or similar). If there is, just add an allow rule for DNS (example) above the block rule.
Edit: Also, that default block rule is always the last rule even though you can't see it there. Same as the Cisco implicit deny rule.
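As an added illustration (not the thread's own configuration, and not taken from either poster's box), here is what the ordering described in that answer looks like in the pf.conf syntax that pfSense renders its GUI rules into. Interface names (igb1 for LAN, igb1.10 for the VLAN) and subnets are assumed. The important caveat is that plain pf is last-match unless a rule carries `quick`; pfSense puts `quick` on every user rule and places a non-quick block-all ahead of them, which is the invisible default deny the answer mentions.

```pf
# Added example in pf.conf syntax, not configuration from the thread.
# Assumed interfaces and subnets:
lan_if   = "igb1"
vlan_if  = "igb1.10"
lan_net  = "192.168.1.0/24"
vlan_net = "192.168.10.0/24"

# The "invisible" default deny. It has no "quick", so pf keeps evaluating;
# if no later quick rule matches, this last-matching rule wins and the
# packet is dropped. Functionally it is the last rule even though pfSense
# emits it before the user rules.
block drop in log inet all

# Stage 1 from the answer: an allow-all on LAN and on the VLAN so traffic
# flows at all. Every user rule is "quick": first match from the top wins.
pass in quick on $lan_if  inet from $lan_net  to any keep state
pass in quick on $vlan_if inet from $vlan_net to any keep state

# Stage 2, trimming the VLAN (these replace the VLAN pass-all above):
# allow DNS to the firewall itself and ICMP echo to the LAN, then block the
# rest of VLAN-to-LAN, then allow everything else (e.g. Internet).
# The DNS and ICMP passes MUST sit above the block, or they are never reached.
pass in quick on $vlan_if inet proto { udp, tcp } from $vlan_net to ($vlan_if) port 53 keep state
pass in quick on $vlan_if inet proto icmp icmp-type echoreq from $vlan_net to $lan_net keep state
block in quick on $vlan_if inet from $vlan_net to $lan_net
pass in quick on $vlan_if inet from $vlan_net to any keep state

# WRONG ordering, for contrast: with the block first, the DNS pass below it
# is dead code and VLAN clients lose name resolution.
#   block in quick on $vlan_if inet from $vlan_net to $lan_net
#   pass  in quick on $vlan_if inet proto { udp, tcp } from $vlan_net to ($vlan_if) port 53 keep state
```

In the GUI this is the same list, top to bottom, per interface tab; the rendered ruleset can be inspected on the box in /tmp/rules.debug to confirm the order pf actually received.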
Solved.
Grrr, Norton 360 on the device I was testing with!!!
Out of the box Norton 360 disables inbound PING, so when I was trying to PING the device on the LAN (with Norton 360 installed), from the device on the VLAN, it was getting through the pfSense firewall, only to get blocked by the firewall on the PC on the LAN with Norton 360 installed.
I do wish there were some end-to-end debugging tools available that gave 100% visibility for the network hops involved for a single packet so it was obvious which hop things were failing on. Very manual methodical step by step process to debug seems the only way when dealing with networking. I'm used to working with much better debugging tools the further up the software/application stack. ping and tracert/traceroute are just so basic and don't always provide a clear answer.
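There is a way to get per-hop visibility for exactly this case: capture on both pfSense interfaces at once, then see where the echo request stops appearing and whether a reply ever comes back. Below is an added example (not from the thread) of that triage as a POSIX shell function that reads the two `tcpdump -n` captures and names the failing hop. The interface names, addresses and the capture lines themselves are constructed for illustration; pfSense is FreeBSD and ships tcpdump, which is the only tool the procedure relies on.

```shell
#!/bin/sh
# Added example, not the thread's own script. Classify where an ICMP echo is
# dying from two simultaneous pfSense captures: one on the VLAN interface the
# source PC sits behind, one on the LAN interface facing the target PC.
# Assumed interfaces/addresses: igb1.10 = VLAN, igb1 = LAN,
# 192.168.10.20 = VLAN PC, 192.168.1.50 = LAN PC.
#
# On the pfSense shell the captures would come from, for example:
#   tcpdump -ni igb1.10 -c 20 icmp and host 192.168.1.50 > vlan.txt &
#   tcpdump -ni igb1    -c 20 icmp and host 192.168.1.50 > lan.txt  &
# followed by a ping of 192.168.1.50 from the VLAN PC.

# count_lines CAPTURE FIXED_STRING -> number of matching lines (0 is not an error)
count_lines() {
    printf '%s\n' "$1" | grep -cF -- "$2" || true
}

# icmp_verdict VLAN_CAPTURE LAN_CAPTURE SRC DST -> prints one verdict keyword
icmp_verdict() {
    vlan_cap=$1; lan_cap=$2; src=$3; dst=$4
    req_in=$(count_lines "$vlan_cap" "IP $src > $dst: ICMP echo request")
    req_out=$(count_lines "$lan_cap"  "IP $src > $dst: ICMP echo request")
    rep=$(count_lines "$lan_cap"      "IP $dst > $src: ICMP echo reply")
    if [ "$req_in" -eq 0 ]; then
        echo no_request_on_vlan     # never reached pfSense: source PC, switch port VLAN, or its route
    elif [ "$req_out" -eq 0 ]; then
        echo dropped_by_pfsense     # arrived on VLAN, never left LAN: firewall rule on the VLAN tab
    elif [ "$rep" -eq 0 ]; then
        echo no_reply_from_host     # left LAN, nothing came back: target host or its own firewall
    else
        echo path_ok                # request and reply both seen on the LAN side
    fi
}

# Constructed sample captures in tcpdump -n output format.
VLAN_SAMPLE='12:00:01.000010 IP 192.168.10.20 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 40
12:00:02.000010 IP 192.168.10.20 > 192.168.1.50: ICMP echo request, id 1, seq 2, length 40'

# The Norton 360 case from the thread: requests go out on LAN, no reply returns.
LAN_NORTON='12:00:01.000120 IP 192.168.10.20 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 40
12:00:02.000120 IP 192.168.10.20 > 192.168.1.50: ICMP echo request, id 1, seq 2, length 40'

# Same, after the host firewall is told to answer echo requests.
LAN_OK="$LAN_NORTON
12:00:01.000400 IP 192.168.1.50 > 192.168.10.20: ICMP echo reply, id 1, seq 1, length 40"

icmp_verdict "$VLAN_SAMPLE" "$LAN_NORTON" 192.168.10.20 192.168.1.50
icmp_verdict "$VLAN_SAMPLE" "$LAN_OK"     192.168.10.20 192.168.1.50
```

The second capture is what separates "pfSense blocked it" from "the PC blocked it": an echo request visible on the LAN-side interface has already passed the pfSense rules, so a missing reply at that point is the target host's problem, which is the Norton 360 outcome above.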
I've just done a write up about the challenges of debugging these scenarios for reference: https://www.contradodigital.com/2022/07/25/how-to-troubleshoot-ping-icmp-not-working/