Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Inter-Vlan Traffing Being Blocked

    Firewalling
    2
    5
    181
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Deadringers
      last edited by Deadringers

      Hi,

      I've run into an issue where inter-vlan traffic should be allowed, as per my permit rules, but it's being logged as blocked?

      I've got a very simple setup, just 2 VLANs that I'd like to allow CERTAIN traffic between.

      But right now I can't even pass anything which is odd...

      Anything I can look at to investigate?

      I do have a WAN port-forward for the same traffic, but I wouldn't expect that to mess with this inter-vlan traffic?

      alt text

      alt text

      alt text

      alt text

      alt text

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @Deadringers
        last edited by

        @Deadringers
        It's the ACK packet, which is blocked:
        80bed470-3d58-49f0-a7c3-7b5fbd190c94-grafik.png

        So pfSense has no state for this connection and probably never created one. This means, the SYN packet didn't pass pfSense.

        So I guess your VLAN is leaking outside of pfSense and the SYN packet went to the destination device directly, while the ACK is directed to pfSense.

        Recheck the VLAN setup on the switch or whatever device is connected to pfSense and leaking it.

        D 1 Reply Last reply Reply Quote 1
        • D
          Deadringers @viragomann
          last edited by

          @viragomann said in Inter-Vlan Traffing Being Blocked:

          @Deadringers
          It's the ACK packet, which is blocked:
          80bed470-3d58-49f0-a7c3-7b5fbd190c94-grafik.png

          So pfSense has no state for this connection and probably never created one. This means, the SYN packet didn't pass pfSense.

          So I guess your VLAN is leaking outside of pfSense and the SYN packet went to the destination device directly, while the ACK is directed to pfSense.

          Recheck the VLAN setup on the switch or whatever device is connected to pfSense and leaking it.

          I did “clear states” when tshooting and perhaps this is an artefact of this?

          Will recheck but the PFSense box is the only thing that sits in both VLANS

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @Deadringers
            last edited by

            @Deadringers said in Inter-Vlan Traffing Being Blocked:

            I did “clear states” when tshooting and perhaps this is an artefact of this?

            Could be, if the SYN packet passes the firewall before this.

            However, if the client times out due to this it should establish a new connection after a short period of time.
            Do you have trouble to connect?

            D 1 Reply Last reply Reply Quote 1
            • D
              Deadringers @viragomann
              last edited by

              @viragomann said in Inter-Vlan Traffing Being Blocked:

              @Deadringers said in Inter-Vlan Traffing Being Blocked:

              I did “clear states” when tshooting and perhaps this is an artefact of this?

              Could be, if the SYN packet passes the firewall before this.

              However, if the client times out due to this it should establish a new connection after a short period of time.
              Do you have trouble to connect?

              Hmm i can see traffic flowing just fine now so perhaps something got stuck in an odd state! Thanks again for your help mate.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post