1 LAN and 1 VLAN - how to pass traffic between them?


  • I have an 1.2.3 RC1 system on Alix that has a single WAN, a normal LAN, and a VLAN for a second LAN.

    Currently, both LAN and VLAN can reach the WAN, and I can ping hosts on either subnet from its interface on the pfsense box.  But I can't reach systems on the other LAN/VLAN.

    I have tried a lot of things, mostly variations on adding firewall rules on each interface allowing access to the other, but nothing has worked.

    Can you please describe the things that need to happen to have a VLAN and a LAN interface route to each other?

    Please explain in general what's needed.  Also, a few things in particular:

    1.Should I put anything in the gateway fields when configuring these LAN and VLAN interfaces?

    2. In my firewall rules, is the destination field what creates the route to the other subnet, or should I use the gateway field?

    3. Do I need to do anything with NAT?  I would not expect this, since each host on both subnets should be addressable by its full IP address.

    Thanks!


  • Some pictures would be more helpful, as nobody only creates one vlan I suspect you have done some completely wrong on that part. pfSense book would be a good read.
    Never the less if you copy the default rule on lan to your opt nic and change lan net to opt net it should work.


  • Here are some screenshots.  No static routes are defined, and AON is disabled.  Any help much appreciated.

    ![Screen shot 2009-11-29 at 10.28.29 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.28.29 AM.png)
    ![Screen shot 2009-11-29 at 10.28.29 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.28.29 AM.png_thumb)
    ![Screen shot 2009-11-29 at 10.29.14 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.29.14 AM.png)
    ![Screen shot 2009-11-29 at 10.29.14 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.29.14 AM.png_thumb)
    ![Screen shot 2009-11-29 at 10.29.59 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.29.59 AM.png)
    ![Screen shot 2009-11-29 at 10.29.59 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.29.59 AM.png_thumb)
    ![Screen shot 2009-11-29 at 10.30.37 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.30.37 AM.png)
    ![Screen shot 2009-11-29 at 10.30.37 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.30.37 AM.png_thumb)
    ![Screen shot 2009-11-29 at 10.30.58 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.30.58 AM.png)
    ![Screen shot 2009-11-29 at 10.30.58 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.30.58 AM.png_thumb)
    ![Screen shot 2009-11-29 at 10.28.51 AM.png](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.28.51 AM.png)
    ![Screen shot 2009-11-29 at 10.28.51 AM.png_thumb](/public/imported_attachments/1/Screen shot 2009-11-29 at 10.28.51 AM.png_thumb)


  • Dont assign the parent interface on which VLANs are created.

    Either multiple real interfaces, or only VLANs on a parent interface.

    example:
    vr0 and vr1
    or
    VLANx on vr0 and VLANy on vr0

    If you mix tagged and untagged interfaces it can happen, that an ARP request gets answered directly.
    The client then tries to talk to the MAC of the server which doesnt work because of the VLAN tag.


  • Thanks for that advice.  I altered the setup to use 2 real interfaces on my alix and configured a separate switch port to send the data for the VLAN to the second real interface.  Routing now works.

    I think this may be a better approach for another reason also; My understanding is that, since the NIC chips in the alix board don't natively support tagged VLAN, there might have been performance and/or MTU issues the other way.  This way, the switch can do the work of untagging the frames and PFSense just routes.

    Jeff