Routing across PFSense Interfaces or VLANs not working
-
I've had a Netgate 6100 for a few months now and it does most of its functions right. However, I have not been able to route between interfaces and I can't route between certain VLANs.
My configuration is WAN interface connected to ISP. LAN 4 connected to 192.168.1.0/24. LAN 3 connected to 192.168.70.0/24.
DHCP is configured on both interfaces and seems to be working as verified through Status > DHCP Leases.
A firewall rule allowing traffic from LAN 4 to LAN 3 (Protocol any, destination any) exists and is active. A similar rule allowing traffic from LAN 3 to LAN 4 exists and is active.
My client computers are on LAN 4 (192.168.1.0/24) and I am trying to connect to a web server on LAN 3 (192.168.70.0/24). However, the traffic does not make it to LAN 3 from LAN 4.
I tried the Diagnostic > Ping from LAN 3 to the web server and pings are successful. When I try the same from LAN 4 to the web server, pings fail.
I also tried just creating a new VLAN and associating it with LAN 4 with all the applicable configurations (DHCP, Firewall rules, etc.) and it still does not work.
Any insight or recommendations are appreciated.
-
@Zerejekim Show your firewall rules, we need to confirm that they don't have a gateway set, and that they are in the correct position (above the internet rule with a gateway set).
This is a common misconfiguration in multi-WAN setups. That said, if all is correct, check Windows Firewall rules, this is also another common issue with multiple VLANs.
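To illustrate the rule-ordering pitfall raised above, here is an added example (not from the thread or from pfSense itself) that simulates pfSense's top-down, first-match rule evaluation on the USERS interface. The subnets come from this thread; the rule names, the `WAN_GW` gateway name and the client/NAS addresses are constructed for the demo.

```python
import ipaddress

# Subnets from the thread: LAN 4 (USERS) and LAN 3 (DATACENTER).
LOCAL_SUBNETS = {
    "USERS": ipaddress.ip_network("192.168.1.0/24"),
    "DATACENTER": ipaddress.ip_network("192.168.70.0/24"),
}

# Constructed rule sets for the USERS interface. "any" is written as 0.0.0.0/0.
# BROKEN: the internet rule with a gateway sits above the inter-VLAN rule.
BROKEN = [
    {"name": "Internet via WAN_GW", "src": "192.168.1.0/24", "dst": "0.0.0.0/0", "gateway": "WAN_GW"},
    {"name": "USERS to DATACENTER", "src": "192.168.1.0/24", "dst": "192.168.70.0/24", "gateway": None},
]
# FIXED: the inter-VLAN rule (no gateway) is matched first.
FIXED = [BROKEN[1], BROKEN[0]]


def first_match(rules, src, dst):
    """pfSense evaluates interface rules top-down; the first match wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in ipaddress.ip_network(rule["src"]) and dst_ip in ipaddress.ip_network(rule["dst"]):
            return rule
    return None  # nothing matched: implicit default deny


def check_inter_vlan(rules, src, dst):
    """Classify what happens to a packet from src to dst under the given rule order."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked: no matching rule (implicit deny)"
    dst_is_local = any(ipaddress.ip_address(dst) in net for net in LOCAL_SUBNETS.values())
    if dst_is_local and rule["gateway"]:
        # Policy routing: the packet is handed to the WAN gateway instead of the local VLAN.
        return f"misrouted: '{rule['name']}' has gateway {rule['gateway']} set for local traffic"
    return f"ok: matched '{rule['name']}'"


if __name__ == "__main__":
    for label, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_inter_vlan(rules, "192.168.1.50", "192.168.70.10"))
```

The same check applies to an Allow rule that points at a gateway group: any rule matching local destinations must either have no gateway or sit below the inter-VLAN rules.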
-
These are the current rules on the VLAN I am connected to:
This is the rule on the VLAN I am trying to reach:
As you can see, they are wide open so they should be able to reach each other.
Also, you mentioned the gateway. The VLAN I am connected to is configured as follows:
The VLAN I am trying to get to is configured as follows:
Thanks for the response.
-
@Zerejekim Ok, the USERS subnets alias, does it include your device?
If so, can you check Windows Defender of the host you are trying to ping, if it's allowing ICMP from the 192.168.30.0/24 network?
-
The client computer I am on is on the USERS subnet. The device I am trying to reach is on the other subnet (which has an alias of DATACENTER). The device is not a Windows computer. It is a Synology NAS and I should be able to reach it via HTTPS in my browser. I can't reach it in any way. In fact, I can't ping it from any other interface on the PFSense, except the interface for its own VLAN. So it is accepting ICMP but only from 192.168.70.0/24.
-
@Zerejekim said in Routing across PFSense Interfaces or VLANs not working:
I can't reach it in any way. In fact, I can't ping it from any other interface on the PFSense, except the interface for its own VLAN. So it is accepting ICMP but only from 192.168.70.0/24.
Confirm if the Synology NAS has a gateway set, it should be 192.168.70.1 (pfsense's Interface).
-
The NAS is configured for DHCP and the gateway is configured on the DHCP Server for that VLAN:
-
Ok, did you enable the Synology's firewall?
There, there isn't an implicit deny rule, you need to create allow rules and lastly, create the deny all rule manually. If you enabled the NAS firewall and created the deny rule, disable it for a few moments, test the ping again, and enable it afterwards.
-
Wow!!!!!
Thank you so much. That was it.
I reset the network (via the reset button in the back) which also resets the NAS Firewall.
After that, I was able to reach it.
Outstanding!!!!!
Can't thank you enough.
-
@Zerejekim said in Routing across PFSense Interfaces or VLANs not working:
Outstanding!!!!!
Can't thank you enough.
Great, I also have a Synology here, it is old, but still works, DS218+ with two Ironwolf 2TB drives in a RAID 1 config.
More than 5 years with this guy and never lost a file, scrub once a month and that is it.