4. Vlans/New PFSense install replacing cisco ASA

Vlans/New PFSense install replacing cisco ASA

  • S

    Ok, so this might be a stupid question and I apologize in advance if it is… I feel like I have searched pretty hard before asking. Anyways here is our situation, we would like to replace our cisco ASA with a pfsense box. We installed 1.2.3 with no issues except when trying to get multiple vlans/subnets to communicate outside of our network(to the inet) VLAN1 works fine, anything outside of that thought will not work. I have tried multiple things/suggestions I found on this site and nothing seemed to work. Does anyone have any pointers or documentation I can find?

    VLAN 172.16.0.0 can get outside out network
    VLAN 250 172.25.0.0/22 - can't
    VLAN 251 172.22.0.0/22 - can't

    and so on..

    0
  • W

    VLAN 172.16.0.0 can get outside out network

    This is you LAN interface?

    VLAN 250 172.25.0.0/22 - can't

    This is a OPTx interface?

    VLAN 251 172.22.0.0/22 - can't

    This is also an OPTx interface?

    If I recall correctly, by default pSense allows traffic on the LAN interface to the internet but blocks traffic on other interfaces. It doesn't know what rules you want to apply to other interfaces. Do you want OPT1 systems to be able to talk with LAN systems? Tell pfSense that. Do you want OPT1 systems to talk to the internet? Tell pfSense that.

    It might help to think of pfSense as a firewall not a router. So once you get past a basic LAN and WAN configuration you have to tell pfSense what communication across subnets you want to allow.

    0
  • S

    wallybob, thanks for the reply.

    That's kind of what we thought, yes 172.6.* is the lan interface, we do want them be able to communicate across subnets and to the inet. For each interface including opt1 we basically told it to allow any from any to any the same as the default rule for LAN is set to. I'm missing or something wrong at some level though.

    0
  • C

    Do the hosts on the VLANs have the right default gateway (that is, the IP assigned to that VLAN on pfSense)?

    0
  • S

    Well, after many hours we got everything up and running. Just took lots of trial and error, thank goodness for xmas break… :)

    0
  • W

    What do you think was the key to your breakthrough?

    0
  • S

    Well, port that pfsense was plugged into need to be in trunk mode. From there it was a matter of taking it step by step. Initially we couldnt get any subnet to communicate with the pfsense box. We had to actually add the subnets to the lan interface. Once we could get vlans to communicate with pfsense it was just a matter of figuring out NAT.

    NOTE: Automatic NAT does not work/would not work in our situation. Has to manually do it.
            1:1 NAT also would not work had to stick with NAT port forwarding.

    Things are good now, internally geting out we have noticed a 50% increase in speeds.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy