VLANs/New pfSense install replacing Cisco ASA



  • Ok, so this might be a stupid question and I apologize in advance if it is… I feel like I have searched pretty hard before asking. Anyways, here is our situation: we would like to replace our Cisco ASA with a pfSense box. We installed 1.2.3 with no issues except when trying to get multiple VLANs/subnets to communicate outside of our network (to the inet). VLAN1 works fine; anything outside of that, though, will not work. I have tried multiple things/suggestions I found on this site and nothing seemed to work. Does anyone have any pointers or documentation I can find?

    VLAN 172.16.0.0 can get outside our network
    VLAN 250 172.25.0.0/22 - can't
    VLAN 251 172.22.0.0/22 - can't

    and so on..



  • VLAN 172.16.0.0 can get outside our network

    This is your LAN interface?

    VLAN 250 172.25.0.0/22 - can't

    This is an OPTx interface?

    VLAN 251 172.22.0.0/22 - can't

    This is also an OPTx interface?

    If I recall correctly, by default pfSense allows traffic on the LAN interface to the internet but blocks traffic on other interfaces. It doesn't know what rules you want to apply to other interfaces. Do you want OPT1 systems to be able to talk with LAN systems? Tell pfSense that. Do you want OPT1 systems to talk to the internet? Tell pfSense that.

    It might help to think of pfSense as a firewall, not a router. So once you get past a basic LAN and WAN configuration, you have to tell pfSense what communication across subnets you want to allow.



  • wallybob, thanks for the reply.

    That's kind of what we thought. Yes, 172.6.* is the LAN interface; we do want them to be able to communicate across subnets and to the inet. For each interface, including OPT1, we basically told it to allow any from any to any, the same as the default rule for LAN is set to. I'm missing something, or something is wrong at some level, though.



  • Do the hosts on the VLANs have the right default gateway (that is, the IP assigned to that VLAN on pfSense)?



  • Well, after many hours we got everything up and running. Just took lots of trial and error, thank goodness for xmas break… :)



  • What do you think was the key to your breakthrough?



  • Well, the port that pfSense was plugged into needed to be in trunk mode. From there it was a matter of taking it step by step. Initially we couldn't get any subnet to communicate with the pfSense box. We had to actually add the subnets to the LAN interface. Once we could get VLANs to communicate with pfSense, it was just a matter of figuring out NAT.

    NOTE: Automatic NAT does not work/would not work in our situation. Had to do it manually.
    1:1 NAT also would not work; had to stick with NAT port forwarding.

    Things are good now; internally, getting out we have noticed a 50% increase in speeds.
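The two pieces the thread converges on, wallybob's point that only LAN gets an implicit pass rule and the original poster's finding that outbound NAT had to be written per subnet by hand, are what pfSense's GUI turns into pf rules underneath. The excerpt below is an added illustration of that generated ruleset, not configuration from anyone in the thread or from the pfSense project; the interface names (em0, em1, vlan250, vlan251) and the /16 mask on the 172.16 LAN are assumptions.

```pf
# Constructed pf.conf excerpt approximating what pfSense 1.2.3 generates for
# the setup in this thread. Interface names are assumptions: pfSense numbers
# VLAN interfaces itself, so check "ifconfig" for the real names.
wan     = "em0"
lan     = "em1"          # untagged 172.16.0.0/16 (mask assumed), works by default
vlan250 = "vlan250"      # tag 250 on the trunk port, 172.25.0.0/22
vlan251 = "vlan251"      # tag 251 on the trunk port, 172.22.0.0/22

# Manual outbound NAT: one mapping per internal subnet. Without a mapping a
# VLAN subnet can reach pfSense yet its packets leave the WAN with private,
# unroutable source addresses, which looks exactly like "can't get out".
nat on $wan inet from 172.16.0.0/16 to any -> ($wan)
nat on $wan inet from 172.25.0.0/22 to any -> ($wan)
nat on $wan inet from 172.22.0.0/22 to any -> ($wan)

# Default deny. Only LAN has a pass rule out of the box; every OPTx interface
# needs an explicit one or its traffic is dropped and shows up in the log.
block in log all

pass in on $lan inet from 172.16.0.0/16 to any keep state

# The "any to any" rules the poster added per VLAN. Hosts on each VLAN must
# use pfSense's address on that VLAN as default gateway for this to matter.
# Narrowing "to any" to the subnets or services each VLAN actually needs is
# a one-line change per rule once the baseline works.
pass in on $vlan250 inet from 172.25.0.0/22 to any keep state
pass in on $vlan251 inet from 172.22.0.0/22 to any keep state

# Return traffic and pfSense's own outbound traffic on any interface.
pass out keep state
```

If a VLAN still cannot get out with these in place, the switch side is the next check: the trunk port must carry tags 250 and 251, otherwise the vlan250/vlan251 interfaces never see a frame.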

