No connection between hosts on vlan interfaces

  • Hello, dear pfSense forum members,

    The system I have some trouble with is a pfSense 1.2.3-RELEASE with two physical interfaces.

    WAN on rl0: dynamic IP, gateway:
    LAN on rl1:
    OPT1 VLAN 10 on rl1 (mgmt):
    OPT2 VLAN 100 on rl1 (intern):

    The switch port for the rl1 interface of the pfSense box is in VLAN 10 and 100 and configured as a tagged port, one client port is untagged 10, another one is untagged 100.

    Basically, what I want to do is to have (restricted) access from hosts in the intern net (and later from some more VLANs) to hosts in the mgmt net. I added the following just-allow-all-for-testing-purposes rules:
    action: pass; interface: mgmt; protocol:any; source: any; destination: any; log enabled
    action: pass; interface: intern; protocol:any; source: any; destination: any; log enabled

    Currently, there are two clients that are getting configured through standard DHCP from pfSense: one client in 192.168.10/24 and one client in 192.168.100/24. Connections between hosts in the same net and to or from the pfSense interfaces all seem to work as intended: pings are getting answers, and the hosts have internet access through their gateways and the WAN interface.

    If I try a ping from a host in 192.168.100/24 to a host in 192.168.10/24, it just times out. In the pfSense firewall log, a message shows up with the white-on-green arrow, saying:
    @63 pass in log quick on vlan1 inet from to flags S/SA keep state label "USER_RULE: intern -> mgmt"

    Does that mean ping is working fine as far as the firewall and the hosts are involved? What could be the problem that no connections are possible between the two networks? Please help. The setup was tested on two different switches now, an HP ProCurve 2610-48 and a Netgear FSM7328S, but no differences in results so far.

  • Rebel Alliance Developer Netgate

    It means that the ping made it to pfSense and was passed, but doesn't specify what happened after that.

    You will need to do a packet capture on the destination interface when you run that test to see if the packets are leaving as expected.

  • Thanks for the advice. I did some captures on the pfSense interfaces, also on a statically configured Linux client in the mgmt net. Mostly, they showed echo requests incoming or outgoing when I tried to ping a client on another subnet, but never a reply.

    After going over the configurations of the clients, I saw that at least the OS firewall of one dynamic Windows 7 client didn't let ping requests through from addresses outside of their own subnets. And on the Linux client, there was a route that pointed to the pfSense WAN interface instead of the mgmt VLAN interface, so answers never left from the right interface on the Linux client (it also had one interface in the 192.168.0/24 net).
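The root cause found in the last post, an echo reply leaving the Linux client on the wrong interface, can be reproduced with a small route-selection check that shows the misdirected route beside the corrected one. This is an added example, not code from the thread; the interface names eth0/eth1, the pfSense addresses 192.168.0.2 (WAN side) and 192.168.10.1 (mgmt VLAN) and the client address 192.168.100.50 are assumptions.

```python
import ipaddress

# Constructed routing table for the statically configured Linux client in the
# mgmt VLAN (192.168.10/24 on eth1) that also has an interface in 192.168.0/24
# (eth0). The pfSense addresses 192.168.0.2 (WAN side) and 192.168.10.1 (mgmt
# VLAN) are assumptions; the thread does not give them.
ROUTES_BEFORE = [
    # (prefix, next hop or None when directly connected, egress interface)
    ("192.168.10.0/24", None, "eth1"),
    ("192.168.0.0/24", None, "eth0"),
    ("192.168.100.0/24", "192.168.0.2", "eth0"),  # wrong: points at pfSense WAN
    ("0.0.0.0/0", "192.168.0.1", "eth0"),
]

# Same table with the misdirected route replaced by one via the mgmt VLAN interface.
ROUTES_AFTER = [r for r in ROUTES_BEFORE if r[0] != "192.168.100.0/24"] + [
    ("192.168.100.0/24", "192.168.10.1", "eth1"),
]


def select_route(routes, dst):
    """Longest-prefix match: the route a kernel picks for a packet to dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, dev)
    return best


def reply_path(routes, echo_src, arrival_dev):
    """Where the echo reply to a request from echo_src would leave the client,
    and whether that is the interface the request arrived on."""
    net, nexthop, dev = select_route(routes, echo_src)
    return {"prefix": str(net), "via": nexthop, "dev": dev,
            "symmetric": dev == arrival_dev}


if __name__ == "__main__":
    # Echo request from the intern-VLAN client (constructed address) arrives on eth1.
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, reply_path(table, "192.168.100.50", "eth1"))
```

With the first table the reply heads out eth0 towards the pfSense WAN address and never returns through the mgmt VLAN, which is exactly the capture result described above (requests seen, no replies).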
