Netgate Discussion Forum
    No connection between hosts on vlan interfaces

    • sventz

      Hello, dear pfSense forum members,

      The system I have some trouble with is a pfSense 1.2.3-RELEASE with two physical interfaces.

      WAN on rl0: dynamic IP, gateway: 192.168.0.1
      LAN on rl1: 192.168.1.1/24
      OPT1 VLAN 10 on rl1 (mgmt): 192.168.10.1/24
      OPT2 VLAN 100 on rl1 (intern): 192.168.100.1/24

      The switch port for the rl1 interface of the pfSense box is in VLAN 10 and 100 and configured as a tagged port, one client port is untagged 10, another one is untagged 100.

      Basically, what I want to do is to have (restricted) access from hosts in the intern net (and later from some more VLANs) to hosts in the mgmt net. I added the following just-allow-all-for-testing-purposes rules:
      action: pass; interface: mgmt; protocol: any; source: any; destination: any; log enabled
      action: pass; interface: intern; protocol: any; source: any; destination: any; log enabled

      Currently, there are two clients that are getting configured through standard DHCP from pfSense: one client in 192.168.10/24 and one client in 192.168.100/24. Connections between hosts in the same net and to or from the pfSense interfaces all seem to work as intended: pings are getting answers, and the hosts have internet access through their gateways and the WAN interface.

      If I try a ping from a host in 192.168.100/24 to a host in 192.168.10/24, it just times out. In the pfSense firewall log, a message shows up with the white-on-green arrow, saying:
      @63 pass in log quick on vlan1 inet from 192.168.100.0/24 to 192.168.10.0/24 flags S/SA keep state label "USER_RULE: intern -> mgmt"

      Does that mean ping is working fine as far as the firewall and the hosts are involved? What could be the problem that no connections are possible between the two networks? Please help. The setup was tested on two different switches now, an HP ProCurve 2610-48 and a Netgear FSM7328S, but no differences in results so far.

      • jimp (Rebel Alliance Developer, Netgate)

        It means that the ping made it to pfSense and was passed, but doesn't specify what happened after that.

        You will need to do a packet capture on the destination interface when you run that test to see if the packets are leaving as expected.

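The capture jimp suggests tells you whether pfSense forwarded the echo request out of the mgmt VLAN interface and whether anything came back. The following is an added example and not part of the thread: a small POSIX shell/awk helper that pairs ICMP echo requests with replies in saved tcpdump text (by id/seq) and lists the unanswered ones. The tcpdump invocation and the interface name vlan0 are assumptions; the thread's log line only shows vlan1 for the intern side, so use whatever name pfSense assigned to the mgmt VLAN. The sample capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find ICMP echo requests that never
# got a reply in tcpdump output captured on the destination VLAN interface.
# On the pfSense box (assumed interface name), capture with something like:
#   tcpdump -ni vlan0 icmp
# then feed the saved text to unanswered_icmp.

unanswered_icmp() {
    # $1: tcpdump text. Prints "src > dst id/seq N/M" for each request
    # whose id/seq pair never appears in an echo reply.
    printf '%s\n' "$1" | awk '
        /ICMP echo request/ {
            # line shape: <ts> IP <src> > <dst>: ICMP echo request, id N, seq M, length L
            for (i = 1; i <= NF; i++) {
                if ($i == "IP")  { src = $(i+1); dst = $(i+3); sub(/:$/, "", dst) }
                if ($i == "id")  { id = $(i+1); sub(/,/, "", id) }
                if ($i == "seq") { seq = $(i+1); sub(/,/, "", seq) }
            }
            key = id "/" seq
            req[key] = src " > " dst
            order[++n] = key
        }
        /ICMP echo reply/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "id")  { id = $(i+1); sub(/,/, "", id) }
                if ($i == "seq") { seq = $(i+1); sub(/,/, "", seq) }
            }
            rep[id "/" seq] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in rep)) print req[k], "id/seq", k
            }
        }'
}

# Constructed sample: one request answered, two requests with no reply
# (the pattern the original poster saw on the mgmt side).
SAMPLE='12:00:00.000001 IP 192.168.100.20 > 192.168.10.30: ICMP echo request, id 1234, seq 1, length 64
12:00:00.000400 IP 192.168.10.30 > 192.168.100.20: ICMP echo reply, id 1234, seq 1, length 64
12:00:01.000002 IP 192.168.100.20 > 192.168.10.30: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000003 IP 192.168.100.20 > 192.168.10.30: ICMP echo request, id 1234, seq 3, length 64'

unanswered_icmp "$SAMPLE"
```

If the requests show up leaving the mgmt interface but no replies ever come back in, the firewall rule did its job and the fault is on the destination host (its own firewall or its return route) rather than in pfSense.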
        • sventz

          Thanks for the advice. I did some captures on the pfSense interfaces, and also on a statically configured Linux client in the mgmt net. Mostly, they showed echo requests incoming or outgoing when I tried to ping a client on another subnet, but never a reply.

          After going over the configurations of the clients, I saw that at least the OS firewall of one dynamic Windows 7 client didn't let ping requests through from addresses outside of its own subnet. And on the Linux client, there was a route that pointed to the pfSense WAN interface instead of the mgmt VLAN interface, so answers never left from the right interface on the Linux client (it also had one interface in the 192.168.0/24 net).

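The Linux-side cause above (a multi-homed host sending its replies out of the wrong interface) is easy to confirm with `ip route get <peer>`. The following is an added example and not from the thread: a shell helper that reads the egress device out of that output and compares it with the interface the reply should use. Interface names (eth0.10, eth1) and the route lines are constructed assumptions matching the addressing in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that a Linux host's reply to a
# peer on another VLAN leaves through the expected interface.
# Run on the host:   ip route get 192.168.100.20
# and pass the first output line to route_check together with the
# interface the mgmt VLAN lives on (names below are assumptions).

# Print the "dev" value from one line of `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Return 0 when the route to the peer uses the expected device, 1 otherwise.
route_check() {
    expected="$1"; route_line="$2"
    actual=$(egress_dev "$route_line")
    if [ "$actual" = "$expected" ]; then
        echo "ok: replies leave via $actual"
        return 0
    fi
    echo "MISROUTED: replies leave via ${actual:-<none>}, expected $expected"
    return 1
}

# Constructed samples for a mgmt-VLAN host (192.168.10.30 on eth0.10) that
# also has a leg in 192.168.0.0/24 on eth1, as described in the thread.
GOOD='192.168.100.20 via 192.168.10.1 dev eth0.10 src 192.168.10.30'
BAD='192.168.100.20 via 192.168.0.1 dev eth1 src 192.168.0.50'

route_check eth0.10 "$GOOD"
route_check eth0.10 "$BAD" \
    || echo "fix: route 192.168.100.0/24 via 192.168.10.1 on eth0.10 (or move the default route there)"
```

The "bad" sample is exactly the situation the poster found: the reply is handed to the 192.168.0.x interface, so pfSense never sees it arrive on the mgmt VLAN and the ping on the intern side times out even though the firewall rule passed the request. On the Windows 7 side, the built-in inbound echo-request rule is scoped to the local subnet by default, which explains the other client without any pfSense involvement.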
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.