Netgate Discussion Forum
    Unwanted routing between VLANs

    TechnoBob:

      I'm very new with pfSense.  Here's the overview.  I'm running pfSense 2.01.  I'm using two Ethernet Ports LAGG'd together to form one trunk port from my Cisco 2960 switch.

      I've got three interfaces defined:  WAN (Comcast), LAN (lagg0_vlan2) - which is just for management… I have another pfsense box I'm using for routing traffic from this network, and GUESTNET (lagg0_vlan3).

      The problem I've noticed is that pfSense is routing traffic from GUESTNET to LAN - which I don't want.  I've tried putting in rules to reject all traffic from GUESTNET to LAN - but it still did it.

      I should mention that I originally defined the LAN as a gateway - with the thought that I might need to route traffic to the other pfSense box (which also has an interface on vlan2)… but decided to isolate this problem so I removed that gateway.

      The only thing I've been able to do to stop this leakage of traffic from GUESTNET to LAN is to deactivate the LAN interface.

      I've been going crazy trying to figure this out.  Any suggestions would be greatly appreciated.

      I'm thinking it might be related to http://forum.pfsense.org/index.php/topic,48143.0/topicseen.html - but I'm not sure.

      Thanks in Advance!

      marcelloc:

        Put your intra-LAN deny rules at the top of the firewall rules at LAN and at GUESTNET.

        Don't forget to reset states after you create rules (there is a shortcut on the dashboard).

        Check also that there are no other gateways allowing access from one LAN to another.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        TechnoBob:

          @marcelloc:

          Put your intra-LAN deny rules at the top of the firewall rules at LAN and at GUESTNET.

          Don't forget to reset states after you create rules (there is a shortcut on the dashboard).

          Check also that there are no other gateways allowing access from one LAN to another.

          Thanks for the tips.  I did all these things – unfortunately, the problem is still there.  I was thinking that perhaps there's something special about the "LAN" segment, so I switched it up.  I made GUESTNET (vlan 3) reside on LAN, and the CAMPUS VLAN (vlan 2) reside on OPT1.

          That didn't help either.  I've concluded that it has to be on this pf box because if I disable the vlan2 interface - I no longer have the problem.  I'm about to try resetting to factory defaults and trying without the trunking/lagg (although I really like those features).

          cmb:

            @TechnoBob:

            The problem I've noticed is that pfSense is routing traffic from GUESTNET to LAN - which I don't want.  I've tried putting in rules to reject all traffic from GUESTNET to LAN - but it still did it.

            Putting them in where? You need that rule to be the first on GUESTNET.

            @TechnoBob:

            I should mention that I originally defined the LAN as a gateway - with the thought that I might need to route traffic to the other pfSense box (which also has an interface on vlan2)… but decided to isolate this problem so I removed that gateway.

            No, don't do that, that's strictly for multi-WAN. You shouldn't even have a gateway on LAN in most cases.

            TechnoBob:
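            As an added illustration (this is not configuration posted by anyone in the thread), here are the pf rule shapes behind marcelloc's three tips and cmb's two answers, written in the pf.conf form that pfSense generates from the GUI. The interface names lagg0_vlan2 and lagg0_vlan3 come from the thread; the subnets, the macro names, and the em1 / 192.168.2.254 gateway are assumptions chosen for the example.

```pf
# Added example, not the thread's own ruleset. Interface names come from the
# thread; the subnets, macro names and the gateway below are assumed.
LAN       = "lagg0_vlan2"
GUESTNET  = "lagg0_vlan3"
LAN_NET   = "192.168.2.0/24"      # assumed
GUEST_NET = "192.168.3.0/24"      # assumed

# --- What leaks ------------------------------------------------------------
# pfSense puts "quick" on every rule it generates, so the FIRST matching rule
# decides. A generic "GUESTNET to any" pass above the block means the block
# is never evaluated; this is cmb's "it needs to be the first rule on GUESTNET".
pass  in quick on $GUESTNET inet from $GUEST_NET to any      keep state
block in quick on $GUESTNET inet from $GUEST_NET to $LAN_NET             # never reached

# --- Fixed ordering --------------------------------------------------------
# Rules filter where the packet ENTERS the firewall, so the guest-to-LAN block
# belongs on GUESTNET, above the catch-all pass. The mirror-image block on LAN
# (marcelloc's "at LAN and at GUESTNET") stops LAN-initiated connections too.
block in quick on $GUESTNET inet from $GUEST_NET to $LAN_NET
pass  in quick on $GUESTNET inet from $GUEST_NET to any      keep state

block in quick on $LAN      inet from $LAN_NET   to $GUEST_NET
pass  in quick on $LAN      inet from $LAN_NET   to any      keep state

# --- Why existing connections survive a new block rule ---------------------
# pf consults the state table BEFORE it walks the ruleset. A state created by
# the old pass rule keeps matching until it times out or is flushed, which is
# why "reset states after you create rules". From the pfSense shell:
#   pfctl -ss | grep 192.168.2.     # states still carrying guest-to-LAN flows
#   pfctl -F states                 # flush them (what the GUI's Reset States does)
#   pfctl -sr | grep -n lagg0_vlan3 # confirm the block is listed before the pass

# --- The gateway trap cmb describes ----------------------------------------
# Selecting a gateway on a LAN pass rule makes pfSense emit route-to. Matching
# traffic is handed to that gateway regardless of the routing table; that is
# the multi-WAN policy-routing feature and is not needed on a single-WAN LAN.
# em1 and 192.168.2.254 are placeholders. Do not write this for an ordinary LAN:
# pass in quick on $LAN route-to ( em1 192.168.2.254 ) inet from $LAN_NET to any keep state
```

            A practical check, whichever ordering you believe is loaded: run `pfctl -sr` and read the GUESTNET rules top to bottom as pf will, then flush states and retest from a guest host, since a test from a machine that already had a connection open will keep passing on its old state no matter what the rules now say.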

              @cmb:

              @TechnoBob:

              The problem I've noticed is that pfSense is routing traffic from GUESTNET to LAN - which I don't want.  I've tried putting in rules to reject all traffic from GUESTNET to LAN - but it still did it.

              Putting them in where? You need that rule to be the first on GUESTNET.

              Yep - That's where I put them.

              @TechnoBob:

              I should mention that I originally defined the LAN as a gateway - with the thought that I might need to route traffic to the other pfSense box (which also has an interface on vlan2)… but decided to isolate this problem so I removed that gateway.

              No, don't do that, that's strictly for multi-WAN. You shouldn't even have a gateway on LAN in most cases.

              Thanks - good advice.

              The way I managed to get this working right is to eliminate the Trunk port and lagg0 and use physical interfaces for each VLAN (and on the switch changed them from Trunk to Access ports).

              Not sure why this was happening… but I was up against a deadline and needed to make it work without losing any more sleep.  :P

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.