Static routes

  • I apologize if this has been on the forum before, I've looked and couldn't find it.  I have 2 WANs which will turn into 3.  I have 4 VLANs.  By default pfSense routes all of them together.  I've tried setting up a static route and lost connectivity, so I've reset to factory settings.  Re-set up the 4 VLANs and the 2 WANs. I would like to set up routes so that 1 VLAN can connect to another VLAN but that other VLAN can't connect back (if that makes sense).  I also want to route the VLANs out on particular WANs.  i.e.:
    VLAN1 can connect to and manage VLAN 2 but VLAN 2 can't connect to VLAN1.  VLAN 1 goes out on WAN 1 and VLAN 2 goes out on WAN 2.

    Is there anyone who can give me advice on this?

  • Use firewall rules. Static routes should not be used for any networks directly attached to pfSense.

    In Firewall rules:
    just allow from VLAN1 to VLAN2 (on the VLAN1 tab)
    and block from VLAN2 to VLAN1 (on the VLAN2 tab)

  • That makes things a lot simpler, thank you :)  I will try it and report back.  Greatly appreciated :)

  • That seems to have worked, thank you :)

  • Just a quick check with static routes.  I think one VLAN isn't routing to a WAN.  With static routes do I state the source IP and destination IP as the range? i.e., or do I specify the IP specifically?

  • As I said before … no static routes for any interface directly attached to pfSense. This includes VLANs.

    There's probably a different issue going on, without more info it's impossible to tell though.

    Screenshots of firewall rules/interfaces/routing tables ... might help.

  • I thought that was the case (as you said in a previous post).  I'll have a play with it, then I'll post up screenshots if I don't get anywhere with it :)

  • Posting up the firewall rules and routing table.  The interfaces I haven't posted have no rules in them.  It is still relatively open as a network.

  • I'm guessing OPT5 & OPT6 are the VLAN interfaces?

    "The interfaces I haven't posted have no rules in them.  It is still relatively open as a network."

    pfSense blocks EVERYTHING by default … so if you have no rules on the OPT interfaces, then they will be unable to go out to anywhere.
    Try creating an 'ALLOW ALL' rule on the VLAN interfaces (PASS | protocol/source/destination: any).
    If that works, you can adjust it / add rules to lock it down the way you like.

  • OPT1, 5, 6 and LAN are all VLANs.  LAN is working fine.  OPT1 is going to be VoIP, OPT5 is going to be my DMZ and OPT6 is going to be my blue.

    I've just added in the allow rules on OPT1 (which is the VLAN I'm working on at the moment) and it's still not playing ball.  I want WAN1 as my data and WAN2 as my voice.  WAN2 seems to be the one having the issue.

  • Just adding rules is not enough if you want them to get to the internet. You are also going to have to create manual NAT rules to make sure that when the traffic goes out, it gets an internet address.

  • I've done that.  When I do ipconfig on the computer it is picking up an IP (DHCP), but when I ping it says that the private interface is unreachable.  IP of PC is and IP of private NIC on pfSense on that VLAN is

  • Have you double-checked the VLAN settings on the switch? Untagged ports for clients & correct PVID | tagged port for pfSense

  • For the time being I am going through the NICs (directly connecting). I do have 2 shiny Netgear switches sitting here, which at the moment I'm not using, but until I've got the VLANs sorted on the firewall I was going to wait before using them.  I have 4 NICs currently.  2 red, 1 with LAN, OPT5, OPT6, 1 with OPT5 and OPT1. Sorry, I should have said earlier. Is that likely where my issue is?

  • So long as there are rules to allow the packets to pass (any protocol, normal is TCP/UDP) and there is an associated rule in the outbound NAT table, it should be able to get to the internet.

    What are you trying to ping and from where?

  • pfSense will ALWAYS TAG the packets on VLAN interfaces …

    If you directly attach your clients, then you will need to force your network driver into the correct VLAN for this to work. (In Windows this can be done in Device Manager when going to the advanced settings of the NIC.)
    Do note that this works with most Intel network cards ... not sure if all drivers are able to support VLANs.

  • Is there any way to turn off tagging in pfSense?

  • Yes … don't enable VLAN.

  • lol, ok, I'll set up my switches now then instead of going direct.  Cheers :)

  • I've got a VLAN going through the switch, but tagging doesn't appear to be the issue as pfSense is going through a tagged port.

  • Yes, you just have to specify which VLAN it has access to and it should work.

  • I did :-/

  • I have the VLAN tagged, but it's not lagged on the switch.  Is that required?

  • The switch needs to know what VLAN it has on what port. Basically, it needs a VLAN access group setup.

  • I've already done that.  So I'm assuming from that explanation I don't need to set a dedicated LAG.  So that then begs the question, why is my VLAN access group not doing what it should :-/  I'm sure I'm missing something blatantly simple here!

  • I've tried it through a LAG, I've tried it with tagged ports to the pfSense box, I've tried it with untagged ports. It's giving out IPs but it's not connecting to the internet (and I've set up NAT as far as I'm aware).  I can't ping pfSense from the computer I have going through the switch. I can however ping the switch.

  • Sorry, I thought LAG was a typo for TAG. Far as I can remember LAGG is for link aggregation: port failover or load balancing between 2 ports. That is a different setup than just VLAN and routing. If you are getting an IP from DHCP running on pfSense, but cannot even ping it, then the most likely cause is that you are missing a firewall rule to allow the traffic. In the firewall config, does each of your tabs for VLANs have a default allow rule similar to LAN?

  • There's no rule in pfSense on the private interfaces, I thought it allowed everything by default?  So I need to create an allow rule?

  • I've created an allow-all rule on the VLAN I'm connecting to currently, it still seems to have the same issue.

  • The default action on all except floating is to deny. Without an allow rule of some kind, traffic will not pass.
    Are you at least able to ping the pfSense interface now?

  • No, it's still timing out.  I've done a ping <ip> /t so when it starts working I'll see it :)

  • Got it working now.  I had it to only allow TCP!  I'm now allowing all :-D  Silly slip!  Thank you to everyone that has helped, greatly appreciated :-D
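As an added illustration of the thread's two main points (pfSense denies anything not matched by a pass rule on the interface the traffic enters, and the one-way VLAN1 -> VLAN2 policy from the first reply), here is a small Python model of per-interface, first-match, stateful rule evaluation. It is not pfSense code or anything from the thread; the interface names, addresses and rule tables are constructed, and state tracking is simplified to (protocol, source, destination) without ports. The OPT1 table reproduces the TCP-only slip from the last post, which is why an ICMP ping is blocked there.

```python
from ipaddress import ip_address, ip_network

# Constructed rule tables keyed by the interface the packet ENTERS on.
# Each rule is (action, proto, src_net, dst_net). First match wins;
# no match falls through to pfSense's default deny.
RULES = {
    "VLAN1": [("pass", "any", "10.1.0.0/24", "any")],
    "VLAN2": [("block", "any", "10.2.0.0/24", "10.1.0.0/24"),
              ("pass", "any", "10.2.0.0/24", "any")],
    # The slip from the thread: a pass rule that only matches TCP.
    "OPT1": [("pass", "tcp", "10.3.0.0/24", "any")],
}

def matches(rule, proto, src, dst):
    """True if a packet (proto, src, dst) matches the rule's selectors."""
    _, r_proto, r_src, r_dst = rule
    if r_proto != "any" and r_proto != proto:
        return False
    if r_src != "any" and ip_address(src) not in ip_network(r_src):
        return False
    if r_dst != "any" and ip_address(dst) not in ip_network(r_dst):
        return False
    return True

def evaluate(iface, proto, src, dst, states):
    """Return 'pass' or 'block' for a packet entering iface.

    states is a set of (proto, src, dst) flows already permitted, so
    reply traffic passes without needing a rule on the other interface
    (this is what lets VLAN1 reach VLAN2 while VLAN2 cannot initiate
    connections back to VLAN1)."""
    if (proto, dst, src) in states:
        return "pass"  # reply to an established, permitted flow
    for rule in RULES.get(iface, []):
        if matches(rule, proto, src, dst):
            if rule[0] == "pass":
                states.add((proto, src, dst))
            return rule[0]
    return "block"  # default deny: nothing matched on this interface

def fix_opt1():
    """Replace the TCP-only rule with the 'allow all' rule from the thread."""
    RULES["OPT1"] = [("pass", "any", "10.3.0.0/24", "any")]
```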
