Static routes
-
I apologize if this has been on the forum before, I've looked and couldn't find it. I have 2 WANS which will turn into 3. I have 4 VLANS. by default pfsense routes all of them together. I've tried setting up a static route and lost connectivity so I've reset to factory settings. Reset up the 4 VLANS and the 2 WANS. I would like to set up routes so the 1 VLAN can connect to another VLAN but that other VLAN cant connect back (if that makes sense). I also want to route the VLANS out on particular WANs. i.e:
VLAN1 can connect and manage VLAN 2 but VLAN 2 cant connect to VLAN1. VLAN 1 goes out on WAN 1 and VLAN 2 goes out on WAN 2.Is there anyone who can give me advice on this?
-
use firewall rules. Static routes should not be used for any networks directly attached to pfsense.
in Firewall rules:
just allow from VLAN1 to VLAN2 (on VLAN1-tab)
and block from VLAN2 to VLAN1 (on VLAN2-tab) -
That makes things alot simpler, thankyou :) I will try it and report back. Greatly appreciated :)
-
that seems to have worked, thankyou :)
-
Just a quick check with static routes. I think one VLAN isnt routing to a WAN. With static routes do I state the source ip and destination ip as the range? i.e. 192.168.1.0? or do i specify specifically the ip?
-
as i said before … no static routes for any interface directly attached to pfsense. this includes vlan's
there's probably a different issue going on, without more info it's impossible to tell tho.
screenshots of firewall rules/interfaces/routing tables/ .... might help
-
I thought that was the case (as you said in a previous post). lll have a lay with it then Ill post up screenshots if I don't get anywhere with it :)
-
posting up the firewall rules and routing table. The interfaces I havent posted have no rules in them. It is still reletively open as a network.
-
i'm guessing OPT5 & OPT6 are the VLAN interfaces ?
The interfaces I havent posted have no rules in them. It is still reletively open as a network.
Pfsense blocks EVERYTHING by default … so if you have no rules on the OPT interfaces, then they will be unable to go out to anywhere.
try creating an 'ALLOW ALL' rule on the vlan interfaces (PASS | protocol/source/destination:any )
if that works, you can adjust it / add rules to lock it down the way you like. -
Opt1,5,6 and LAN are all vlans. LAN is working fine. OPT1 is going to be VoIP, Opt 5 is going to be my DM-z and Opt 6 is going to be my blue.
Ive just added in the allow rules on opt 1 (which is the VLAN im working on at the moment) and its still not playing ball. I want WAN1 as my data and WAN2 as my voice. WAN2 seems to be the one having the issue
-
just adding rules are not enough if you want them to get to the internet. You are also going to have to create manual NAT rules to make sure that when the traffic goes out, it gets an internet address.
-
Ive done that. When I do ipconfig on the computer it is picking up an ip (DHCP), but when I ping it says that the private interface is unreachable. ip of pc is 192.168.0.2 and ip of private nic on pfsense on that vlan is 192.168.0.1
-
have you double checked the vlan settings on the switch ? untagged ports for clients & correct pvid | tagged port for pfsense
-
For the time being I am going through the NICSs (directl connecting), I do have 2 shiny Netgear switches sitting here, which at the moment I'm not using, but until I've got the VLANs sorted on firewall I was going to wait before using them. I have 4 NICs currently. 2 Red, 1 with LAN, OPT5, Opt6, 1 with Opt5 and OPt1. Sorry I should have said earlier. Is that likely where my issue is?
-
So long as there are rules to allow the packets to pass (any protocol, normal is TCP/UDP) and there is an associated rule in the outbound NAT table, it should be able to get tot he internet.
what are you trying to ping and from where?
-
Pfsense will ALLWAYS TAG the packets on vlan interfaces ….
if you directly attach your clients, then you will need to force your network driver into the correct VLAN for this to work. (in windows this can be done in device manager when going to advanced settings of the NIC).
Do note that this works with most Intel network cards .... not sure if all drivers are able to support VLAN's. -
is there anyway to turn off tagging in PfSense?
-
Yes … don't enable VLAN.
-
lol, ok, ill set up my switches then now instead of going direct. cheers :)
-
Ive got a vlan going through the switch, but tagging doesn't appear to be the issue as pfsense is going through a tagged port