PfSense VLAN Rules for accessing HTTP



  • Hi there,

    I'm facing an issue configuring the rules on the pfSense optional interfaces.

    I think I'll start with a short description of my Network:

    I have configured a network with HP switches.
    One HP switch (5406zl) acts as the gateway in the network.

    I have configured about 4 VLANs:
    VLAN 1 = Management (only for access to Switch Webinterfaces)
    VLAN 2 = Server (Server-Network, for DC etc.)
    VLAN 3 = Employees (Clients)
    VLAN 100 = Uplink

    Connected to the switch is a 1U server running pfSense; the corresponding
    port is configured this way on both the switch and the firewall side:
    VLAN 100 Untagged
    VLAN 1 Tagged
    VLAN 2 Tagged
    VLAN 3 Tagged

    The switch has a gateway IP in each VLAN, as required:
    VLAN 1 = 10.0.90.1/16
    VLAN 2 = 10.10.0.1/18
    VLAN 3 = 10.20.0.1/16
    VLAN 100 = 10.255.0.1/16

    And the Firewall has the (standard) LAN interface configured for VLAN 100 (10.255.0.3/16).
    In addition I have added 3 optional Interfaces and configured the appropriate VLAN IDs for each:
    VLAN 1 = 10.0.0.3/16
    VLAN 2 = 10.10.0.3/18
    VLAN 3 = 10.20.0.3/16

    On the switch side I have configured the default route to 10.255.0.3!
    There are some ACLs configured on the switch. Simplified, they are the following:
    VLAN 1 permission on any other VLANs
    VLAN 2 permission to any other VLAN except VLAN 1
    VLAN 3 permission to VLAN 2 and 100

    pfSense runs the DHCP server for every VLAN.
    So far everything seems to work: I can access the pfSense from any VLAN, even
    where it is getting routed, wherever the ACLs allow the access.

    I can ping from any client in the network (pfSense, gateway, WAN interface on pfSense, websites like google etc.).
    But if I start a web browser and access google.de it is not possible to see the page, though I have allowed
    HTTP and HTTPS in the firewall rules!?

    When I put my client in VLAN 100 (native LAN interface) everything works fine!
    The problem only exists on the "optional" interfaces (VLANs)…!

    Please help, I am thankful for any hints. Maybe I am only a simple step
    away from the solution, but I'm stepping in the dark right now.

    Thanks in advance!



  • Have you set up advanced outbound NAT? Do you have a default rule on each VLAN interface in pfSense? Are you able to resolve names to IPs?



  • Yes, the weird thing is that I can resolve names to IPs. The default routes are also set. As far as I remember I didn't make any changes to outbound NAT…
    I'll take a look, maybe that's where the problem lies...



  • Okay, found the problem… and solved it.
    I forgot to mention that I am routing all traffic to the WAN by passing it over VLAN 100, so I had to allow, in the VLAN 100 (LAN) rules, any requests coming from those other subnets!

    Thanks a lot.


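The mechanism behind the fix above is that pfSense rules are attached to the interface a packet enters on, are evaluated first-match, and drop anything unmatched. With the switch acting as the clients' gateway and its default route pointing at pfSense's LAN address 10.255.0.3, Internet-bound traffic from VLAN 1/2/3 arrives on the LAN (VLAN 100) interface, so the HTTP/HTTPS rules on the OPT interfaces never see it. The following is an added example, not the poster's configuration nor pfSense's own code: a small Python model of that evaluation using the addressing from the thread. The rule sets, the client and destination addresses (TEST-NET-3), the assumption that clients use the switch as their gateway, and the choice to open only the web ports on LAN rather than "any" are all constructed for illustration; it also shows the alternative path where a client points at pfSense directly and the OPT rules do apply.

```python
"""Model of pfSense per-interface, first-match, default-deny rule evaluation.

Topology values come from the forum thread; everything else (rule sets, hosts,
the assumption that the HP switch is the clients' default gateway and that the
switch's default route is pfSense's LAN address 10.255.0.3) is constructed
for this example.
"""
from dataclasses import dataclass
import ipaddress

IPNet = ipaddress.IPv4Network
ANY = IPNet("0.0.0.0/0")

# pfSense interface -> directly connected subnet (addressing from the thread)
IFACES = {
    "LAN":  IPNet("10.255.0.0/16"),  # VLAN 100, untagged on the trunk
    "OPT1": IPNet("10.0.0.0/16"),    # VLAN 1, management
    "OPT2": IPNet("10.10.0.0/18"),   # VLAN 2, servers
    "OPT3": IPNet("10.20.0.0/16"),   # VLAN 3, employees
}
# pfSense's own address on each interface (from the thread)
PFSENSE_ADDR = {
    "LAN": "10.255.0.3", "OPT1": "10.0.0.3", "OPT2": "10.10.0.3", "OPT3": "10.20.0.3",
}
WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: IPNet
    dst: IPNet
    dports: frozenset  # empty set = any destination port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def ingress_interface(pkt: Packet, gateway: str) -> str:
    """Interface on which pfSense sees the packet (assumption, see module doc).

    If the client's gateway is one of pfSense's own addresses, the packet
    enters on that VLAN's interface.  Otherwise the client hands it to the
    switch, whose default route is 10.255.0.3, so it enters on LAN.
    """
    gw = ipaddress.ip_address(gateway)
    for name, addr in PFSENSE_ADDR.items():
        if gw == ipaddress.ip_address(addr):
            return name
    return "LAN"


def evaluate(rulesets: dict, iface: str, pkt: Packet) -> str:
    """First matching rule on the ingress interface wins; no match = block."""
    for rule in rulesets[iface]:
        port_ok = not rule.dports or pkt.dport in rule.dports
        if pkt.src in rule.src and pkt.dst in rule.dst and port_ok:
            return rule.action
    return "block"


def rules_as_posted() -> dict:
    """What the poster described: web allowed on every OPT interface,
    LAN left at its default 'LAN net to any' rule."""
    return {
        "LAN":  [Rule("pass", IFACES["LAN"], ANY, frozenset())],
        "OPT1": [Rule("pass", IFACES["OPT1"], ANY, WEB)],
        "OPT2": [Rule("pass", IFACES["OPT2"], ANY, WEB)],
        "OPT3": [Rule("pass", IFACES["OPT3"], ANY, WEB)],
    }


def rules_fixed() -> dict:
    """The thread's fix: LAN must also pass what the switch forwards from the
    other VLANs.  The poster allowed 'any requests'; restricting to the web
    ports the clients actually need is the least-privilege version."""
    rs = rules_as_posted()
    for opt in ("OPT1", "OPT2", "OPT3"):
        rs["LAN"].insert(0, Rule("pass", IFACES[opt], ANY, WEB))
    return rs


def web_allowed(rulesets: dict, client_ip: str, gateway: str,
                dst: str = "203.0.113.10", dport: int = 443) -> tuple:
    """Return (ingress interface, verdict) for a client opening a web site."""
    pkt = Packet(ipaddress.ip_address(client_ip), ipaddress.ip_address(dst), dport)
    iface = ingress_interface(pkt, gateway)
    return iface, evaluate(rulesets, iface, pkt)


if __name__ == "__main__":
    for label, rs in (("as posted", rules_as_posted()), ("after fix", rules_fixed())):
        print(label, "VLAN 3 client via switch:", web_allowed(rs, "10.20.0.50", "10.20.0.1"))
        print(label, "VLAN 100 client:        ", web_allowed(rs, "10.255.0.50", "10.255.0.3"))
```

Running it reproduces the symptom: the VLAN 3 client is blocked on LAN with the posted rules and passes after the LAN rule is added, while a VLAN 100 client passes either way. Pointing the VLAN 3 client at 10.20.0.3 instead shows the packet entering on OPT3, where the original web rule would have matched, which is the other way to resolve the same problem.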