PfSense VLAN Rules for accessing HTTP
-
Hi there,
I'm facing some issues configuring the rules on pfSense optional interfaces.
I think I'll start with a short description of my network:
I have configured a network with HP switches.
One HP switch (5406zl) does the job of the gateway in the network. I have configured about 4 VLANs:
VLAN 1 = Management (only for access to the switch web interfaces)
VLAN 2 = Server (server network, for DC etc.)
VLAN 3 = Employees (clients)
VLAN 100 = Uplink
On the switch a 1HE server with pfSense is connected; the appropriate port is configured this way on the switch and firewall side:
VLAN 100 Untagged
VLAN 1 Tagged
VLAN 2 Tagged
VLAN 3 Tagged
The switch has a gateway IP in each VLAN as required:
VLAN 1 = 10.0.90.1/16
VLAN 2 = 10.10.0.1/18
VLAN 3 = 10.20.0.1/16
VLAN 100 = 10.255.0.1/16
And the firewall has the (standard) LAN interface configured for VLAN 100 (10.255.0.3/16).
In addition I have added 3 optional interfaces and configured the appropriate VLAN IDs for each:
VLAN 1 = 10.0.0.3/16
VLAN 2 = 10.10.0.3/18
VLAN 3 = 10.20.0.3/16
On the switch side I have configured the default route to 10.255.0.3!
There are some ACLs configured on the switch. Simplified, the following:
VLAN 1 permitted to any other VLAN
VLAN 2 permitted to any other VLAN except VLAN 1
VLAN 3 permitted to VLAN 2 and 100
pfSense runs the DHCP server for every VLAN.
So far everything seems to work: I can access pfSense from any VLAN, even where it gets routed, as long as the ACLs allow the access. I can ping from any client in the network (pfSense, gateway, WAN interface on pfSense, websites like google etc.).
But if I start a web browser and access google.de it is not possible to see the page, though I have allowed HTTP and HTTPS in the firewall rules!? When I put my client in VLAN 100 (native LAN interface) everything works fine!
Only on the "optional" interfaces (VLANs) does the problem exist…! Please help, I am thankful for any hints. Maybe I am only a simple step
away from the solution, but I'm stepping in the dark right now. Thanks in advance!
-
Have you set up advanced outbound NAT? Do you have a default rule on each VLAN interface in pfSense? Are you able to resolve names to IPs?
-
Yes, the weird thing is that I can resolve names to IPs. The default routes are also set. As far as I remember I didn't make any changes to outbound NAT…
I'll take a look, maybe the problem lies there...
-
Okay, found the problem… and solved it.
I forgot to mention that I am routing any traffic to the WAN by passing it on VLAN 100, so I had to allow in the VLAN 100 (LAN) rules any requests coming from those other subnets!
Thanks a lot.
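The root cause in this thread is a forwarding-path mismatch: the clients use the switch's SVI as their gateway, the switch's default route points at pfSense's LAN address 10.255.0.3, so every packet bound for the Internet enters pfSense on the LAN (VLAN 100) interface, carrying a source address from one of the other VLANs. pfSense only evaluates the rules of the interface a packet enters on, and the stock "LAN net to any" rule does not match 10.0.0.0/16, 10.10.0.0/18 or 10.20.0.0/16, so the traffic hits the default deny. The following model of that decision is an added illustration, not the poster's configuration or pfSense code: the interface labels lan/opt1/opt2/opt3, the rule contents before and after the fix, and the external address 203.0.113.10 are assumptions; the subnets and the switch's default route are the ones given in the first post.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# pfSense interfaces: (address on pfSense, directly connected subnet).
# Addresses and subnets are from the first post; the lan/opt1-3 labels are
# assumed (pfSense names optional interfaces OPTn until renamed).
IFACES = {
    "lan":  (ip_address("10.255.0.3"), ip_network("10.255.0.0/16")),  # VLAN 100
    "opt1": (ip_address("10.0.0.3"),   ip_network("10.0.0.0/16")),    # VLAN 1
    "opt2": (ip_address("10.10.0.3"),  ip_network("10.10.0.0/18")),   # VLAN 2
    "opt3": (ip_address("10.20.0.3"),  ip_network("10.20.0.0/16")),   # VLAN 3
}
# The 5406zl's default route points at pfSense's LAN address.
SWITCH_DEFAULT_ROUTE = ip_address("10.255.0.3")

ANY = None
Rule = namedtuple("Rule", "iface action proto src dports")
Packet = namedtuple("Packet", "src dst proto dport")


def ingress_interface(pkt, client_gateway):
    """Return the pfSense interface the packet enters on, given the client's gateway."""
    gw = ip_address(client_gateway)
    for name, (addr, _net) in IFACES.items():
        if gw == addr:
            return name  # client hands the packet straight to pfSense on its own VLAN
    # Otherwise the switch SVI is the gateway: the switch forwards via its default
    # route, so pfSense sees the packet on the interface that owns that next hop.
    for name, (addr, _net) in IFACES.items():
        if addr == SWITCH_DEFAULT_ROUTE:
            return name
    raise ValueError("no pfSense interface owns the switch's next hop")


def matches(rule, pkt):
    if rule.proto is not ANY and rule.proto != pkt.proto:
        return False
    if rule.src is not ANY and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dports is not ANY and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules, iface, pkt):
    """pfSense evaluates rules per interface top-down, first match wins, default deny."""
    for rule in rules:
        if rule.iface == iface and matches(rule, pkt):
            return rule.action
    return "block"


def decide(rules, src, client_gateway, dst, proto, dport=None):
    """(ingress interface, verdict) for a packet from src towards dst."""
    pkt = Packet(src, dst, proto, dport)
    iface = ingress_interface(pkt, client_gateway)
    return iface, evaluate(rules, iface, pkt)


WEB = {80, 443}
# Assumed rule set before the fix: pfSense's stock "LAN net -> any" rule on LAN,
# plus HTTP/HTTPS pass rules from each optional interface's own subnet.
RULES_BEFORE = [
    Rule("lan",  "pass", ANY,   IFACES["lan"][1],  ANY),
    Rule("opt1", "pass", "tcp", IFACES["opt1"][1], WEB),
    Rule("opt2", "pass", "tcp", IFACES["opt2"][1], WEB),
    Rule("opt3", "pass", "tcp", IFACES["opt3"][1], WEB),
]
# The fix from the last post: routed traffic arrives on LAN with the other
# VLANs' source addresses, so LAN needs pass rules for those subnets as well.
RULES_AFTER = RULES_BEFORE + [
    Rule("lan", "pass", ANY, IFACES[n][1], ANY) for n in ("opt1", "opt2", "opt3")
]

if __name__ == "__main__":
    # Employee client in VLAN 3 using the switch SVI 10.20.0.1 as gateway,
    # opening HTTPS to a constructed external address.
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, decide(rules, "10.20.0.50", "10.20.0.1", "203.0.113.10", "tcp", 443))
```

The model shows why the optional-interface rules never mattered for Internet traffic: they only apply to packets whose first hop is pfSense's own address on that VLAN, which is not the path the switch-routed design takes. It also makes the trade-off visible: with the switch doing inter-VLAN routing, pfSense only sees source addresses, not VLAN membership, so the LAN rules (and the switch ACLs) are the real policy boundary for anything heading to the WAN.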