PfSense VLAN Rules for accessing HTTP
I'm facing some issues configuring the rules on pfSense optional interfaces.
I think I'll start with a short description of my Network:
I have configured a Network with HP Switches.
One HP Switch (5406zl) does the job of the Gateway in the Network.
I have configured about 4 VLANs:
VLAN 1 = Management (only for access to Switch Webinterfaces)
VLAN 2 = Server (Server-Network, for DC etc.)
VLAN 3 = Employees (Clients)
VLAN 100 = Uplink
Connected to the switch is a 1HE server running pfSense; the corresponding
port is configured this way on both the switch and the firewall side:
VLAN 100 Untagged
VLAN 1 Tagged
VLAN 2 Tagged
VLAN 3 Tagged
The switch has a gateway IP in each VLAN, as required:
VLAN 1 = 10.0.90.1/16
VLAN 2 = 10.10.0.1/18
VLAN 3 = 10.20.0.1/16
VLAN 100 = 10.255.0.1/16
And the Firewall has the (standard) LAN interface configured for VLAN 100 (10.255.0.3/16).
In addition I have added 3 optional Interfaces and configured the appropriate VLAN IDs for each:
VLAN 1 = 10.0.0.3/16
VLAN 2 = 10.10.0.3/18
VLAN 3 = 10.20.0.3/16
On the switch side I have configured the default route to 10.255.0.3!
There are some ACLs configured on the switch. Simplified, they are the following:
VLAN 1 permission on any other VLANs
VLAN 2 permission to any other VLAN except VLAN 1
VLAN 3 permission to VLAN 2 and 100
On pfSense runs the DHCP server for every VLAN.
So far everything seems to work: I can access pfSense from any VLAN, and traffic
gets routed wherever the ACLs allow the access.
I can ping from any Client in network (pfSense, Gateway, WAN Interface on pfSense, Websites like google etc.).
But if I start a web browser and access google.de, it is not possible to see the page, though I have allowed
access to HTTP and HTTPS in the firewall rules!?
When I put my client in VLAN 100 (native LAN interface) everything works fine!
The problem only exists on the "optional" interfaces (VLANs)…!
Please help, I am thankful for any hints. Maybe I am only a simple step
away from the solution, but I am stepping in the dark right now. ???
Thanks in advance!
Have you set up advanced outbound NAT? Do you have a default rule on each VLAN interface on pfSense? Are you able to resolve names to IPs?
Yes, the weird thing is that I can resolve names to IPs. The default routes are also set. As far as I remember I didn't make any changes to outbound NAT…
I'll take a look, maybe there lies the problem...
Okay, found the problem… and solved it.
I forgot to mention that I am routing all traffic to the WAN by passing it over VLAN 100, so I had to allow in the VLAN 100 (LAN) rules any requests coming from those other subnets!
Thanks a lot.
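The fix in the last post, as an added example that is not part of this thread: a small Python model of pfSense's per-interface rule evaluation (rules are checked on the interface a packet arrives on, first match wins, unmatched traffic hits the implicit default deny) using the subnets from the question. Because the HP switch is every VLAN's gateway and default-routes to 10.255.0.3, off-VLAN traffic reaches pfSense on LAN (VLAN 100), not on the OPT interfaces. The rule sets, the `pfsense_is_gateway` switch and the function names are constructed assumptions, not pfSense's own code.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the thread; the rule sets below are constructed to mirror what the OP described.
LAN_NET = ipaddress.ip_network("10.255.0.0/16")          # VLAN 100 = pfSense LAN interface
OPT_NETS = {                                              # optional VLAN interfaces on pfSense
    "OPT1": ipaddress.ip_network("10.0.0.0/16"),         # VLAN 1 Management
    "OPT2": ipaddress.ip_network("10.10.0.0/18"),        # VLAN 2 Server
    "OPT3": ipaddress.ip_network("10.20.0.0/16"),        # VLAN 3 Employees
}
WEB_PORTS = {80, 443}

@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    sources: list                                 # list of ip_network the source must fall into
    dports: set = field(default_factory=set)      # empty set = any destination port

def evaluate(rules, src_ip, dport):
    """pfSense semantics: first matching rule wins; no match -> implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if any(src in n for n in r.sources) and (not r.dports or dport in r.dports):
            return r.action
    return "block"

def ingress_interface(src_ip, pfsense_is_gateway=False):
    """Interface on which a packet from src_ip reaches pfSense. With the switch as the
    VLAN gateway (the thread's setup) everything arrives via VLAN 100 = LAN; only if the
    clients used pfSense's VLAN address as gateway would the matching OPT interface see it."""
    src = ipaddress.ip_address(src_ip)
    if pfsense_is_gateway:
        for name, net in OPT_NETS.items():
            if src in net:
                return name
    return "LAN"

def ruleset(fixed):
    rules = {"LAN": [Rule("pass", [LAN_NET])]}                 # pfSense's default "LAN net to any"
    for name, net in OPT_NETS.items():
        rules[name] = [Rule("pass", [net], WEB_PORTS)]          # the HTTP/HTTPS rules the OP added
    if fixed:
        # The thread's fix: the LAN rules must also accept the other VLAN subnets.
        rules["LAN"].append(Rule("pass", list(OPT_NETS.values()), WEB_PORTS))
    return rules

def web_allowed(src_ip, dport=443, fixed=False, pfsense_is_gateway=False):
    iface = ingress_interface(src_ip, pfsense_is_gateway)
    return evaluate(ruleset(fixed)[iface], src_ip, dport) == "pass"

if __name__ == "__main__":
    for src in ("10.255.0.50", "10.20.0.50"):
        print(src, "before fix:", web_allowed(src), "after fix:", web_allowed(src, fixed=True))
```

The OPT interface rules only ever match when the client's gateway is pfSense's own VLAN address; in the thread's design every rule that matters for inter-VLAN and Internet traffic lives on LAN.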