Inter-VLAN routing not working.



  • I have to set up a small educational facility with the following network.

    wan1(NIC0)==                      Student_VLAN(NIC2)
                         PFsense==     Staff_VLAN(NIC2)
    wan2(NIC1)==                      Survillance_VLAN(NIC3)

    In the above network I have to give access to some ports of the NVR on survillance_vlan to staff_vlan.
    Similarly, I have to give access to the NAS on staff_vlan to student_vlan.

    I have a DHCP server on every network from pfSense, with subnet 192.168.1.0/24 for staff_vlan, 192.168.5.0/24 for student_vlan and 192.168.6.0/24 for survillance_vlan.

    I tried different rules under Firewall but I can't even ping a machine on another network.
    All the machines and devices in their own network are working properly; they get IPs from the DHCP server.
    Students and staff have internet access through the captive portal. All is working fine other than inter-network routing.

    Even when I tried a default allow-all rule, it still isn't working.

    I checked the logs; they show the ICMP rule passed when I try to ping a system in another network.
    When I clicked on the passed button it shows the following:
    @79 Pass in log quick on re0_vlan3 from any to <negate_networks:5> flags S/SA keep state label "Negate_Route: negate policy routing for destination

    Please give some suggestions on the topic.

    Thanking you.


  • Banned

    It's a matter of rules… nothing else. It works fine here :)



  • The following are the rules I have for the different interfaces

    for staff
    *  *  *  *    *    wan  none
    *  staff_vlan net  *  student_vlan net    *    *  none

    for student
    *  *  *  *    *    wan  none
    *  student_vlan net  *  staff_vlan net    *    *  none

    for survillance
    *  survillance_vlan net  *  staff_vlan net    *    *  none

    I tried different rules, tried to reset states after every modification.

    But I still can't find the problem. The logs show the pass tag, so why can't I access the other network?

    Is there anything I am missing? Any other setting I have to do for it?

    Please give suggestions.

    Thanks in advance
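The rule sets above are evaluated top-down, first match wins, and a rule carrying a gateway policy-routes whatever it matches. The following is an added toy model of that evaluation (not pfSense code, and the subnet masks are assumed /24 as stated in the first post) that shows why the auto-generated Negate_Route rule seen in the log matters: with it, traffic to a directly connected network is passed without a gateway; without it, the any-to-any rule with gateway "wan" placed first would capture inter-VLAN traffic and the explicit staff-to-student rule below it would never be reached.

```python
# Added example: simplified first-match rule evaluation with policy routing.
# Not pfSense's implementation; subnets taken from the thread, /24 assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

NETS = {
    "staff_vlan net": ipaddress.ip_network("192.168.1.0/24"),
    "student_vlan net": ipaddress.ip_network("192.168.5.0/24"),
    "survillance_vlan net": ipaddress.ip_network("192.168.6.0/24"),
}


@dataclass
class Rule:
    src: str                # "*" or a key of NETS
    dst: str                # "*", a key of NETS, or "negate_networks"
    gateway: Optional[str]  # None = normal routing, else policy-route via it
    label: str


def _match(spec, ip):
    if spec == "*":
        return True
    if spec == "negate_networks":
        # stands in for pfSense's table of directly connected networks
        return any(ip in n for n in NETS.values())
    return ip in NETS[spec]


def evaluate(rules, src_ip, dst_ip):
    """Return (label, gateway) of the first matching rule, else default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _match(r.src, s) and _match(r.dst, d):
            return r.label, r.gateway
    return "default deny", None


# Staff interface rules from the post, preceded by the Negate_Route rule
# that the log line shows pfSense placing ahead of policy-routing rules.
STAFF_RULES = [
    Rule("*", "negate_networks", None, "Negate_Route"),
    Rule("*", "*", "wan", "any to any via wan"),
    Rule("staff_vlan net", "student_vlan net", None, "staff to student"),
]
STAFF_RULES_NO_NEGATE = STAFF_RULES[1:]   # same set without the negate rule

if __name__ == "__main__":
    print(evaluate(STAFF_RULES, "192.168.1.10", "192.168.5.20"))
    print(evaluate(STAFF_RULES, "192.168.1.10", "203.0.113.5"))
    print(evaluate(STAFF_RULES_NO_NEGATE, "192.168.1.10", "192.168.5.20"))
```

The third call shows the failure mode: without the negate rule, staff-to-student traffic is policy-routed out "wan" instead of being delivered locally.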


  • Rebel Alliance Developer Netgate

    Is pfSense actually the current default gateway for all of the devices in those networks?

    If your interfaces are set right (correct IP, correct subnet mask), the rules are right, and the firewall is actually the default gateway for everything, then traffic will flow through.

    Assuming, of course, that the device you're trying to contact will actually accept the connection. Sometimes local firewalls such as Windows firewall will block ping and other services from outside of its own subnet.



  • Can you explain what it is and how to set all interfaces on pfSense as the default gateway?

    I have a DHCP server for all networks, and under it the default gateway is the interface's IP address.
    For the gateway I have two WAN interfaces for internet; both work under load balance mode.

    Other than this, please tell me how to set pfSense as the default gateway.

    About the system firewalls, Windows might be blocking ping requests from other subnets, but the other network
    devices, like IP cameras, NVR, NAS, at least have to respond to pings.

    May I use a virtual IP for this? I would map the traffic of a certain virtual IP in one subnet to an IP in another subnet.

    Is such a thing possible?

    I don't know much technically about networking, but I am still trying to find a way with the knowledge I have,
    so kindly consider this and give a suggestion on it.

    And again, thanks for your reply.



  • Dear jimp,

    Thanks for your suggestion. You were right; Windows was blocking the other subnet's traffic.

    But I still have a problem with non-Windows devices where I don't have control over the devices' rules.

    I have posted the following query under the NAT section and request your suggestions on it.

    Thanks for help.

    """
    I have networks with different subnets for different devices.

    For the surveillance network, the IP cameras I have are not accepting requests from another subnet, and
    there is also no option for firewall rules like on Windows.

    Can I use 1:1 NAT to overcome this problem?
    Is there a method so that I can use a virtual IP belonging to the surveillance subnet to just forward my traffic
    to the IP camera, so the camera will see it as local traffic and accept it?

    Please help me on this issue.

    Thanks in advance."""

