Vlan and pfsense



  • Hi Team,

    I have pfsense and a cisco 4006 sup 3

    On the switch I created the vlans, 23,29,31 without any ip.

    On pfsense I created the vlans also and used the same nic as the lan.

    Now each vlan connects to a remote pfsense so for example

    Remote 1 pfsense lan is vlan 20 which connects to local pfsense vlan 23

    Remote 2 pfsense vlan 28 connects to local pfsense vlan 29

    Now on vlan 23, I have a linux box, ip 192.168.23.10, with the default GW as pfsense, so it's 192.168.23.250.

    It's the same on vlan 29: ip address 192.18.29.10 and the GW is 192.168.29.250

    My problem is that from the linux box on vlan 23 I can ping the box on vlan 29.

    How can I stop that from happening, please?

    Cheers,

    Raj



  • I'd try setting up a block rule or two in your firewall rules.



  • I have tried that, so basically the rules added per vlan are

    Protocol : TCP/UDP  Source address : 192.168.20.0/24 destination : 192.168.23.0/24

    Protocol : TCP/UDP  Source address : 192.168.23.0/24 destination : 192.168.20.0/24

    Now 2 things

    If I am on the lan, then I can still ping the networks, and secondly, if I go on the 192.168.23.10 box, I cannot get online :-(

    Cheers,

    Raj



  • What kind of switch are you using?  Is it VLAN?

    Sounds like your VLANs are set up incorrectly, probably on the switch.



  • It's a cisco 4006 with sup 3 on.

    The vlan is set on the switch without any ip address. The ports are set as trunks with multiple vlans allowed.

    The lan firewall port connects to one of those ports.

    All the servers have the pfsense as gateway, so anything on the lan uses 192.168.0.250, which is also the ip of the firewall.

    On vlan 23 the server gateway is 192.168.23.250, again the ip of the firewall on that interface.

    Cheers,

    Raj



  • Maybe I would understand better with a pretty picture of pfsense, the switch, all physical connections shown and labels on the lines/ports for vlans?



  • OK Here goes the switch explained:

    SWITCH MANAGEMENT VLAN IP 192.168.0.252

    G2/1    LAN  192.168.0.0/24 CONNECT TO PFSENSE LAN PORT 192.168.0.250 (pfsense ip) PORT IS A TRUNK
    G2/2
    G2/3
    G2/4
    G2/5
    G2/6
    G2/7
    G2/8
    G2/9
    G2/10
    G2/11
    G2/12
    G2/13
    G2/14
    G2/15 SERVER1 NIC1 BONDING WITH G2/16 TRUNK PORT
    G2/16 SERVER1 NIC2 BONDING WITH G2/15 TRUNK PORT
    G2/17 SERVER2 NIC1 BONDING WITH G2/18 TRUNK PORT
    G2/18 SERVER2 NIC2 BONDING WITH G2/17 TRUNK PORT
    G2/19 STORAGE01 NIC1 BONDING WITH G2/20 ACCESS PORT
    G2/20 STORAGE01 NIC2 BONDING WITH G2/19 ACCESS PORT
    G2/21
    G2/22
    G2/23
    G2/24

    SWITCH DEFAULT GATEWAY IS 192.168.0.250 WHICH IS THE PFSENSE BOX

    Now pfsense on the local site has 4 nics 2 unused and 2 used.

    1 connects to the wan and the second connects to the lan.

    The lan one is also used to create vlans on pfsense, and that connects to G2/1 on the switch.

    On pfsense when I create a vlan and give it an interface, I allocate the ip of x.x.y.250

    So for vlan 23 the ip on pfsense is 192.168.23.250, the interface is enabled and dhcp is set also.

    Now I need to be able to get internet access on that vlan, so let's say from what it connects to, in this case from vlan 20.

    Cheers for the help

    Raj



  • If everything is tagged VLAN going into the pfsense and nothing is untagged and hitting ports with common PVID, then the traffic shouldn't be able to see from vlan to vlan because of the switch.  If the traffic is on separate vlans and properly firewalled in pfsense, it shouldn't be able to cross that barrier.  So, I have to assume you have made a mistake somewhere?  Maybe in pfsense you have an allow rule before a block rule or a floating allow rule.

    It's got to be something simple like that.

    Maybe someone else has a better idea.



  • If I do the rules on pfsense as shown here

    Protocol : TCP/UDP  Source address : 192.168.20.0/24 destination : 192.168.23.0/24

    Protocol : TCP/UDP  Source address : 192.168.23.0/24 destination : 192.168.20.0/24

    then I cannot get from 1 vlan to another, but still have access from the lan.

    On the lan if I add a rule:

    Protocol : Any  Source : Lan subnet  destination : 192.168.0.0/16 (which is the lan vlan)
    Action : block

    then webpages do not load up properly, I get a lot of "page unavailable", I constantly need to refresh the pages and the internet becomes very very slow.

    This rule is put first.
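Two of the symptoms in this thread (ping still crossing VLANs while TCP/UDP is blocked, and LAN browsing breaking once a block to 192.168.0.0/16 is placed first) follow from pfSense evaluating each interface's inbound rules top-down, first match wins, default deny. The evaluator below is an added example, not code from the thread or from pfSense: it replays the posted rule sets with the thread's addresses, assumes LAN hosts use the pfSense interface address (192.168.0.250) for DNS, and uses 203.0.113.5 as a constructed internet host.

```python
# Added example (not from the thread or pfSense): a minimal first-match rule
# evaluator that mimics pfSense per-interface inbound rules, replaying the rule
# sets posted above with the thread's addresses. Assumptions: clients use the
# pfSense interface address as DNS; 203.0.113.5 is a constructed internet host.
from ipaddress import ip_address, ip_network

def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule; pfSense denies if none match."""
    for action, protos, src_net, dst_net in rules:
        if protos != "any" and proto not in protos:
            continue                      # TCP/UDP rules never match ICMP (ping)
        if ip_address(src) not in ip_network(src_net):
            continue
        if ip_address(dst) not in ip_network(dst_net):
            continue
        return action
    return "block"

# VLAN 23 tab as posted: TCP/UDP only, followed by the usual allow-anything rule.
VLAN23_POSTED = [
    ("block", {"tcp", "udp"}, "192.168.23.0/24", "192.168.20.0/24"),
    ("pass",  "any",          "192.168.23.0/24", "0.0.0.0/0"),
]
# LAN tab as posted: blocking LAN -> 192.168.0.0/16 first also covers the
# firewall's own LAN address 192.168.0.250, so DNS queries to it are dropped.
LAN_POSTED = [
    ("block", "any", "192.168.0.0/24", "192.168.0.0/16"),
    ("pass",  "any", "192.168.0.0/24", "0.0.0.0/0"),
]
# Hardened LAN tab: let hosts reach the gateway itself first, then block every
# protocol (ICMP included) to the other internal ranges, then allow the rest.
LAN_FIXED = [
    ("pass",  "any", "192.168.0.0/24", "192.168.0.250/32"),
    ("block", "any", "192.168.0.0/24", "192.168.0.0/16"),
    ("pass",  "any", "192.168.0.0/24", "0.0.0.0/0"),
]

def checks():
    return {
        # ping from VLAN 23 to VLAN 20 slips through a TCP/UDP-only block
        "posted_v23_ping_v20": evaluate(VLAN23_POSTED, "icmp", "192.168.23.10", "192.168.20.10"),
        "posted_v23_tcp_v20": evaluate(VLAN23_POSTED, "tcp", "192.168.23.10", "192.168.20.10"),
        # LAN host asking pfSense for DNS: dropped by the posted order, kept by the fix
        "posted_lan_dns_gw": evaluate(LAN_POSTED, "udp", "192.168.0.20", "192.168.0.250"),
        "fixed_lan_dns_gw": evaluate(LAN_FIXED, "udp", "192.168.0.20", "192.168.0.250"),
        # the fix still stops LAN hosts reaching the VLAN 23 server, ping included
        "fixed_lan_ping_v23": evaluate(LAN_FIXED, "icmp", "192.168.0.20", "192.168.23.10"),
        "fixed_lan_web_out": evaluate(LAN_FIXED, "tcp", "192.168.0.20", "203.0.113.5"),
    }
```

The same "pass to the firewall's own address, then block private ranges, then allow" order applies on each VLAN tab; pfSense's state table means only the initiating direction needs the rule.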



  • What is the IP of the LAN interface?



  • 192.168.0.250

