Problem routing VLAN traffic
I'm setting up VLANs on my pfSense 2.1 nanobsd running on an ALIX board.
The board has 3 network interfaces: vr0 -> LAN, vr1 -> WAN, vr2 -> WAN2.
As I am still in the setup process it's not acting as a FW and is simply
a regular device connected via LAN to my local network, which means there
is no DHCP on the LAN and the LAN has a static IP which is part of the
local network. The gateway on the ALIX LAN is the router on the network
(which incidentally is pfSense (2.0) on a WRAP board, being replaced soon).
VLAN-wise I've done the following:
- created a new VLAN interface on vr0 called GUEST tagged as 90
- enabled a DHCP server on the interface
- configured the Netgear GS105E switches.
It works… partially:
- on the ALIX I can ping from interfaces LAN to GUEST and vice versa
- the test device on the VLAN gets a (VLAN) IP assigned
- the test device can ping the GUEST on the ALIX and the LAN itself
I'm assuming that the VLAN stuff (tagging etc.) works.
But what doesn't work:
- can't reach any other device on the LAN (network) from the test device, e.g. the WRAP board
- which means it can't reach the gateway to get to the internet.
pfSense seems to route (out of the box) between VLAN and LAN, and it mentions that on the
routes page... How else could the test device ping the ALIX on LAN?
Also: DNS seems to work (don't know why), but when I ping google on the VLAN test
device the IP is resolved. It must be getting that information from the WRAP???
Now since pfSense (ALIX) seems to route GUEST packets to LAN, I'm interpreting
that I don't need a route..? So what should I be looking at, the FW rules
on the WRAP?
Thanks in advance,

A few things just to check:
Is firewalling turned off (as in it is working in routing mode)? This option is in the advanced section.
Did you create a new allow all rule on the VLAN tab?
Did you switch to manual outbound NAT BEFORE setting up the VLAN? (In which case you would need to add the NAT.)
If in router mode, did you allow traffic from that VLAN in on the LAN on the WRAP?

Thanks for your reply.
I didn't disable the firewall, but I did add an allow all rule.
It turns out the problem I had was I added the IP address of the VLAN interface in the "gateway" field… my thinking must have been that it's what the DHCP passes to the client. But it must have meant that the interface itself was pointing to itself. Anyway, once I set that to none it worked.
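The reply's checklist and the follow-up's root cause (the VLAN interface's own address typed into the interface gateway field) can be turned into a small config audit. The script below is an added example, not pfSense code or anything posted in this thread: the config dicts are constructed to mirror the setup described (LAN on vr0 with the WRAP as its gateway, GUEST VLAN tag 90 on vr0), and the addresses, field names and the "role" attribute are assumptions rather than pfSense's config.xml schema.

```python
"""Added example (not pfSense code): a checklist validator for the VLAN
routing problem in this thread. Config dicts are constructed; addresses,
field names and the 'role' attribute are assumptions, not pfSense's config.xml.

Checks:
  1. the follow-up's root cause: the VLAN interface's own address typed into
     the interface 'gateway' field (an internal interface needs none);
  2. the reply's question about an allow rule on the VLAN tab;
  3. the reply's question about manual outbound NAT needing a VLAN rule.
"""
import ipaddress
from typing import Dict, List, Optional


def iface_network(iface: Dict) -> ipaddress.IPv4Network:
    """Subnet of an interface, e.g. 192.168.90.1/24 -> 192.168.90.0/24."""
    return ipaddress.ip_network(f"{iface['ipaddr']}/{iface['subnet']}", strict=False)


def check_gateway(name: str, iface: Dict) -> Optional[str]:
    """Check 1. Role 'internal': any gateway is wrong, and the interface's own
    address is the exact mistake from the thread. Role 'upstream': a gateway is
    required and must sit inside the interface's subnet to be reachable."""
    gw = iface.get("gateway")
    if iface["role"] == "internal":
        if gw is None:
            return None
        if ipaddress.ip_address(gw) == ipaddress.ip_address(iface["ipaddr"]):
            return f"{name}: gateway {gw} is the interface's own address; set it to 'none'"
        return f"{name}: internal interface has gateway {gw}; set it to 'none'"
    if gw is None:
        return f"{name}: upstream interface has no gateway"
    if ipaddress.ip_address(gw) not in iface_network(iface):
        return f"{name}: gateway {gw} is not inside {iface_network(iface)}"
    return None


def check_pass_rule(name: str, rules: List[Dict]) -> Optional[str]:
    """Check 2. A new VLAN tab starts empty, so everything arriving on that
    interface is dropped until a pass rule exists there."""
    if any(r["interface"] == name and r["action"] == "pass" for r in rules):
        return None
    return f"{name}: no pass rule on the {name} tab, so inbound VLAN traffic is blocked"


def check_outbound_nat(name: str, iface: Dict, nat: Dict) -> Optional[str]:
    """Check 3. Automatic mode picks up new subnets; manual mode does not, so a
    VLAN added after the switch to manual needs its own source rule."""
    if nat["mode"] == "automatic":
        return None
    net = iface_network(iface)
    if any(net.subnet_of(ipaddress.ip_network(r["source"])) for r in nat["rules"]):
        return None
    return f"{name}: manual outbound NAT has no rule covering {net}"


def audit(config: Dict) -> List[str]:
    """Run every check; an empty list means the checklist passes."""
    findings: List[Optional[str]] = []
    for name, iface in config["interfaces"].items():
        findings.append(check_gateway(name, iface))
        if iface.get("vlan_tag") is not None:
            findings.append(check_pass_rule(name, config["rules"]))
            findings.append(check_outbound_nat(name, iface, config["outbound_nat"]))
    return [f for f in findings if f]


# Constructed configs. During setup the ALIX reaches everything through LAN,
# so LAN is modelled as the 'upstream' interface pointing at the WRAP
# (192.168.1.1 is an assumed address).
LAN = {"if": "vr0", "role": "upstream", "ipaddr": "192.168.1.2", "subnet": 24,
       "gateway": "192.168.1.1"}
GUEST_BROKEN = {"if": "vr0_vlan90", "vlan_tag": 90, "role": "internal",
                "ipaddr": "192.168.90.1", "subnet": 24, "gateway": "192.168.90.1"}
GUEST_FIXED = dict(GUEST_BROKEN, gateway=None)
LAN_RULE = {"interface": "LAN", "action": "pass", "source": "LAN net", "destination": "any"}
GUEST_RULE = {"interface": "GUEST", "action": "pass", "source": "GUEST net", "destination": "any"}

CONFIG_BROKEN = {"interfaces": {"LAN": LAN, "GUEST": GUEST_BROKEN},
                 "rules": [LAN_RULE],
                 "outbound_nat": {"mode": "automatic", "rules": []}}
CONFIG_FIXED = {"interfaces": {"LAN": LAN, "GUEST": GUEST_FIXED},
                "rules": [LAN_RULE, GUEST_RULE],
                "outbound_nat": {"mode": "automatic", "rules": []}}
# Manual NAT switched on before the VLAN existed: only the LAN subnet is listed.
CONFIG_MANUAL_NAT = dict(CONFIG_FIXED, outbound_nat={
    "mode": "manual", "rules": [{"source": "192.168.1.0/24", "translate": "interface"}]})

if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED),
                       ("manual NAT", CONFIG_MANUAL_NAT)):
        print(label, audit(cfg) or "ok")
```

Running it reports two findings for the broken config (self-pointing gateway and missing GUEST pass rule), none for the fixed one, and one for the manual-NAT variant. The reply's first question (firewall off in routing mode) is not modelled because it changes which of the other checks matter rather than being a check of its own.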