Can't route to other networks



  • Hi all,

    getting a bit of a headache on this now.

    I'm connected to VLAN 1, I'm connected to the network/internet, but I can't ping the other VLAN interface IP addresses on the switch?

    I've set up my pfSense router/VLAN switch like so -

    pfSense router - 192.168.1.254

    switch's IP/VLAN interface 1 IP - 192.168.1.253/24

    VLAN interface 2 IP - 172.16.1.253/24

    VLAN interface 3 IP - 172.16.2.253/24

    VLAN interface 4 IP - 172.16.3.253/24

    on my switch I've added a static route like so -

    0.0.0.0 | 0.0.0.0 | static | 10 | 192.168.1.254 | vlan interface 1

    and on my pfSense router -

    gateways

    interface - LAN

    gateway - 192.168.1.253

    routes

    network - 172.16.1.0/24

    gateway - (selected the gateway above)

    I have no idea what I'm doing wrong.

    sorry, Rob



  • It sounds like you are using a layer 3 (L3) switch (i.e. it is also being a router) and pfSense is just the way to the internet and sitting on one of the switch VLANs. Correct?
    On pfSense you need to:

    1. Add a gateway to the L3 switch IP (192.168.1.253)
    2. Do NOT select any gateway for Interfaces->LAN - that must say "none" in the Gateway field.
    3. Add static route(s) in System->Routing that point to 172.16.x.0/24 through that gateway
    4. Add firewall rule(s) on LAN to allow traffic from 172.16.x.0/24 out to the internet as you wish

    The L3 switch should be routing between the internal VLAN subnets.



  • Yes, you are correct, it's a layer 2+ switch that can do static routes, and pfSense is just on the default VLAN 1 and it's the way out to the internet for all the VLANs.

    1. Done 1 by adding the switch's IP address under the gateways tab in system routes

    2. Haven't added the switch's gateway to the LAN interface as I tried that and it screwed everything up

    3. Done 3 by adding the route(s) to 172.16.x.0 and using the switch's gateway as above in answer 1

    4. So when I add new FW rules, what do I put in source and destination?

    Many thanks for your help

    Rob



  • The rules go on the interface where the traffic originates (first arrives), on LAN. The traffic will be from 172.16.x.0/24 going out to the internet, so pass source 172.16.x.0/24 destination any.
    If you want to stop those subnets from doing some things (like accessing the pfSense webGUI), then put a block rule before the pass rule, block source 172.16.x.0/24 destination LANaddress.
    Also, you can make use of Aliases - make 1 Alias for all your internal networks, e.g. call it "InternalNets" and add all those 172.16 to it. Then use that alias as source in your rules. Then if you need to change or expand the internal subnets you can do that once in the Alias and all the rules are automatically implemented to match.



  • Got good news and bad news.

    When I plug in my laptop on VLAN 2 (172.16.1.0) I can see the gateway of the switch for my VLAN 2 (172.16.1.253) and, strangely, I can see the VLAN 1 gateway of the switch (192.168.1.253) and I can see the pfSense router (192.168.1.254) and I can surf the internet no problem, google etc.

    But I can't ping my main computer on VLAN 1 (192.168.1.5)?

    So I know it's not my switch's problem, so it must be how I've set the rules up in pfSense, but as mentioned above I don't know what I'm doing wrong.

    EDIT: here are 2 screenshots of my routes and rules






  • But I can't ping my main computer on VLAN 1 (192.168.1.5)?

    I suspect that:

    1. Ping is sent from 172.16.1.n to L3 switch 172.16.1.253; the L3 switch sends it direct from 192.168.1.253 to main computer 192.168.1.5.
    2. Main computer has pfSense as its default gateway, so the reply goes to 192.168.1.254. pfSense has no state for this, since it did not see the ping request. So it drops the packet, due to an asymmetric route.

    If you have enough ports, the easy thing to do is put pfSense by itself on a LAN subnet to/from the L3switch, then have other subnets on the L3switch for various groups of clients.

    or, add a route on main computer to tell it that 172.16.n.0/24 is reached through 192.168.1.253



  • My PC has got the 192.168.1.253 gateway.

    My pfSense machine is on a VM ESXi server, and on that server I have 2 NICs. NIC one is the management VM kernel; I have made this on VLAN 1 (manage) to log onto the ESXi server.

    NIC two is the VLAN interface: one is on VLAN 7 (WAN) and the other VLAN is on VLAN 1 (manage) and that's 192.168.1.0/24.

    My VLAN switch is on the same VLAN 1 (manage) network so the pfSense and switch can route traffic to each other.

    My main computer is hooked up to an untagged VLAN 1 port.

    The pfSense machine has got 2 virtual NICs, one WAN, one Manage. WAN is the internet and Manage is the LAN.



  • Also (and maybe the best way) you go to System->Advanced, Firewall/NAT tab and check "Bypass firewall rules for traffic on the same interface". That should let those asymmetric packets through.
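
The asymmetric-route explanation above and the "bypass firewall rules for traffic on the same interface" suggestion, worked through as an added Python model (not code from the thread or from pfSense). The thread's addresses are used as given; the laptop address 172.16.1.10, the hop-by-hop forwarding model and the single 172.16.0.0/16 route on the PC are assumptions.

```python
# Constructed model of the asymmetric route described in the thread (added example, not from the thread).
# Thread addresses: L3 switch 192.168.1.253 / 172.16.1.253, pfSense 192.168.1.254, PC 192.168.1.5; laptop 172.16.1.10 is assumed.
import ipaddress

SWITCH_LAN, SWITCH_VLAN2 = "192.168.1.253", "172.16.1.253"
PFSENSE, PC, LAPTOP = "192.168.1.254", "192.168.1.5", "172.16.1.10"
LAN = ipaddress.ip_network("192.168.1.0/24")

# Routing tables as (prefix, next hop); a None next hop means directly connected.
SWITCH_ROUTES = [("192.168.1.0/24", None), ("172.16.1.0/24", None), ("172.16.2.0/24", None),
                 ("172.16.3.0/24", None), ("0.0.0.0/0", PFSENSE)]
PFSENSE_ROUTES = [("192.168.1.0/24", None), ("172.16.1.0/24", SWITCH_LAN),
                  ("172.16.2.0/24", SWITCH_LAN), ("172.16.3.0/24", SWITCH_LAN)]
LAPTOP_ROUTES = [("172.16.1.0/24", None), ("0.0.0.0/0", SWITCH_VLAN2)]
PC_VIA_PFSENSE = [("192.168.1.0/24", None), ("0.0.0.0/0", PFSENSE)]          # default gw = pfSense
PC_WITH_INTERNAL_ROUTE = PC_VIA_PFSENSE + [("172.16.0.0/16", SWITCH_LAN)]   # the suggested fix (assumed /16)
ROUTERS = {SWITCH_LAN: SWITCH_ROUTES, SWITCH_VLAN2: SWITCH_ROUTES, PFSENSE: PFSENSE_ROUTES}

def next_hop(routes, dst):
    """Longest-prefix match over a routing table."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), h) for p, h in routes if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]

def pfsense_passes(src, dst, states, reply, bypass_same_iface):
    """Stateful filter: a reply is forwarded only if the request created a state, unless
    'Bypass firewall rules for traffic on the same interface' applies (LAN in, LAN out)."""
    if not reply:
        states.add((src, dst))
        return True
    out = next_hop(PFSENSE_ROUTES, dst) or dst          # where the reply would leave pfSense
    same_iface = ipaddress.ip_address(src) in LAN and ipaddress.ip_address(out) in LAN
    return (dst, src) in states or (bypass_same_iface and same_iface)

def send(src, dst, routes, states, reply=False, bypass=False):
    """Forward one packet hop by hop; True if it reaches dst, False if pfSense drops it."""
    hop = next_hop(routes, dst)
    while hop is not None:
        if hop == PFSENSE and not pfsense_passes(src, dst, states, reply, bypass):
            return False
        hop = next_hop(ROUTERS[hop], dst)
    return True

def ping(pc_routes, bypass=False):
    """Laptop on VLAN 2 pings the main PC on VLAN 1; True only if the reply gets back."""
    states = set()
    request_ok = send(LAPTOP, PC, LAPTOP_ROUTES, states, bypass=bypass)
    reply_ok = send(PC, LAPTOP, pc_routes, states, reply=True, bypass=bypass)
    return request_ok and reply_ok
```

With the PC defaulting to pfSense the request never crosses pfSense, so the reply arrives with no matching state and is dropped; routing 172.16.0.0/16 via the switch on the PC, or enabling the same-interface bypass, makes the ping succeed.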



  • Guess what, it has been working all this time. I'm really sorry.

    The static route(s) to and from the switch (192.168.1.253) and pfSense (192.168.1.254) work!! As I blocked the FW rule for the Internal Network, which consists of the networks (172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24), I couldn't connect to the network/internet, but as soon as I made it allow, the laptop could connect to the network/internet, and I tried the laptop on all networks, which is great.

    The downside is my VLAN interface IP address(es), one for each VLAN network on the switch, don't seem to work and I really don't know why, i.e. I can't, from my main PC on VLAN 1 (192.168.1.5), ping or go on the web portal of the switch's VLAN interface for VLAN 2 (172.16.1.253).

    Could it be dodgy firmware/software on my switch?



  • Mmm… I found out you can't ping or log onto the other VLAN interfaces (switch's page) if there are no computers connected to that VLAN. If there is a computer connected to that VLAN, you can ping the laptop and also you can ping and log onto the VLAN interface's IP address, which is the switch's page.

