Traffic blocked between LAN and vlan interfaces



  • I have 1 physical LAN interface and 3 vlan interfaces.

    LAN
    vlan2
    vlan3
    vlan4

    Traffic from vlan 4 is not able to ping any devices on LAN interface.

    Rules in place.

    LAN
    IPv4 * LAN net * * * SA_Gateway_Group none   Default allow LAN to any rule

    vlan4
    IPv4 * AGENTWIFI_V4 net * * * SA_Gateway_Group none   Allow All

    There are no deny rules

    AGENTWIFI_V4 is using captive portal but after successful login to captive portal users are still unable to access IPs on LAN subnet

    They can ping LAN Gateway.

    Lan 192.168.7.1/24
    vlan4

    LAN interface (vr0)
    Status up
    MAC address 00:0d:b9:31:6b:d0
    IPv4 address 192.168.7.1  
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::20d:b9ff:fe31:6bd0%vr0  
    Media 100baseTX <full-duplex>
    In/out packets 4215974/4763915 (906.03 MB/4.38 GB)
    In/out packets (pass) 4215974/4763915 (906.03 MB/4.38 GB)
    In/out packets (block) 3253/39 (273 KB/5 KB)
    In/out errors 0/0
    Collisions 0

    AGENTWIFI_V4 interface (vr0_vlan4)
    Status up
    MAC address 00:0d:b9:31:6b:d0
    IPv4 address 192.168.27.1  
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::20d:b9ff:fe31:6bd0%vr0_vlan4  
    Media 100baseTX <full-duplex>
    In/out packets 492031/672604 (244.01 MB/653.45 MB)
    In/out packets (pass) 492031/672604 (244.01 MB/653.45 MB)
    In/out packets (block) 77/0 (9 KB/0 bytes)
    In/out errors 0/0
    Collisions 0

    127.0.0.1 link#7 UH 0 21262 16384 lo0
    192.168.7.0/24 link#1 U 0 4790952 1500 vr0
    192.168.7.1 link#1 UHS 0 0 16384 lo0
    192.168.26.0/24 link#9 U 0 0 1500 vr0_vlan3
    192.168.26.1 link#9 UHS 0 0 16384 lo0
    192.168.27.0/24 link#10 U 0 673113 1500 vr0_vlan4
    192.168.27.1 link#10 UHS 0 0 16384 lo0
    192.168.28.0/24 link#8 U 0 411241 1500 vr0_vlan2
    192.168.28.1 link#8 UHS 0 0 16384 lo0


  • LAYER 8 Global Moderator

    You need rules above your gateway groups to allow the traffic between local segments - so pfsense can use its own routing table.  If you put a gateway on a rule.. It can not use that.

    So if you have multiwan like I assume, and you have a gateway group you use..  Above those rules you need to create rules that DON'T USE a gateway to allow traffic between your local segments.
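A small model of the rule order described in this reply, added here as an example and not code from the thread or from pfSense itself: first-match rule evaluation, a gateway-group rule that policy-routes regardless of destination, and the directly connected routes from the original post. The host addresses 192.168.27.50, 192.168.7.20 and 203.0.113.10 are constructed.

```python
import ipaddress

# Directly connected networks from the routing table in the original post.
ROUTING_TABLE = {
    ipaddress.ip_network("192.168.7.0/24"): "vr0",
    ipaddress.ip_network("192.168.26.0/24"): "vr0_vlan3",
    ipaddress.ip_network("192.168.27.0/24"): "vr0_vlan4",
    ipaddress.ip_network("192.168.28.0/24"): "vr0_vlan2",
}

# Interface-network aliases as they appear in the rule tables in the thread.
ALIASES = {
    "LAN net": ipaddress.ip_network("192.168.7.0/24"),
    "AGENTWIFI_V4 net": ipaddress.ip_network("192.168.27.0/24"),
    "*": None,  # any
}

def matches(alias, addr):
    net = ALIASES[alias]
    return net is None or addr in net

def route(rules, src, dst):
    """First-match evaluation (constructed model, not pfSense's own code).
    A rule carrying a gateway policy-routes to it even for local destinations;
    a rule with gateway 'none' hands the decision to the routing table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            if rule["gateway"] != "none":
                return f"policy-routed via {rule['gateway']}"
            for net, iface in ROUTING_TABLE.items():
                if dst in net:
                    return f"routing table -> {iface}"
            return "routing table -> default route"
    return "blocked (no matching rule)"

# vlan4 rule set before the fix: only the gateway-group rule.
BEFORE = [
    {"src": "AGENTWIFI_V4 net", "dst": "*", "gateway": "SA_Gateway_Group"},
]
# After the fix: a no-gateway rule for the local segment placed above it.
AFTER = [
    {"src": "AGENTWIFI_V4 net", "dst": "LAN net", "gateway": "none"},
    {"src": "AGENTWIFI_V4 net", "dst": "*", "gateway": "SA_Gateway_Group"},
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, route(rules, "192.168.27.50", "192.168.7.20"))
        print(name, route(rules, "192.168.27.50", "203.0.113.10"))
```

The model has no state table; as the thread later finds, states created under the old rules keep their original path until they are cleared.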



  • You mean add the following rules?  This is above the rule with the gateway group

    LAN interface rule

    IPv4 * LAN net * AGENTWIFI_V4 net * * none   LAN to vlan4  (Using Default)

    vlan4 interface rule

    IPv4 * AGENTWIFI_V4 net * LAN net * * none   vlan4 to LAN



  • Yes, that should work.
    Anything you push into a gateway group will be forced out whatever is the highest tier available gateway/s in the group, regardless of the fact that its destination might be right there on a local LAN.



  • Still not able to ping.  :o  When physically connected to LAN no problem access devices.

    LAN Interface Rules

    IPv4 *    LAN net    *    AGENTWIFI_V4 net    *    *    none        LAN to vlan4  (Using Default)
    IPv4 *    LAN net    *    *    *    SA_Gateway_Group    none        Allow LAN to any rule

    vlan4 Interface Rules

    IPv4 *    AGENTWIFI_V4 net    *    LAN net    *    *    none        vlan4 to LAN (Using Default)
    IPv4 *    AGENTWIFI_V4 net    *    *    *    SA_Gateway_Group    none        Allow All


  • LAYER 8 Netgate

    Did you clear states after applying changes?  That looks like it should work.


  • LAYER 8 Global Moderator

    Also make sure that the host you're trying to ping doesn't have its own firewall blocking ping.


  • LAYER 8 Netgate

    I also think it overly complicates things to have tagged and untagged VLAN traffic on the same physical interface.  You might have to do something special in your switch to allow it.

    I would create a VLAN for the LAN interface, assign it, make it tagged on the switchport and leave the untagged interface (vr0) unassigned to any pfSense interface.

    ETA: But if DHCP and pings to the gateway work properly on LAN and AGENTWIFI_V4 then this is likely not your problem.



  • Yeah it was the states!  Once that cleared up everything was ok with the newly added rules.  Luckily it does not affect IPSec.  I do not have to create special rules for the interfaces going to IPSec tunnels.

    Thanks guys!

