Can't Ping an IP on a VLAN



  • Hi Everyone,

    Need help on this one. I've set up a pfSense 2.1 box with 5 different subnets.

    Parent Interface ---- LAN (10.16.2.1/24)

    VLAN8 ---- 10.14.14.1/22
    VLAN9 ---- 10.16.3.1/24
    VLAN10 ---- 10.16.4.1/24
    VLAN11 ---- 10.16.5.1/24
    VLAN12 ---- 10.16.6.1/24

    Now the problem is this. I have a PC connected on the LAN interface (10.16.2.1/24) and 5 more PCs connected on each of the VLANs. BUT from the LAN interface I cannot PING any of the PCs on the VLANs.

    How do I allow Internet traffic on each of the VLANs, but set it up somehow so that a PC on a VLAN will not be able to ping PCs on other VLANs, while the PC on the parent interface will be able to communicate with each of the PCs on the VLANs?
    Thanks in advance



  • You want LAN to access anything, so leave a rule on LAN like the default "allow all" rule - pass to destination any. That should be there by default and so you should be able to ping from LAN to a VLAN PC.
    The other subnets usually need to access the DNS forwarder listening on port 53 of their pfSense interface IP. By the sound of it, you also will not want PCs on the VLANs to have access to the pfSense webGUI, so you only need to open port 53 for DNS on the pfSense interface.
    You want to block traffic to all other local subnets, then allow everything else. The way I usually achieve this is:

    1. Make an Alias for all the private subnets local on the box (e.g. call it LocalNets) - you can specify all the subnets individually in multiple entries in the alias or specify some bigger network that summarises (covers) all of them and more - e.g. 10.0.0.0/8
    2. On each VLAN interface add rules:
      a) Pass protocol TCP/UDP source VLANnn net, destination VLANnn address, port 53 (DNS)
      b) Pass protocol any source VLANnn net, destination !LocalNets, port any
      c) Put an explicit "block all" rule at the end, or just let the unseen "block all" rule do its thing.

    At (b) you can separate the rule into 2 rules if you find it easier to understand and maintain:
    (b) (i) Block protocol any source any, destination LocalNets, port any
    (b) (ii) Pass protocol any, source VLANnn net, destination any, port any

    But first you need to look at your LAN rules and figure out why you cannot ping from LAN to VLAN systems.
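    As an added illustration of why the rule order in the list above matters (my own example, not code from the thread or from pfSense): a first-match evaluator in Python over the subnets from the question, with constructed host addresses.

    ```python
    # Added example: first-match evaluation of the per-VLAN rule set described above.
    # Subnets are the ones from the question; host addresses are constructed.
    import ipaddress

    # The "LocalNets" alias: every subnet that lives on the pfSense box.
    LOCALNETS = [ipaddress.ip_network(n) for n in (
        "10.16.2.0/24", "10.14.14.0/22", "10.16.3.0/24",
        "10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24")]

    def in_any(addr, nets):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def vlan_rules(vlan_net, vlan_addr):
        """Rules for one VLAN interface, evaluated top to bottom, first match wins.
        Each rule is (action, matcher(proto, src, dst, dport))."""
        net = ipaddress.ip_network(vlan_net)
        return [
            # (a) DNS only to this interface's own pfSense address
            ("pass", lambda p, s, d, dp: p in ("tcp", "udp")
             and ipaddress.ip_address(s) in net and d == vlan_addr and dp == 53),
            # (b)(i) block anything else aimed at a local subnet
            # (other VLANs, LAN, and pfSense's own addresses, e.g. the webGUI)
            ("block", lambda p, s, d, dp: in_any(d, LOCALNETS)),
            # (b)(ii) pass everything else, i.e. Internet traffic
            ("pass", lambda p, s, d, dp: ipaddress.ip_address(s) in net),
            # (c) explicit default deny
            ("block", lambda p, s, d, dp: True),
        ]

    def evaluate(rules, proto, src, dst, dport=None):
        for action, match in rules:
            if match(proto, src, dst, dport):
                return action
        return "block"

    # Note: pf is stateful. A ping started from LAN (allowed by the LAN
    # "allow all" rule) gets its reply back through the state entry, so the
    # VLAN block rules above do not interfere with LAN -> VLAN pings.
    if __name__ == "__main__":
        r = vlan_rules("10.14.14.0/22", "10.14.14.1")
        print(evaluate(r, "icmp", "10.14.14.50", "10.16.3.20"))   # block
        print(evaluate(r, "tcp", "10.14.14.50", "203.0.113.9", 443))  # pass
    ```

    Swapping (b)(i) and (b)(ii) makes the pass rule shadow the block, which is the usual mistake when building this by hand.
    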



  • Thanks for the reply. And I will try this setup.
    But I recently (somehow) solved this problem by putting rules in the Floating Rules tab.
    Please advise if this can be used.

    Protocol ---- Any
    Source ---- LAN subnet
    Port ---- Any
    Destination ---- VLANs (my VLAN group alias)
    Port ---- Any
    Gateway ---- Any



  • It will work on the Floating Rules tab, but it should also work on the LAN Rules tab. And, unless you removed it, there should be an allow-all rule on the LAN anyway.

