Vlan question on new install

  • My setup is as follows:


    Layer 3 switch> port ge.1.2 vlan.0.2

    Ok, on this layer 3 switch as you can tell my pfSense server connects to port ge.1.2 and this is assigned as vlan 2.

    Also on this switch is about 30 more vlans for various departments, services, etc… but from any of those vlans I cannot ping the address of the pfSense web interface.

    How/where do I tell pfSense that these vlans should be routed out from the switch ( into the firewall ( and out to the internet (

    I have tried everything I can find but cannot get from my desktop PC to the pfSense box.

  • System:Routing - Gateways. Add a gateway, interface LAN, IP
    Do NOT make it the gateway on Interfaces->LAN, leave that as "none".
    System:Routing - Routes. Add static route/s for each of the subnets reachable through the L3 switch, using that new gateway.
    Firewall Rules LAN - add rules to allow traffic with source addresses of those subnets that can arrive from the L3 switch.
    Firewall:NAT - Outbound - switch to Manual Outbound NAT. Add NAT rules to NAT traffic from those subnets that can arrive from the L3 switch as it goes out WAN.

    I think that is all - it should allow the clients out through pfSense LAN, NATing to the public internet, and pfSense to know how to route the replies back to the L3 switch.

  • I have made the changes you suggested but still cannot get to the web interface from my office vlan

    My office PC can ping (vlan gateway) and just fine and any other internal system I have.

    But I still cannot ping the address

  • Do some packet capture on pfSense LAN to see if the pings are arriving. Diagnostics->Routes will show you what routes pfSense knows about, make sure it has a route back to 10.10.28.* through, and make sure the cable is plugged in ;)
    Post your gateways, static routes and firewall rules when you are really stuck.

  • Just ran a Wireshark test and when I ping from, reports that is unreachable.

    I changed vlans to others that I have setup like you told me to and get the same results.

    L3 switch has a default route of to

  • Netgate Administrator

    The default LAN firewall rule which allows access to the webgui via the LAN interface has 'LAN net' as its source address. Since you are trying to connect from another subnet routed to LAN you will have to modify the LAN rules to include that if you haven't already.
    You should see these connection attempts in the firewall logs if they're being blocked.
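    The two conditions the replies above describe (a LAN rule whose source covers the routed subnets, and a static route back through the L3 switch) modelled as a small Python check. This is an added example, not code from the thread; the addresses are constructed, since the posts omit theirs, and checking the rule before the route is a simplification of how pf handles the traffic.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed addresses (the thread omits most of them): the pfSense LAN is a
    # /30 transit link to the L3 switch; 10.10.28.0/24 is one department VLAN.
    LAN_NET = ip_network("192.0.2.0/30")
    L3_SWITCH = ip_address("192.0.2.2")      # the gateway added under System:Routing
    WAN_GW = ip_address("203.0.113.1")
    ROUTED_SUBNETS = [ip_network("10.10.28.0/24"), ip_network("10.10.29.0/24")]

    # pfSense routing table as (destination, next hop, interface). Without static
    # routes only the connected LAN and the default route out WAN exist.
    BASE_ROUTES = [
        (LAN_NET, None, "LAN"),
        (ip_network("0.0.0.0/0"), WAN_GW, "WAN"),
    ]
    STATIC_ROUTES = [(net, L3_SWITCH, "LAN") for net in ROUTED_SUBNETS]


    def route_lookup(dst, routes):
        """Longest-prefix match, the same answer Diagnostics->Routes would give."""
        matches = [r for r in routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


    def diagnose(src, routes, lan_rule_sources):
        """Explain why a ping from `src` arriving on LAN is or is not answered.

        The default LAN rule only has 'LAN net' as source, so a routed subnet is
        blocked (and shows in the firewall log) until it is added. Even when it is
        allowed, a reply that matches only the default route leaves via WAN and
        never gets back to the L3 switch.
        """
        if not any(src in net for net in lan_rule_sources):
            return "blocked-by-lan-rule"
        route = route_lookup(src, routes)
        if route is None or route[2] != "LAN":
            return "reply-routed-out-wan"
        return "ok"


    if __name__ == "__main__":
        pc = ip_address("10.10.28.50")           # constructed office PC address
        print(diagnose(pc, BASE_ROUTES, [LAN_NET]))                    # default config
        print(diagnose(pc, BASE_ROUTES, [LAN_NET] + ROUTED_SUBNETS))   # rule, no route
        print(diagnose(pc, BASE_ROUTES + STATIC_ROUTES, [LAN_NET] + ROUTED_SUBNETS))
    ```
    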


  • Did some more testing and here is what I found.

    Expanded the /30 to /29 to allow testing PC in the subnet between the L3 switch and the firewall. FW>, L3>, TEST-PC>

    I then setup another test pc on an internal subnet that I have made a NAT rule for as well as a route rule for TESTER>

    So from the firewall I can ping all the way back to the TESTER pc.

    From the TESTER pc I can only ping up to the interface on the L3

    From the L3 I can ping to the FW and down to the TESTER

    From the TEST-PC I can ping down to the TESTER pc BUT CANNOT ping the FW and they are in the same subnet together.

    Any ideas?

  • It does sound like firewall rules on LAN. Do a packet capture on the LAN interface of the FW and see if the ping is arriving there - hopefully it is. For testing, make the firewall rule allow any to any on LAN.
