How do I route VLAN packets through pfSense untouched?

  • Hi all,
    I have VLAN tagged packets coming in on my WAN port and I need to forward them intact and still tagged to the next server connected to my LAN port.  How can I do this?



  • Your question doesn't really make a lot of sense. If they're coming in as tagged packets, you need to have an interface that is tagged for the same VLAN. Once that happens, where they go should be determined by NAT or policy-based routing. If it's on an interface that's also tagged, then that already solves your problem. VLANs are a purely layer 2 concept, so once the packet gets routed, it's at the whim of the next layer 2 network it touches.

  • OK, let me ask the same question in a different way.  I have an internet connection that comes in from another organization.  On that same network cable one of my LANs comes in in the form of tagged VLAN packets.  I currently just grab them with a virtual interface in pfSense and they become my OFFSITELAN that I can treat the same as my LAN.  Now we have installed our own VSAT and have a second internet source, WAN2.  I need to do load balancing and failover.  pfSense can handle that as well, but, there's a catch.  It cannot do it IF squid is installed, which it is.  So now I have to put a second pfSense, with squid, between my LAN users and my load balancing pfSense server.  I need those OFFSITELAN packets to make it all the way to the pfSense with squid which is behind the pfSense doing load balancing.

    Thanks in advance for your wisdom!


  • Maybe this sort of thing, lets call the devices:
    a) "Front pfSense", which has OFFSITELAN as a VLAN, and WAN and WAN2.
    b) "Back pfSense" which has its WAN on Front pfSense LAN. And Back pfSense LAN has some ordinary local users also.

    1. Front pfSense
      a) add a gateway to Back pfSense WAN IP - "BackGW". Probably no need for a route.
      b) On OFFSITELAN add a rule, pass source OFFSITELANnet, destination any, gateway "BackGW"
    2. Back pfSense
      a) On WAN add pass rule to allow source OFFSITELAN subnet.
      b) Firewall->NAT Outbound, go to manual and add NAT rule on WAN for source OFFSITELAN, destination any, NAT to WAN address - this will ensure that packets from OFFSITELAN get their source address changed to the Back pfSense WAN IP, and so returning packets will have to be routed by Front pfSense to Back pfSense, and unNATed to deliver again to Front pfSense, which will deliver to the OFFSITELAN client.

    That should all work without any Squid. Then add Squid to the equation and see what happens!

Log in to reply