Netgate Discussion Forum

    How do I route VLAN packets through pfSense untouched?

    • AJungleDog

      Hi all,
      I have VLAN tagged packets coming in on my WAN port and I need to forward them intact and still tagged to the next server connected to my LAN port.  How can I do this?

      Thanks,

      Brent

      • timthetortoise

        Your question doesn't really make a lot of sense. If they're coming in as tagged packets, you need to have an interface that is tagged for the same VLAN. Once that happens, where they go should be determined by NAT or policy-based routing. If it's on an interface that's also tagged, then that already solves your problem. VLANs are a purely layer 2 concept, so once the packet gets routed, it's at the whim of the next layer 2 network it touches.

        • AJungleDog

          OK, let me ask the same question in a different way.  I have an internet connection that comes in from another organization.  On that same network cable one of my LANs comes in in the form of tagged VLAN packets.  I currently just grab them with a virtual interface in pfSense and they become my OFFSITELAN that I can treat the same as my LAN.  Now we have installed our own VSAT and have a second internet source, WAN2.  I need to do load balancing and failover.  pfSense can handle that as well, but, there's a catch.  It cannot do it IF squid is installed, which it is.  So now I have to put a second pfSense, with squid, between my LAN users and my load balancing pfSense server.  I need those OFFSITELAN packets to make it all the way to the pfSense with squid which is behind the pfSense doing load balancing.

          Thanks in advance for your wisdom!

          Brent

          • phil.davis

            Maybe this sort of thing, let's call the devices:
            a) "Front pfSense", which has OFFSITELAN as a VLAN, and WAN and WAN2.
            b) "Back pfSense" which has its WAN on Front pfSense LAN. And Back pfSense LAN has some ordinary local users also.

            1. Front pfSense
              a) add a gateway to Back pfSense WAN IP - "BackGW". Probably no need for a route.
              b) On OFFSITELAN add a rule, pass source OFFSITELANnet, destination any, gateway "BackGW"
            2. Back pfSense
              a) On WAN add pass rule to allow source OFFSITELAN subnet.
              b) Firewall->NAT Outbound, go to manual and add NAT rule on WAN for source OFFSITELAN, destination any, NAT to WAN address - this will ensure that packets from OFFSITELAN get their source address changed to the Back pfSense WAN IP, and so returning packets will have to be routed by Front pfSense to Back pfSense, and unNATed to deliver again to Front pfSense, which will deliver to the OFFSITELAN client.

            That should all work without any Squid. Then add Squid to the equation and see what happens!

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
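
The two-box setup in the post above, written out as approximate pf.conf equivalents of the GUI rules. This is an added example, not part of the original post and not pfSense's own generated ruleset; the interface names and addresses are constructed placeholders.

```pf
# ---------------------------------------------------------------
# Front pfSense (has WAN, WAN2 and the OFFSITELAN VLAN)
# All names and addresses below are constructed for illustration.
# ---------------------------------------------------------------
offsite_if   = "em0.50"          # VLAN interface carrying OFFSITELAN
front_lan_if = "em1"             # Front pfSense LAN
offsite_net  = "10.50.0.0/24"    # OFFSITELAN subnet
back_gw      = "192.168.10.2"    # Back pfSense WAN IP (gateway "BackGW")

# Step 1b: policy-route everything from OFFSITELAN to BackGW
# instead of letting it follow the Front box's own default route.
pass in quick on $offsite_if route-to ($front_lan_if $back_gw) \
    inet from $offsite_net to any keep state

# ---------------------------------------------------------------
# Back pfSense (WAN sits on Front pfSense LAN; Squid goes here later)
# ---------------------------------------------------------------
back_wan_if  = "em0"             # Back pfSense WAN
offsite_src  = "10.50.0.0/24"    # same OFFSITELAN subnet as above

# Step 2b: manual outbound NAT. OFFSITELAN sources are rewritten to the
# Back WAN address, so replies return to this box and are un-NATed here.
nat on $back_wan_if inet from $offsite_src to any -> ($back_wan_if)

# Step 2a: accept only the OFFSITELAN subnet on WAN, nothing broader.
pass in quick on $back_wan_if inet from $offsite_src to any keep state
```

If OFFSITELAN uses private address space, the "Block private networks" option on the Back pfSense WAN interface would drop this traffic before the pass rule is reached. Keeping the WAN pass rule scoped to the OFFSITELAN subnet avoids opening the Back box to every host on the Front LAN.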

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.