Outbound NAT issues with VLAN

  • I'm attempting to put together a guest network in my home and separating it VLAN. My Configuration is as follows. PF Sense Box on
    DDWRT switch set with VLAN tagging set up.
    VLAN 1 (Local Lan + Local WiFi)
    VLAN 3 (Public Wifi)

    Seperate DHCP servers set up to serve VLAN 1 and 3.

    Firewall rules only exist to allow VLAN 1 and 3 access to any at this point.

    I am able to successfully connect to each of the SSIDs and obtain an ip address in each subnet correctly. Unfortunately I am not able to get access to the internet. I'm assuming there some manual NAT mapping that I must create, but I'm not sure what they would be. I'm more of a novice when it comes to networking and am by no means an expert. If anyone could help me construct what my outbound NAT mappings should be with as much specifics as possible, it would be greatly appreciated.

  • When you say "separate DHCP servers", do you mean an actual separate system in each VLAN that is giving out DHCP? And DHCP on pfSense is turned off?
    If so, then what are the pfSense IPs on each VLAN? And is each DHCP server giving out the corresponding pfSense VLAN IP address as the gateway?

    Your configuration will be fine with automatic outbound NAT - that generates NAT rules on every WAN to NAT from all IP addresses in evey LAN subnet.

  • Sorry, I should have clarified. When I say separate DHCP servers, I mean separate for each VLAN interface within pfsense.
    VLAN 1 DHCP server (served by pf) DHCP Range
    VLAN 3 DHCP server (served by pv) DHCP Range

    I switched to automatic NAT, but still no go.

  • Can you take some screenshots of your config, becuase this shouldn't be a problem. Just becareful when using vlan 1. Usally Vlan 1 is untagged and having tagged and untagged traffic on the same port can cause some issues if you are using something like captive portal. My fix was to tag vlan 1.

  • Firewall rules only exist to allow VLAN 1 and 3 access to any at this point.

    I guess those rules are on the VLAN1 and VLAN3 firewall rule tabs, respectively?

  • Here is my config for Interfaces, DHCP, Firewall and Outbound Nat

  • Your firewall rule is only allowing TCP. That will mean that DNS requests from clients (UDP) are being blocked. Clients will not be able to resolve DNS. You can probably ping, but not ping by name.

Log in to reply