Netgate Discussion Forum
    Outbound NAT issues with VLAN

    7 Posts 3 Posters 1.4k Views
LouC918

I'm attempting to put together a guest network in my home and separate it with a VLAN. My configuration is as follows: pfSense box on 10.110.1.1.
DD-WRT switch with VLAN tagging set up.
VLAN 1 (Local LAN + Local WiFi) 10.110.10.0/24
VLAN 3 (Public WiFi) 192.168.10.0/24

Separate DHCP servers set up to serve VLAN 1 and 3.

      Firewall rules only exist to allow VLAN 1 and 3 access to any at this point.

I am able to successfully connect to each of the SSIDs and obtain an IP address in each subnet correctly. Unfortunately, I am not able to get access to the internet. I'm assuming there is some manual NAT mapping that I must create, but I'm not sure what it would be. I'm more of a novice when it comes to networking and am by no means an expert. If anyone could help me construct what my outbound NAT mappings should be, with as much detail as possible, it would be greatly appreciated.

phil.davis

        When you say "separate DHCP servers", do you mean an actual separate system in each VLAN that is giving out DHCP? And DHCP on pfSense is turned off?
        If so, then what are the pfSense IPs on each VLAN? And is each DHCP server giving out the corresponding pfSense VLAN IP address as the gateway?

Your configuration will be fine with automatic outbound NAT - that generates NAT rules on every WAN to NAT from all IP addresses in every LAN subnet.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

LouC918

Sorry, I should have clarified. When I say separate DHCP servers, I mean separate for each VLAN interface within pfSense.
VLAN 1 DHCP server (served by pfSense) 10.110.10.1, DHCP range 10.110.10.100-.150
VLAN 3 DHCP server (served by pfSense) 192.168.10.1, DHCP range 192.168.10.100-.150

          I switched to automatic NAT, but still no go.

mikeisfly

Can you take some screenshots of your config, because this shouldn't be a problem. Just be careful when using VLAN 1. Usually VLAN 1 is untagged, and having tagged and untagged traffic on the same port can cause some issues if you are using something like captive portal. My fix was to tag VLAN 1.

phil.davis

              Firewall rules only exist to allow VLAN 1 and 3 access to any at this point.

              I guess those rules are on the VLAN1 and VLAN3 firewall rule tabs, respectively?

LouC918

Here is my config for Interfaces, DHCP, Firewall and Outbound NAT.

Screens.png

phil.davis

                  Your firewall rule is only allowing TCP. That will mean that DNS requests from clients (UDP) are being blocked. Clients will not be able to resolve DNS. You can probably ping 8.8.8.8, but not ping by name.


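To illustrate the last answer's point, here is an added example (not pfSense code and not from anyone in the thread): a tiny first-match rule evaluator run over a constructed set of guest flows from the thread's VLAN 3 subnet, showing that a pass rule restricted to TCP leaves UDP/53 DNS blocked while TCP traffic still passes, and that the same rule with protocol "any" passes all of them. The Rule and Flow fields, the guest address and the destination addresses are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR form
    dst: str = "0.0.0.0/0"       # destination network, default any
    dport: Optional[int] = None  # destination port, None = any

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def evaluate(rules, flow):
    """First matching rule wins; with no match, pfSense's implicit default is block."""
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ip_network(r.src):
            continue
        if ip_address(flow.dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "block"

# Constructed traffic from a guest client in the thread's VLAN 3 subnet (assumed address).
GUEST = "192.168.10.120"
FLOWS = {
    "dns_udp": Flow("udp", GUEST, "8.8.8.8", 53),   # a normal DNS lookup
    "dns_tcp": Flow("tcp", GUEST, "8.8.8.8", 53),   # DNS over TCP (large answers only)
    "https":   Flow("tcp", GUEST, "8.8.8.8", 443),  # ordinary web traffic
}

def check(rules):
    """Map each constructed flow name to the verdict the rule set gives it."""
    return {name: evaluate(rules, f) for name, f in FLOWS.items()}

# The rule as the thread describes it: protocol restricted to TCP.
TCP_ONLY = [Rule("pass", "tcp", "192.168.10.0/24")]
# The same rule with protocol "any", which also lets UDP (and ICMP) through.
ANY_PROTO = [Rule("pass", "any", "192.168.10.0/24")]
```

Running check(TCP_ONLY) reports dns_udp as blocked while dns_tcp and https pass, which is exactly the "can reach by IP but cannot resolve names" symptom; check(ANY_PROTO) passes all three.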