No Traffic Allowed Between Subnets
-
Looks like all my traffic is being blocked for some reason! The rules I put in place are being ignored, nothing fancy with the setup. Just trying to get traffic from 2 different subnets to be allowed.
What am I doing wrong, I tried a reboot after the rules were in place and nothing. Nothing in Firewall Aliases or Nat.
-
I can find only one interface on your rules tab. pfSense can only control traffic between different interfaces.
-
Here is the setup:
1 router with 2 VLans
2 firewalls (1 sophos and 1 pfsense)
192.168.1.0/24 VLan 1 with interface of 192.168.1.2
192.168.255.0/24 VLan 100 with interface 192.168.255.2The pfsense firewall only has one interface defined 192.168.255.253 (Lan). This interface has a gateway route of 192.168.255.2 (router). The router is a layer 3 router with 2 VLans (described above). The router has a default route of 192.168.1.1 (sophos firewall) that has a Wan interface.
Everything on the VLan 100 can ping and send traffic to any host on VLan 1 as well as the internet. VLan 1 hosts can access the internet and only 192.168.255.253 (pfsense firewall) on VLan 100. All other traffic to other hosts on VLan 100 reaches the host, but their responses back to the VLan 1 are blocked by pfsense on their return.
On the VLan 1 192.168.1.1 is the default gateway for all hosts. This firewall has a static route of 192.168.255.0/24 to 192.68.1.2 (router). Each host on VLan 100 has a default gateway of 192.168.255.253 (pfsense firewall). This firewall has a gateway route of 192.168.255.2 (router).
If I change the hosts default gateway to 192.168.255.2 everything works great. I would like however to use the pfsense firewall to filter some of the traffic in and out of the VLan.
Sorry for the long winded explanation, but I figured all the information needed to be known. Please HELP!
-
"I would like however to use the pfsense firewall to filter some of the traffic in and out of the VLan."
And where did you configure these vlans in pfsense?
Where is this other firewall? And how is it connected.
So if host on 192.168.255.0/24 lets say 192.168.255.100 wants to talk to 192.168.1.100, he sends traffic to his gateway pfsense 192.168.255.253, pfsense routes it out same interface to 192.168.255.2, router says ok send to 192.168.1.0 network out its 192.168.1.0/24 interface.
Client says hey back and sends answer to its gateway router or firewall on this 192.168.1.0/24 network.. Lets say router - router say oh your wanting to talk to 192.168.255.0/24 great I have an interface in this network and sends the traffic on to 192.168.255.100
You have asynchronous routing for sure, even if vlan tags are correct, etc. But I don't see any vlan in pfsense?
Please draw up your network - but I would never in a million years setup something like what it sounds. If you want to firewall between 192.168.1 and 192.168.255 why don't you just connect pfsense to both of these networks?
-
I haven't. The Pfsense firewall is on the VLan 100. It knows the default gateway is 192.168.255.2 (VLan interface on router).
I don't need Pfsense to know about the whole structure of the network. I only want to use the firewall aspect to deny/allow outside (non 192.168.255.0/24) traffic in and deny/allow local traffic to certain outside networks.
Is this possible?
-
If I select Disable Firewall (Disable all packet filtering) from the Advanced Firewall and NAT tab it works correctly as well.
I'm starting to think there is no way to allow this traffic to pass if the firewall is active, but I can't see why creating a rule wouldn't allow it!
-
Firewall rules in inbound to an interface.. Not outbound - and you still run into a routing issue. So I see your network as you describe it as this
Is this your network? See attached - you were not clear on where internet is connected?
If this is true this is one messed up setup!
So you want to route traffic from 255.X to 255.253, just to be sent to 255.2.. And then return traffic from 1.x to go to 192.168.1.1 to be sent to 192.168.1.2 ?
Why would you do something like this? When you replace the router with a firewall be it pfsense or whatever and your golden.. See second attachment
-
Don't take this the wrong way, but I do not think your setup is correct.
You are trying to filter with a single interface firewall that is an end node. You want the firewall to control traffic, but don't want it to know the structure of the network. I like simple, so I would just kill the sophos and put another interface in pfsense for the second subnet. Maybe replace the router with pfsense? You could always place pfsense in transparent mode and put it between the 255 clients and the router. You have proven that if someone wants to bypass the filter, they just have to change their gateway. -
johnpoz that is how the network is setup. I had a phone company come in and they added another VLan and changed the topology. I have never setup a phone system as is why I had them do it.
Trust me the topology was a lot uglier before I made some tweaks. I really like your layout and it would clean everything up so nicely. I'll see what I can do to get another card in the firewall. Currently I have 4 Nics on the firewall (internal, external, failover wireless external, wireless bridge to another site), so whats one more!
I'll update soon!
