Netgate Discussion Forum
    No Traffic Allowed Between Subnets

    Firewalling
    9 Posts 4 Posters 1.6k Views
    waterboy550

      Looks like all my traffic is being blocked for some reason! The rules I put in place are being ignored, nothing fancy with the setup. Just trying to get traffic from 2 different subnets to be allowed.

      What am I doing wrong? I tried a reboot after the rules were in place and nothing. Nothing in Firewall Aliases or NAT.

      [attachments: f1.PNG, f2.PNG]

      viragomann

        I can find only one interface on your rules tab. pfSense can only control traffic between different interfaces.

        waterboy550

          Here is the setup:
            1 router with 2 VLANs
            2 firewalls (1 Sophos and 1 pfSense)
            192.168.1.0/24 VLAN 1 with interface of 192.168.1.2
            192.168.255.0/24 VLAN 100 with interface 192.168.255.2

          The pfSense firewall only has one interface defined, 192.168.255.253 (LAN). This interface has a gateway route of 192.168.255.2 (router). The router is a layer 3 router with 2 VLANs (described above). The router has a default route of 192.168.1.1 (Sophos firewall), which has a WAN interface.

          Everything on VLAN 100 can ping and send traffic to any host on VLAN 1 as well as the internet. VLAN 1 hosts can access the internet and only 192.168.255.253 (pfSense firewall) on VLAN 100. All other traffic to other hosts on VLAN 100 reaches the host, but their responses back to VLAN 1 are blocked by pfSense on their return.

          On VLAN 1, 192.168.1.1 is the default gateway for all hosts. This firewall has a static route of 192.168.255.0/24 to 192.68.1.2 (router). Each host on VLAN 100 has a default gateway of 192.168.255.253 (pfSense firewall). This firewall has a gateway route of 192.168.255.2 (router).

          If I change the hosts' default gateway to 192.168.255.2 everything works great. I would like, however, to use the pfSense firewall to filter some of the traffic in and out of the VLAN.

          Sorry for the long winded explanation, but I figured all the information needed to be known. Please HELP!

          [attachments: f3.PNG, f4.PNG]

          johnpoz LAYER 8 Global Moderator

            "I would like however to use the pfsense firewall to filter some of the traffic in and out of the VLan."

            And where did you configure these vlans in pfsense?

            Where is this other firewall? And how is it connected?

            So if a host on 192.168.255.0/24, let's say 192.168.255.100, wants to talk to 192.168.1.100, he sends traffic to his gateway pfSense 192.168.255.253, pfSense routes it out the same interface to 192.168.255.2, the router says OK, send to the 192.168.1.0 network out its 192.168.1.0/24 interface.

            Client says hey back and sends the answer to its gateway, router or firewall, on this 192.168.1.0/24 network. Let's say router: router says oh, you're wanting to talk to 192.168.255.0/24, great, I have an interface in this network, and sends the traffic on to 192.168.255.100.

            You have asynchronous routing for sure, even if VLAN tags are correct, etc. But I don't see any VLAN in pfSense?

            Please draw up your network, but I would never in a million years set up something like what it sounds like. If you want to firewall between 192.168.1 and 192.168.255, why don't you just connect pfSense to both of these networks?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
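A constructed model of the two paths johnpoz walks through above, added here as an example (it is not part of the thread and was not produced by any device in it): it traces each direction through the routing tables the thread describes, applies the stateful rule that pfSense only passes a reply whose request it saw, and then re-runs the trace with pfSense holding an interface in both networks. The client addresses 192.168.255.100 and 192.168.1.100, the node names and the "wan" next-hop placeholder are assumptions.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network
# Constructed model of the thread's topology (example data, not from any device).
# Each node owns addresses in connected nets; routes are (prefix, next-hop).
NODES = {
    "host-255.100": {"addrs": {"192.168.255.100": "192.168.255.0/24"},
                     "routes": [("0.0.0.0/0", "192.168.255.253")]},
    "pfsense": {"addrs": {"192.168.255.253": "192.168.255.0/24"},
                "routes": [("0.0.0.0/0", "192.168.255.2")]},
    "router": {"addrs": {"192.168.255.2": "192.168.255.0/24",
                         "192.168.1.2": "192.168.1.0/24"},
               "routes": [("0.0.0.0/0", "192.168.1.1")]},
    "sophos": {"addrs": {"192.168.1.1": "192.168.1.0/24"},
               "routes": [("192.168.255.0/24", "192.168.1.2"),
                          ("0.0.0.0/0", "wan")]},  # "wan" is a placeholder
    "host-1.100": {"addrs": {"192.168.1.100": "192.168.1.0/24"},
                   "routes": [("0.0.0.0/0", "192.168.1.1")]},
}

def owner(nodes, ip):
    return next((n for n, d in nodes.items() if ip in d["addrs"]), None)

def next_hop(nodes, name, dst):
    if any(ip_address(dst) in ip_network(net) for net in nodes[name]["addrs"].values()):
        return owner(nodes, dst)                      # directly connected: deliver
    matches = [(ip_network(p), gw) for p, gw in nodes[name]["routes"]
               if ip_address(dst) in ip_network(p)]  # longest prefix wins
    return owner(nodes, max(matches, key=lambda m: m[0].prefixlen)[1]) if matches else None

def trace(nodes, src, dst):
    path, cur = [], owner(nodes, src)                 # hop-by-hop path, loop-safe
    while cur and cur not in path:
        path.append(cur)
        if dst in nodes[cur]["addrs"]:
            return path
        cur = next_hop(nodes, cur, dst)
    return path + ["unreachable"]

def reply_allowed(nodes, client, server):
    """Stateful rule: pfSense passes the reply only if it saw the request."""
    fwd, rev = trace(nodes, client, server), trace(nodes, server, client)
    return "pfsense" not in rev or "pfsense" in fwd

def pfsense_as_router(nodes):
    """johnpoz's layout: pfSense replaces the L3 router, holding both nets."""
    fixed = deepcopy(nodes)
    fixed["pfsense"]["addrs"]["192.168.1.2"] = "192.168.1.0/24"
    fixed["pfsense"]["routes"] = [("0.0.0.0/0", "192.168.1.1")]
    del fixed["router"]
    return fixed
```

With the thread's topology, a connection from 192.168.1.100 to 192.168.255.100 reaches the host via Sophos and the router while its reply is sent to pfSense, which never saw the request and so drops it; with pfSense holding both interfaces, both directions cross it and state matches.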

              waterboy550

              I haven't. The pfSense firewall is on VLAN 100. It knows the default gateway is 192.168.255.2 (VLAN interface on the router).

              I don't need pfSense to know about the whole structure of the network. I only want to use the firewall aspect to deny/allow outside (non-192.168.255.0/24) traffic in and deny/allow local traffic to certain outside networks.

              Is this possible?

                waterboy550

                If I select Disable Firewall (Disable all packet filtering) from the Advanced Firewall and NAT tab it works correctly as well.

                I'm starting to think there is no way to allow this traffic to pass if the firewall is active, but I can't see why creating a rule wouldn't allow it!

                  johnpoz LAYER 8 Global Moderator

                  Firewall rules are inbound to an interface, not outbound, and you still run into a routing issue. So I see your network as you describe it as this:

                  Is this your network? See attached. You were not clear on where the internet is connected.

                  If this is true this is one messed up setup!

                  So you want to route traffic from 255.x to 255.253, just to be sent to 255.2. And then return traffic from 1.x to go to 192.168.1.1 to be sent to 192.168.1.2?

                  Why would you do something like this? When you replace the router with a firewall, be it pfSense or whatever, you're golden. See second attachment.

                  [attachments: isthisyournetwork.png, normalsetup.png]


                    dotdash

                    Don't take this the wrong way, but I do not think your setup is correct.
                    You are trying to filter with a single interface firewall that is an end node. You want the firewall to control traffic, but don't want it to know the structure of the network. I like simple, so I would just kill the sophos and put another interface in pfsense for the second subnet. Maybe replace the router with pfsense? You could always place pfsense in transparent mode and put it between the 255 clients and the router. You have proven that if someone wants to bypass the filter, they just have to change their gateway.

                      waterboy550

                      johnpoz, that is how the network is set up. I had a phone company come in and they added another VLAN and changed the topology. I have never set up a phone system, which is why I had them do it.

                      Trust me, the topology was a lot uglier before I made some tweaks. I really like your layout and it would clean everything up so nicely. I'll see what I can do to get another card in the firewall. Currently I have 4 NICs on the firewall (internal, external, failover wireless external, wireless bridge to another site), so what's one more!

                      I'll update soon!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.