No Traffic Allowed Between Subnets

  • Looks like all my traffic is being blocked for some reason! The rules I put in place are being ignored, nothing fancy with the setup. Just trying to get traffic from 2 different subnets to be allowed.

    What am I doing wrong? I tried a reboot after the rules were in place and nothing. Nothing in Firewall Aliases or NAT.

  • I can find only one interface on your rules tab. pfSense can only control traffic between different interfaces.

  • Here is the setup:
      1 router with 2 VLans
      2 firewalls (1 sophos and 1 pfsense) VLan 1 with interface of VLan 100 with interface

    The pfsense firewall only has one interface defined (Lan). This interface has a gateway route of (router). The router is a layer 3 router with 2 VLans (described above). The router has a default route of (sophos firewall) that has a Wan interface.

    Everything on the VLan 100 can ping and send traffic to any host on VLan 1 as well as the internet. VLan 1 hosts can access the internet and only (pfsense firewall) on VLan 100. All other traffic to other hosts on VLan 100 reaches the host, but their responses back to the VLan 1 are blocked by pfsense on their return.

    On the VLan 1 is the default gateway for all hosts. This firewall has a static route of to (router). Each host on VLan 100 has a default gateway of (pfsense firewall). This firewall has a gateway route of (router).

    If I change the hosts' default gateway to everything works great. I would like however to use the pfsense firewall to filter some of the traffic in and out of the VLan.

    Sorry for the long-winded explanation, but I figured all the information needed to be known. Please HELP!

  • LAYER 8 Global Moderator

    "I would like however to use the pfsense firewall to filter some of the traffic in and out of the VLan."

    And where did you configure these vlans in pfsense?

    Where is this other firewall?  And how is it connected.

    So if host on let's say wants to talk to, he sends traffic to his gateway pfsense, pfsense routes it out same interface to, router says ok send to network out its interface.

    Client says hey back and sends answer to its gateway router or firewall on this network.. Let's say router - router says oh you're wanting to talk to great I have an interface in this network and sends the traffic on to

    You have asynchronous routing for sure, even if vlan tags are correct, etc.  But I don't see any vlan in pfsense?

    Please draw up your network - but I would never in a million years set up something like what it sounds.  If you want to firewall between 192.168.1 and 192.168.255 why don't you just connect pfsense to both of these networks?

  • I haven't. The Pfsense firewall is on the VLan 100. It knows the default gateway is (VLan interface on router).

    I don't need Pfsense to know about the whole structure of the network. I only want to use the firewall aspect to deny/allow outside (non traffic in and deny/allow local traffic to certain outside networks.

    Is this possible?

  • If I select Disable Firewall (Disable all packet filtering) from the Advanced Firewall and NAT tab it works correctly as well.

    I'm starting to think there is no way to allow this traffic to pass if the firewall is active, but I can't see why creating a rule wouldn't allow it!
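
The symptom described in the posts above, as an added example that is not part of the original thread: a simplified Python model of a stateful filter that sees only one direction of a TCP handshake. The addresses, ports and the `StatefulFilter` model are constructed for illustration; the assumption is that only a SYN matching a pass rule creates state.

```python
from dataclasses import dataclass

VLAN1_HOST, VLAN100_HOST = "10.0.1.10", "10.0.100.20"  # constructed addresses

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

class StatefulFilter:
    """Simplified model (assumption): only a SYN may create state under a
    pass rule; sequence-window tracking is ignored."""
    def __init__(self, enabled=True):
        self.enabled = enabled
        self.states = set()

    def inspect(self, p):
        if not self.enabled:
            return "pass (filtering disabled)"
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # either direction
        if key in self.states:
            return "pass (state match)"
        if p.flags == "S":  # "allow any" rule matches and creates state
            self.states.add(key)
            return "pass (new state)"
        return "block (no state)"  # a SYN-ACK or ACK with no state is dropped

def seen_by_firewall(p):
    # Per the thread: only VLAN 100 hosts use the firewall as gateway; the
    # router delivers traffic from VLAN 1 straight to the VLAN 100 host.
    return p.src.startswith("10.0.100.")

def run_handshake(fw, client, server):
    """Return (flags, verdict) for each handshake packet the firewall sees."""
    pkts = [Packet(client, 40000, server, 443, "S"),
            Packet(server, 443, client, 40000, "SA"),
            Packet(client, 40000, server, 443, "A")]
    return [(p.flags, fw.inspect(p)) for p in pkts if seen_by_firewall(p)]

if __name__ == "__main__":
    for name, fw, c, s in [
        ("VLAN 1 -> VLAN 100", StatefulFilter(), VLAN1_HOST, VLAN100_HOST),
        ("VLAN 100 -> VLAN 1", StatefulFilter(), VLAN100_HOST, VLAN1_HOST),
        ("VLAN 1 -> VLAN 100, filter off", StatefulFilter(False), VLAN1_HOST, VLAN100_HOST)]:
        print(name, run_handshake(fw, c, s))
```

In the first case the firewall's first sight of the connection is the SYN-ACK, so an "allow" rule never gets a SYN to build state from; with filtering disabled the same packet is simply forwarded.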

  • LAYER 8 Global Moderator

    Firewall rules are inbound to an interface.. Not outbound - and you still run into a routing issue.  So I see your network as you describe it as this

    Is this your network?  See attached - you were not clear on where internet is connected?

    If this is true this is one messed up setup!

    So you want to route traffic from 255.X to 255.253, just to be sent to 255.2..  And then return traffic from 1.x to go to to be sent to ?

    Why would you do something like this?  When you replace the router with a firewall be it pfsense or whatever and you're golden.. See second attachment

  • Don't take this the wrong way, but I do not think your setup is correct.
    You are trying to filter with a single interface firewall that is an end node. You want the firewall to control traffic, but don't want it to know the structure of the network. I like simple, so I would just kill the sophos and put another interface in pfsense for the second subnet. Maybe replace the router with pfsense? You could always place pfsense in transparent mode and put it between the 255 clients and the router. You have proven that if someone wants to bypass the filter, they just have to change their gateway.

  • johnpoz that is how the network is set up. I had a phone company come in and they added another VLan and changed the topology. I have never set up a phone system, which is why I had them do it.

    Trust me the topology was a lot uglier before I made some tweaks. I really like your layout and it would clean everything up so nicely. I'll see what I can do to get another card in the firewall. Currently I have 4 NICs on the firewall (internal, external, failover wireless external, wireless bridge to another site), so what's one more!

    I'll update soon!
