Accessing VLAN from LAN Problem



  • Hey,

    I've got a little problem and can't find a solution.

    Following Setup:
    Management over LAN 192.168.1.x (Router pfSense 192.168.1.1 -> HP ProCurve Switch 192.168.1.2 -> VLAN/LAN to HP ProCurve Switches 192.168.1.x)

    The VLANs haven't got access to the LAN interface, but I want to manage the WLAN routers behind them, so IP 192.168.19.2 from an IP in the management network, i.e. 192.168.1.100 for example.

    Attached are my firewall rules for LAN and for the VLAN 192.168.19.x (/24).

    Even when I disable the blocking rule 192.168.0.0/32 on the VLAN it does not work. How do I have to set up these rules?

    Thanks in advance

    Edit: The LB Gateway is a gateway group over WAN and WAN2 for Internet access, pfSense 2.0.3

    Edit2: Just found out the following: I can access other computers in the VLAN, e.g. 192.168.19.100, but not the WLAN router 192.168.19.2 (but when I am directly connected to the switch of the WLAN router I can access it over 192.168.19.2). Also, a ping from the pfSense router works…





  • No one?



  • I had a hard time following your write-up, so I'll just explain what I'm seeing in the screenshots.

    Your LAN interface is allowing everything.

    Your UGWLAN is explicitly blocking all devices on UGWLAN from hitting 192.168.1.1:6543, but is allowing all other ports for that IP. UGWLAN is blocking all other connections to any other 192.168.. IP address, keeping UGWLAN from talking to the rest of your private network.

    All other traffic is allowed to send data out the LB gateway.
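
As an added illustration (not part of the thread and not anyone's actual configuration): pfSense evaluates rules first-match on the interface where a connection enters and keeps state for passed flows. The sketch below models the rule sets as the reply above describes them; the /16 block range, the ports and the host 192.168.19.50 are constructed assumptions.

```python
import ipaddress

# Constructed model of the rule sets as the reply above describes them.
# Assumption: the UGWLAN private-network block covers 192.168.0.0/16.
RULES = {
    "LAN": [("pass", "any", None)],
    "UGWLAN": [
        ("block", "192.168.1.1/32", 6543),   # firewall address, port 6543
        ("block", "192.168.0.0/16", None),   # rest of the private network
        ("pass", "any", None),               # everything else (LB gateway)
    ],
}


def first_match(iface, dst, dport):
    """Return the action of the first rule on iface matching dst:dport."""
    for action, net, port in RULES[iface]:
        in_net = net == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(net)
        if in_net and port in (None, dport):
            return action
    return "block"  # nothing matched: default deny


class Firewall:
    """Stateful filter: rules are checked only for packets that open a flow."""

    def __init__(self):
        self.states = set()

    def inbound(self, iface, src, sport, dst, dport):
        # Replies to a flow that was already passed skip the rule list.
        if (dst, dport, src, sport) in self.states:
            return "pass-state"
        action = first_match(iface, dst, dport)
        if action == "pass":
            self.states.add((src, sport, dst, dport))
        return action


if __name__ == "__main__":
    fw = Firewall()
    # Management host opens a connection to the WLAN router (enters on LAN).
    print(fw.inbound("LAN", "192.168.1.100", 50000, "192.168.19.2", 80))
    # The router's reply enters on UGWLAN and matches the state, not the block.
    print(fw.inbound("UGWLAN", "192.168.19.2", 80, "192.168.1.100", 50000))
    # A new connection from the VLAN towards the LAN is still blocked.
    print(fw.inbound("UGWLAN", "192.168.19.50", 50001, "192.168.1.100", 80))
```

In this model the UGWLAN block rule is never consulted for connections opened from the LAN, which is consistent with the report that disabling it made no difference.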



  • A diagram would help here. www.gliffy.com is a good site for that. But if I understand your question, the reason you can't reach the LAN side of your WLAN router is because you have it working as a NAT and not a router. Remember, unsolicited packets trying to ingress a NAT router's WAN port will be discarded unless a port forward is set up. Try putting your WLAN router in router mode and you should be good to go. Make sure you run a routing protocol like RIP, otherwise you will have to set up static routes on both sides.