New pfsense firewall, cannot ping LAN interface, vlan issue, no internet access



  • Hello,

    We could really use some help. Working on a new Netgate pfSense firewall, have followed http://networktechnical.blogspot.com/2007/04/pfsense-how-to-setup-vlans.html to create vlans and interfaces, have em2 as our WAN ISP, and have em3 as LAN with tagged vlans on it, the procurve 2910 switch port is also tagged for all the same vlans, and dhcp is being handed out by the pfSense and works great, ip routing and ip gateway are programmed in the hp switch, and we can ping the switch management ip but cannot ping the pfSense lan, nor can we ping google. We have also set up the firewall rules for the vlans to allow * from vlan to wan.

    Not sure if this is a simple step we are missing, it is our first time setting up a pfSense firewall. Thank you for any help anyone can provide today! =)


  • Rebel Alliance Developer Netgate

    There are a couple potential things that could be wrong there. The easiest is the firewall rules, make sure that they allow all protocols and not only TCP.

    If you can't ping pfSense itself on the same subnet as the clients, it would have to be one of:

    1. Layer 2 issue, clients and pfSense are not on the same network (unlikely to be this if they are getting DHCP from the firewall)
    2. Incorrect firewall rules
    3. Incorrect local routing – If you have an L3 switch handling local routing between VLANs, pfSense does not need to be configured to handle the VLANs directly, it should leave that up to the L3 switch and contact those subnets using static routes (but that means you can't do DHCP for the VLANs on pfSense...)

    If this is a new Netgate device, you should have some bundled support time to use depending on which model you purchased (the m1n1wall doesn't come with any support, but the APU, 7541, and c2758 do). If you have that option, contact Netgate support and we can assist from there as well.



  • Similar problem here:
    Hardware: Cisco SG500 in layer 2 mode and an old Astaro ASG 110/120 Rev. 3 (the Astaro has four Intel 82559ER NICs).
    After configuring the vlans on the SG500 and the Astaro, DHCP over vlans did not work and I could not ping the gateway over the vlans.

    The problem was solved by disabling the default vlan processing in hw:

    A small script /usr/local/etc/rc.d/disable-vlanhwtag.sh

    #!/bin/sh
    # Turn off hardware VLAN tagging on each of the four fxp NICs so the
    # tagged frames are handled by the OS instead of the 82559ER hardware.
    ifconfig fxp0 -vlanhwtag
    ifconfig fxp1 -vlanhwtag
    ifconfig fxp2 -vlanhwtag
    ifconfig fxp3 -vlanhwtag

    is fixing the problem at startup.
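    An added example (not the poster's script) that generalizes the same fix: it reads the interface list from ifconfig instead of hard-coding fxp0..fxp3, disables VLAN_HWTAGGING only where the option is actually set, and checks that it really went away. The ifconfig sample it parses is constructed for the dry run, and the --apply flag is this example's own convention.

```sh
#!/bin/sh
# Added example, not the poster's script: find every interface whose ifconfig
# options advertise VLAN_HWTAGGING, disable it, and verify the option is gone.

# Print the names of interfaces whose "options=" line (FreeBSD ifconfig -a
# format, read from stdin) lists VLAN_HWTAGGING.
hwtag_ifaces() {
    awk '
        /^[a-z0-9_.]+: flags=/ { sub(/:.*/, ""); iface = $0; next }
        /options=.*VLAN_HWTAGGING/ && iface != "" { print iface; iface = "" }
    '
}

# Turn off hardware VLAN tagging on each interface named on stdin and fail
# (exit status 1) if any interface still reports the option afterwards.
disable_vlanhwtag() {
    rc=0
    while read -r iface; do
        ifconfig "$iface" -vlanhwtag || rc=1
        if ifconfig "$iface" | grep -q VLAN_HWTAGGING; then
            echo "warning: VLAN_HWTAGGING still set on $iface" >&2
            rc=1
        fi
    done
    return "$rc"
}
# Constructed sample of "ifconfig -a" output (not from a real box): two of
# the NICs have hardware tagging on, fxp1 and the loopback do not.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=82019<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC>
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=82019<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC>'

# Dry run over the sample: prints the interfaces that would be changed.
sample_hwtag_ifaces() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | hwtag_ifaces | tr '\n' ' '
}

# With --apply (e.g. from /usr/local/etc/rc.d at boot) act on the live system;
# without it only show the dry run, so the script is safe to try first.
if [ "${1:-}" = "--apply" ]; then
    ifconfig -a | hwtag_ifaces | disable_vlanhwtag
else
    sample_hwtag_ifaces; echo
fi
```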

