InterVLAN Routing Failing When Assigning Different Gateway

  • Hello all,

    I am trying to figure out an issue with inter-vlan routing when there are multiple WAN connections, each with its own gateway.

    My pfSense box has 3 ports on it, em0 is connected to WAN1 cable modem, em1 is connected to WAN2 modem, and em2 is connected to an HP-2530-48G switch, with 4 subinterfaces on it, VLAN 10, 11, 12, 200.

VLAN 11 is the office DATA VLAN and VLAN 200 is the VLAN used for managing 4 Ubiquiti Unifi access points. The default gateway is set as WAN1's gateway under the Routing menu, but I need traffic in VLAN 11 to go out over WAN2's gateway, not the default gateway. Once I create a firewall rule that sends all outgoing traffic from VLAN 11 to the WAN2 gateway using the advanced gateway option in the rule, I am no longer able to access the resources in VLAN 200, i.e. SSH into the Unifi access points or the controller. If I change that rule to use the default gateway again, I am able to access resources in VLAN 200.

How do I set it up so that traffic from VLAN 11 goes out the WAN2 gateway, but I am also still able to access the resources in VLAN 200? It seems that once I change the gateway I am breaking inter-VLAN routing. I feel it is just something I am not doing right on my end.

    Any ideas?

    Thank you.

  • Hi abeauchamp,

Can you take a screenshot of the firewall rules on your VLAN11 interface, and of the settings of the rule you used to route traffic from VLAN11 out WAN2, please? Do you perhaps have the destination set to any?

I do believe the destination is set to any. I am not in front of a computer right now to get screenshots.

    What would I need to set the destination to in this situation?

If the destination is set to any, the ordering of the rules is very important. For instance, maybe the rule that allows access from VLAN11 to VLAN200 comes after the rule where you specify the gateway to be used? A screenshot of your rules on the VLAN11 interface would be helpful.

When the destination is set to any, you are in fact allowing access to all networks/interfaces, unless you have deny rules that come first.

Makes sense. I am not sure how I can craft a rule for a destination out on the internet. Maybe a rule that matches on the destination not being an alias of my internal networks?

  • Once I have access to the system tomorrow I will post screenshots.

    Thank you for your help so far.

The way I did it, to allow access to the Internet and not to any of my local networks, is to create an alias containing all my local networks (including the WAN IP); let's call the alias Local_Networks. Then I created a rule that has the destination set to "not Local_Networks".

@abeauchamp It is working as it should. You are forcing ALL your traffic through a specific gateway, and this results in being unable to contact your other LAN networks.

As @vindenesen said, create an alias for your LAN subnets. Then put a new rule above your current one (proto: any, src: any, dest: alias, gateway: *).
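The two fixes suggested in the replies above, written out as pf rules in the form pfSense's rule generator expresses them (a rule with a gateway selected becomes a pf "route-to" rule, and user rules are "quick", so the first matching rule wins). This is an added illustration, not the thread's own configuration and not pfSense's actual generated output; the interface names, subnets and the WAN2 next hop are assumed for the example.

```pf
# Added illustration only. Assumed values (not from the thread):
#   VLAN 11 = em2.11, 10.11.0.0/24      VLAN 200 = em2.200, 10.200.0.0/24
#   VLAN 10 = 10.10.0.0/24, VLAN 12 = 10.12.0.0/24
#   WAN2 = em1 with next hop 198.51.100.1
# pfSense evaluates user rules with "quick": the first rule a packet matches wins.

table <Local_Networks> { 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.200.0.0/24 }

# --- Broken (the original rule): destination any, gateway WAN2.
# A packet from 10.11.0.20 to 10.200.0.5 matches this rule first and is handed
# to em1 / 198.51.100.1 by route-to, so it never reaches VLAN 200.
pass in quick on em2.11 route-to (em1 198.51.100.1) inet from 10.11.0.0/24 to any keep state

# --- Fix 1 (Shadow's ordering): match local destinations first with no gateway,
# i.e. the normal routing table, then policy-route everything else out WAN2.
pass in quick on em2.11 inet from 10.11.0.0/24 to <Local_Networks> keep state
pass in quick on em2.11 route-to (em1 198.51.100.1) inet from 10.11.0.0/24 to any keep state

# --- Fix 2 (vindenesen's negated destination): only policy-route traffic whose
# destination is not local. Local traffic still needs its own pass rule,
# otherwise it falls through to the implicit default deny.
pass in quick on em2.11 route-to (em1 198.51.100.1) inet from 10.11.0.0/24 to ! <Local_Networks> keep state
pass in quick on em2.11 inet from 10.11.0.0/24 to <Local_Networks> keep state
```

The rules belong on the VLAN11 interface tab, since pfSense applies rules where traffic enters the firewall. Two checks worth doing after saving: run `pfctl -sr` from Diagnostics > Command Prompt and confirm the local-destination rule appears above the route-to rule for em2.11, and make sure the alias also contains the firewall's own interface addresses (vindenesen included the WAN IP for this reason), because a destination-any policy-routing rule otherwise also catches DNS queries from VLAN 11 to the pfSense resolver and sends them out WAN2.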


    Why not just use outbound NAT to route the traffic via WAN2?

  • @Supermule:

    Why not just use outbound NAT to route the traffic via WAN2?

    Wouldn't he still need a rule to route the traffic out WAN2, when the default gateway is on WAN1?
