VLANs and Routing - Help
-
Hi
I need some help with routing traffic using PfSense, I have a L2 managed switch and 2 subnets. The switch has been configured so Port 1 (PfSense link) has both vlans tagged, Port 7 has VLAN 20 untagged and port 8 has VLAN 30 untagged.PfSense as follows
Em0 > WAN, 10.10.10.15, Gateway 10.10.10.1
Re0 > LAN, 192.168.1.1
Re0_vlan20, 192.168.20.1
Re0_vlan30, 192.168.30.1
System > Advanced > Firewall/NAT > Disable all packet filtering is checked (turned off) so I know the firewalling rules don’t get in the way. All the NAT rules have been deleted.I have a device (PC20) connected to port 7 of the switch configured with an IP of 192.168.20.15, 255.255.255.0 and a default GW of 192.168.20.1, similarly I have a device (PC30) connected to port 8 on the switch configured with an IP of 192.168.30.15, 255.255.255.0 and a default GW of 192.168.30.1. Both devices can ping 192.168.1.1, 192.168.20.1, 192.168.30.1 and 10.10.10.15. Neither device can ping 10.10.10.1 or any internet address 8.8.8.8, 8.8.4.4 etc etc. A trace route from PC 20 show hop 1 to 192.168.20.1 then 29 hops that time out.
Attached is a screen shot of the routing table in Pf.
The issue looks to me like the routes might be wrong but I’m not sure, can anyone help?
Thanks
-
All the NAT rules have been deleted.
How does the router at 10.10.10.1 know how to get back to 192.168.20.0/24 and 192.168.30.0/24?
-
All the NAT rules have been deleted.
How does the router at 10.10.10.1 know how to get back to 192.168.20.0/24 and 192.168.30.0/24?
Good question, from what I've read I had thought the routes were automatically configured! Do I hVe to add them manually??
-
If you were using NAT, the router at 10.10.10.1 would need to know how to get to 10.10.10.15, which would be a connected network so it would have a route.
Since you're not, you have to create static routes (or run OSPF or something) that tells 10.10.10.1 to send traffic for the other networks to 10.10.10.15.
If 10.10.10.1 was pfSense I would:
Create a gateway for 10.10.10.15 on interface LAN
Create a static route sending 192.168.20.0/24 out that gateway on interface LAN
Create a static route sending 192.168.30.0/24 out that gateway on interface LANYou then need firewall rules on WAN of 10.10.10.15 passing traffic from wherever you want to 192.168.20.0/24 and 192.168.30.0/24.
These need to be as open or restrictive as you need.
-
If you were using NAT, the router at 10.10.10.1 would need to know how to get to 10.10.10.15, which would be a connected network so it would have a route.
Since you're not, you have to create static routes (or run OSPF or something) that tells 10.10.10.1 to send traffic for the other networks to 10.10.10.15.
If 10.10.10.1 was pfSense I would:
Create a gateway for 10.10.10.15 on interface LAN
Create a static route sending 192.168.20.0/24 out that gateway on interface LAN
Create a static route sending 192.168.30.0/24 out that gateway on interface LANYou then need firewall rules on WAN of 10.10.10.15 passing traffic from wherever you want to 192.168.20.0/24 and 192.168.30.0/24.
These need to be as open or restrictive as you need.
Thanks for your response.
My WAN interface (10.10.10.15) has a gateway of 10.10.10.1 which is an ADSL router.
I had planned on leaving the default LAN subnet/interface for management, is there a way to route traffic from VLAN20 or VLAN30 without it hitting the LAN interface?
-
That was all an example on what to do on 10.10.10.1 if it was pfSense. Since it hasn't been made clear it is pfSense.
-
I don't understand why the wan connection (10.10.10.15 in PfSense) cant act as a standard internet gateway for any clients that sit behind it, why does 10.10.10.1 need to be able to contact anything on the LAN/VLAN(s)?
-
Because whatever is on 10.10.10.1 does not have a route to:
Re0 > LAN, 192.168.1.1
Re0_vlan20, 192.168.20.1
Re0_vlan20, 192.168.30.1Typically people NAT so all connections appear to 10.10.10.1 as coming from 10.10.10.15, which 10.10.10.1 DOES have a route to on a connected interface.
Again, how does 10.10.10.1 know to send traffic for 192.168.20.1 to 10.10.10.15 for further routing?
-
The 10.10.10.0 Network is just the adsl router and Pfsesne WAN interface. Do I have to worry about the route from 10.10.10.1 back to Lan,vlan20 and vlan 30 because NAT is disabled in the Pfsense?
-
Yes. You have a device 10.10.10.1 trying to send traffic to 192.168.20.0/24. It needs a route. This isn't a pfSense thing. It's an IP thing. You need to enable automatic NAT.
-
I've enabled Automatic outbound NAT rule generation, no rules were generated and PC30 (192.168.30.15) still cannot ping 8.8.8.8, am I missing something here?
-
Yes. Two subnets on one segment is not the way to do things. If you INSIST on doing that, you'll have to switch back to manual, NOT delete all the NAT rules, and duplicate the rules for 192.168.20 to 192.168.30. I can't for the life of me figure out why you would want to do that. If you want a 30 subnet, create VLAN 30 and put those hosts there.
-
There is a typo in my original post which I will connect now, I do indeed have a vlan30 for 192.168.30.x subnet.
My apologies.
-
Changing back to automatic should create the correct rules. If not, I guess back to manual and duplicate the rules for 192.168.20.0/24 for 192.168.30.0/24.
-
Thanks for persevering with this!
I was testing this in a lab that I thought was identical to my live setup, as it turns out the switch had some misconfiguration on it.
All working now, thanks!
-
Something I have now noticed is that the web interface sometimes takes a long time to respond/load. Would anyone know if this is something to do with the multiple virtual interfaces?
-
No. It's not anything due to having multiple virtual interfaces in and of itself. They look just like regular interfaces to pfSense.
-
Are you using Firefox?
If so, there were changes in a recent Firefox release that messed up the way it processes old certificates that you had made exceptions for (like the first time you go to pfSense webGUI.
Posts like this explain how to clean up Firefox: https://forum.pfsense.org/index.php?topic=82828.msg458036#msg458036
