Multi VLAN Port Fowarding
-
I'm sure this is a easy one ::) Trying to open port 80 to VLAN 200 on my network and its not getting through. Im picking the destination has Perimeter subnet "VLAN 200" and setting the redirect target ip.
LAN - VLAN 100
PERIMETER - VLAN 200
GUEST - VLAN 300
-
Can you explain more your setup?
What is the nat IP you want to send the traffic to?Generally, VLAN or not VLAN doesn't matter when you are doing NAT-PortForwarding
-
Can you explain more your setup?
What is the nat IP you want to send the traffic to?Generally, VLAN or not VLAN doesn't matter when you are doing NAT-PortForwarding
Sure,
I was thinking you needed to set the destination type… I got it working by leaving that on any but whats the point of destination?
Here's a diagram
-
Your destination needs to be the public IP address connections go to (Usually "WAN address"). Your VLAN doesn't matter. pfSense will route to 192.168.38.2 by whatever means at its disposal.
-
Your destination needs to be the public IP address connections go to (Usually "WAN address"). Your VLAN doesn't matter. pfSense will route to 192.168.38.2 by whatever means at its disposal.
So what is the point of source and destination? I was thinking I am am opening a port from the wan to the perimeter subnet and targetting 192.168.38.2.
So what if I wanted to open a connection from my LAN "VLAN 100" to my PERIMETER "VLAN 200" wouldn't I pick VLAN 100 as my source and VLAN 200 as my destination?
-
Do you know what NAT does?
You want connections to the http port on your WAN address to be forwarded to the http port on 192.168.38.2 right?
Source will limit the IPs that users can connect FROM - this is almost always "any" for something like a web server.
Destination is the address external users CONNECT TO, this is usually "WAN address" or a VIP on WAN.
Redirect Target IP is the host connections are port-forwarded TO.
Allow the NAT rule to create a tracking firewall rule and you're done.
So what if I wanted to open a connection from my LAN "VLAN 100" to my PERIMETER "VLAN 200" wouldn't I pick VLAN 100 as my source and VLAN 200 as my destination?
On your LAN interface you would create a firewall rule:
pass IPv4 any source "LAN net" dest "PERIMITER net"
You don't need port forwards because you're not using NAT. These pass (or block) rules can be as open or restrictive as you want.
-
Yes I understand what NAT does.
"Destination is the address external users CONNECT TO, this is usually "WAN address" or a VIP on WAN."
~ This is what is confusing me I figured my destination is VLAN 200. But I guess there not physically connecting to that so its not used?
On your LAN interface you would create a firewall rule:
pass IPv4 any source "LAN net" dest "PERIMETER net"
You don't need port forwards because you're not using NAT. These pass (or block) rules can be as open or restrictive as you want.
Just gave this a try for the hell of it - I guess I would need some sorta inter-vlan routing for it to actually work correct?
C:\Users\jbpollard>tracert 192.168.38.2
Tracing route to 192.168.38.2 over a maximum of 30
1 <1 ms <1 ms <1 ms 10.38.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out. -
Of course. You need router/layer3 interfaces on each VLAN. That's what I presume is at the end of the trunk at the top of your diagram.
-
Of course. You need router/layer3 interfaces on each VLAN. That's what I presume is at the end of the trunk at the top of your diagram.
I guess ill have to do some reading on intervlan routing with pfsense then. Pfsense is the router were all the vlan gateways are.
-
Did you create the VLANs on pfSense and assign them to interfaces?
That's all you need to do. After that pfSense treats them like any other interface.
-
Did you create the VLANs on pfSense and assign them to interfaces?
That's all you need to do. After that pfSense treats them like any other interface.
Yep, I have the 3 vlans setup inside pfsense. I created a rule to allow any type of traffic from VLAN100 to VLAN200 and then any from VL AN200 to VLAN100 and tired to ping with no luck.
-
Also tired in and out on each interfaces rules
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.
And a way I tried to explain it:
Firewall rules are processed when a session is started coming INTO an interface. This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface. If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface. This is the single concept that you need to grasp when designing your network at the start.
It is impossible for your PERIMETER interface to RECEIVE traffic with a source of "LAN net". When we say RECEIVE, we mean like "In from the the wire." There are no rules you can put on the LAN interface to reject or pass traffic that has already been accepted by pf destined for LAN. that decision was made when the traffic was RECEIVED into pfSense.
If you want PERIMETER to access LAN you put this on PERIMETER:
Pass IPv4 any source "PERIMETER net" dest "LAN net"
If that doesn't work, check your damn windows firewall on the destination machine. It's almost always that. It doesn't bite people until they run multiple subnets because windows treats the local subnet as friendly.
-
And I see rules up there that are TCP only. Do protocol any. ping isn't TCP and won't be passed by those. DNS is usually UDP and won't be passed by those.
-
And I see rules up there that are TCP only. Do protocol any. ping isn't TCP and won't be passed by those. DNS is usually UDP and won't be passed by those.
Yeah I noticed that and changed it.
And Its all working for me now :D
And the above explanation helped a lot thanks for all the help!
