    Multi VLAN Port Forwarding

    NAT
    pollardhimself:

      I'm sure this is an easy one  ::) Trying to open port 80 to VLAN 200 on my network and it's not getting through. I'm picking the destination as Perimeter subnet "VLAN 200" and setting the redirect target IP.

      LAN - VLAN 100
      PERIMETER - VLAN 200
      GUEST - VLAN 300

      gabrielpc1190:

        Can you explain your setup more?
        What is the NAT IP you want to send the traffic to?

        Generally, VLAN or not VLAN doesn't matter when you are doing NAT port forwarding.

        pollardhimself:

          @gabrielpc1190:

          Can you explain your setup more?
          What is the NAT IP you want to send the traffic to?

          Generally, VLAN or not VLAN doesn't matter when you are doing NAT port forwarding.

          Sure,

          I was thinking you needed to set the destination type… I got it working by leaving that on any, but what's the point of destination?

          Here's a diagram

          Derelict (Netgate):

            Your destination needs to be the public IP address connections go to (Usually "WAN address").  Your VLAN doesn't matter.  pfSense will route to 192.168.38.2 by whatever means at its disposal.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            pollardhimself:

              @Derelict:

              Your destination needs to be the public IP address connections go to (Usually "WAN address").  Your VLAN doesn't matter.  pfSense will route to 192.168.38.2 by whatever means at its disposal.

              So what is the point of source and destination? I was thinking I am opening a port from the WAN to the perimeter subnet and targeting 192.168.38.2.

              So what if I wanted to open a connection from my LAN "VLAN 100" to my PERIMETER "VLAN 200" wouldn't I pick VLAN 100 as my source and VLAN 200 as my destination?

              Derelict (Netgate):

                Do you know what NAT does?

                You want connections to the http port on your WAN address to be forwarded to the http port on 192.168.38.2 right?

                Source will limit the IPs that users can connect FROM - this is almost always "any" for something like a web server.

                Destination is the address external users CONNECT TO, this is usually "WAN address" or a VIP on WAN.

                Redirect Target IP is the host connections are port-forwarded TO.

                Allow the NAT rule to create a tracking firewall rule and you're done.

                So what if I wanted to open a connection from my LAN "VLAN 100" to my PERIMETER "VLAN 200" wouldn't I pick VLAN 100 as my source and VLAN 200 as my destination?

                On your LAN interface you would create a firewall rule:

                pass IPv4 any source "LAN net" dest "PERIMETER net"

                You don't need port forwards because you're not using NAT.  These pass (or block) rules can be as open or restrictive as you want.


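                The port forward as Derelict describes it, written out in the pf rule syntax pfSense generates for such an entry. This is an added example, not from the thread or from any pfSense-generated ruleset; the interface names, the macro names and the PERIMETER subnet 192.168.38.0/24 are assumptions, while 192.168.38.2 is the redirect target from the thread.

```pf
# Interface macros (assumed names: WAN on em0, VLAN subinterfaces on em1)
wan   = "em0"
lan   = "em1.100"               # LAN, VLAN 100
perim = "em1.200"               # PERIMETER, VLAN 200
perim_net = "192.168.38.0/24"   # assumed PERIMETER subnet; 192.168.38.2 lives here

# Firewall > NAT > Port Forward, as pf sees it:
#   Interface: WAN   Protocol: TCP   Source: any
#   Destination: WAN address, port 80
#   Redirect target IP: 192.168.38.2   Redirect target port: 80
# "($wan)" means whatever address the WAN interface currently has, so it
# follows a DHCP/PPPoE change. The VLAN the target sits on appears nowhere:
# pf rewrites the destination and the kernel routes to 192.168.38.2.
rdr on $wan inet proto tcp from any to ($wan) port 80 -> 192.168.38.2 port 80

# The associated ("tracking") firewall rule pfSense adds for the forward.
# It sits on WAN because that is where the session enters, and it matches
# the post-translation destination (the redirect target), not the WAN address.
pass in quick on $wan inet proto tcp from any to 192.168.38.2 port 80 flags S/SA keep state

# What the original poster had: Destination = "PERIMETER net". Nothing on the
# Internet ever addresses a packet to 192.168.38.0/24, only to the public WAN
# IP, so this rdr never matches and port 80 stays closed.
# rdr on $wan inet proto tcp from any to $perim_net port 80 -> 192.168.38.2 port 80
```

                Syntax can be checked without loading anything with `pfctl -nf <file>`. On a pfSense box the equivalent generated ruleset is in /tmp/rules.debug, and `pfctl -sn` lists the NAT rules actually loaded, which is the quickest way to confirm the destination is the WAN address rather than an internal subnet.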
                  pollardhimself:

                  Yes I understand what NAT does.

                  "Destination is the address external users CONNECT TO, this is usually "WAN address" or a VIP on WAN."

                  ~ This is what is confusing me. I figured my destination is VLAN 200. But I guess they're not physically connecting to that, so it's not used?

                  On your LAN interface you would create a firewall rule:

                  pass IPv4 any source "LAN net" dest "PERIMETER net"

                  You don't need port forwards because you're not using NAT.  These pass (or block) rules can be as open or restrictive as you want.

                  Just gave this a try for the hell of it - I guess I would need some sort of inter-VLAN routing for it to actually work, correct?

                  C:\Users\jbpollard>tracert 192.168.38.2

                  Tracing route to 192.168.38.2 over a maximum of 30

                    1    <1 ms    <1 ms    <1 ms  10.38.0.1
                    2     *        *        *     Request timed out.
                    3     *        *        *     Request timed out.
                    4     *        *        *     Request timed out.

                  Derelict (Netgate):

                    Of course.  You need router/layer3 interfaces on each VLAN.  That's what I presume is at the end of the trunk at the top of your diagram.


                    pollardhimself:

                      @Derelict:

                      Of course.  You need router/layer3 interfaces on each VLAN.  That's what I presume is at the end of the trunk at the top of your diagram.

                      I guess I'll have to do some reading on inter-VLAN routing with pfSense then. pfSense is the router where all the VLAN gateways are.

                      Derelict (Netgate):

                        Did you create the VLANs on pfSense and assign them to interfaces?

                        That's all you need to do.  After that pfSense treats them like any other interface.


                        pollardhimself:

                          @Derelict:

                          Did you create the VLANs on pfSense and assign them to interfaces?

                          That's all you need to do.  After that pfSense treats them like any other interface.

                          Yep, I have the 3 VLANs set up inside pfSense. I created a rule to allow any type of traffic from VLAN100 to VLAN200 and then any from VLAN200 to VLAN100 and tried to ping with no luck.

                          pollardhimself:

                            Also tried in and out on each interface's rules.

                            Derelict (Netgate):

                              https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                              Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.

                              And a way I tried to explain it:

                              Firewall rules are processed when a session is started coming INTO an interface.  This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface.  If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface.  This is the single concept that you need to grasp when designing your network at the start.

                              It is impossible for your PERIMETER interface to RECEIVE traffic with a source of "LAN net".  When we say RECEIVE, we mean like "In from the wire."  There are no rules you can put on the LAN interface to reject or pass traffic that has already been accepted by pf destined for LAN.  That decision was made when the traffic was RECEIVED into pfSense.

                              If you want PERIMETER to access LAN you put this on PERIMETER:

                              Pass IPv4 any source "PERIMETER net" dest "LAN net"

                              If that doesn't work, check your damn Windows firewall on the destination machine.  It's almost always that.  It doesn't bite people until they run multiple subnets because Windows treats the local subnet as friendly.


                                Derelict (Netgate):

                                And I see rules up there that are TCP only.  Do protocol any.  ping isn't TCP and won't be passed by those.  DNS is usually UDP and won't be passed by those.


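                                Derelict's two points from the last two posts, that rules belong on the interface a session enters and that the rule must be "IPv4 any" rather than TCP-only, as pf rules. This is an added example, not from the thread or from a pfSense-generated ruleset; the interface names and both subnets are assumptions (LAN guessed from the 10.38.0.1 first hop in the tracert above).

```pf
lan   = "em1.100"               # LAN, VLAN 100 (assumed interface name)
perim = "em1.200"               # PERIMETER, VLAN 200 (assumed)
lan_net   = "10.38.0.0/24"      # assumed from the 10.38.0.1 gateway in the tracert
perim_net = "192.168.38.0/24"   # assumed

# Rules are matched when a session ENTERS an interface. A LAN host pinging
# 192.168.38.2 enters pfSense on $lan, so the rule belongs on $lan.
# "IPv4 any" in the GUI = address family inet with no proto restriction.
pass in quick on $lan inet from $lan_net to $perim_net keep state

# PERIMETER -> LAN is a separate session that enters on $perim and needs its
# own rule there. Replies to LAN-initiated sessions already pass via the
# state table, so this is only for connections PERIMETER hosts start.
pass in quick on $perim inet from $perim_net to $lan_net keep state

# What was in place before: TCP only. ICMP echo (ping) and UDP (DNS) are not
# TCP, fall through every rule here and hit the default block.
# pass in quick on $lan inet proto tcp from $lan_net to $perim_net flags S/SA keep state

# A rule on $perim whose source is $lan_net is dead: LAN traffic is never
# received "in from the wire" on PERIMETER, it arrives on $lan.
# pass in quick on $perim inet from $lan_net to $perim_net keep state

# "As restrictive as you want": allow only ping and HTTP from LAN to PERIMETER
# instead of the blanket inet rule above.
# pass in quick on $lan inet proto icmp from $lan_net to $perim_net icmp-type echoreq keep state
# pass in quick on $lan inet proto tcp from $lan_net to $perim_net port 80 flags S/SA keep state
```

                                `pfctl -sr` on the box shows the loaded filter rules with their interface, so a rule that ended up on the wrong interface, or with `proto tcp` where `inet` was intended, is visible there before reaching for the packet capture.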
                                  pollardhimself:

                                  @Derelict:

                                  And I see rules up there that are TCP only.  Do protocol any.  ping isn't TCP and won't be passed by those.  DNS is usually UDP and won't be passed by those.

                                  Yeah I noticed that and changed it.

                                  And it's all working for me now  :D

                                  And the above explanation helped a lot thanks for all the help!
