Physical pfSense box with virtual DMZ in ESXi



  • Hi All,

    Having a strange issue and hoping someone can help. As the title says, I have a physical pfSense routing VLANs to ESXi. Everything is configured and working properly, firewall rules are doing exactly what I expect, except for one little thing. I have multiple WAN connections - one from ADSL and one 3G. The 3G is used for my laptop when there is high load on the ADSL. I set up a firewall rule that I just enable when I want to switch the laptop over to 3G. The laptop is connected to my LAN and I can ping all machines including the webservers on my DMZ exactly as it should be. When I switch to 3G as my main WAN connection I can still ping all LAN machines and VMs but nothing on the VLAN (DMZ). I'm a bit of a noob so not sure what I could be missing. Why would switching WAN connections affect my internal LAN/VLAN communications? (When I switch back to my ADSL WAN - which is the default - everything works fine.)

    Any advice appreciated. Thanks.


  • LAYER 8 Netgate

    When you redirect traffic to a specific gateway (policy routing) the order of the rules matters.  If you put the pass rule on LAN that catches traffic from your laptop to the DMZ above the rule that sets your 3G modem gateway I'll bet it starts working fine.

    I'm doing sort of the same thing.  In order to get at my XENWAN network for my virtual rack of pfSenses from LAN I have to pass traffic from LAN to XENWAN without setting a gateway, then have the normal pass rule that sets a gateway.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    in short, you need a rule above the policy routing rule that passes the traffic from LAN to DMZ with gateway set to default.

    ![Screen Shot 2015-01-26 at 1.29.37 AM.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 1.29.37 AM.png)

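The rule order described in the reply above, written out as the equivalent pf ruleset that pfSense builds from the LAN tab. This is an added illustration and not code from the thread or from pfSense itself; the interface names, subnets, laptop address and 3G gateway address are assumed for the example.

```pf
# Assumed names and addresses (not from the thread, chosen for illustration)
lan_if   = "em1"
wan3g_if = "ppp0"
wan3g_gw = "192.0.2.1"          # gateway of the 3G modem
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.10.0/24"    # the DMZ VLAN carried to ESXi
laptop   = "192.168.1.50"

# pfSense emits every GUI rule with "quick", so rules are evaluated top to
# bottom and the first match wins. Anything a later rule would do to a
# packet is irrelevant once an earlier rule has matched it.

# 1. LAN -> DMZ must match BEFORE the policy-routing rule. There is no
#    route-to here, so the packet follows the normal routing table and is
#    delivered to the DMZ VLAN ("gateway: default" in the GUI).
pass in quick on $lan_if inet from $lan_net to $dmz_net keep state \
    label "LAN to DMZ, default gateway"

# 2. Policy routing for the laptop: everything it sends that did not match
#    rule 1 is forced out the 3G interface. Toggle this rule as needed.
pass in quick on $lan_if route-to ( $wan3g_if $wan3g_gw ) inet \
    from $laptop to any keep state label "laptop via 3G"

# 3. The normal LAN rule, routed via the default gateway (ADSL).
pass in quick on $lan_if inet from $lan_net to any keep state \
    label "Default allow LAN to any"
```

With rules 1 and 2 swapped, a packet from the laptop to the DMZ matches the route-to rule first and is handed to the 3G gateway instead of being routed to the DMZ VLAN, which is the symptom in the original question. Rule 1 only needs to be as wide as the local destinations that must never be policy routed; an alias holding all internal subnets is the usual way to keep it short when there are several.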


  • Hi Derelict,

    Thanks for the assistance. I’m not home so can’t test right now but I’m not quite sure I follow. On my LAN rules all I do is set my laptop to be allowed to any (like the default lan rule) except I change the gateway under “advanced setting” to the 3g gateway and enable/disable this rule as I need. Then under that there is the default LAN rule (allow to any) which uses the default - WAN gateway (ADSL).  The DMZ only has 2 rules: 1) block dmz to lan and 2) allow dmz to all but lan.

    As I was typing this I saw your update, thanks for the details :) will need to test later. Like I said I'm still a noob at all this but I'm just wondering why changing WAN gateways would affect traffic between local subnets? Surely traffic from my LAN to vLAN/DMZ is not passed through the WAN and is routed according to rules on the subnets? Shouldn't it just be a case of the laptop on the LAN trying to access the DMZ and then going according to that? What involvement would the WAN have with this?

    Sorry for all the questions, just trying to wrap my head around all this  :-[


  • LAYER 8 Netgate

    Why would switching WAN connections affect my internal LAN/vLAN communications?

    Because it does.  :)

    Policy routing changes the way you need to treat internal traffic.

