Isolating 1 of 4 VLAN - Unrestricted Public Access



  • We have a pfSense APU that is handling 4 VLANs from an HP 2920 switch.

    One of those VLANs is a network of VMs that all have public static IPs assigned to them. This VLAN needs to have unrestricted access to/from public.

    I've read a bit on transparent bridging, but none of it seems to fit our issue. For clarification I've included a simple drawing.

    We need VLANs 10, 30 & 40 to be properly firewalled/NATed as they are now. We need VLAN 20 to be the only one that pfSense just really doesn't bother with: simply forward any and everything to the outside world, no LAN IPs or anything.

    Any suggestion on how to properly accomplish this?



  • Netgate

    Doesn't sound like anything too difficult, but I read your description twice and still can't figure out what you want.



  • We have 4 VLANs, all of which are at the moment behind the firewall. We are trying to get "VLAN 20" (one of the 4), which has servers on it that all have public IPs statically assigned to their NICs, to have unrestricted access to the outside world. No NAT, DHCP, or firewall. I want VLAN 20 to behave as though it's just a dumb switch plugged right into the public web.


  • Netgate

    Then carve out a subnet of your public IPs and assign it to the interface associated with VLAN 20, disable all NAT rules for that interface, and put pass any any rules for that subnet on WAN and VLAN 20.

    There is no other way to do it other than NAT.

    Or bridge VLAN20 with your outside interface.



  • Ok. I wanted to ensure there wasn't a best practice my naivety may have been missing.

    Could I simply run another WAN to the second OPT port, not assign an IP to it (so as not to tie up another public) and simply bridge VLAN20 to that interface? That way the regular WAN and its IP will handle the 3 VLANs behind the typical firewall and VLAN20 will have its own physical interface to the world with everything turned off?



  • Ok so here's what we've done:

    VLAN20 is set with the parent adapter OPT1 (HP Switch is there).

    Bridged VLAN20 and OPT0 (public facing interface) and assigned it to WAN.

    Set rules on OPT0 & VLAN20 to allow any.

    A VM on VLAN20 that is statically assigned with a public address still cannot ping out and we cannot ping in. Firewall logs don't show ICMP packets being blocked.


  • Netgate

    I think you want to assign WAN to BRIDGE0, not one of the member interfaces.



  • Yes, that's what has been done. Bridge1=OPT0+VLAN20, WAN=Bridge1


  • Netgate

    Not quite sure what to tell you. It works here.

    What are your settings for:

    net.link.bridge.pfil_member
    net.link.bridge.pfil_bridge

    ??
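The two sysctls asked about above decide where pf evaluates rules for frames crossing a bridge, which is why the reply asks for them when "pass any" rules on the members appear to have no effect. With net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 (the pfSense defaults) rules are applied on the member interfaces (OPT0 and VLAN20 in this thread); with the values swapped they are applied only on the bridge interface itself, and with both at 0 bridged traffic bypasses pf entirely. The script below is an added example, not something posted in the thread: it reads the two values (from live sysctl(8) on a pfSense/FreeBSD box, or from a captured sysctl listing) and reports where rules must live. The SAMPLE_SYSCTL text is constructed to mirror a default install.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.link.bridge` output from a pfSense box
# with default bridge filtering settings (assumed defaults: pfil_member=1,
# pfil_bridge=0). Not captured from the thread's firewall.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'

# sysctl_value NAME [TEXT]
# Print the value of sysctl NAME. With TEXT given, parse it from that captured
# "name: value" listing; otherwise query the live sysctl(8) on this host.
sysctl_value() {
    name=$1
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2" | awk -v n="$name" -F': ' '$1 == n { print $2 }'
    else
        sysctl -n "$name"
    fi
}

# bridge_filter_point [TEXT]
# Print where pf filters bridged traffic: member, bridge, both, or none.
#   member -> rules go on the member interfaces (OPT0 and VLAN20 here)
#   bridge -> rules go on the bridge interface only (BRIDGE0/WAN assignment)
#   both   -> traffic is checked on members and again on the bridge
#   none   -> pf never sees bridged frames; no rule anywhere applies
bridge_filter_point() {
    if [ $# -ge 1 ]; then
        member=$(sysctl_value net.link.bridge.pfil_member "$1")
        bridge=$(sysctl_value net.link.bridge.pfil_bridge "$1")
    else
        member=$(sysctl_value net.link.bridge.pfil_member)
        bridge=$(sysctl_value net.link.bridge.pfil_bridge)
    fi
    case "${member:-0}${bridge:-0}" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# rules_needed_on POINT
# Translate the filter point into the interface(s) that need the pass rules.
rules_needed_on() {
    case "$1" in
        member) echo "member interfaces only (e.g. OPT0 and VLAN20)" ;;
        bridge) echo "the bridge interface only (e.g. BRIDGE0)" ;;
        both)   echo "member interfaces and the bridge interface" ;;
        *)      echo "nowhere: bridged traffic bypasses pf" ;;
    esac
}

# Demo against the constructed sample; drop the argument to check a live host.
point=$(bridge_filter_point "$SAMPLE_SYSCTL")
echo "filter point: $point"
echo "pass rules belong on: $(rules_needed_on "$point")"
```

Run it without arguments on the firewall shell to check the live values; if it reports "member", rules on OPT0 and VLAN20 are the right place, and an unexplained block with nothing in the firewall log points elsewhere (as it did in this thread, to the switch trunk configuration).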



  • We sorted this out, it was a config within the HP switch for VLAN trunking that was causing issues with packet routing.

    Derelict, thanks again dude and sorry to waste your time.

    3 days, new infant, new work project, 6 hours total sleep; Kills the brain.