VLAN to VLAN routing issues



  • I am having routing issues with traffic from a specific VLAN to anywhere (other VLAN, out the WAN interface, etc.) that is not the same VLAN.  I have checked (repeatedly) my switch configuration.

    My setup:

    em0 - WAN - Public IP connected directly to my FiOS ONT
    bge0 - LAN (Default VLAN) - 192.168.250.0/24 - This works
    bge0, VLAN 101 - 'HOUSE_NET' - 192.168.1.0/24 - This works
    bge0, VLAN 102 - 'SHOP_NET' - 192.168.2.0/24 - Not tested yet
    bge0, VLAN 103 - 'WIRELESS' - 192.168.3.0/24 - This cannot connect to anything off-net
    bge0, VLAN 104 - 'VOICE' - 192.168.4.0/24 - Not tested yet
    bge0, VLAN 256 - 'MANAGEMENT' - 172.16.21.0/24 - This works

    All but MANAGEMENT have DHCP configured on them.  DHCP is configured for the correct gateway on each network (the .1 address in the subnet).
    The switch port that bge0 is connected to (a Cisco 3750) is configured for 802.1q trunking.
    All 6 VLANs (1, 101, 102, 103, 104, 256) are configured on the switch.  VLAN 256 is also configured as an interface on the switch with an IP address.
    I have multiple wireless access points, various vendors.  I can connect to any of them and receive a valid IP address.
    While associated with an AP, I can connect to that AP's management interface, or any other AP on the 192.168.3.0/24 net.  I cannot connect to anything else.  I can ping the default gateway for the WIRELESS net (192.168.3.1), I cannot ping any other gateway.  I can ping the WIRELESS gateway from the HOUSE_NET and MANAGEMENT networks.

    I have firewall rules configured in the FLOATING section using aliases to control most traffic:

    The INTERNAL_NETWORKS alias contains all of the bge0 networks, in CIDR notation.  The Appliances rule is for internet-connected devices (the Wii, Blu-Ray, etc.).  The any-any and INTERNAL_NETWORKS to any rules are temporary until I complete the rest of the rule base and identify the actual traffic that needs to pass the firewall.

    All of these rules, along with the default drop rule in each of the individual networks' rules, are marked to log, with the exception of the IPV6 and MS Services noise filter rules.  They are noise filters; I don't want to hear from them :D

    I see nothing in the logs indicating any traffic is being blocked.

    I have Apcupsd, OpenVPN Client Export Utility, pfBlockerNG, RRD Summary, and snort installed.  I previously removed squid, to make sure the proxy was not in the way.  Snort has not blocked any of the traffic I am attempting to reach.

    Finally, a bit about me - I am a network analyst in my day job; the team I am part of is responsible for the switching, routing, wireless, and firewall infrastructure for a very large multi-national corporation.  I am a bit familiar with how this is all supposed to work.  I have another pfSense firewall configured very similarly to this one, and have no inter-VLAN communications issues, and the VLANs (where allowed) can get to the outside world.

    Thanks in advance for any and all suggestions and offers of assistance.  If you need additional information, let me know.



  • Are devices in 192.168.3.* actually getting the correct gateway 192.168.3.1 from pfSense DHCP?
    Maybe you put something accidentally in the Gateway field of DHCP Server setup for that interface?

    As you say, if 192.168.3.* is somehow accidentally in one of the pfB or Adware_sites then the blocked traffic should be logged.

    You could traceroute out of a 192.168.3.* client and then do packet capture on pfSense to see if anything is arriving at all.
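As an added illustration of the packet-capture step suggested above (not part of either post), the script below classifies a constructed tcpdump-style capture from pfSense to show where echo traffic from the WIRELESS VLAN stops. The interface names (bge0_vlan103 and friends), the client 192.168.3.50 and every target address are assumptions, and the capture lines are constructed, not taken from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump-style line, prefixed with the pfSense interface it was captured on
# (assumed naming; pfSense's packet capture shows one interface at a time).
LINE_RE = re.compile(
    r"^(?P<ifn>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

# Constructed sample: one client on the WIRELESS VLAN pinging hosts on other VLANs.
SAMPLE_CAPTURE = """\
bge0_vlan103 IP 192.168.3.50 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
bge0_vlan101 IP 192.168.3.50 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
bge0_vlan101 IP 192.168.1.20 > 192.168.3.50: ICMP echo reply, id 7, seq 1, length 64
bge0_vlan103 IP 192.168.1.20 > 192.168.3.50: ICMP echo reply, id 7, seq 1, length 64
bge0_vlan103 IP 192.168.3.50 > 192.168.250.10: ICMP echo request, id 8, seq 1, length 64
bge0_vlan103 IP 192.168.3.50 > 172.16.21.5: ICMP echo request, id 9, seq 1, length 64
bge0_vlan256 IP 192.168.3.50 > 172.16.21.5: ICMP echo request, id 9, seq 1, length 64
"""
TARGETS = ["192.168.1.20", "192.168.250.10", "172.16.21.5", "8.8.8.8"]


def classify_flows(capture_text, client_net, client_if, targets):
    """Return {target: verdict} describing how far each echo flow got.

    never arrived  - nothing from the client reached its own VLAN interface
                     (wrong gateway from DHCP, VLAN not on the trunk, ...)
    not forwarded  - request seen on client_if only (filter or routing on pfSense)
    no reply       - request left another interface but no reply came back
    reply dropped  - reply reached pfSense but was not sent back to the client
    ok             - reply seen on client_if
    """
    net = ipaddress.ip_network(client_net)
    stages = defaultdict(set)  # target -> {"in", "out", "reply_in", "reply_back"}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ifn, src, dst, kind = m.group("ifn", "src", "dst", "kind")
        if kind == "request" and ipaddress.ip_address(src) in net:
            stages[dst].add("in" if ifn == client_if else "out")
        elif kind == "reply" and ipaddress.ip_address(dst) in net:
            stages[src].add("reply_back" if ifn == client_if else "reply_in")
    order = [("reply_back", "ok"), ("reply_in", "reply dropped"),
             ("out", "no reply"), ("in", "not forwarded")]
    return {t: next((v for s, v in order if s in stages[t]), "never arrived")
            for t in targets}
```

Run against a real capture, the "not forwarded" verdict is the one that points back at the firewall rules, while "never arrived" points at the client's gateway or the switch trunk.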
