VLAN works only in one direction?



  • Hi, I have set up one VLAN on only one interface. Computers behind the VLAN can access the internet and all other computers and ping them. But all computers behind the other interfaces can't ping computers behind the VLAN. I have set up gateways for every interface (to be able to policy-route and to be able to reply-to into the same interface where the packets come in). Also I have set a rule on every interface to allow all connections, all protocols.



  • @magnifico:

    gateways for every interface (to be able to policy-route and to be able to reply-to into the same interface where the packets come in). Also I have set a rule on every interface to allow all connections, all protocols.

    Could you elaborate on that? Gateways should be created only for REMOTE/unknown networks such as WAN.
    There is almost never a good reason to create gateways for locally connected/managed networks (yes, there are exceptions).

    Creating bogus gateways will, however, always get things messed up.


  • Netgate

    What he said. The only time you need a gateway is to route to networks that pfSense doesn't have a route for already. pfSense has a route for every network assigned to an interface by default. You don't need to route traffic to connected networks; you just need to pass traffic using rules on the source interface to the destination interface's network.



  • @heper:

    Could you elaborate on that? Gateways should be created only for REMOTE/unknown networks such as WAN.
    There is almost never a good reason to create gateways for locally connected/managed networks (yes, there are exceptions).

    Creating bogus gateways will, however, always get things messed up.

    They are all LANs, 5 interfaces, all equal, for LAN subnet communication. When I don't set a gateway, then I can't use policy routing, but pfSense is set up exactly and only for LAN subnet policy-based routing (source and destination are important in the routing decision). Also, when I don't have gateways set up, traffic doesn't come back into the same interface it entered pfSense on.

    My pfSense doesn't route only local subnets but also subnets behind other routers… To the internet I have 2 subnets before the final routers, 192.168.3.0 and 192.168.10.0. The policy must choose the gateway depending on the source IP. For LANs I have 3 subnets: 192.168.2.0, 192.168.1.0 and 192.168.4.0. Between pfSense and the computers I have more routers. Some 192.168.12.0 subnet computers reach pfSense through the 192.168.1.0 subnet and some through the 192.168.2.0 subnet. The usual routing table is unable to choose the interface, because they are all 192.168.12.0 subnet computers going to the internet through different LANs and different WANs.


  • Netgate

    You are probably dealing with asymmetric routing back from the local networks in one way or another.

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Asymmetric_Routing

    Diagram your network and trace the traffic flow in both directions and whatever the problem is will become clear.



  • @Derelict:

    You are probably dealing with asymmetric routing back from the local networks in one way or another.

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Asymmetric_Routing

    Diagram your network and trace the traffic flow in both directions and whatever the problem is will become clear.

    No, I have no asymmetric routing anywhere, and I don't want asymmetry in routing in any case; all connections must come back exactly the same road they started on. The problem is with VLAN8. VLAN8 is connected to the 192.168.2.0 subnet. There is only this VLAN8 and nothing more. All 2.0 and 12.0 computers reach the internet through this VLAN interface and I can also ping pfSense from those computers, but I can't ping any 2.0 or 12.0 computers from the 3.0 subnet, and I also can't ping them from the pfSense ping tool. … There can't be any asymmetry, because I ping 192.168.2.2 from 192.168.2.1 and can't get an answer, but when I ping 192.168.2.1 from 192.168.2.2 then I get an answer. There is no problem at all with routing. This must be some bug related to VLAN.


  • Netgate

    It's not a bug, dude.

    Draw a diagram.

    Post your rules and interface configs.

    There can't be any asymmetry, because I ping 192.168.2.2 from 192.168.2.1 and can't get an answer, but when I ping 192.168.2.1 from 192.168.2.2 then I get an answer.

    pfSense is not involved at all in that circumstance. All the traffic is on the same segment. Unless one of those is the pfSense interface address, in which case check the firewall rules on that interface to be sure they allow the traffic. ICMP echo-request in that case.



  • @Derelict:

    It's not a bug, dude.

    Draw a diagram.

    Post your rules and interface configs.

    Rules:
    Floating:
    Proto     Source            Port  Destination    Port         Gateway       Queue
    IPv4 TCP  *                 *     This Firewall  80 (HTTP)    *             none
    IPv4 TCP  *                 *     This Firewall  443 (HTTPS)  *             none
    IPv4 *    NO_GAIA_hosts     *     *              *            OPT2_WAN2_GW  none
    IPv4 *    NO_GAIA_networks  *     *              *            OPT2_WAN2_GW  none

    Other interfaces:
    All allow.

    VLAN8 interface config:

    Nothing is set other than IP 192.168.2.1 and gateway 192.168.2.2.


  • Netgate

    Instead of posting what you think you've done, post what you've actually done.

    If you really have pass any any any rules on the VLAN interface, it would be working. That, or you need to bypass policy routing for something.

    I'll ask again for a diagram.

    Why are you messing around with floating rules?  What interfaces are they on in what direction?



  • @Derelict:

    Instead of posting what you think you've done, post what you've actually done.

    If you really have pass any any any rules on the VLAN interface, it would be working. That, or you need to bypass policy routing for something.

    I'll ask again for a diagram.

    Why are you messing around with floating rules?  What interfaces are they on in what direction?

    What do you mean by "diagram"? Do you want to say that "floating rules" are in beta testing and actually don't work? In the interface tabs there is only one rule in every interface tab, and this rule allows all traffic, any direction, any protocol. Floating rules apply to every interface and are processed prior to the other rules (I have set the quick option). The first two rules allow connections to pfSense. The last two rules direct some computers' traffic (source) to WAN2 (destination). As I understand it, I don't need a rule for pinging from pfSense to a local subnet directly connected to pfSense. Although I also tested explicitly putting a rule from pfSense to the VLAN8 subnet, it didn't change anything.


  • Netgate

    Floating rules work fine if you've configured them correctly.

    Good luck.



  • @Derelict:

    Floating rules work fine if you've configured them correctly.

    Good luck.

    What is "correctly", to be able to ping from the pfSense ping tool to a computer directly connected to a pfSense interface?


  • Netgate

    You are not giving me the information I am asking for to help you find what you have configured wrong so good luck.  Maybe someone else's crystal ball is working.



  • @Derelict:

    You are not giving me the information I am asking for to help you find what you have configured wrong so good luck.  Maybe someone else's crystal ball is working.

    What information do you want? Also, I disabled the last two rules temporarily, but still no ping.


  • Netgate

    A diagram of your network including all gateways and downstream routers.

    Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules.  For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.

    If not screen captures then a detailed listing of all fields on the rule config screens.

    Look at the diagram in my signature if you need to know what information is necessary to properly help you.

    My pfSense doesn't route only local subnets but also subnets behind other routers

    We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.



  • @Derelict:

    A diagram of your network including all gateways and downstream routers.

    Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules.  For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.

    If not screen captures then a detailed listing of all fields on the rule config screens.

    Look at the diagram in my signature if you need to know what information is necessary to properly help you.

    My pfSense doesn't route only local subnets but also subnets behind other routers

    We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.

    This diagram is a big job and I don't have a complete PowerPoint or Paint drawing of it myself, only a freehand picture on a piece of paper. But I think this is not important, because rules don't have any meaning when I want to ping a locally connected computer. I think the problem is in pfSense VLAN communication with my L2 switch or VMware Workstation. Although before pfSense, in the same place, there was a MikroTik virtual machine and I was able to ping. On the VMware host I have also always removed VLAN support from the network cards: when there is support for VLANs, then Windows removes the tags, but if it's disabled, it doesn't. And with MikroTik it worked, so it must not be a problem with the network card configuration.


  • Netgate

    Okay. Good luck. If it's too much work for you it's certainly too much work for me.



  • A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.

    I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.



  • @cmb:

    A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.

    I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.

    No, I disabled those policy-routing rules, I have no rules now, it doesn't change anything, still can't ping. Policy routing in pfSense doesn't force the ping reply to another interface, because in pfSense policy routing is stateful. This was the main reason why I installed pfSense. This is unique. Previously I had MikroTik. In MikroTik and in all other firewalls policy routing is always stateless, and I have tested many firewalls.
    The "reply-to" is also unique, to revert back to the interface where the packets enter pfSense. This is because FreeBSD is more powerful than Linux. It just gives such extra features and possibilities. Most firewalls are Linux based and lack those possibilities. So pfSense has very good potential to become a good or even one of the best enterprise firewalls. But you don't have normal documentation and it now contains too many bugs for enterprise work. This VLAN problem is a BUG!!! I had MikroTik there before and there was no ping problem. This is on VLAN stuff. Also I found out that captive portal doesn't work, and there was a problem with switching off state checking (switching the firewall into stateless mode wasn't possible: the rules just didn't work). Those are all bugs and you can't fix them this way, hoping only on a forum where nobody cares. You must test this software yourselves or hire some tester. … Those bugs are not a catastrophe and I still proceed using pfSense; although the lack of traffic into the VLAN is a little frustrating, the most important functionality I'm interested in is working (especially stateful policy routing and reply-to).



  • @magnifico:

    This VLAN problem is BUG!!!

    That's a strong statement. VLAN = layer 2; from what you describe I would tend to think this is a layer 3 issue.
    What about scanning that hand-made drawing? That will be the key to getting better support, making people understand your setup.
    Also, did you traceroute your paths? Some output from the issue would be nice (you can insert images here).



  • @bennyc:

    @magnifico:

    This VLAN problem is a BUG!!!

    That's a strong statement. VLAN = layer 2; from what you describe I would tend to think this is a layer 3 issue.
    What about scanning that hand-made drawing? That will be the key to getting better support, making people understand your setup.
    Also, did you traceroute your paths? Some output from the issue would be nice (you can insert images here).

    Seems that I'm the first user who has tested pinging a VLAN.


  • Banned

    @magnifico:

    Seems that I'm the first user who has tested pinging a VLAN.

    Yeah, definitely…  ;D ::)



  • @doktornotor:

    @magnifico:

    Seems that I'm the first user who has tested pinging a VLAN.

    Yeah, definitely…  ;D ::)

    This is not funny, I'm talking seriously. Usually a commercial company says thanks for that and fixes the problem. This has happened before in reality. This is exactly the reason why freeware has so many bugs: because they don't care and don't test the software before release. Some companies even never give beta versions to the public… I say what needs to be done: just install pfSense, set up a VLAN on some interface and ping it… that's all, no more chemistry needed.


  • Banned

    Yeah. It is extremely funny. Instead of wasting time with similar ridiculous claims, you could have produced the repeatedly requested network diagram about 10 times already.



  • You ping an IP, not a VLAN. At best, you ping the SVI (which belongs to the VLAN) on your L3 switch, or an IF on pfSense.
    Look, your setup seems… complex to understand by description.
    Do yourself a favor, get that paper scanned, or take a photo of it. Or work on it in Excel or something similar.
    Keep it simple though: blocks with ranges, devices (with IPs and CIDR), gateways. Shouldn't be that hard, and it can serve for other things than just this topic.

    IMHO that will be way more productive, and might give the people here the opportunity to help you out. (bug, design or config issue)


  • Banned

    And while at it, kindly post the rest of the requested info as well…



  • @doktornotor:

    Yeah. It is extremely funny. Instead of wasting time with similar ridiculous claims, you could have produces the repeatedly requested network diagram about 10 times already.

    You don't need this diagram; you are not able to fix this bug anyway. To ask for a diagram for such a simple bug only shows your incompetence.
    The only hope is when some developer sees this thread and she/he knows what to do and fixes the bug, without any diagram. I searched the internet and saw lots of forums where problems arise related to VLANs.


  • Banned

    There are lots of bugs in your head. No need to post to a forum asking for help when you instead of providing requested information keep posting useless noise and utterly ridiculous claims. There are people using hundreds of VLANs with pfSense in production. Quit this bullcrap.

    Ktnxbye.


  • Rebel Alliance Global Moderator

    First user to ping a VLAN??  What??

    Dude, I ping between my VLANs without any problems.. You have to allow it in the rules..  Out of the box you have LAN.. the rules on LAN (192.168.0/24) are any any.. So if you create a new OPT interface for VLAN 100, let's call it 192.168.100/24, I will be able to ping anything on VLAN 100 from LAN.  But VLAN 100 wouldn't be able to do anything, because pfSense does not create any rules on OPT interfaces.  You have to create them..

    So depending how you create them you would be able to ping or not ping, etc. etc..

    Post up your lan rules, post up rules of one of your vlan interfaces.

    Look
    my lan is 192.168.9.0/24
    I have a vlan I call wlan 192.168.2.0/24

    As you can see here is client on lan pinging client on wlan

    user@ubuntu:~$ ping 192.168.2.11
    PING 192.168.2.11 (192.168.2.11) 56(84) bytes of data.
    64 bytes from 192.168.2.11: icmp_seq=1 ttl=63 time=1.39 ms
    64 bytes from 192.168.2.11: icmp_seq=2 ttl=63 time=0.837 ms
    64 bytes from 192.168.2.11: icmp_seq=3 ttl=63 time=1.02 ms
    ^C
    --- 192.168.2.11 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 0.837/1.085/1.392/0.233 ms
    user@ubuntu:~$ traceroute 192.168.2.11
    traceroute to 192.168.2.11 (192.168.2.11), 64 hops max
      1  192.168.9.253  1.035ms  0.216ms  0.414ms
      2  192.168.2.11  1.036ms  0.753ms  1.408ms

    You also have to worry about host firewall rules in another segment.  Out of the box, for example, a Windows box will block ping from anything outside its network.

    I just do not understand how you got into such a state.  How are you touching a firewall and network equipment without a basic understanding of the most basic concepts?  This is your network?  And you don't have a drawing?  Or cannot draw up a basic one in like 2 minutes?  You don't have to list out all 50 VLANs if you had that many.. 2 would work for an example to get across what your issue is or isn't..

    Screenshots of your rules take all of 10 seconds...

    People cannot help you without details.. And if you're more fluent in another language (I take it English is not native for you) you might get better help on that section of the board; it might be easier to get your setup across.
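    The mechanics described in this thread (Derelict: pfSense already has a route to every connected subnet, so no gateway is needed to reach it; cmb: a policy-routing rule with a gateway pushes even locally destined traffic to that gateway; johnpoz: LAN ships with a pass-any rule while OPT/VLAN interfaces get none) can be walked through in a small Python model. This is an added example, not pfSense or pf code and not anything a poster wrote. It deliberately simplifies pf semantics: every rule is treated as quick (first match wins), floating rules run before interface rules, only forwarded traffic is modelled (not traffic pfSense itself originates, and no reply-to), and the subnets, hosts, alias contents and gateway addresses are invented.

```python
"""Toy model of pfSense-style rule evaluation and policy routing.

Added example, not pfSense or pf code. Simplifying assumptions:
  * every rule is "quick" (first match wins), as pfSense interface-tab
    rules always are and as the poster set on his floating rules;
  * floating rules are evaluated before the per-interface rules;
  * only traffic forwarded *through* the firewall is modelled, not
    traffic pfSense itself originates, and reply-to is not modelled;
  * subnets, hosts, aliases and gateway addresses below are made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    src: Optional[IPv4Network] = None   # None means "any"
    dst: Optional[IPv4Network] = None   # None means "any"
    gateway: Optional[str] = None       # policy-routing gateway; None = routing table

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and (
            self.dst is None or dst in self.dst)


@dataclass
class Firewall:
    interfaces: Dict[str, IPv4Network]      # interface name -> connected subnet
    gateways: Dict[str, IPv4Address]        # gateway name -> next-hop address
    default_gw: IPv4Address
    floating: List[Rule] = field(default_factory=list)
    per_iface: Dict[str, List[Rule]] = field(default_factory=dict)

    def ingress_iface(self, src: IPv4Address) -> str:
        for name, net in self.interfaces.items():
            if src in net:
                return name
        raise ValueError(f"{src} is not on any connected subnet")

    def route(self, dst: IPv4Address) -> Tuple[str, str]:
        """Plain routing-table lookup: every connected subnet already has a
        route, so no gateway is needed to reach it."""
        for name, net in self.interfaces.items():
            if dst in net:
                return (name, "connected")
        return ("WAN", f"default gateway {self.default_gw}")

    def forward(self, src: IPv4Address, dst: IPv4Address) -> Tuple[str, str]:
        """Evaluate floating rules, then the rules of the ingress interface."""
        iface = self.ingress_iface(src)
        for rule in self.floating + self.per_iface.get(iface, []):
            if not rule.matches(src, dst):
                continue
            if rule.action == "block":
                return ("blocked", f"explicit block rule on {iface}")
            if rule.gateway is not None:
                # Policy routing: the gateway wins even when dst is local,
                # so the echo request leaves via the upstream router.
                return ("policy-routed", f"next hop {self.gateways[rule.gateway]}")
            return self.route(dst)
        # pfSense creates no rules on OPT interfaces, so unmatched = dropped.
        return ("blocked", f"no matching rule on {iface} (default deny)")


def build_demo() -> Dict[str, Tuple[str, str]]:
    lan, wlan = IPv4Network("192.168.9.0/24"), IPv4Network("192.168.2.0/24")
    fw = Firewall(
        interfaces={"LAN": lan, "WLAN": wlan},
        gateways={"WAN2_GW": IPv4Address("203.0.113.1")},   # made-up 2nd WAN
        default_gw=IPv4Address("198.51.100.1"),             # made-up 1st WAN
        per_iface={"LAN": [Rule("pass")], "WLAN": []},      # out-of-box state
    )
    lan_host, wlan_host = IPv4Address("192.168.9.10"), IPv4Address("192.168.2.11")
    internet = IPv4Address("192.0.2.1")
    out = {}
    out["lan_to_vlan_default"] = fw.forward(lan_host, wlan_host)
    out["vlan_to_lan_default"] = fw.forward(wlan_host, lan_host)
    out["lan_to_internet_default"] = fw.forward(lan_host, internet)
    fw.per_iface["WLAN"].append(Rule("pass"))               # add the missing rule
    out["vlan_to_lan_with_rule"] = fw.forward(wlan_host, lan_host)
    # Floating quick rule sending half of LAN out the second WAN, in the
    # style of the poster's NO_GAIA_* rules (alias contents invented here).
    fw.floating.append(Rule("pass", src=IPv4Network("192.168.9.0/25"), gateway="WAN2_GW"))
    out["lan_to_vlan_policy_routed"] = fw.forward(lan_host, wlan_host)
    out["lan_to_internet_policy_routed"] = fw.forward(lan_host, internet)
    # The bypass: pass traffic to local subnets *without* a gateway, placed
    # above the policy-routing rule.
    fw.floating.insert(0, Rule("pass", dst=wlan))
    out["lan_to_vlan_bypassed"] = fw.forward(lan_host, wlan_host)
    out["lan_to_internet_still_policy_routed"] = fw.forward(lan_host, internet)
    return out


if __name__ == "__main__":
    for name, (where, how) in build_demo().items():
        print(f"{name:40s} -> {where}: {how}")
```

    Run it and the sequence reproduces the thread's points in order: LAN reaches the VLAN host through the connected route with no gateway involved, the VLAN host gets default-denied until a rule exists on its interface, the gateway-carrying floating rule sends the local ping to the second WAN where no answer can come back, and a gateway-less pass rule for the local subnet placed above it restores local delivery while internet traffic stays policy-routed.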


  • Netgate

    I searched the internet and saw lots of forums where problems arise related to VLANs.

    Yeah mostly because the people having such problems don't know what they are doing.

    You have it in your head that it's a "bug" and can't get out of that mode.

    At a minimum, post the EXACT STEPS to take to reproduce "the bug."  It's the first thing anyone in development will ask for in the bug report.  If it's a bug in the VLAN code it ought to be easily reproducible on a small bench/lab setup.  Or is that too much work too?



  • @johnpoz:

    Post up your lan rules, post up rules of one of your vlan interfaces.

    I have in pfSense on every interface only one rule that allows all connections, all protocols. In the interface configuration there is only an IP and a gateway to the next hop. The interface is assigned to VLAN8 and VLAN8 is assigned to the physical interface. This physical interface is a VMware Workstation virtual network card that is connected to a virtual switch. The virtual switch is bound to the Windows 2008 host's physical network card, where only the VMware binding protocol is allowed. Then this network Cat5 cable goes to a TP-Link L2 switch, then to another TP-Link L2 switch and then into a TP-Link WiFi router's WAN. The WiFi router can ping the pfSense interface, but the pfSense ping tool can't ping the WiFi router's WAN.


  • Netgate

    Probably because, as has been said many times, your policy routing is probably sending the pfSense-originated traffic out some other gateway because that's what you told it to do, while pinging into the pfSense interface is working because of reply-to for the return traffic. Since you refuse to post details, that is just a guess.

    Rules on the VLAN interface have nothing to do with traffic originating from pfSense.  You also have floating rules which CAN affect traffic in the outbound direction of an interface but you refuse to post actual details about those, too.


  • Banned

    Or he's blocking the traffic on the unknown wifi router's WAN firewall (which shouldn't be doing any routing in the first place and should most likely be connected via a LAN port). Or… pfS FW rules requested -> nothing. Diagram request - some messy setup description posted instead. Logs? Nothing. Who needs any info after all. It's pfSense bug with VLANs, 333% -- because noone ever pinged a host on VLAN before!!!

    Why are we still wasting time here?  ::)


  • Rebel Alliance Global Moderator

    "In interface configuration there is only IP and gateway to next hop"

    LAN interfaces would not have a gateway.. What do you think the next hop is??

    I'm just here for your witty comments dok – you always make every day brighter with your wonderful way with words and cheerful disposition towards incompetence..  I don't know how you do it, but pretty much every post of yours puts a smile on my face ;)  Another applaud for you btw.. 300 is just around the corner.



  • @magnifico:

    The WiFi router can ping the pfSense interface, but the pfSense ping tool can't ping the WiFi router's WAN.

    You're still very sparse with information  ??? When you say ping the WiFi router WAN, is that an IP in the same subnet as where the pfSense IP in VLAN 8 resides?
    Repeat the test with pfSense Diagnostics: Traceroute, and post the output please.


  • Rebel Alliance Global Moderator

    Diag, traceroute and then post output..  JFC dude, that is a lot of work for what is clearly a bug in pfSense's use of VLANs.. Just search the internet and see how many problems you get with VLANs.. ;) ROFL….



  • @johnpoz:

    Diag, traceroute and then post output..  JFC dude, that is a lot of work for what is clearly a bug in pfSense's use of VLANs.. Just search the internet and see how many problems you get with VLANs.. ;) ROFL….

    Agree  ;D nearly fell off my chair when I read your post.

    Anyhow, it's an intriguing design with enough routers to keep one busy. I've read this for the fifth time or so trying to see the picture (he's refusing to draw  ::) ):

    @magnifico:

    They are all LANs, 5 interfaces, all equal, for LAN subnet communication. When I don't set a gateway, then I can't use policy routing, but pfSense is set up exactly and only for LAN subnet policy-based routing (source and destination are important in the routing decision). Also, when I don't have gateways set up, traffic doesn't come back into the same interface it entered pfSense on. My pfSense doesn't route only local subnets but also subnets behind other routers… To the internet I have 2 subnets before the final routers, 192.168.3.0 and 192.168.10.0. The policy must choose the gateway depending on the source IP. For LANs I have 3 subnets: 192.168.2.0, 192.168.1.0 and 192.168.4.0. Between pfSense and the computers I have more routers. Some 192.168.12.0 subnet computers reach pfSense through the 192.168.1.0 subnet and some through the 192.168.2.0 subnet. The usual routing table is unable to choose the interface, because they are all 192.168.12.0 subnet computers going to the internet through different LANs and different WANs.

    And now I'm in doubt whether my request for a traceroute is going to bring anything useful. I also fail to see why he thinks it's a VLAN issue; this is clearly routing stuff. And I'm not even sure one can accomplish what he wants using pfSense?

    Maybe we should ask for a drawing  ;)


  • Banned

    @bennyc:

    Maybe we should ask for a drawing  ;)



  • @doktornotor: Where do you keep finding them ;D  Hilarious…

    @johnpoz:

    LAN interfaces would not have a gateway.. What do you think the next hop is??

    Well… not always true  :o

    If it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed.
    So the next hop for the LAN could be the SVI of the VLAN (on the L3 switch), and that is not on pfSense (but the subnets are known by pfSense (System: Routing: Routes)). And so on.

    One thing is true however. You cannot ping the VLAN  ;D ;D  (sorry, couldn't help myself  8))

    So magnifico, how about a drawing?

    --edit: cleaned up, removed non relevant info--



  • The problem is resolved, thanks all for the help, and still, never undervalue bugs. There are still lots of bugs. Captive portal, for example, doesn't work, but no problem, I use Kerio portal, it's better stuff… The problem with ping was in the WiFi router; there was a firmware upgrade before… And also before, I noticed that switching off state and making double rules for both directions didn't work on the first try, but this is also not very important; usually I like to use stateful mode… pfSense is good, but it can be even better when the developers write documentation and test it more, and then it can be usable also for enterprises. So, good luck and thank you all; I hope I can now configure it myself in a while.