Netgate Discussion Forum

    VLAN works only one direction?

    Category: Routing and Multi WAN
    54 Posts, 7 Posters, 17.1k Views
    • heper:

      @magnifico:

      gateways for every interface (to be able to policy-route and to be able to reply-to into the same interface where packets come in). Also I have set a rule for every interface to allow all connections, all protocols.

      Could you elaborate on that? Gateways should be created only for REMOTE/unknown networks such as WAN.
      There is almost never a good reason to create gateways for locally connected/managed networks (yes, there are exceptions).

      Creating bogus gateways will, however, always get things messed up.

      • Derelict (Netgate):

        What he said.  The only time you need a gateway is to route to networks that pfSense doesn't have a route for already.  pfSense has a route for every network assigned to an interface by default.  You don't need to route traffic to connected networks, you just need to pass traffic using rules on the source interface to the destination interface's network.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • magnifico:

          @heper:

          Could you elaborate on that? Gateways should be created only for REMOTE/unknown networks such as WAN.
          There is almost never a good reason to create gateways for locally connected/managed networks (yes, there are exceptions).

          Creating bogus gateways will, however, always get things messed up.

          They are all LANs, 5 interfaces, all equal, for LAN subnet communication. When I don't set a gateway, then I can't use policy routing, but pfSense is set up exactly only for LAN subnet policy-based routing (source and destination important in the routing decision). Also, when I don't have gateways set up, then traffic doesn't come back into the same interface as it enters pfSense. My pfSense doesn't route only local subnets but also subnets behind other routers. To the internet I have 2 subnets before the final routers, 192.168.3.0 and 192.168.10.0. Policy must choose the gateway depending on source IP. For LANs I have 3 subnets, 192.168.2.0, 192.168.1.0 and 192.168.4.0. Between pfSense and the computers I have more routers. Some 192.168.12.0 subnet computers reach pfSense through the 192.168.1.0 subnet and some through the 192.168.2.0 subnet. The usual routing table is unable to choose the interface because they are all 192.168.12.0 subnet computers, going to the internet through different LANs and different WANs.

          • Derelict (Netgate):

            You are probably dealing with asymmetric routing back from the local networks in one way or another.

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Asymmetric_Routing

            Diagram your network and trace the traffic flow in both directions and whatever the problem is will become clear.

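The asymmetric-routing case Derelict links to, as an added example that is not part of the thread and is not pfSense's generated ruleset: hand-written pf rules (the language pfSense compiles its rule tabs into) for a downstream network that can arrive on two interfaces while, as an assumed reading of the topology described above, only one static route points back to it. Interface names, the downstream router address and the table contents are assumptions.

```pf
# Added example, not from the thread and not pfSense's generated ruleset.
# Interface names, the downstream router and the table contents are assumptions.
lan_if   = "em0"      # LAN,   192.168.1.1/24
vlan8_if = "vlan8"    # VLAN8, 192.168.2.1/24, tag 8 on the parent NIC
table <downstream> { 192.168.12.0/24 }
table <local_nets> { 192.168.1.0/24, 192.168.2.0/24, 192.168.4.0/24, 192.168.12.0/24 }

# Assumed routing table: the only route back to 192.168.12.0/24 goes through the
# router on LAN (a static route in System > Routing, equivalent to:
#   route add -net 192.168.12.0/24 192.168.1.254 ).
# A 192.168.12.x host whose traffic arrives on vlan8 gets its state created there,
# while pfSense sends the reply out em0. pf expects to see both directions of a
# conversation through the state it created; when the reply bypasses that state,
# strict TCP tracking drops what it cannot match and the flow works one way only.

# The "allow all" rule each interface tab in the thread carries (interface rules
# only match traffic entering that interface):
pass in on $lan_if   inet from any to any keep state
pass in on $vlan8_if inet from any to any keep state

# Workaround pfSense documents for asymmetric routing: a floating rule, evaluated
# before the interface rules because of "quick", that does not insist on seeing
# the full handshake.
#   flags any            accept any TCP flag combination as the first packet
#   keep state (sloppy)  track the state without TCP sequence-number checking
pass quick on { $lan_if $vlan8_if } inet proto tcp \
    from <local_nets> to <local_nets> flags any keep state (sloppy)
pass quick on { $lan_if $vlan8_if } inet proto { udp icmp } \
    from <local_nets> to <local_nets> no state

# The real fix is to remove the asymmetry: either a separate route for the hosts
# that sit behind vlan8, or all of 192.168.12.0/24 behind one interface, so that a
# flow's state and its reply are on the same interface.
```

On a live box, `pfctl -sr` prints the rules pf actually loaded and `pfctl -ss` the states it holds; a TCP state that stays at SYN_SENT:CLOSED, or a flow whose two directions show up on different interfaces, is the asymmetry made visible, which is the "trace the traffic in both directions" step in concrete form. The sloppy rule trades away part of pf's TCP tracking, so it belongs only on the internal interfaces that carry the asymmetric flows, never on a WAN.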
            • magnifico:

              @Derelict:

              You are probably dealing with asymmetric routing back from the local networks in one way or another.

              https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Asymmetric_Routing

              Diagram your network and trace the traffic flow in both directions and whatever the problem is will become clear.

              No, I have no asymmetric routing anywhere, and I don't want asymmetry in routing in any case; all connections must come back exactly the same road as they start. The problem is with VLAN8. VLAN8 is connected to the 192.168.2.0 subnet. There is only this VLAN8 and nothing more. All 2.0 and 12.0 computers reach the internet through this VLAN interface and I can also ping pfSense from those computers, but I can't ping any 2.0 or 12.0 computers from the 3.0 subnet, and I also can't ping them from the pfSense ping tool. There can't be any asymmetry because I ping 192.168.2.2 from 192.168.2.1 and can't get an answer, but when I ping 192.168.2.1 from 192.168.2.2 then I get an answer. There is no problem at all with routing. This must be some bug related to VLAN.

              • Derelict (Netgate):

                It's not a bug, dude.

                Draw a diagram.

                Post your rules and interface configs.

                There can't be any asymmetry because I ping 192.168.2.2 from 192.168.2.1 and can't get an answer, but when I ping 192.168.2.1 from 192.168.2.2 then I get an answer.

                pfSense is not involved at all in that circumstance.  All the traffic is on the same segment.  Unless one of those is the pfSense interface address in which case check the firewall rules on that interface to be sure they allow the traffic.  ICMP echo-request in that case.

                • magnifico:

                  @Derelict:

                  It's not a bug, dude.

                  Draw a diagram.

                  Post your rules and interface configs.

                  Rules:
                  Floating:
                  Proto     Source            Port  Destination    Port         Gateway       Queue
                  IPv4 TCP  *                 *     This Firewall  80 (HTTP)    *             none
                  IPv4 TCP  *                 *     This Firewall  443 (HTTPS)  *             none
                  IPv4 *    NO_GAIA_hosts     *     *              *            OPT2_WAN2_GW  none
                  IPv4 *    NO_GAIA_networks  *     *              *            OPT2_WAN2_GW  none

                  Other interfaces:
                  All allow.

                  VLAN8 interface config:

                  There is nothing more set than IP 192.168.2.1 and gateway 192.168.2.2.

                  • Derelict (Netgate):

                    Instead of posting what you think you've done, post what you've actually done.

                    If you really have pass any any any rules on the VLAN interface it would be working.  That or you need to bypass policy routing for something.

                    I'll ask again for a diagram.

                    Why are you messing around with floating rules?  What interfaces are they on in what direction?

                    • magnifico:

                      @Derelict:

                      Instead of posting what you think you've done, post what you've actually done.

                      If you really have pass any any any rules on the VLAN interface it would be working.  That or you need to bypass policy routing for something.

                      I'll ask again for a diagram.

                      Why are you messing around with floating rules?  What interfaces are they on in what direction?

                      What do you mean by "diagram"? Do you want to say that "floating rules" are in beta testing and actually don't work? In the interface tabs there is only one rule in every interface tab, and this rule allows all traffic, any direction, any protocol. Floating rules apply to every interface and are processed before other rules (I have set the quick option). The first two rules allow connection to pfSense. The last two rules direct some computers' traffic (source) to WAN2 (destination). As I understand it, I don't need a rule for pinging from pfSense to a local subnet directly connected to pfSense. Although I also tested explicitly putting a rule from pfSense to the VLAN8 subnet, it didn't change anything.

                      • Derelict (Netgate):

                        Floating rules work fine if you've configured them correctly.

                        Good luck.

                        • magnifico:

                          @Derelict:

                          Floating rules work fine if you've configured them correctly.

                          Good luck.

                          What is "correctly" to be able to ping from the pfSense ping tool to a computer directly connected to a pfSense interface?

                          • Derelict (Netgate):

                            You are not giving me the information I am asking for to help you find what you have configured wrong so good luck.  Maybe someone else's crystal ball is working.

                            • magnifico:

                              @Derelict:

                              You are not giving me the information I am asking for to help you find what you have configured wrong so good luck.  Maybe someone else's crystal ball is working.

                              What information do you want? Also, I disabled the last two rules temporarily, but still no ping.

                              • Derelict (Netgate):

                                A diagram of your network including all gateways and downstream routers.

                                Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules.  For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.

                                If not screen captures then a detailed listing of all fields on the rule config screens.

                                Look at the diagram in my signature if you need to know what information is necessary to properly help you.

                                My pfSense doesn't route only local subnets but also subnets behind other routers

                                We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.

                                • magnifico:

                                  @Derelict:

                                  A diagram of your network including all gateways and downstream routers.

                                  Proper screen captures of your firewall rules on both the VLAN8 interface and all the floating rules.  For floating rules you need to capture the actual rule config screen so we get interfaces and directions on which the rules apply.

                                  If not screen captures then a detailed listing of all fields on the rule config screens.

                                  Look at the diagram in my signature if you need to know what information is necessary to properly help you.

                                  My pfSense doesn't route only local subnets but also subnets behind other routers

                                  We need to know what all that is - at least insofar as it relates to the 192.168.2.xxx subnet.

                                  This diagram is big work, and I myself don't have a complete PowerPoint or Paint drawing of it made, only a freehand picture on a piece of paper. But I think this is not important, because rules don't have any meaning when I want to ping a locally connected computer. I think the problem is in pfSense's VLAN communication with my L2 switch or VMware Workstation. Although before pfSense, in the same place, there was a MikroTik virtual machine and I was able to ping. On the VMware host I have also always removed VLAN support from the network cards: when there is support for VLANs, then Windows removes the tags, but if it's disabled, it doesn't. And with MikroTik it worked, so it must not be a problem with the network card configuration.

                                  • Derelict (Netgate):

                                    Okay. Good luck. If it's too much work for you it's certainly too much work for me.

                                    • cmb:

                                      A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.

                                      I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.

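The mechanism cmb describes, as an added example that is not from the thread and is not pfSense's own generated ruleset: hand-written pf rules showing what a quick floating rule with a gateway does to traffic for a directly connected host, the bypass rule that fixes it, and the reply-to counterpart that pfSense attaches to rules on an interface that has a gateway assigned (as VLAN8 does in the thread). Interface names, the WAN2 gateway address and the alias contents are assumptions; the thread never shows what NO_GAIA_hosts contains.

```pf
# Added example, not from the thread and not pfSense's generated ruleset.
# Interface names, the WAN2 gateway and the alias contents are assumptions.
wan2_if  = "em2"           # interface behind the thread's OPT2_WAN2_GW
wan2_gw  = "192.168.10.1"  # assumed upstream router on 192.168.10.0/24
vlan8_if = "vlan8"         # VLAN8, 192.168.2.1/24
table <NO_GAIA_hosts> { 192.168.12.10, 192.168.12.11 }   # assumed alias members
table <local_nets>    { 192.168.1.0/24, 192.168.2.0/24, 192.168.4.0/24, 192.168.12.0/24 }

# What a quick floating rule "NO_GAIA_hosts -> any, gateway OPT2_WAN2_GW" comes
# down to. "quick" ends evaluation at the first match and route-to overrides the
# routing table, so a packet from a listed host to 192.168.2.2 is never put on
# vlan8 at all: it is handed to 192.168.10.1 on em2, an upstream router with no
# reason to know a host that sits directly on this firewall's VLAN. No reply.
pass in quick route-to ($wan2_if $wan2_gw) inet from <NO_GAIA_hosts> to any keep state

# Fix: a rule WITHOUT a gateway for local destinations, placed above the route-to
# rule (in the GUI: same floating tab, same source, destination = an alias of the
# local networks, gateway left at default). Local traffic then follows the routing
# table (direct delivery, ARP on vlan8); only traffic to anything else is steered
# to WAN2.
pass in quick inet from <NO_GAIA_hosts> to <local_nets> keep state
pass in quick route-to ($wan2_if $wan2_gw) inet from <NO_GAIA_hosts> to any keep state

# reply-to is the return-path counterpart, and is what pfSense adds to the rules
# of an interface that has a gateway assigned: the reply to a connection that
# entered on vlan8 is sent back out vlan8 to that gateway address instead of
# wherever the routing table would send it. With 192.168.2.2 configured as the
# VLAN8 gateway, as in the thread, that address is where every reply goes.
pass in quick on $vlan8_if reply-to ($vlan8_if 192.168.2.2) inet from any to any keep state
```

On the box, `pfctl -sr | grep route-to` lists every loaded rule that carries a gateway, so a policy-routing rule that quietly still matches shows up even when the GUI suggests it is disabled, and a capture on the VLAN interface (Diagnostics > Packet Capture, or `tcpdump -ni vlan8 icmp` from a shell) settles whether the echo request reaches the segment at all. If the request is on the wire and nothing answers, the rules are not the problem and the fault is below pfSense, on the VLAN tagging or the host.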
                                      • magnifico:

                                        @cmb:

                                        A few minutes with Gliffy would suffice for a basic diagram to show what you're trying to do.

                                        I'm guessing you can't ping the local IPs because of your policy routing rules. Policy routing forces traffic to the specified gateway, which won't get you a reply on local interfaces since you're sending it out to your upstream router.

                                        No, I disabled those policy-routing rules; I have no rules now, it doesn't change anything, still can't ping. Policy routing in pfSense doesn't force the ping reply to another interface, because in pfSense policy routing is stateful. This was the main reason why I installed pfSense. This is unique. Previously I had MikroTik. In MikroTik and in all other firewalls policy routing is always stateless, and I have tested many firewalls.
                                        The "reply-to" is also unique, to revert back to the interface where packets enter pfSense. This is because FreeBSD is more powerful than Linux. It just gives such extra features and possibilities. Most firewalls are Linux based and lack those possibilities. So, pfSense has very good potential to become a good or even one of the best enterprise firewalls. But you don't have normal documentation, and it now contains too many bugs for enterprise work. This VLAN problem is a BUG!!! I had MikroTik there before and there was no ping problem. This is VLAN stuff. Also I found out that the captive portal doesn't work, and there was a problem with switching off state checking (switching the firewall into stateless mode wasn't possible; the rules just didn't work). Those are all bugs and you can't fix them in this way, hoping only for a forum where nobody cares. You must test this software yourself or hire a tester. Those bugs are not a catastrophe and I still proceed using pfSense; although the lack of traffic into the VLAN is a little frustrating, the most important functionality that I'm interested in is working (especially stateful policy routing and reply-to).

                                          • bennyc:

                                          @magnifico:

                                          This VLAN problem is BUG!!!

                                          That's a hard statement. VLAN = layer 2, from what you describe I would tend to think this is a Layer 3 issue.
                                          What about scanning that hand-made drawing? That will be the key to get better support, make people understand your setup.
                                          Also, did you traceroute your paths? Some output from the issue would be nice. (you can insert images here)

                                          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                                          1x PC Engines APU2C4, 1x PC Engines APU1C4

                                            • magnifico:

                                            @bennyc:

                                            @magnifico:

                                            This VLAN problem is BUG!!!

                                            That's a hard statement. VLAN = layer 2, from what you describe I would tend to think this is a Layer 3 issue.
                                            What about scanning that hand-made drawing? That will be the key to get better support, make people understand your setup.
                                            Also, did you traceroute your paths? Some output from the issue would be nice. (you can insert images here)

                                            Seems that Im the first user who tested pinging VLAN.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.