Netgate Discussion Forum

    VLAN works only one direction?

    Routing and Multi WAN
    54 Posts 7 Posters 17.1k Views
    • doktornotor

      There are lots of bugs in your head. No need to post to a forum asking for help when you, instead of providing the requested information, keep posting useless noise and utterly ridiculous claims. There are people using hundreds of VLANs with pfSense in production. Quit this bullcrap.

      Ktnxbye.

      • johnpoz (Global Moderator)

        first user to ping a vlan??  What??

        Dude I ping between my vlans without any problems.. You have to allow it in the rules..  Out of the box you have lan.. the rules on lan (192.168.0/24) are any any.. So if you create a new opt interface for vlan 100, let's call it 192.168.100/24, I will be able to ping anything on vlan100 from lan.  But vlan100 wouldn't be able to do anything because pfsense does not create any rules on opt interfaces.  You have to create them..

        So depending how you create them you would be able to ping or not ping, etc. etc..

        Post up your lan rules, post up rules of one of your vlan interfaces.

        Look
        my lan is 192.168.9.0/24
        I have a vlan I call wlan 192.168.2.0/24

        As you can see here is client on lan pinging client on wlan

        user@ubuntu:~$ ping 192.168.2.11
        PING 192.168.2.11 (192.168.2.11) 56(84) bytes of data.
        64 bytes from 192.168.2.11: icmp_seq=1 ttl=63 time=1.39 ms
        64 bytes from 192.168.2.11: icmp_seq=2 ttl=63 time=0.837 ms
        64 bytes from 192.168.2.11: icmp_seq=3 ttl=63 time=1.02 ms
        ^C
        --- 192.168.2.11 ping statistics ---
        3 packets transmitted, 3 received, 0% packet loss, time 2003ms
        rtt min/avg/max/mdev = 0.837/1.085/1.392/0.233 ms
        user@ubuntu:~$ traceroute 192.168.2.11
        traceroute to 192.168.2.11 (192.168.2.11), 64 hops max
          1  192.168.9.253  1.035ms  0.216ms  0.414ms
          2  192.168.2.11  1.036ms  0.753ms  1.408ms

        You also have to worry about host firewall rules in another segment.  Out of the box for example a windows box will block ping from anything outside its network.

        I just do not understand how you get to such a state?  How are you touching a firewall and network equipment without basic understanding of the most basic of concepts?  This is your network?  And you don't have a drawing?  Or can not draw up a basic one in like 2 minutes?  You don't have to list out all 50 vlans if you had that many.. 2 would work for an example to get across what your issue is or isn't..

        Screenshots of your rules take all of 10 seconds...

        People can not help you without details.. And if you're more fluent in another language, which I take it English is not native for you, you might get better help on that section of the board; might be easier to get across your setup.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • Derelict (Netgate)

          I searched the internet and see lots of forums where problems arise related to VLANs.

          Yeah mostly because the people having such problems don't know what they are doing.

          You have it in your head that it's a "bug" and can't get out of that mode.

          At a minimum, post the EXACT STEPS to take to reproduce "the bug."  It's the first thing anyone in development will ask for in the bug report.  If it's a bug in the VLAN code it ought to be easily reproducible on a small bench/lab setup.  Or is that too much work too?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • magnifico

            @johnpoz:

            Post up your lan rules, post up rules of one of your vlan interfaces.

            I have in pfsense in every interface only one rule that allows all connections, all protocols. In interface configuration there is only IP and gateway to next hop. Interface is assigned to VLAN8 and VLAN8 is assigned to physical interface. This physical interface is a VMWare Workstation virtual network card that is connected to a virtual switch. The virtual switch is bound to the windows2008 host physical network card where only the vmware binding protocol is allowed. Then this network cat5 cable goes to a TP-Link L2 switch, then to another TP-Link L2 switch and then into the TP-link wifi router WAN. WiFi router can ping pfsense interface but pfsense ping tool can't ping WiFi router WAN.

            • Derelict (Netgate)

              Probably because, as has been said many times, your policy routing is probably sending the pfSense-originated traffic out some other gateway because that's what you told it to do, while pinging into the pfSense interface is working because of reply-to for the return traffic. Since you refuse to post details, that is just a guess.

              Rules on the VLAN interface have nothing to do with traffic originating from pfSense.  You also have floating rules which CAN affect traffic in the outbound direction of an interface but you refuse to post actual details about those, too.

              • doktornotor

                Or he's blocking the traffic on the unknown wifi router's WAN firewall (which shouldn't be doing any routing in the first place and should most likely be connected via a LAN port). Or… pfS FW rules requested -> nothing. Diagram request - some messy setup description posted instead. Logs? Nothing. Who needs any info after all. It's pfSense bug with VLANs, 333% -- because no one ever pinged a host on VLAN before!!!

                Why are we still wasting time here?  ::)

                • johnpoz (Global Moderator)

                  "In interface configuration there is only IP and gateway to next hop"

                  Lan interfaces would not have gateway.. What do you think is the next hop??

                  I'm just here for your witty comments dok – you always make every day brighter with your wonderful way with words and cheerful disposition towards incompetence..  I don't know how you do it, but pretty much every post of yours puts a smile on my face ;)  Another applaud for you btw.. 300 is just around the corner.

                  • bennyc

                    @magnifico:

                    WiFi router can ping pfsense interface but pfsense ping tool cant ping WiFi router WAN.

                    You're still very sparse with information  ??? When you say ping the Wifi router WAN, is that an ip in the same subnet as where the IP of pfSense in vlan 8 resides?
                    Repeat test with pfSense: Diagnostics: Traceroute, and post output please.

                    4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                    1x PC Engines APU2C4, 1x PC Engines APU1C4

                    • johnpoz (Global Moderator)

                      diag, traceroute and then post output..  JFC dude that is a lot of work for what is clearly a bug in pfsense use of vlans.. Just search the internet and see how many problems you get with vlans.. ;) ROFL….

                      • bennyc

                        @johnpoz:

                        diag, traceroute and then post output..  JFC dude that is a lot of work for what is clearly a bug in pfsense use of vlans.. Just search the internet and see how many problems you get with vlans.. ;) ROFL….

                        Agree  ;D nearly fell off my chair when I read your post.

                        Anyhow, it's an intriguing design with enough routers to keep one busy. I've read this for the fifth time or so trying to see the picture (he's refusing to draw  ::) ):

                        @magnifico:

                        They are all LANs, 5 interfaces, all equal, for LAN subnet communication. When I don't set gateway, then I can't use policy routing, but pfsense is set up exactly only for LAN subnet policy based routing (source and destination important in routing decision). Also when I don't have set up gateways, then traffic doesn't come back into the same interface as it enters pfsense. My pfsense doesn't route only local subnets but also subnets behind other routers... To internet I have 2 subnets before final routers, 192.168.3.0 and 192.168.10.0. Policy must choose gateway depending on source IP. For LANs I have 3 subnets 192.168.2.0 192.168.1.0 and 192.168.4.0 Between pfsense and computers I have more routers. Some 192.168.12.0 subnet computers reach pfsense through 192.168.1.0 subnet and some through 192.168.2.0 subnet. Usual routing table is unable to choose interface because they are all 192.168.12.0 subnet computers, going to internet through different LANs and different WANs.

                        And now I'm in doubt my request for traceroute is going to bring anything useful. I also fail to see why he thinks it's a vlan issue, this is clearly routing stuff. And not even sure one can accomplish what he wants by using pfSense?

                        Maybe we should ask for a drawing  ;)

                        • doktornotor

                          @bennyc:

                          Maybe we should ask for a drawing  ;)

                          • bennyc

                            @doktornotor: Where do you keep finding them ;D  Hilarious…

                            @johnpoz:

                            Lan interfaces would not have gateway.. What do you think is the next hop??

                            Well… Not always true  :o

                            If it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed.
                            So the next hop for the LAN could be the SVI of the vlan (on the L3 switch), and that is not on pfSense (but the subnets are known by pfSense (System:Routing:Routes)). And so on.

                            One thing is true however. You cannot ping the vlan  ;D ;D  (sorry, couldn't help myself  8))

                            So magnifico, how about a drawing?

                            --edit: cleaned up, removed non relevant info--

                            • magnifico

                              Problem is resolved, thanks all for help and still never undervalue bugs. There are still lots of bugs. Captive portal example doesn't work but no problem, I use Kerio portal, it's better stuff... The problem with ping was in WiFi router, there was firmware upgrade before... And also before I noticed that switching off state and making double rules for both directions didn't work in first try, but this is also not very important, usually I like to use stateful mode... Pfsense is good, but it can be even better when developers write documentation, test it more and then it can be usable also for enterprises. So, good luck and thank you all, I hope I can now configure it myself in a while.

                              • doktornotor

                                @magnifico:

                                Captive portal example doesn't work but no problem, I use Kerio portal, it's better stuff... The problem with ping was in WiFi router, there was firmware upgrade before...

                                Because your wifi router should NOT be routing, as I already told you. It should be set up as a dumbed-down AP with no DHCP, no firewall, pretty much everything turned off, and connected via LAN to a switch.

                                • Derelict (Netgate)

                                  So your "bug" was actually the config in another device and you still blame pfSense, the pfSense Developers, and pfSense documentation.  Nice.

                                  Is there a bug in pfSense VLANs? Inquiring minds want to know.

                                  • bennyc

                                    @magnifico:

                                    The problem with ping was in WiFi router, there was firmware upgrade before...

                                    Right. No vlan bug??  :o
                                    Oh well… Good thing is you didn't have to make a drawing...  ::)

                                    • magnifico

                                      @bennyc:

                                      @magnifico:

                                      The problem with ping was in WiFi router, there was firmware upgrade before...

                                      Right. No vlan bug??  :o
                                      Oh well… Good thing is you didn't have to make a drawing...  ::)

                                      Yes, a drawing wasn't needed.

                                      • johnpoz (Global Moderator)

                                        "If it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed."

                                        That would not be a "gateway" that would be a ROUTE you set to the specific network..  When you add a gateway to an interface it becomes a WAN interface..

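Derelict's point above that inbound pings succeed because of reply-to while pfSense-originated traffic just follows the routing table, and johnpoz's point that networks behind another router need a static route rather than an interface gateway, modelled together as an added example (not code from this thread or from pfSense). The topology, addresses (a host on 192.168.12.0/24 behind a downstream router, echoing magnifico's description) and all class and function names are constructed, and reply-to state and longest-prefix lookup are simplified models, not pf itself.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, Optional[str]]  # (egress interface, next-hop IP; None = directly connected)

@dataclass
class Iface:
    name: str
    addr: str                      # pfSense's own address with prefix, e.g. "192.168.8.1/24"
    gateway: Optional[str] = None  # only set when a gateway is configured on the interface

@dataclass
class Router:
    ifaces: List[Iface]
    default: Hop                                                 # default route (WAN gateway)
    static_routes: Dict[str, Hop] = field(default_factory=dict)  # prefix -> hop
    states: Dict[Tuple[str, str], Optional[Hop]] = field(default_factory=dict)

    def lookup(self, dst: str) -> Hop:
        """Routing-table decision: longest prefix over connected subnets and static routes."""
        ip = ip_address(dst)
        candidates = [(ip_network(i.addr, strict=False), (i.name, None)) for i in self.ifaces]
        candidates += [(ip_network(p), hop) for p, hop in self.static_routes.items()]
        best = None  # (prefixlen, hop)
        for net, hop in candidates:
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, hop)
        return best[1] if best else self.default

    def inbound(self, src: str, dst: str, arrived_on: str) -> None:
        """A remote host's packet is passed in and pf creates a state. On an interface with a
        gateway configured, pfSense adds reply-to: the answer goes back out that interface."""
        iface = next(i for i in self.ifaces if i.name == arrived_on)
        self.states[(dst, src)] = (iface.name, iface.gateway) if iface.gateway else None

    def reply(self, src: str, dst: str) -> Hop:
        """Answer within an existing state: reply-to wins over the routing table."""
        return self.states.get((src, dst)) or self.lookup(dst)

    def originate(self, dst: str) -> Hop:
        """pfSense's own traffic (Diagnostics: Ping) has no state, so the table decides."""
        return self.lookup(dst)

def build_router() -> Router:
    # Constructed topology: WAN holds the default gateway; VLAN8 has a downstream
    # router (192.168.8.254) configured as that interface's gateway.
    return Router(
        ifaces=[Iface("WAN", "203.0.113.2/24", "203.0.113.1"),
                Iface("VLAN8", "192.168.8.1/24", "192.168.8.254")],
        default=("WAN", "203.0.113.1"))

def demo() -> Dict[str, Hop]:
    r, out = build_router(), {}
    # 1. Host 192.168.12.5 behind the downstream router pings pfSense's VLAN8 address.
    r.inbound("192.168.12.5", "192.168.8.1", "VLAN8")
    out["reply_to_remote_host"] = r.reply("192.168.8.1", "192.168.12.5")
    # 2. pfSense pings that host: no route for 192.168.12.0/24, so it leaves via WAN.
    out["ping_remote_no_route"] = r.originate("192.168.12.5")
    # 3. A static route via the downstream router fixes the pfSense-originated direction.
    r.static_routes["192.168.12.0/24"] = ("VLAN8", "192.168.8.254")
    out["ping_remote_with_route"] = r.originate("192.168.12.5")
    return out
```

Step 1 succeeds and step 2 fails in exactly the one-direction pattern the thread describes; the fix in step 3 is a route, not a gateway on the interface.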
                                        • magnifico

                                          @johnpoz:

                                          "If it is connected to other L3 switches or networks for which pfSense is NOT doing the routing (there are more subnets to reach on those interfaces), that would be needed."

                                          That would not be a "gateway" that would be a ROUTE you set to the specific network..  When you add a gateway to an interface it becomes a WAN interface..

                                          No, it doesn't become WAN interface. What is exactly "WAN" interface? What is WAN? Do you mean Internet? No, I for example don't have any internet in pFsense, Internet is long-long away from pFsense, there is only LAN, bottomless LAN with no edge... In pfsense wiki (although it's not any documentation, it's crap) I read that when I want to use policy routing, then I must put gateway address into interface where this gateway locates. First I tried without this, not worked, then read about that and then worked. Second rule is when you want use reply-to, then rule must be set in interface tab, not floating tab. Of course all those requirements are only bad GUI implementation. Not all people know this without first experiment and read about it. It's just big mess and not at all good practice to make administration interface. Those requirements are stupid, all this can be made automatic and no more mess, forums questions and misunderstandings. ...p.s. Switches are usually L2, not L3

                                          • doktornotor

                                            @magnifico:

                                            there is only LAN, bottomless LAN with no edge...

                                            Pretty much explains it. Thanks for wasting everyone's time and no need to come back any time soon.

                                            P.S. The WAN is the interface with default GW. You cannot have a pfSense box without one.  ::)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.