    VLAN source traffic showing under LAN interface

    Firewalling
      oit last edited by

      Hello,

      We have LAN, WAN 1 and WAN 2. The WANs are configured as Gateway Groups.
      I have firewall rules on LAN to send all traffic on to the Gateway Group.

      We have configured a VLAN as such:
      1. Create a VLAN 2 on re0 under: Interfaces: VLAN
      2. Assign it to an interface under: Interfaces: Assign network ports
      3. Enable the interface and give it an IP address 192.168.4.254/24
      5. Enable DHCP on the VLAN 2 interface, with DNS set to 8.8.8.8 and the gateway being my managed switch
      6. Add an all-to-all rule in the VLAN 2 tab under Firewall: Rules

      My users can get their DHCP leases without any issue, but still can't access the internet, while people on the LAN network can access the internet without any issue. Looking at the firewall logs I can see that the traffic from users of network 192.168.4.0 is showing up under interface LAN; I suppose it should show up under interface VLAN 2. The traffic is not blocked though.

      Any idea please?

        johnpoz LAYER 8 Global Moderator last edited by

        Where are you pointing them to for their gateway - your switch? Why would the gateway not be 192.168.4.254, the pfSense VLAN interface?

        How did you set up the port on your switch connected to pfSense? This should be a trunk port.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          oit last edited by

          Hello,

          Thanks for the reply.
          The port is indeed trunk.

          We have done Inter-Vlan routing using the managed switch.

          Regards

            johnpoz LAYER 8 Global Moderator last edited by

            So do you have routes on pfsense to these other networks on your managed switch that is doing routing?

            Please draw up your network and post it. So is this VLAN a transit network to your downstream router? Odd that you would put DHCP clients in a transit network. A drawing would be most helpful.


              oit last edited by

              Here you go, attached. The default VLAN is 1, by the way.


                Derelict LAYER 8 Netgate last edited by

                Yeah. That's all hosed.

                The transit network can be untagged. (I would do tagged to eliminate any reliance on VLAN1.)

                Eliminate the VLAN2 and the VLAN2 interface on pfSense. Instead make a gateway for 192.168.1.252 and create a static route for 192.168.4.0/24 to that gateway.

                Enable DHCP in the switch for VLAN2.

                PC0 should be on yet another vlan, created just like VLAN2.  It shouldn't be on the same VLAN as the transit network to pfSense (192.168.1.0/24).

                Chattanooga, Tennessee, USA
                The pfSense Book is free of charge!
                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  johnpoz LAYER 8 Global Moderator last edited by

                  You will also need to make sure your LAN rules (transit network to your downstream router) allow the IP ranges of your VLANs vs just LAN net.


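The two fixes above (Derelict's static route via 192.168.1.252, johnpoz's LAN rules covering the routed VLAN ranges) modelled as a small route and rule lookup. This is an added example, not pfSense code or anything the posters wrote; the host 192.168.4.10, a LAN rule with source "LAN net", and the interface names are assumptions, the addresses are the thread's own.

```python
"""Model of the routing and LAN-rule decisions discussed in the thread.
Added example (not pfSense code): configs are constructed from the thread's
addresses; the 'LAN net' rule and the host 192.168.4.10 are assumptions."""
import ipaddress

net = ipaddress.ip_network

# Original design: pfSense owns a VLAN2 interface for 192.168.4.0/24 while the
# hosts' default gateway is the L3 switch on the transit network (192.168.1.0/24).
BROKEN = {
    "interfaces": {"LAN": net("192.168.1.0/24"), "VLAN2": net("192.168.4.0/24")},
    "static_routes": [],  # none: 192.168.4.0/24 looks directly connected
    "lan_rules": [{"action": "pass", "src": "LAN net"}],
}

# Derelict's fix plus johnpoz's rule note: no VLAN2 on pfSense, a gateway
# 192.168.1.252 with a static route for 192.168.4.0/24, LAN rules that match it.
FIXED = {
    "interfaces": {"LAN": net("192.168.1.0/24")},
    "static_routes": [(net("192.168.4.0/24"), "192.168.1.252")],
    "lan_rules": [{"action": "pass", "src": "LAN net"},
                  {"action": "pass", "src": "192.168.4.0/24"}],
}

def egress(cfg, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns (interface, next_hop); next_hop None means directly connected."""
    dst, best = ipaddress.ip_address(dst), None
    for name, subnet in cfg["interfaces"].items():
        if dst in subnet and (best is None or subnet.prefixlen > best[0]):
            best = (subnet.prefixlen, name, None)
    for subnet, gw in cfg["static_routes"]:
        if dst in subnet and (best is None or subnet.prefixlen > best[0]):
            gw_ip = ipaddress.ip_address(gw)
            iface = next(n for n, s in cfg["interfaces"].items() if gw_ip in s)
            best = (subnet.prefixlen, iface, gw)
    return best[1:] if best else ("WAN", "default")

def lan_rule_passes(cfg, src):
    """First-match evaluation of the LAN tab; 'LAN net' is the LAN subnet only,
    so routed VLAN ranges need their own rule (default deny otherwise)."""
    src = ipaddress.ip_address(src)
    for rule in cfg["lan_rules"]:
        match = cfg["interfaces"]["LAN"] if rule["src"] == "LAN net" else net(rule["src"])
        if src in match:
            return rule["action"] == "pass"
    return False

def path_is_symmetric(cfg, host):
    """Requests arrive on LAN from the switch; do replies go back the same way?"""
    return egress(cfg, host) == ("LAN", "192.168.1.252")
```

In the broken config the reply to a VLAN2 host leaves via the pfSense VLAN2 interface rather than back through the switch, and a "LAN net" source rule never matches 192.168.4.x at all.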