Netgate Discussion Forum
    VLAN source traffic showing under LAN interface

    Category: Firewalling
    7 Posts, 3 Posters, 1.2k Views

    oit

      Hello,

      We have LAN, WAN 1 and WAN 2. The WANs are configured as Gateway Groups.
      I have firewall rules on LAN to send all traffic on to the Gateway Group.

      We have configured a VLAN as such:
      1. Create a VLAN 2 on re0 under Interfaces: VLAN
      2. Assign it to an interface under Interfaces: Assign network ports
      3. Enable the interface and give it the IP address 192.168.4.254/24
      4. Enable DHCP on the VLAN 2 interface, with DNS set to 8.8.8.8 and the gateway set to my managed switch
      5. Add an "all to all" rule in the VLAN 2 tab under Firewall: Rules

      My users can get their DHCP leases without any issue, but they still can't access the internet, while people on the LAN network can access the internet without any issue. Looking at the firewall logs, I can see that the traffic from users of network 192.168.4.0 is showing up under interface LAN; I suppose it should show up under interface VLAN 2. The traffic is not blocked, though.

      Any idea please?

      johnpoz LAYER 8 Global Moderator

        Where are you pointing them to for their gateway - your switch?? Why would the gateway not be 192.168.4.254, the pfSense VLAN interface?

        How did you set up the port on your switch connected to pfSense? This should be a trunk port..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          oit

          Hello,

          Thanks for the reply.
          The port is indeed trunk.

          We have done inter-VLAN routing using the managed switch.

          Regards

            johnpoz LAYER 8 Global Moderator

            So do you have routes on pfSense to these other networks on your managed switch that is doing the routing?

            Please draw up your network and post it.. So is this VLAN a transit network to your downstream router? Odd that you would put DHCP clients in a transit network. A drawing would be most helpful.


              oit

              Here you go attached. The default VLAN is 1 by the way.

              [attachment: network.JPG]

                Derelict LAYER 8 Netgate

                Yeah. That's all hosed.

                The transit network can be untagged. (I would do tagged to eliminate any reliance on VLAN1.)

                Eliminate the VLAN2 and the VLAN2 interface on pfSense. Instead make a gateway for 192.168.1.252 and create a static route for 192.168.4.0/24 to that gateway.

                Enable DHCP in the switch for VLAN2.

                PC0 should be on yet another VLAN, created just like VLAN2. It shouldn't be on the same VLAN as the transit network to pfSense (192.168.1.0/24).

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  johnpoz LAYER 8 Global Moderator

                  You will also need to make sure your LAN rules (transit network to your downstream router) allow the IP ranges of your VLANs, not just LAN net.

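The three mechanics behind Derelict's and johnpoz's answers can be checked with a small model: pfSense assigns a frame from the trunk to an interface by its 802.1Q tag, not by the IP source inside it, so traffic the switch has already routed into VLAN 1 is logged under LAN; the reply to a 192.168.4.x client follows the routing table, which without the static route via 192.168.1.252 sends it out the default route; and a LAN rule whose source is "LAN net" does not match 192.168.4.0/24. The following Python is an added illustration written for this page, not code from pfSense or from anyone in the thread. The addresses 192.168.1.0/24, 192.168.1.252, 192.168.4.0/24 and re0 are taken from the posts; the client address 192.168.4.10, the interface names and the greatly simplified forwarding model (no NAT state, no per-VLAN DHCP details) are constructed assumptions.

```python
"""Toy model of interface assignment, routing and rule matching for the
pfSense setup discussed above. Constructed example; not pfSense code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

# A frame arriving on the parent NIC (re0) is placed on an interface by its
# 802.1Q tag only. An untagged frame (native VLAN 1 on the trunk) is LAN,
# even if the IP packet inside it came from 192.168.4.x via the switch.
TAG_TO_INTERFACE = {None: "LAN", 2: "VLAN2"}  # assumed interface names


def ingress_interface(vlan_tag: Optional[int]) -> str:
    """Interface a trunk frame is logged under, given its VLAN tag (None = untagged)."""
    return TAG_TO_INTERFACE.get(vlan_tag, "unassigned")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: str
    interface: str


def routing_table(static_route_to_switch: bool) -> list:
    """Default via the WAN gateway group, LAN directly connected, and optionally
    the static route for 192.168.4.0/24 via 192.168.1.252 that Derelict proposed."""
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "WAN gateway group", "WAN"),
        Route(ipaddress.ip_network("192.168.1.0/24"), "directly connected", "LAN"),
    ]
    if static_route_to_switch:
        routes.append(Route(ipaddress.ip_network("192.168.4.0/24"), "192.168.1.252", "LAN"))
    return routes


def next_hop(routes: list, dst: str) -> Route:
    """Longest-prefix match; the default route guarantees a result."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


@dataclass(frozen=True)
class Rule:
    interface: str
    sources: tuple  # tuple of IPv4Network; "LAN net" expands to 192.168.1.0/24
    action: str = "pass"


def first_match(rules: list, interface: str, src: str) -> Optional[Rule]:
    """First-match evaluation on one interface tab; None means the implicit deny."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.interface == interface and any(addr in n for n in r.sources):
            return r
    return None


LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DOWNSTREAM_NET = ipaddress.ip_network("192.168.4.0/24")


def lan_rules(include_downstream: bool) -> list:
    """johnpoz's point: a source of only "LAN net" leaves the routed VLANs unmatched."""
    sources = (LAN_NET, DOWNSTREAM_NET) if include_downstream else (LAN_NET,)
    return [Rule("LAN", sources)]


def client_reaches_internet(static_route: bool, rule_covers_downstream: bool,
                            src: str = "192.168.4.10") -> bool:
    """Outbound: the switch routed the client's packet into VLAN 1 and sent it
    untagged, so it is evaluated on the LAN tab. Return path: the reply to the
    client must be routed back toward the switch, not out the default route."""
    iface = ingress_interface(None)
    if first_match(lan_rules(rule_covers_downstream), iface, src) is None:
        return False
    return next_hop(routing_table(static_route), src).interface == "LAN"


if __name__ == "__main__":
    print("untagged frame logged under:", ingress_interface(None))
    for static, rule in [(False, True), (True, False), (True, True)]:
        print(f"static route={static}, rule covers 192.168.4.0/24={rule}:",
              client_reaches_internet(static, rule))
```

Only the combination with both the static route and a LAN rule covering the downstream range returns True, which is the state the last two replies describe. A real deployment also needs the switch's own default route pointing at pfSense and the rule source can be an alias rather than a literal list, but the model is not concerned with those.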

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.