Netgate Discussion Forum

    Only one VLAN works with WAN

    Routing and Multi WAN
    7 Posts 4 Posters 2.1k Views
      nosenseno

      Hello.

      This by all appearances seems to be a networking issue. I have tried many things to overcome it but nothing seems to work.
      Hopefully someone has some suggestions.

      Environment:
      Lan Side consists of a 3750x with L3 routing on.
      3750x consists of three vlans 192.168.12.0 (vlan 12), 192.168.6.0 (vlan 6), and 192.168.127.0 (vlan 127)
      GigabitEthernet2/0/26 (switch port access vlan 12) connects to pfsense LAN interface.
      ip default-gateway 192.168.12.200
      ip route 0.0.0.0 0.0.0.0 192.168.12.200

      pfsense LAN interface has IP address of 192.168.12.200
      pfsense WAN interface has IP address of 10.205.66.200
      There are no firewall rules in place yet except for allow all inbound and outbound.

      Problem:
      From any IP on vlan 12 I can ping the LAN and the WAN interface and I can access the internet on the WAN side.
      All other IP addresses (vlan 6 and vlan 127) cannot ping the LAN or the WAN interface.

      Using pfsense packet capture I see the following if pinging from vlan 127:
      The LAN interface gets the request but the reply goes out the WAN interface.
      This seems to be because the default route on pfsense is the WAN interface and pfsense has placed in a route back to the 192.168.12.0 (vlan 12) network.

      The closest I got to getting vlan 127 working was to log in via ssh to pfsense and place a route to 192.168.127.0 out the LAN interface.
      This allowed vlan 127 to ping both the LAN interface and the WAN interface, BUT it could not access any internet on the WAN side.

      Thanks

        awebster

        @nosenseno:

        …
        There are no firewall rules in place yet except for allow all inbound and outbound.
        ...

        Did you create rules on each of the VLAN interfaces? In the Firewall: Rules page, there will be tabs for each interface, you need to explicitly create allow all rules for anything other than the LAN interface, which by default has an allow all rule.

        –A.

          nosenseno

          I think so. I attached my LAN and WAN firewall rule images.

          Attachments: lan.PNG, wan.PNG

            awebster

            My bad, I mis-read your initial post.
            I see that Vlan 6 and 127 are only defined on the C3750, correct?

            In this case, you need to create a static route for these.

            Go into System -> Routing
            Create a new gateway, which corresponds to the address of the C3750 in the 192.168.12.0 subnet. You didn't indicate what this was in the initial post.
            When you're creating the new gateway, be sure to set the Interface to LAN.  Do not check "Default Gateway".

            Next, in the routing tab, add routes for each of the destination networks, 192.168.6.0 and 192.168.127.0 via the newly created gateway.

            –A.

              nosenseno

              Wow, that seems to work for the 127 network. I was wondering why pfsense was not letting me add routes back to the LAN side.
              That is because I did not create a gateway back to the LAN side.
              So I added in the route and one of my vlan 127 machines works now.
              I will add the others in.

              Thank you so much.

                Derelict (LAYER 8 Netgate)

                The hosts on VLAN 12 have to choose the correct router for access to VLANs 6 and 127.

                You probably want a fourth VLAN for the transit network between the switch and pfSense with no other hosts on it.

                Then:
                Set all the hosts to use their switch virtual interface as their default gateway.
                Set the switch to use pfSense as the default gateway
                Create a gateway for the switch on pfSense
                Create static routes for all the VLAN networks with the switch as the gateway.
                Be sure pfSense is set to pass traffic from, and NAT for, all the VLAN networks.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  Guest
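The forwarding logic behind awebster's and Derelict's steps, as an added example that is not code from this thread or from pfSense: a small Python model of pfSense's route lookup plus the "pass and NAT" check, run over the addresses from the opening post. It assumes the 3750X's VLAN 12 SVI is 192.168.12.1 and the WAN gateway is 10.205.66.1 (neither is given in the thread) and treats "pass from" and "NAT for" as one allow list.

```python
import ipaddress

# Constructed model of the thread's topology. Interface addresses come from the
# opening post; the 3750X SVI address (192.168.12.1) and the WAN gateway
# (10.205.66.1) are assumptions, since the post never states them.
SWITCH_SVI = "192.168.12.1"
INTERNET_HOST = "198.51.100.10"  # documentation address standing in for "the internet"

# Routes as (network, interface, gateway); gateway None means directly connected.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "WAN", "10.205.66.1"),
    ("10.205.66.0/24", "WAN", None),
    ("192.168.12.0/24", "LAN", None),
]
# awebster's fix: a LAN-side gateway for the switch plus static routes through it.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.6.0/24", "LAN", SWITCH_SVI),
    ("192.168.127.0/24", "LAN", SWITCH_SVI),
]
# Derelict's last step: pfSense must pass and NAT every VLAN network, not only
# the "LAN net" that the default LAN rule covers.
ALLOWED_BEFORE = ["192.168.12.0/24"]
ALLOWED_AFTER = ["192.168.12.0/24", "192.168.6.0/24", "192.168.127.0/24"]

def lookup(routes, dst):
    """Longest-prefix match; returns (interface, gateway) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, gw)
    return None if best is None else best[1:]

def reply_interface(routes, src):
    """Interface pfSense uses to answer a ping that arrived on LAN from src.
    Without the static routes, a VLAN 127 host's reply follows the default
    route out WAN, which is what the opening post's packet capture showed."""
    return lookup(routes, src)[0]

def internet_ok(routes, allowed, src):
    """src reaches the internet only if the forward path is WAN, the return
    path is LAN (symmetric), and src is in a passed/NATed network."""
    fwd_iface, _ = lookup(routes, INTERNET_HOST)
    s = ipaddress.ip_address(src)
    passed = any(s in ipaddress.ip_network(n) for n in allowed)
    return fwd_iface == "WAN" and reply_interface(routes, src) == "LAN" and passed
```

With ROUTES_AFTER but ALLOWED_BEFORE the model reproduces the opening post's "can ping both interfaces but no internet" state; only adding the VLAN networks to the allow list clears it.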

                  Lan Side consists of a 3750x with L3 routing on.

                  If this is a Layer 3 switch, you can (or must) decide where and what should route your entire network
                  traffic, the pfSense or the Layer 3 switch, and also all the VLANs. Often there are some points for or
                  against one method or the other! This might depend on other needs or benefits you were not
                  telling us about in the opening post.

                  Doing the routing only with pfSense might be a single point of failure if the pfSense fails.
                  Doing it without pfSense, some things might not work really smoothly.
                  But letting the pfSense route only the WAN - LAN and WAN - DMZ traffic would give
                  you two routing points, and if the pfSense then fails, the rest of the LAN keeps
                  working through the Layer 3 switches.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.