VLAN to LAN allow rules



  • I'm having a problem with traffic between my VLAN40 (192.168.40.0/24) and my main LAN (192.168.2.1).
    I'm able to ping machines from both LAN and VLAN to the other side and get a reply.

    I have a print server (192.168.2.250) on my main LAN which I need to access from a computer that belongs to VLAN40.

    I have the following firewall rules:
    LAN

    VLAN40

    but I am unable to print and my firewall logs are full of these:

    Any ideas what am I doing wrong?
    I've read about Asymmetric Routing and tried a few of the tips (Bypass firewall rules for traffic on the same interface) without luck.

    Thanks a lot for your time



  • 1st thing: think of all the tabs as gates at their interface.

    On LAN get rid of the rule with "source" as VLAN40 net.

    and

    On VLAN40 get rid of the rule with "source" as LAN net.

    Truthfully the first rule on each of them would allow the traffic to the other. So both rules following it would not be needed.
    And the first rule would also allow traffic to all your other VLANs as well.

    2nd try this: Go to NAT and on outbound hit save. A screenshot of that page would be nice.



  • LAN is also a /24?



  • Thank you chpalmer, appreciate the help.

    I've tried your suggestions but same error in the log.

    And yes, I believe 192.168.2.1 / 255.255.255.0 for my main LAN. Is this a problem?
    Here is the screenshot of NAT > OutBound



  • Another interesting thing is that in the firewall log I only see 192.168.2.250 appear as the Source IP; when I try to filter it as Destination I get no results.
    Is it just picking up on the acknowledgment and not the initial request?


  • Nothing to do with outbound NAT.

    If you expect some sort of auto-discover to work across the router you're probably going to be disappointed.

    Add the printer directly, don't try to browse for it.



  • I don't expect Auto Discovery.
    I am able to find and add the printer but when trying to print it fails.

    I can ping the print server or telnet over port 9100 (blank screen) but the test prints fail and the FW log shows me those entries.


  • Out of state - totally normal. Check the default gateway in the printer / print server. Hmm. Being able to ping it probably means that's not the problem.

    Something in the print server that prevents printing from "foreign" networks, perhaps?

    The bottom two rules on both LAN and VLAN40 are useless.  Delete them.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting


  • Out of state traffic can also point to a problem with asynchronous routing. Since the firewall never saw the SYN to set up the state, it just sees the SYN,ACK, like what your traffic is showing.
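    A minimal stateful-filter model, added here as an illustration (it is not pfSense code or anything from the thread), showing why a SYN/ACK that reaches the firewall without a preceding SYN is blocked as out of state, and why only the print server then shows up as Source in the log. The print server 192.168.2.250 and port 9100 are from the thread; the VLAN40 client 192.168.40.10 and source port 51000 are assumed.

```python
from dataclasses import dataclass

# Constructed sample traffic (not taken from the poster's logs). The print
# server 192.168.2.250 and port 9100 come from the thread; the VLAN40 client
# 192.168.40.10 and source port 51000 are assumed values.
CLIENT, PRINTER = "192.168.40.10", "192.168.2.250"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as shown in the firewall log: "S", "SA", "A"


def evaluate(packets):
    """Stateful filter model: a SYN that matches the allow rule creates a
    state; packets of that connection pass in both directions on the state;
    anything else with no state is blocked and logged as out of state."""
    states = set()
    verdicts = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in states or rev in states:
            verdicts.append((p, "pass: existing state"))
        elif p.flags == "S":
            states.add(fwd)  # allow rule on the ingress interface matched
            verdicts.append((p, "pass: new state"))
        else:
            verdicts.append((p, "block: out of state"))
    return verdicts


def symmetric_flow():
    """Both directions cross the firewall: the handshake passes."""
    return evaluate([
        Packet(CLIENT, 51000, PRINTER, 9100, "S"),
        Packet(PRINTER, 9100, CLIENT, 51000, "SA"),
        Packet(CLIENT, 51000, PRINTER, 9100, "A"),
    ])


def asymmetric_flow():
    """The SYN reached the printer by a path the firewall never saw, so the
    firewall only ever sees the reply, and the SYN/ACK is blocked."""
    return evaluate([Packet(PRINTER, 9100, CLIENT, 51000, "SA")])


def blocked_sources(verdicts):
    """Sources of blocked packets: only the print server appears as Source."""
    return {p.src for p, v in verdicts if v.startswith("block")}
```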



  • @Derelict:

    Something in the print server that prevents printing from "foreign" networks, perhaps?

    Thanks, you are correct.
    My network settings on the print server were wrong.

