Routing between LAN and VLAN2



  • My LAN is 10.0.1.0/24 for the data network,
    and my phone network is 192.168.1.0/24 for voice.
    All ports in the switch are untagged for 10.0.1.0/24 (VLAN 1, the default VLAN) and tagged for 192.168.1.0/24 (VLAN 2).

    In pfSense, LAN is 10.0.1.0/24, and I created a VLAN2 interface for 192.168.1.0/24.

    My question is:
    how do I enable traffic between LAN and VLAN2?
    i.e. so that a computer in LAN can access devices in VLAN2, and a device in VLAN2 can access a computer in LAN?

    Thanks very much for any suggestions and helpful links.



  • Assuming you already have a rule on the LAN tab to allow IPv4 any-protocol traffic from LAN net to any destination, you'll need a rule on the VLAN2 tab to allow traffic from source VLAN2 net to either destination "any" or "LAN net".



  • Thanks bjaffe. I did as you said. Our LAN and VLAN2 use the same network card.

    Now I can ping from any host in LAN (10.0.1.0/24) to the VLAN2 interface IP (192.168.1.10), but I cannot ping other hosts in VLAN2 (192.168.1.0/24).

    Also, the ARP table of pfSense shows only the VLAN2 interface IP; no other hosts in VLAN2 are displayed.

    What should I do?

    @bjaffe:

    Assuming you already have a rule on the LAN tab to allow IPv4 any-protocol traffic from LAN net to any destination, you'll need a rule on the VLAN2 tab to allow traffic from source VLAN2 net to either destination "any" or "LAN net".



  • Is it that I have to create a VLAN1 for 10.0.1.0/24? Then enable interconnection between VLAN 1 and VLAN 3. But in this way, my LAN interface is useless.

    I would appreciate any suggestions; this is urgent.


  • "All ports in the switch are untagged for 10.0.1.0/24 (VLAN 1, the default VLAN) and tagged for 192.168.1.0/24 (VLAN 2)."

    How do you have the ports set? And how did you create your VLAN? You assigned this VLAN to your physical LAN interface, right? See attached: I have multiple VLANs on em2, and it also has its native (untagged) network, wlan.

    On the switch, the port connected to em2 is trunked, where those VLANs are tagged and the native VLAN is set to 20 (untagged). Notice the ge10 interface is native, or PVID is set to 20; ports that are directly connected to a device don't need to be tagged. Only interfaces that connect to, say, another switch or an interface with VLANs on it need to have VLANs tagged. Ports that connect to an end-user device, say a computer for example, are normally set to be untagged in the VLAN you want that port/device in. If you're tagging that traffic, then you would have to set the interface on that device to understand the tag, or it's going to be using the untagged VLAN. You stated that you have all ports untagged for VLAN 1 (default VLAN) and then also have tagged traffic on them.

    That is not how I would normally do it, for sure.

    So in my case pfSense em2 is native on VLAN 20; it then has the other VLAN interfaces assigned to it (100, 200, 300). So any untagged traffic it sees is assumed to be going to the physical interface. Any traffic that is tagged will be seen on the VLAN interface that it's tagged for.

    As to connectivity between normal untagged traffic on interfaces and VLAN interfaces, be it on the same physical interface or different ones, it just requires firewall rules to allow the traffic you want. To be honest, when first setting it up, using any/any rules makes it easy to confirm that you actually have connectivity. Keep in mind that any software firewalls running on the different VLAN/network segments most likely will be blocking traffic from another network. Windows machines, for example, would block pings coming from a different network than the one they are on. So if they are on, say, 192.168.1.0/24 and you ping them from 192.168.2.0/24, they would not answer until you set up their firewall to allow that.
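As an added example (not from the thread or from pfSense itself), this Python model ties the moderator's tagging explanation to bjaffe's rule advice: it classifies a frame by the access port's PVID and tagged set, maps the resulting VLAN to the pfSense interface that sees it over the em2 uplink, and then checks the rules on that interface's tab. Port, VLAN and subnet values mirror the thread; the helper names and the simplified rule format are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Port:
    pvid: int                           # VLAN for untagged (native) frames on this port
    tagged: frozenset = frozenset()     # VLANs this port carries with an 802.1Q tag

def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN an incoming frame is placed in: PVID if untagged, the tag if allowed, else dropped."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None

PFSENSE_IFACES = {"em2": {"native": "LAN", "vlans": {2: "VLAN2"}}}  # constructed to mirror the thread
NETS = {"LAN": ip_network("10.0.1.0/24"), "VLAN2": ip_network("192.168.1.0/24")}
UPLINK = Port(pvid=1, tagged=frozenset({2}))  # switch port facing em2: VLAN 1 native, VLAN 2 tagged

def pfsense_interface(vid: int, uplink: Port = UPLINK, phys: str = "em2") -> Optional[str]:
    """pfSense interface that receives VLAN `vid` over the uplink: native -> physical, tagged -> child."""
    cfg = PFSENSE_IFACES[phys]
    if vid == uplink.pvid:
        return cfg["native"]
    return cfg["vlans"].get(vid)

def phone_lands_on(access_port: Port, phone_tags_vlan2: bool) -> str:
    """Trace a phone's frame from its access port, across the uplink, to a pfSense interface."""
    vid = classify_ingress(access_port, 2 if phone_tags_vlan2 else None)
    if vid is None or vid not in (UPLINK.pvid, *UPLINK.tagged):
        return "dropped"                 # not admitted on the access port, or not carried on the trunk
    return pfsense_interface(vid) or "dropped"

def rule_allows(rules: dict, iface: str, src: str, dst: str) -> bool:
    """Rules are evaluated on the tab of the interface where traffic enters; reply traffic is stateful."""
    for r in rules.get(iface, []):
        src_ok = r["src"] == "any" or ip_address(src) in NETS[r["src"]]
        dst_ok = r["dst"] == "any" or ip_address(dst) in NETS[r["dst"]]
        if src_ok and dst_ok:
            return True
    return False                         # implicit default deny

RULES = {"LAN": [{"src": "LAN", "dst": "any"}],       # LAN tab: LAN net -> any
         "VLAN2": [{"src": "VLAN2", "dst": "LAN"}]}   # VLAN2 tab: VLAN2 net -> LAN net

if __name__ == "__main__":
    op_port = Port(pvid=1, tagged=frozenset({2}))   # "untagged for VLAN 1, tagged for VLAN 2" on every port
    print(phone_lands_on(op_port, phone_tags_vlan2=False))  # LAN: a phone that does not tag lands in VLAN 1
    print(phone_lands_on(Port(pvid=2), phone_tags_vlan2=False))  # VLAN2: access port with PVID 2 fixes it
    print(rule_allows(RULES, "VLAN2", "192.168.1.20", "10.0.1.5"))  # True
```

The first trace shows why the VLAN2 ARP table stayed empty: untagged frames from the phones are classified into VLAN 1 and reach pfSense on the LAN interface, so no firewall rule can make them appear in VLAN2.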