pfSense routing between VLANs

Hi,

I am setting up pfSense and other equipment at home behind my existing router before I deploy it.

I have pfSense set up with 2 VLANs: 10 and 20; they are both on the LAN interface.
Each VLAN is assigned to an interface, enabled, has DHCP enabled, and an IP range set like 10.0.10.1/24 and 10.0.20.1/24.

My switch (TP-Link TL-SG1016DE) has VLANs set up with both tagged on the pfSense port and untagged on the relevant ports for two Windows 10 machines.

Both machines are getting the correct IP assigned for their subnet and both have internet access.

I have set up an allow all rule on both VLANs but can't get the machines to ping each other.
(Eventually I want to add rules to only allow certain machines to talk to each other.)

There must be something obvious that I’m missing, but all the tutorials I’ve looked at just said “set an allow all rule and it just works”.

Any suggestions or links appreciated,

Thanks, Tim.

Your networks need bridging on the pfSense machine to enable them to see each other. However, that kinda negates the reason for getting 2 different networks for those machines in the first place.

No, ping only requires routing to work and firewalling to not drop stuff.

Try using tcpdump on pfSense, see if ICMP packets are actually lost in the pfSense host / on the firewall.

What do your firewall rules look like?

So I have 2 VLANs as well, one for my primary home network (1.0) & one for my smart devices (3.0). Three if you count VPN network (2.0).

My 1.0 & 2.0 can communicate with all other networks, but 3.0 is not allowed to communicate outside of its own VLAN except to the internet.

1.0 Rules

3.0 Rules

By bridging do you mean firewall rules?

The reason for two networks is that one will have mission critical data and internet traffic and the other is only for control, monitoring, backups etc., and I want to limit internet bandwidth and do other QoS on the non-critical network.

For now I have an allow all rule to try and get it working but I will later lock it down so only certain machines can communicate.

VLAN 10 Rules:

VLAN 20 Rules:

I have disabled the default rules on the default LAN network except for the anti-lockout rule.

The machine on the 20 VLAN can ping google(dot)com, pfSense on the same VLAN (10.0.20.1), and also pfSense on the 10 VLAN (10.0.10.1), but not the other Windows machine on the 10 VLAN (10.0.10.3).

Could it be something to do with the fact that I’m running it behind another router? It is a different IP range (192.168.0.1/24) and I disabled Block RFC1918 Private Networks and Block bogon networks as was recommended in a tutorial for setting up in a “lab” environment.

Could it be the firewall on the Windows machine? The fact that you can ping the pfSense interface on another VLAN indicates that it’s routing correctly. You can always check the firewall logs in pfSense, but those rules should work.

Temporarily turned off both Windows firewalls and now I can ping one way (from 20 to 10) but not the other?

Remote Desktop works both ways (and didn't before).

Something strange is going on with ICMP in the Windows firewall?

Should also mention that the 20 machine is running Windows 10 Enterprise LTSC (not activated yet), and the other machine is Windows 10 Pro.
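Since the symptoms above point at the Windows Defender Firewall rather than pfSense (the pfSense interface on the other VLAN answers, the Windows host does not, and disabling the Windows firewall changes the result), here is an added example of how to inspect and fix that on the Windows side without leaving the firewall off. This is not code from the thread or from pfSense; it assumes the subnets from the original post (VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24), and the rule name `Allow-ICMPv4-Echo-From-VLAN10` is made up for this example. The built-in rule "File and Printer Sharing (Echo Request - ICMPv4-In)" is a real Windows rule; the thing to check on it is the remote address scope, because a scope of LocalSubnet covers pings from the same VLAN but not from a routed neighbour. Run it in an elevated PowerShell on the machine that should answer pings.

```powershell
# Added example (not from the thread): find out why ping from another VLAN is
# blocked by Windows Defender Firewall, then allow ICMPv4 echo requests only
# from the peer VLAN subnet instead of disabling the firewall.
# Assumptions: VLAN 10 = 10.0.10.0/24 and VLAN 20 = 10.0.20.0/24 (from the
# original post); run elevated on the host that should answer the pings.

$PeerVlanSubnet = '10.0.10.0/24'                 # subnet of the host that pings us
$RuleName       = 'Allow-ICMPv4-Echo-From-VLAN10' # hypothetical rule name

# 1. Which profile is the VLAN NIC on? Rules are evaluated per profile, and a
#    NIC that landed on "Public" gets the most restrictive defaults.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory

# 2. Inspect the built-in echo-request rule(s). Note the RemoteAddress column:
#    "LocalSubnet" means same-VLAN pings work but pings routed in from another
#    VLAN are not matched by this rule at all.
$builtin = Get-NetFirewallRule `
    -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' `
    -ErrorAction SilentlyContinue
foreach ($r in $builtin) {
    $addr = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $r.Name
        Profile       = $r.Profile
        Enabled       = $r.Enabled
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}

# 3. Add a narrowly scoped allow rule: inbound ICMPv4 type 8 (echo request),
#    only from the peer VLAN, only on the Private and Domain profiles. This is
#    the least-privilege alternative to enabling the broad built-in rule.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $RuleName `
        -DisplayName 'Allow ICMPv4 echo from VLAN 10' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $PeerVlanSubnet -Profile Private,Domain `
        -Action Allow -Enabled True | Out-Null
}

# 4. Verify the rule exists and is scoped to the intended subnet only.
Get-NetFirewallRule -Name $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If step 1 reports `NetworkCategory : Public` for the VLAN adapter, the new rule will not apply until the adapter is moved to the Private profile (`Set-NetConnectionProfile -InterfaceAlias '<adapter name>' -NetworkCategory Private`), which is usually the actual cause when one host answers and the other does not. Repeat the same steps on the other machine with the subnets swapped so ping works in both directions, and keep the scope to the one peer subnet so the firewall still drops echo requests from anywhere else.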

It shouldn’t do anything, but out of pure curiosity, what would happen if you clearly define the source in your rules?

So if you look at my rules, it clearly defines the source as its own network.

Theoretically, this shouldn’t change anything but you never know.

You should be able to RDP just fine regardless.