Internet Related/Filtering/Firewall thread: Accessing the internet with VLANS and pfSense (in Technical)
  1. #1

    Accessing the internet with VLANS and pfSense

    Hello everyone,

    I am having an issue trying to access the internet from some VLANS located behind a pfSense (which is doing NAT and is set to Automatic) box. The setup is as follows:

    VLAN 5 - 10.10.255.253 (Layer 3 Switch) -> 10.10.255.254 (pfSense LAN interface)

    VLAN 10 - 10.10.10.0/24
    VLAN 20 - 10.10.20.0/24
    VLAN 30 - 10.10.30.0/24

    The VLANs can ping each other so inter VLAN routing is working ok.

    I have set a default route of: 0.0.0.0 0.0.0.0 10.10.255.254

    I can ping 8.8.8.8 from the Layer 3 switch CLI, but for some reason, I cannot ping that address from any of the clients on any of the VLANS.

    The clients cannot ping 10.10.255.254 but the Layer 3 switch can.

    How can I get internet access on the clients?

    Thanks.
    Last edited by J_Worth; 6th March 2014 at 03:32 PM.

  2. #2

    The clients need to have a default gateway set to be the IP interface of the Layer 3 switch for their vlan.

    Only the core switch should have a default gateway of the LAN interface of the pfsense box.

  3. #3
    nicholab
    I am going to ask: where do you want the routing to take place and to control inter-VLAN ACLs?

  4. #4

    Quote, originally posted by psydii:
    > The clients need to have a default gateway set to be the IP interface of the Layer 3 switch for their vlan.
    >
    > Only the core switch should have a default gateway of the LAN interface of the pfsense box.

    The clients have a default gateway of the IP interface of the vlan.
    The core switch has: 10.10.255.253 set on a vlan interface (5) and the pfSense has 10.10.255.254.

  5. #5

    Quote, originally posted by nicholab:
    > I am going to ask: where do you want the routing to take place and to control inter-VLAN ACLs?

    Routing is taking place on the Layer 3 switch. This is where VLAN ACLs will be placed.

  6. #6

    Does the layer 3 switch have a default route defined?

  7. #7

    Quote, originally posted by psydii:
    > Does the layer 3 switch have a default route defined?

    Yep. It has: 0.0.0.0 0.0.0.0 10.10.255.254

    I can ping 8.8.8.8 from the layer 3 switch but not the clients.

  8. #8
    nicholab
    Is the default route set on the switch? Have you set a second route on the pfSense box so it knows to send all packets to the core switch?

  9. #9

    Quote, originally posted by nicholab:
    > Is the default route set on the switch? Have you set a second route on the pfSense box so it knows to send all packets to the core switch?

    That's what I've tried doing. On the pfSense box I have created a gateway on the LAN interface of 10.10.255.253.
    I have then defined static routes back to the individual VLAN subnets. For example:

    Network: 10.10.10/24
    Gateway: LANRouting - 10.10.255.253
    Interface: LAN

    I have set a default route on the switch.
    Last edited by J_Worth; 6th March 2014 at 03:57 PM.

  10. #10

    localzuk
    Question - is the edge router your own? Or is it ISP provided?

    We had an issue here recently where a new IP range we were given to extend into by our LEA/ISP/RBC was not added to the edge router by the LEA. So, even though we had the right routing rules set up on our core L3 switch, the new range failed to route to the internet.

    The LEA had to add rules to the edge router to allow traffic to traverse it from the new IP range.

  11. #11

    Of course you have. Reading too fast sorry.

    My last suggestion before I bow out and go back to what has most of my attention IRL... are you sure there aren't any rules on the pfSense box that might be doing this (say, a rule that only allows traffic from the subnet on vlan5)?

    EDIT: you've basically already answered this too. I'm off back to the rock whence I crawled.
    Last edited by psydii; 6th March 2014 at 03:58 PM.

  12. #12

    Quote, originally posted by localzuk:
    > Question - is the edge router your own? Or is it ISP provided?
    >
    > We had an issue here recently where a new IP range we were given to extend into by our LEA/ISP/RBC was not added to the edge router by the LEA. So, even though we had the right routing rules set up on our core L3 switch, the new range failed to route to the internet.
    >
    > The LEA had to add rules to the edge router to allow traffic to traverse it from the new IP range.

    The edge router is a LEA owned router. We have an LEA range of 10.208.208.0/21, but we want to have flexibility and more addresses, so we want to place a pfSense between our LEA IP range and our custom ranges. Like this:

    School Network ----> pfSense (LAN 10.10.255.254 & WAN: 10.208.208.10) -----> LEA Router (10.208.208.1) -----> Internet

    pfSense is configured to use NAT, could this be causing the problem?
    Last edited by J_Worth; 6th March 2014 at 04:09 PM.

  13. #13

    I cracked it! I hadn't changed the default LAN rule from "LAN subnet" to "any". The router was pinging successfully because it was directly connected to the "LAN Subnet".

    Thanks for the pointers and your help.
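
Added example (not part of the thread, and not pfSense's own code): a simplified Python model of first-match source filtering on the LAN interface, showing why the Layer 3 switch could ping out while routed VLAN clients could not, and how a source list limited to the routed subnets compares with "any". The /24 mask on the 10.10.255.x transit network, the client address 10.10.10.50 and the stray source 192.168.77.5 are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the thread gives 10.10.255.253/.254 but no mask; /24 is assumed.
LAN_SUBNET = ipaddress.ip_network("10.10.255.0/24")
# Routed VLAN subnets behind the Layer 3 switch, from the first post.
ROUTED_VLANS = [ipaddress.ip_network(n) for n in
                ("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each ruleset is an ordered list of (action, source networks).
DEFAULT_RULES = [("pass", [LAN_SUBNET])]                # source "LAN subnet"
ANY_RULES = [("pass", [ANY])]                           # the fix used in the thread
SCOPED_RULES = [("pass", [LAN_SUBNET] + ROUTED_VLANS)]  # narrower alternative

# Constructed sample sources: the switch, a VLAN 10 client, a stray address.
SAMPLES = ["10.10.255.253", "10.10.10.50", "192.168.77.5"]


def decide(rules, src):
    """First matching rule wins; with no match the packet is blocked."""
    ip = ipaddress.ip_address(src)
    for action, sources in rules:
        if any(ip in net for net in sources):
            return action
    return "block"


def evaluate(rules, sources=SAMPLES):
    """Map each sample source address to the decision the ruleset gives it."""
    return {src: decide(rules, src) for src in sources}


def uncovered(rules, subnets=ROUTED_VLANS):
    """Routed subnets that no pass rule's source list fully contains."""
    allowed = [net for action, nets in rules if action == "pass" for net in nets]
    return [str(s) for s in subnets if not any(s.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    for name, rules in (("LAN subnet", DEFAULT_RULES), ("any", ANY_RULES),
                        ("scoped", SCOPED_RULES)):
        print(name, evaluate(rules), "uncovered:", uncovered(rules))
```

With source "any" the stray address is passed as well; the scoped source list passes only the transit network and the three routed VLANs.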
