Topic: Routing LAN VLAN to WAN VLAN

tc3driver
Routing LAN VLAN to WAN VLAN
« on: October 26, 2017, 06:23:32 pm »
I am going to start off with an apology: this could fit into 3 different categories here. Moderators, please feel free to move it with impunity if this is not the proper place for this post.

So I have an interesting setup, for those who would ask "Why the hell would you want to do that!?!" The answer is simple: we are in a transitional period here, and allowing this LAN VLAN to NAT to the default WAN VIP would be a security risk now. In the future it would still be nice to have different traffic go out of different subnets.

Here is the current setup:

WAN:
VLAN 83

WLWAN:
VLAN 81

LAN:
VLANS 360 370 371 372 373 374 395

WLLAN:
VLAN 384

Desired routing outcome:
VLANS 360 370 371 372 373 374 395 route through to WAN vlan 83 via VIP (this currently works!)
VLAN 384 Route through to WLWAN VLAN 81 via VIP (Not functioning)

PFSense Version 2.4.1

Other information:
Currently using Manual NAT, CARP, and 2 systems for failover.  For testing have stopped CARP currently only using a single system.

So what we are trying to do is configure this so that anything routing through the firewall from VLAN 384 should make it to the internet via VLAN 81. What we are actually seeing is the raw requests with the RFC 1918 IP addresses hitting local devices beyond the firewall. I have the NAT rules in place, however they seem to be ignored. However, if I change the NAT rules to go through the WAN interface, it all works fine. I should also note that the gateways for both VLANs have been added and are pingable.

Basic rules look like:
Interface: WLWAN
Rule: Any traffic from WLLAN to be pushed through to ip (WLWAN VIP).

There is also the firewall rule for the WLLAN which is allowing anything sourced from the WLLAN through.

And all the interfaces are configured and functional (the WAN Interfaces are both able to ping google, as an example, from the VIPs).

I am sure I am missing something simple, and I appreciate any help that can be provided.

Please feel free to ask any questions, or inquire for further information if there isn't enough provided.

I am sure you can see where my confusion lies on the part of where to post this.
« Last Edit: October 26, 2017, 06:55:03 pm by tc3driver »

mikeisfly
Re: Routing LAN VLAN to WAN VLAN
« Reply #1 on: October 31, 2017, 04:20:33 am »
Did you set up a manual outbound NAT rule for your WLWAN?

tc3driver
Re: Routing LAN VLAN to WAN VLAN
« Reply #2 on: October 31, 2017, 05:25:38 am »
Yes I did.

mikeisfly
Re: Routing LAN VLAN to WAN VLAN
« Reply #3 on: October 31, 2017, 09:22:23 pm »
That should work, can you post your configs?

tc3driver
Re: Routing LAN VLAN to WAN VLAN
« Reply #4 on: November 07, 2017, 01:06:05 pm »
Sorry for the delayed response, I was out most of last week.

Here are some screenshots of the configs.

tc3driver
Re: Routing LAN VLAN to WAN VLAN
« Reply #5 on: November 07, 2017, 05:02:34 pm »
It does seem to be working now, though I don't understand why.

When I changed the outbound NAT rule from using the WLWAN to the WAN interface, it started working. I am not a networking expert by any means of my imagination; this makes no sense to me. I would assume that the VLAN tagged interface would be the interface that one should use, not the interface with a different VLAN tag. For now this can be marked as solved with questions.

Thanks for all your help and time.

mikeisfly
Re: Routing LAN VLAN to WAN VLAN
« Reply #6 on: November 07, 2017, 06:07:25 pm »
I'm glad you got it working. Normally, when you want to do policy-based routing and you have multiple WANs, you would create a rule under that interface setting the gateway to the WAN interface of your choice. Then you have to go to the outbound NAT; I usually set it to hybrid mode and set a rule like the one below:

Interface: WAN
Source: 192.168.45.0/24
Source Port: *
Destination: *
Destination Port: *
NAT Address: WAN address
NAT Port: *
Static Port: (unset)
Description: Default GW

Order here matters, I believe (first match wins), so if your interface rule says to use WLWAN but the NAT outbound rule that matches first says to use the WAN, then the traffic would be dropped. Looks like you have your interface rule set to any (*), which is allowing the desired behavior.

Derelict (Global Moderator)
Re: Routing LAN VLAN to WAN VLAN
« Reply #7 on: November 07, 2017, 09:33:07 pm »
Quote:
    When I changed the outbound NAT rule from using the WLWAN to the WAN interface, it started working.
That is because that is how it works. No mystery here. Outbound NAT on the WLWAN interface NATs traffic going out WLWAN, not WAN.

Outbound NAT does zero to affect what traffic is routed where. It only defines what translations take place when traffic flows out that interface.
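The behaviour mikeisfly and Derelict describe, as an added model that is not pfSense code and not from any poster: the interface rule's gateway (policy routing) picks the egress interface, and outbound NAT is then matched only against rules bound to that egress interface. Interface names and VLAN IDs are the thread's; the subnet and VIP addresses are constructed.

```python
# Constructed model of the pfSense flow discussed in the thread.
# Routing first (policy route if the interface rule names a gateway,
# otherwise the default route), then outbound NAT on the egress interface.
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical addressing: WLLAN is VLAN 384, WAN is VLAN 83, WLWAN is VLAN 81.
IFACES = {
    "WLLAN": {"vlan": 384, "net": ip_network("192.168.45.0/24")},
    "WAN":   {"vlan": 83,  "vip": ip_address("203.0.113.10")},   # constructed VIP
    "WLWAN": {"vlan": 81,  "vip": ip_address("198.51.100.10")},  # constructed VIP
}
DEFAULT_GW_IFACE = "WAN"  # default route leaves via WAN, as in the original post


def route(gateway: Optional[str]) -> str:
    """Interface rule with a gateway set -> policy route; otherwise default route."""
    return gateway if gateway else DEFAULT_GW_IFACE


def outbound_nat(egress: str, src: str, nat_rules: list) -> str:
    """First outbound NAT rule bound to the egress interface that matches wins.
    Rules bound to another interface are never consulted for this packet."""
    for rule in nat_rules:
        if rule["iface"] == egress and ip_address(src) in ip_network(rule["source"]):
            return str(IFACES[egress]["vip"])
    return src  # no translation: the private source address leaves as-is


def send_from_wllan(src: str, gateway: Optional[str], nat_rules: list) -> dict:
    """Simulate one packet from WLLAN; report egress, outgoing source, and leak."""
    egress = route(gateway)
    out_src = outbound_nat(egress, src, nat_rules)
    leaked = any(ip_address(out_src) in n for n in RFC1918)
    return {"egress": egress, "src": out_src, "rfc1918_leak": leaked}


if __name__ == "__main__":
    host = "192.168.45.20"
    # Original post: NAT rule on WLWAN, no gateway on the WLLAN rule.
    print(send_from_wllan(host, None, [{"iface": "WLWAN", "source": "192.168.45.0/24"}]))
    # Reply #5 "fix": NAT rule moved to WAN. Works, but traffic still exits WAN.
    print(send_from_wllan(host, None, [{"iface": "WAN", "source": "192.168.45.0/24"}]))
    # Reply #6 recipe: gateway on the interface rule plus NAT rule on WLWAN.
    print(send_from_wllan(host, "WLWAN", [{"iface": "WLWAN", "source": "192.168.45.0/24"}]))
```

The first scenario reproduces the symptom from the original post: the packet takes the default route out WAN, the WLWAN-bound NAT rule is never consulted, and the 192.168.45.x source leaves untranslated.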