VLANs - How to allow access to a SINGLE IP from another LAN network?
Hey! First timer with VLANs here. I am testing my first VLAN created network called test49, which I plan to use for IoT devices.
I want these devices to reach the Internet, without having access to my LAN network. I've created a simple rule for this matter:

This works like a charm. A device inside the test49 VLAN has access to the Internet, but without reaching my private network. Now I want to allow the device inside the test49 network to reach a SINGLE IP from my private network (I need this to keep my IoT devices connected to Home Assistant).
The HA (Home Assistant) has an IP of 192.168.2.14 and it's located on another network, which is not VLAN. This is the rule I created, and it is located at the top of the FW rules for test49 VLAN:

I thought that FW rules are read in order - meaning the first one should have the most weight. What am I missing, because this rule is not working? The device in test49 VLAN cannot reach 192.168.2.14
EDIT: Of course the problem wasn't inside pfSense but in me! I performed all of those tests via ESXi VMs, and it turned out that the ESXi virtual switch wasn't passing the VLAN packets to the VMs! Solved it via ESXi itself. Thank you all for helping!



They are read in order.
You can log the hits to the rule and see if it’s doing what you expect.
The first thing that comes to mind is - is your private network allowed to talk back?
If you’re on your non-IoT network and trace/ping to it - what happens? Both to the trace and hits on the logged firewall rules. It should travel to the firewall and then….
There are no rules on the other non-IoT network that allow any kind of traffic to the VLAN. My understanding is that if I have a rule that allows traffic from the VLAN to the other private network, traffic should be allowed and the rules for the return of the traffic should be handled by pfsense in the background.
Meaning I can ping the device inside the non-IoT network but the device in the non-IoT network cannot initiate a connection to the VLAN device.
May I ask if you happened to set this up? I think I'm in a similar situation; for example, I want my printer to sit in my IoT VLAN but want my PC on my main LAN still able to communicate. Thanks for your time
Eventually I moved HA to the IoT VLAN, which was more suited to my needs.
Now for your case, have you tried to create a rule that allows your PC to access just the IP of the printer? Ofc the printer needs to have a static IP for this to work. I believe PC calling the printer (one way FW rule) should be enough.
As a test I would try to disable all (if any) block/reject rules and create a single pass Any to Any for the interface where the traffic originates. Does that work?
On the VLAN interface I do not have any block/reject rules. I created another pass rule which sits on the top and allows ALL traffic from test49 net to LAN net. LAN is my default private network where all the devices sit. I then went to the LAN FW rules and created another PASS rule to pass ALL traffic from LAN net to test49 net. So both the VLAN and the LAN network have PASS rules and there are no block rules. Still doesn't work. Both networks are /24 - I do not know shit about subnets, but FW rules should be kings here, right?
The syntax is wrong on the 2nd rule (you're allowing the entire 192.168.50.0/24 range), but that's not the problem.
Do you have a pfsense interface on the 192.168.2.0/24 network? Go to diagnostics, ping and see if you can ping your HA host from the desired network.
In order for pfsense to route between different networks, it needs to have an interface with an address on each one.
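The two points raised above, that rules are evaluated top-down with the first match winning and that reply traffic for a passed connection is allowed by the state table rather than by a rule on the other interface, and the remark that a destination written as a /24 instead of a single host lets the whole network through, can be seen with a small model. The following is an added example written for this thread, not pfSense code: it implements a first-match, per-interface rule evaluator with a state table, using constructed addresses modelled on the thread (IoT VLAN 192.168.50.0/24, LAN 192.168.2.0/24, Home Assistant at 192.168.2.14, a hypothetical PC at 192.168.2.30 and a TEST-NET address standing in for the Internet). The `rfc1918` alias, the `Rule` fields and the function names are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Aliases stand in for pfSense's "any" and for an RFC1918 alias (constructed for this model).
ALIASES = {
    "any": [ip_network("0.0.0.0/0")],
    "rfc1918": [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # CIDR or alias name
    dst: str      # CIDR or alias name
    note: str


def _networks(spec):
    return ALIASES.get(spec) or [ip_network(spec, strict=False)]


def _matches(rule, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in _networks(rule.src)) and any(d in n for n in _networks(rule.dst))


class StatefulFirewall:
    """First-match rule evaluation per interface, plus a state table that lets replies through."""

    def __init__(self, rules_by_iface):
        self.rules_by_iface = rules_by_iface
        self.states = set()  # (src, dst) pairs created when a pass rule matched

    def decide(self, iface, src, dst):
        # A reply to a connection that was already passed never consults the rules again.
        if (dst, src) in self.states:
            return "pass", "existing state (reply traffic)"
        # Rules are walked top-down; the first one that matches decides (pfSense's "quick").
        for i, rule in enumerate(self.rules_by_iface.get(iface, [])):
            if _matches(rule, src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action, f"rule {i}: {rule.note}"
        return "block", "default deny"


# Constructed rulesets modelled on the thread. LAN has no rules at all, as the original poster described.
RULES = {
    "test49": [
        Rule("pass", "192.168.50.0/24", "192.168.2.14/32", "IoT -> Home Assistant only"),
        Rule("block", "192.168.50.0/24", "rfc1918", "IoT -> any private network"),
        Rule("pass", "192.168.50.0/24", "any", "IoT -> Internet"),
    ],
    "LAN": [],
}


def demo():
    fw = StatefulFirewall(RULES)
    iot, ha, pc, web = "192.168.50.20", "192.168.2.14", "192.168.2.30", "203.0.113.10"
    return {
        "iot_to_ha": fw.decide("test49", iot, ha)[0],        # pass: first rule, single host
        "ha_reply": fw.decide("LAN", ha, iot)[0],            # pass: state table, no LAN rule needed
        "iot_to_pc": fw.decide("test49", iot, pc)[0],        # block: RFC1918 rule hits before "any"
        "iot_to_internet": fw.decide("test49", iot, web)[0], # pass: falls through to the last rule
        "pc_to_iot": fw.decide("LAN", pc, iot)[0],           # block: LAN-initiated, no rule, no state
    }


def widened_rule_leak():
    """The same first rule written as /24 instead of /32: a non-HA LAN host now matches it."""
    leaky = dict(RULES)
    leaky["test49"] = [
        Rule("pass", "192.168.50.0/24", "192.168.2.0/24", "IoT -> whole LAN (too wide)")
    ] + RULES["test49"][1:]
    return StatefulFirewall(leaky).decide("test49", "192.168.50.20", "192.168.2.30")[0]


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("widened /24 rule, IoT -> PC:", widened_rule_leak())
```

The model deliberately leaves out protocols, ports, floating rules and the interface the packet actually arrives on, so it only shows why rule order and the destination mask matter. Logging the pass rule, as suggested earlier in the thread, is the real-world equivalent of reading the `rule i` verdict here: if the counter never increments, the packet is not reaching the rule at all, which is exactly what the ESXi vSwitch problem in this thread turned out to be.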
The 192.168.2.1 network is my main and only functional one. This is the network which holds all of my devices. The other network I have is test49 VLAN, which is 192.168.50.1
So that's all I have and 192.168.2.1 network should have everything needed to run, as I'm currently working from it.
I've very recently gone for the same setup: my IoT devices are in a VLAN, but I've kept my Home Assistant RPi4 in my main LAN. My LAN is allowed to talk to the IoT VLAN, but not the other way round. The IoT VLAN is allowed to talk to non-private IPs, i.e. the internet only. It's working fine for me; if you know an easy way of me sharing quite a few screenshots then I'm happy to share my configuration.
Hey and thanks for tuning in! Yeah, I'm in the process of building up a similar environment, with the only difference that the Internet of Shit devices must reach out to the HA instance (which is inside the protected LAN network).
My problem was that I was testing all of this in ESXi VMs, which shared a virtual port that was not passing through the VLAN packets. I managed to find a solution within ESXi... so it wasn't pfSense's fault.