I have multiple VLANs on my network and use one for administering my equipment: pfSense, TrueNAS Core, switches and access point. I decided to allow my Linux desktop to access the management network from the general purpose network to eliminate the need for moving the network cable to a different switch port whenever I needed to access a device on the management network.
This works fine for most things, but TrueNAS was a bit problematic, occasionally needing a page reload to get the page to display.
I checked the logs and found that the connection was being blocked by the Default deny rule, even though I had the LAN to Management pass rule at the top of the list of the LAN firewall rules. It is flaky because the page will load if reloaded from the browser. I even used the Easy Rule pass to create a rule to pass the blocked traffic, and that created a rule that was essentially the same as the one I had created originally.
Any thoughts on why this is occurring or something to try to correct it?
It is not a deal breaker, just a bit annoying and puzzling.
I did more research and it seems I have an asymmetric connection, because the TrueNAS box has multiple VLAN interfaces, one on the same subnet as the desktop. This causes the TCP connection to quit on the route through the router and try to talk on the LAN only, which is blocked. I may need to do a NAT to the Management segment, although that may be more trouble than it's worth.
Any suggestions would be welcome.
I'd remove the VLAN from the TrueNAS box and just let the router handle everything, unless you need storage too. I have several TrueNAS in my plant and they are on 3 different physical networks; no issues with managing them across pfSense as my router.
I do need the TrueNAS box on the LAN, so I am going back to moving the plug on the switch. Probably not a more elegant solution, as the TrueNAS box sees the connection through the pfSense routing as from the 192. network on its 10. interface for login, but tries to respond via the 192. interface, especially if tabbed out on the browser, causing the TCP ACK to show up on an interface it wasn't expected on. I considered blocking the connection to 192. but that is where most storage connections come from.
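A small model of the asymmetric path described in the two posts above, added here as an example (it is not from the thread or from pfSense/TrueNAS code). The addresses, interface names and the second "no LAN VLAN" case are constructed; the two timeouts are pf's default tcp.first and tcp.established values. It shows why the reply leaving the NAS's LAN interface leaves pfSense holding a half-open state that expires while the tab sits idle, so the next ACK hits the Default deny, and why the same flow passes when the NAS has no interface on the LAN subnet.

```python
import ipaddress

# Constructed addresses standing in for the poster's "192." LAN and "10." management subnets.
LAN, MGMT = ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/24")
DESKTOP, NAS_MGMT = ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("10.0.0.20")
TCP_FIRST, TCP_ESTABLISHED = 120, 86400  # pf default timeouts: half-open vs established state

def nas_routes(lan_vlan_present):
    """TrueNAS routing table (constructed): connected routes plus a default via pfSense."""
    routes = [(MGMT, "vlan_mgmt"), (ipaddress.ip_network("0.0.0.0/0"), "vlan_mgmt")]
    if lan_vlan_present:
        routes.append((LAN, "vlan_lan"))  # second VLAN interface sitting on the LAN subnet
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match, the way the NAS kernel picks the outgoing interface."""
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

class PfLikeFirewall:
    """Minimal pf-style state tracking: a SYN creates a half-open state, the server's
    SYN-ACK promotes it to established, and any other packet needs a live state."""
    def __init__(self):
        self.states = {}   # (client, server) -> (phase, last_seen)
        self.blocked = []  # what the Default deny rule would log
    def inspect(self, src, dst, flags, now):
        key = (dst, src) if flags == "SYN-ACK" else (src, dst)
        if flags == "SYN":
            self.states[key] = ("half-open", now)
            return "pass"
        if key in self.states:
            phase, last = self.states[key]
            timeout = TCP_FIRST if phase == "half-open" else TCP_ESTABLISHED
            if now - last <= timeout:
                self.states[key] = ("established" if flags == "SYN-ACK" else phase, now)
                return "pass"
            del self.states[key]  # idle too long: state reaped, like pf's timeout
        self.blocked.append(f"Default deny: {src} -> {dst} [{flags}] at t={now}s")
        return "block"

def simulate(lan_vlan_present, idle_seconds=300):
    """Desktop opens the TrueNAS web UI through pfSense, idles, then sends a mid-stream ACK."""
    fw, routes = PfLikeFirewall(), nas_routes(lan_vlan_present)
    fw.inspect(DESKTOP, NAS_MGMT, "SYN", now=0)          # LAN -> Management, pass rule hits
    reply_if = egress_interface(routes, DESKTOP)
    if reply_if == "vlan_mgmt":                         # reply comes back through pfSense
        fw.inspect(NAS_MGMT, DESKTOP, "SYN-ACK", now=1)
    # otherwise the SYN-ACK goes straight out vlan_lan and pfSense never sees it
    verdict = fw.inspect(DESKTOP, NAS_MGMT, "ACK", now=1 + idle_seconds)
    return reply_if, verdict, fw.blocked
```

With the LAN VLAN present the reply leaves via vlan_lan and the idle ACK is blocked; without it the reply crosses pfSense, the state becomes established and the same ACK passes.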
What if you set the default route on TrueNAS onto your management VLAN? That should force all the web traffic from the admin pages over this VLAN.