pfSense VLAN SG2100

I have an issue with my SG2100. I have a few VLANs that connect fine to the internet but others that won't.
I can ping pfsense.org from Diagnostics > Ping using the correct interface with success.
There are no firewall rules blocking anything.
The VM gets an IP but can't go online.
I changed the DNS server handed out by the DHCP server for each network; still nothing.
I checked the DNS Resolver and it is enabled. I am able to go online on some of them.

It makes no sense to me. Please help…

Need a lot more info. You mentioned a VM? Is the firewall in the hypervisor turned on by any chance? How is the network in your hypervisor configured? Pictures of your pfSense configuration screens would help. How is your pfSense box connected to the internet? What's on the WAN side?

Thank you so much for reaching out.

I have an SG2100 with pfSense+ that I migrated from pfSense CE. The VM is in Proxmox and I have a VLAN for it that is not able to go online (it got an IP though).

This is another firewall rule

I have several vlans.

Here is a diagram I was working on.

Perhaps the best way to troubleshoot is to connect a laptop to the switch over the same vlan that your vm uses, then test. If it’s not that then check your rules, NAT and DNS config.

Personally, when I set up my VLANs, I have a base suite of rules that I use on all, then tweak them slightly for what I need.

I think your firewall rules are a little messed up and I think you have way too many VLANs. Just my personal opinion. But it is easiest to start simple and add complexity rather than start complex and try to simplify. By way of example, and my way is not necessarily the "right way", it's just one way that works for me. But in my network I have 5 VLANs not including WAN or LAN: Home, Guest, IOT, Television, Server and Server mgmt. Home is tightly locked down access-wise and only my wife and I can use it. It is my "power" VLAN, in that it can access any other VLAN. Guest is my kids, IOT is all my Ring cameras, Television is for the Roku sticks, Server is anything that touches the public internet, like my WordPress websites, Nextcloud, etc., and Server mgmt is the management interfaces for my Proxmox machines, switch, pfSense, etc. In the attached pics, ignore the firewall rules with the yellow hand symbol. These were added by pfBlockerNG. All of my VLANs except Home have the following rules

My Home VLAN (the “power” VLAN) looks like this

My WAN

My LAN

Using the above (which I took from one of Tom's videos, thank you Tom!), all VLANs can get to the internet, and none of the VLANs can talk to/see each other at all, except for the Home VLAN, which has one-way rights to connect to other VLANs, which I only do for troubleshooting purposes. Nothing sits on my LAN interface. It has no DHCP server, and it is not connected to anything. I also block DNS and DNS over TLS through pfBlockerNG.

Someone may point out where I am doing something wrong, and that would be appreciated, but so far this setup seems to work for me.


I did that. My PC got an IP but can't go online. I have pfSense as DNS using Unbound.

Alright, and thanks for taking the time to assist. I will compare them to yours and test.

I think a key difference is in the firewall rule order. You have "block everything else" as the last two rules. I am not sure but suspect that is messing you up. Firewall rules work from top down, so the way I have it is with explicit blocking first (to the firewall device, to other VLANs, etc.) THEN a pass-everything rule. Your rule allowing access to the internet needs to be last, I think. AND I think you need specific rules before that blocking the other VLANs.

I was thinking that if a rule matches, it will not go further down the rules. Is that correct? I might have misinterpreted the docs.

I will remove that rule and test. I will post the results soon.

Sounds like you have a config error then. For a VLAN that is working, I would copy the rules to your VLAN that isn't working and inspect your NAT outbound rules too; when it's working, then modify the rules to what you need on that VLAN.

Still nothing. I copied all the rules from the VLAN that works and deleted all the other ones. Still get an IP from the DHCP server but can't ping google.com.

Thanks for helping, guys. One of my aliases to block the private IPs had my subnet range in it. I removed it. I am good!
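To make the rule-ordering question and the final fix concrete, here is a small first-match rule evaluator. It is an added example, not part of the thread and not pfSense code: it models pfSense's top-down, first-match behaviour with an implicit default deny, using constructed addresses (VLAN 10.20.0.0/24, firewall interface 10.20.0.1 running the resolver, a second VLAN 10.30.0.0/24, and 203.0.113.10 as a stand-in internet host). The "broken" set has a block rule whose private-address alias also covers the VLAN's own subnet, so the VM's DNS queries to the firewall never reach a pass rule; the "fixed" set carves the VLAN's own subnet out of that alias, which is what the last post describes, while still blocking the other VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: list                      # list of IPv4Network (an alias)
    dst: list                      # list of IPv4Network (an alias)
    dport: Optional[int] = None    # None means any destination port
    name: str = ""


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def in_alias(addr, alias):
    return any(addr in n for n in alias)


def evaluate(rules, pkt):
    """pfSense-style evaluation: walk the rules top to bottom and let the
    first match decide. If nothing matches, the implicit default deny applies,
    so a trailing 'block everything else' rule changes nothing."""
    for idx, r in enumerate(rules):
        if (in_alias(pkt.src, r.src) and in_alias(pkt.dst, r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, idx, r.name
    return "block", None, "implicit default deny"


# Constructed lab values (hypothetical, not from the thread).
VLAN_NET = ipaddress.ip_network("10.20.0.0/24")
FW_ADDR = ipaddress.ip_address("10.20.0.1")       # interface address, Unbound listens here
OTHER_VLAN_HOST = ipaddress.ip_address("10.30.0.5")
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")
ANY = nets("0.0.0.0/0")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def exclude_own_subnet(alias, own):
    """Return the alias with the VLAN's own subnet carved out, so traffic to the
    firewall's interface address (DNS, DHCP, gateway) is no longer caught by it."""
    out = []
    for n in alias:
        out.extend(n.address_exclude(own) if own.subnet_of(n) else [n])
    return out


# Broken: the private-address alias still contains 10.20.0.0/24.
BROKEN_RULES = [
    Rule("block", [VLAN_NET], RFC1918, name="Block private destinations"),
    Rule("pass", [VLAN_NET], ANY, name="Allow internet"),
]

# Fixed: same order, but the alias no longer covers the VLAN itself.
FIXED_RULES = [
    Rule("block", [VLAN_NET], exclude_own_subnet(RFC1918, VLAN_NET),
         name="Block private destinations (own subnet excluded)"),
    Rule("pass", [VLAN_NET], ANY, name="Allow internet"),
]

CLIENT = ipaddress.ip_address("10.20.0.50")
PACKETS = {
    "dns": Packet(CLIENT, FW_ADDR, 53),            # resolver query to the firewall
    "web": Packet(CLIENT, INTERNET_HOST, 443),     # ordinary internet traffic
    "lateral": Packet(CLIENT, OTHER_VLAN_HOST, 22),  # attempt to reach another VLAN
}


def run_scenarios():
    """Evaluate every sample packet against both rule sets."""
    return {
        "broken": {k: evaluate(BROKEN_RULES, p) for k, p in PACKETS.items()},
        "fixed": {k: evaluate(FIXED_RULES, p) for k, p in PACKETS.items()},
    }


if __name__ == "__main__":
    for label, results in run_scenarios().items():
        for name, (action, idx, rule) in results.items():
            print(f"{label:6} {name:8} -> {action:5} (rule {idx}: {rule})")
```

Running it shows that with the broken alias the web packet passes (rule 1) but the DNS query is blocked by rule 0, which is exactly the symptom in the thread: a lease and a working ping by IP from the firewall itself, yet no name resolution from the client. With the alias fixed, DNS to the firewall passes, the internet packet passes, and traffic to the other VLAN is still blocked. An equivalent fix is to keep the full RFC1918 alias and place a narrow pass rule for UDP/TCP 53 to the interface address above it; either way the block rule's position at the bottom was never the problem.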