Traffic will go out the WAN of the UDM if the devices are using the UDM as a gateway.
All clients have their gateway as the pfSense box via DHCP and/or static. The "Gateway IP" set in the Default Network in the UDM is the IP of the UDM itself.
I don't understand how suddenly they've started to route out of the WAN instead of via the other port.
The only way for clients to route data out the UDM is for those clients to have the UDM as the gateway, or if the pfSense is set to route through the UDM.
Tom,
Trying to reconfigure a Netgate 7100 in front of a UDM SE. Both were running with an rPi with Pi-hole. Having studied your vids on the subject, it worked great for a couple of years, till the rPi had a bad day. So, went through an update cycle on the 7100 (including pfBlocker) & UDM SE (including their new ZBF).
I cannot re-figure out how to couple the machines through the trunk, as was done in the 2023 video. As such, pfS is NOT serving any UDM-based subnets, so no pfBlocker benefit.
I've not found any discussion of the ZBF downstream of a pfS system.
I'm stuck. Advice?
Thanks.
That video above is still accurate, I am not clear on what part is not working.
Before ZBF & Network 9.2.87, one could easily define the UDM as a member of a subnet (x.x.x.2), turn off the UDM DHCP, define the gateway, DHCP, DNS, NTP servers.
With 9.2.87, whatever the UDM host is defined to be, becomes the gateway, with no apparent way to override.
My steps…
On the UDM, running 9.2.87, created the netTEST subnet, put it in the TrunkZone, Host as 192.168.151.2, netmask as /24. The GUI then defines the GateWay with the same ipAddr as the Host. Define the VLANid as 151. Set DHCP Mode to None.
Dedicate a UDM Ethernet port for the 151 traffic, by defining the port's Native VLAN. Set Tagged VLAN mgmt to Allow ALL, even though Block ALL would be best.
On the UDM ZBF, ensured the TrunkZone included netTEST.
S>D
TrunkZone>Gateway Allow ALL any/any
TrunkZone>Internal Allow Return
On the 7100…
Defined VLAN 151 as a child of the lagg0 interface. Added the lagg0:151 network port to become Interface OPT15. Enabled the OPT15 interface, static IP of 192.168.151.1.
Enabled the Kea DHCP Server for the OPT15 interface with an address pool 192.168.151.11-.254. Defined the DNS & NTP servers as …151.1.
Ensured the DNS Resolver included OPT15 in its Network Interfaces to respond to.
For OPT15, created an Allow ALL any/any rule on the pfS firewall.
Lastly, Trunk Port on the 7100 switch port #7, defined members as 7t, 9t, 10t with its own VLAN tag of 1221, which is OPT8. It is an Enabled Interface, with a static ipAddr. DHCP Service is enabled on OPT8 with a limited range pool of 10.12.21.3-6.
pfS DNS for the Trunk port OPT8…
Allow TCP/UDP UDMnets to pfSFW ports 53,67-68,123
Allow * any/any to PFSnets *
The UDM port page reports…
Tx & Rx on the netTEST port
Tx on the Trunk port but Zero Rx.
BUT, the untagged PC attached to the UDM netTEST port, never gets an ipAddr.
However, if a physical port on the 7100 is dedicated to be the …1 member of a UDM network that is defined thereon with a 3rd party Gateway, things behave. Though I don't think pfBlocker is yielding the behaviors I was seeing with Pi-hole.
To me, it seems the UDM 9.2.87 GUI prevents the Trunking option, by fixing the Host ipAddr as the GateWay.
And my firewall rules are likely faulty.
Confused. So seeking suggestions. Thanks.
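One way to narrow down the "Tx but zero Rx / PC never gets an address" symptom described above is to look at what actually arrives on the pfSense side of the trunk. The script below is an added example, not from this thread or from Netgate/Ubiquiti: it is run from the pfSense (7100) shell, captures frames on the lagg0 trunk with tcpdump -e, and summarises them per 802.1Q tag, counting DHCP requests and replies. The interface name lagg0 and the VLAN IDs 151 and 1221 are taken from the post; the sample capture embedded in the script is constructed (made-up timestamps and MACs, in the shape tcpdump -e prints on FreeBSD), and the ifconfig grep assumes FreeBSD's "vlan: <id>" output format. If DHCP requests tagged 151 reach lagg0 but there is no reply, the problem is on the pfSense side (lagg0.151/OPT15, Kea, the OPT15 rules); if they arrive untagged, the UDM port is stripping the tag (native VLAN); if no 151 frames arrive at all, look at the UDM port/VLAN settings and ZBF first.

```sh
#!/bin/sh
# Added example (not from the thread): check from the pfSense/Netgate shell
# (SSH, option 8) whether tagged VLAN frames and DHCP requests reach the trunk.
# Defaults below are the values from the post; override them as
#   TRUNK_IF=lagg0 VLAN_ID=151 ./vlan_check.sh --capture
# Without --capture the script runs its built-in constructed sample instead.
# tcpdump and timeout are part of FreeBSD base, so they are present on pfSense.

TRUNK_IF="${TRUNK_IF:-lagg0}"
VLAN_ID="${VLAN_ID:-151}"

# summarize_vlans: read `tcpdump -e` output on stdin, print one line per
# 802.1Q tag seen ("untagged" for frames carrying no tag):
#   <vid> <frames> <dhcp_requests> <dhcp_replies>
summarize_vlans() {
  awk '
    {
      if (match($0, /vlan [0-9]+,/))
        vid = substr($0, RSTART + 5, RLENGTH - 6)   # "vlan 151," -> "151"
      else
        vid = "untagged"
      frames[vid]++
      if ($0 ~ /BOOTP\/DHCP, Request/) req[vid]++
      if ($0 ~ /BOOTP\/DHCP, Reply/)   rep[vid]++
    }
    END {
      for (v in frames)
        printf "%s %d %d %d\n", v, frames[v], req[v] + 0, rep[v] + 0
    }' | sort -n
}

# vlan_has_dhcp_request VID: exit 0 if the summary on stdin shows at least
# one DHCP request under VID (VID may be "untagged"), 1 otherwise.
vlan_has_dhcp_request() {
  awk -v want="$1" '$1 == want && $3 > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# capture_trunk: up to 50 frames or 30 s from the trunk. Run it while the test
# PC on the UDM access port is renewing its lease (replug or ipconfig /renew).
capture_trunk() {
  timeout 30 tcpdump -eni "$TRUNK_IF" -c 50 2>/dev/null
}

# report: summarise a capture on stdin and say which side to look at next.
report() {
  summary=$(summarize_vlans)
  printf '%s\n' "$summary"
  if printf '%s\n' "$summary" | vlan_has_dhcp_request "$VLAN_ID"; then
    echo "DHCP requests tagged $VLAN_ID reach $TRUNK_IF: check ${TRUNK_IF}.${VLAN_ID}, Kea and the OPT rules on pfSense."
  elif printf '%s\n' "$summary" | vlan_has_dhcp_request untagged; then
    echo "DHCP requests arrive untagged on $TRUNK_IF: the UDM port is stripping the $VLAN_ID tag (native VLAN)."
  else
    echo "No DHCP request tagged $VLAN_ID seen on $TRUNK_IF: check the UDM port VLAN settings and ZBF first."
  fi
}

# Constructed sample (not a real capture): two tagged DHCP requests from the
# test PC on VLAN 151, one reply from 192.168.151.1, one ARP on the 1221
# management VLAN, and one DHCP request that arrived untagged.
SAMPLE_CAPTURE='10:00:01.000001 02:00:00:00:01:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 151, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:01:01, length 300
10:00:02.000002 02:00:00:00:01:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 151, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:01:01, length 300
10:00:02.000500 02:00:00:00:00:aa > 02:00:00:00:01:01, ethertype 802.1Q (0x8100), length 346: vlan 151, p 0, ethertype IPv4 (0x0800), 192.168.151.1.67 > 192.168.151.20.68: BOOTP/DHCP, Reply, length 300
10:00:03.000003 02:00:00:00:00:bb > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1221, p 0, ethertype ARP (0x0806), Request who-has 10.12.21.1 tell 10.12.21.3, length 28
10:00:04.000004 02:00:00:00:01:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:01:02, length 300'

case "${1:-}" in
  --capture)
    echo "VLAN children of $TRUNK_IF with tag $VLAN_ID (FreeBSD ifconfig format):"
    ifconfig | grep -E "vlan: ${VLAN_ID} " || echo "  (no interface carries vlan: ${VLAN_ID})"
    capture_trunk | report ;;
  *)
    printf '%s\n' "$SAMPLE_CAPTURE" | report ;;
esac
```

On the constructed sample the summary comes out as "untagged 1 1 0", "151 3 2 1" and "1221 1 0 0", and the script reports that tagged requests reach the trunk. On a live capture the three branches of report() map directly onto the three places the thread is guessing at: the pfSense interface/DHCP/rules, the UDM port's native-VLAN handling, and the UDM network/ZBF configuration.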