I have watched so many of the pfSense/UniFi IoT segmentation/firewall videos from your YouTube channel and they are amazing! Everything was so clearly explained that I was surprised when I reached the end of my project and was experiencing this issue. I’m sure it’s something simple I forgot, but maybe someone here can help!
Pertinent Settings Screenshots: IoT Screenshots - Google Drive
Like the title suggests, I can’t seem to get internet from my newly created IoT VLAN. I cannot ping the LAN pfSense gateway as expected (10.10.10.1), CAN ping the IoT pfSense gateway (10.10.20.1) and the WAN address/gateway, but I cannot ping anything on the internet (been trying google.com and 184.108.40.206, and obviously trying to simply open websites in a browser). What have I done wrong?
Also a bit interesting: when connected to the IoT network I CANNOT access the pfSense WebUI at the IoT network pfSense address (10.10.20.1), despite being able to ping it from a terminal. However, I can connect to the pfSense IoT address WebUI when connected to the LAN network (10.10.10.0/24 subnet).
As a test try removing the block rules and set it to allow all and see if it works then start adding the rules back.
Thanks for the reply Tom! I’m so sorry I didn’t mention this, but I tried! With JUST a “* to *” pass rule on the IoT interface I still can’t ping the internet (though then I can obviously ping 10.10.10.1).
Perhaps it’s your NAT rules.
I would perhaps copy the rules you have for your LAN and apply them to your VLAN, then go from there.
I am away from my home network, but I uploaded a screenshot of my NAT rules to the folder I linked to above (here). I made no changes here; if I’m not mistaken they are auto-populated? What I have doesn’t seem quite right to me though… I don’t see any LAN interface rules, so which rules exactly should I copy to test?
You don’t need that last rule on the outbound NAT.
It’s best to do everything manually so you can see the steps required.
If one interface is working then duplicate those rules / config onto another interface then go from there.
Just to clarify: simply delete the last rule? As there are no LAN rules in the NAT, what I should duplicate is the existence of zero rules?
You need an entry for interface WAN to Source IoT, that last one needs to be modified (not deleted).
OK, thanks for your help. I will change that to interface WAN 10.10.20.0/24 * * * WAN Address * and report back.
This worked!!! Any chance you could please explain to me how this differs from the firewall rules? I’m slightly concerned about the * for destination. I wasn’t able to ping the LAN network, but I just want to make sure I haven’t left it unnecessarily open.
Thanks so much!
As I understand it, that’s just a rule to translate that network to the outside world, or your WAN address so to speak.
By default, the firewall rules block incoming traffic. So you might want a rule that says allow my ISP VLAN to see my IoT VLAN, but don’t allow the IoT VLAN to see the ISP VLAN. You can easily do that in the firewall rules; it doesn’t have anything to do with NAT.
As I mentioned before, it’s best to learn what you are actually doing. IMO it’s best to do everything manually, then when you want to repeat the steps it’s pretty easy for another network. Up to that point it’s quite painful but worth the effort. If I were you I’d keep notes; it can be tricky to recall what you just did 5 minutes ago, let alone a few months ago!
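As an added illustration (not code from this thread or from pfSense itself), here is a small Python model of why the outbound NAT entry fixed the problem while the firewall rules still decide what the IoT VLAN may reach. It uses the thread’s own subnets (10.10.10.0/24 LAN, 10.10.20.0/24 IoT) and assumes a placeholder WAN address from the RFC 5737 documentation range.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the networks and rules discussed in the thread.
LAN_NET = ip_network("10.10.10.0/24")
IOT_NET = ip_network("10.10.20.0/24")
WAN_ADDR = ip_address("203.0.113.5")   # placeholder public address (RFC 5737)
ANY = "any"

# Firewall rules on the IoT interface, first match wins (pfSense semantics).
FW_RULES = [
    ("block", IOT_NET, LAN_NET),   # keep IoT away from the LAN
    ("pass",  IOT_NET, ANY),       # everything else, including the internet
]
FW_PASS_ALL = [("pass", IOT_NET, ANY)]   # the "* to *" test from the thread

# Outbound NAT entries: (interface, source, destination, translate-to).
NAT_BEFORE = [("WAN", LAN_NET, ANY, WAN_ADDR)]              # IoT entry missing
NAT_AFTER = NAT_BEFORE + [("WAN", IOT_NET, ANY, WAN_ADDR)]  # the fix from the thread

def _match(net, addr):
    return net == ANY or addr in net

def egress_interface(dst):
    """Interface a packet leaves on, from the router's point of view."""
    if dst in LAN_NET:
        return "LAN"
    if dst in IOT_NET:
        return "IoT"
    return "WAN"

def firewall_verdict(src, dst, fw_rules=FW_RULES):
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in fw_rules:
        if _match(s, src) and _match(d, dst):
            return action
    return "block"   # implicit default deny

def outbound_source(src, dst, nat_rules, fw_rules=FW_RULES):
    """Source address the packet carries when it leaves, or None if dropped.

    Firewall rules decide whether the packet is allowed at all; outbound NAT
    only rewrites the source of packets that actually leave on WAN."""
    if firewall_verdict(src, dst, fw_rules) != "pass":
        return None
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(dst)
    for iface, s, d, trans in nat_rules:
        if iface == egress and _match(s, src) and _match(d, dst):
            return str(trans)
    # No translation: fine for internal traffic, but internet hosts cannot
    # reply to a private 10.x source, which is the symptom the thread started with.
    return str(src)
```

On the firewall itself, `pfctl -sr` and `pfctl -sn` print the loaded filter rules and NAT rules respectively, which is a quick way to confirm that the IoT entry is actually present.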
Oh I will! I totally agree on understanding what you’re doing and not JUST following the guides/videos. That’s why I was asking about the difference between NAT and firewall rules, because that’s a nuance I don’t fully grasp yet, but I’ll keep googling. I didn’t make that rule you were nice enough to help me change, hence why I was so curious/frustrated it didn’t work. Thanks again!
Perhaps the approach I’d recommend, as you are using VLANs, is to set up a suite of VLANs, say ISP, GUEST, IoT etc., then use your LAN as a way to access pfSense directly when something goes wrong.
I’ve found this approach gave me the most flexibility as my network grew.
The other thing I would add is to take more than enough config backups. It saves so much hassle; obviously the one time you don’t is when you need it!
This is EXACTLY the kind of suggestions I love. Thank you so much for the “big picture” suggestions…
Ha ha… you might also be unaware that Netgate only keeps the latest version of pfSense on their site. So keep a local copy of the ISO in case you need to roll back to a previous version for some reason!
Whoa! I don’t have the ISO I use. I’m still on 2.45 (saying latest is 2.6). I’m always scared of breaking things when updating, but I ALMOST did during this nonsense (until you came along!)
I would upgrade to be on the latest version. That way most of the bugs or vulnerabilities are taken care of. pfSense is pretty good on quality control.
Thank you for the suggestion. I think once I move all my devices over to the new VLAN and it’s stable, I’ll give it a whirl (after backing up of course). Does anyone know where I can get old ISOs? Or save the one I’m using, in case it’s a disaster…