VLAN weird issue

Hi, I'm new to pfSense and set up a couple of VLANs following Lawrence's YouTube video. Everything is working except there is some weird issue with my IoT VLAN. So below are the firewall rules for IoT, which are 98% the same as my Guest VLAN, except there is a block of IP devices I have totally blocked off from WAN, and I need to open ICMP access for a Nest device.

Here's the weird issue. All my IoT devices on the IoT VLAN work fine (i.e. Alexa works, Nest Hub plays YouTube, Fire Stick works, etc.), however when I try to open a browser it says no internet. I tried logging in to this VLAN via phone and laptop; both show status no internet, and I did confirm that when I try to ping Google (8.8.8.8) nothing comes back. But when I log in to the guest VLAN (which has pretty much the same rules) everything works except I can't access my local network, which is part of the firewall rules.

The "Reject pfSense admin interfaces" rule should include the port(s) that you want blocked on the firewall and not the entire firewall.

You need to create the same rule on your IoT VLAN as rule 4 on your guest VLAN.

@Tom Hmm, ok, I'll take a closer look. But why is the guest network working ok with the same block firewall rule? Also, I did once disable this rule and the result was the same. But the weird part is, how do the other IoT devices get online? Google and Alexa are all still connected to the web.

@FredFerrell Those 4 guest rules are also on IoT, i.e. Block access to firewall, IGMP passage, WAN passage, Block local subnet. Just to make sure it was the same, I straight up copied the rules from guest and just changed the source input.

Before I dug more into it, I created an all-open WAN rule and this is the result. There must be some type of setting on this VLAN somewhere that is wrong, but I just can't find it. I checked with the guest VLAN and all the settings are the same.

The only way I can get this VLAN to work is if I set source IOT_Net and destination to ANY. But why would it need access to my subnet???

Your last screenshot shows the computer with a DNS of 192.168.30.1, which I presume is your pfSense as that is the default gateway. Your rule does not allow access to the pfSense, so you have no DNS, which is why the error message says it can't find an IP for Google. You will be able to ping devices on the internet as you are not using DNS to resolve anything, but are allowing access to the internet. Add a TCP/UDP rule for IOT_30 to 192.168.30.1 on port 53 and your DNS will be able to resolve, or set your DHCP server to hand out a DNS server that is not your pfSense.
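The reasoning in the answer above, modelled as an added example (not part of the original thread and not pfSense's own code): a small first-match rule evaluator, the way pfSense interface-tab rules are evaluated, run against the IoT rule order described in the thread, before and after adding the TCP/UDP port 53 rule to the interface address. The 192.168.30.1 gateway/DNS address comes from the thread; the /24 mask, the 192.168.1.0/24 "local" subnet, the rule names and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# From the thread: pfSense is both default gateway and DNS server on the IoT VLAN.
IOT_GW = ipaddress.ip_address("192.168.30.1")
# Assumed for the example: the IoT VLAN mask and a "local" LAN subnet to protect.
IOT_NET = ipaddress.ip_network("192.168.30.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp/udp", "icmp", "igmp"
    dst: object                 # "any", "this_firewall", "rfc1918" or an ip_network
    dport: Optional[int] = None  # None = any port


@dataclass
class Packet:
    proto: str
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def dst_matches(rule_dst, pkt_dst) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "this_firewall":          # pfSense "This Firewall (self)" destination
        return pkt_dst == IOT_GW
    if rule_dst == "rfc1918":                # an alias covering all private ranges
        return any(pkt_dst in net for net in RFC1918)
    return pkt_dst in rule_dst


def proto_matches(rule_proto, pkt_proto) -> bool:
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return pkt_proto in ("tcp", "udp")
    return rule_proto == pkt_proto


def evaluate(rules, pkt: Packet):
    """First matching rule wins (interface-tab rules are 'quick'); no match = default deny."""
    for r in rules:
        if (proto_matches(r.proto, pkt.proto)
                and dst_matches(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, r.name
    return "block", "default deny"


def check(rules, proto: str, dst: str, dport: Optional[int] = None) -> str:
    """Convenience wrapper returning only the action for a constructed packet."""
    action, _ = evaluate(rules, Packet(proto, ipaddress.ip_address(dst), dport))
    return action


# The rule order described in the thread (names are assumed): the blanket
# "block access to firewall" rule sits before the "allow WAN" rule.
BROKEN_IOT = [
    Rule("Block access to firewall", "block", "any", "this_firewall"),
    Rule("Allow IGMP", "pass", "igmp", "any"),
    Rule("Block local subnets", "block", "any", "rfc1918"),
    Rule("Allow WAN", "pass", "any", "any"),
]

# The fix from the answer: a TCP/UDP port 53 pass rule to the interface address,
# placed ABOVE the blanket block so that it matches first.
FIXED_IOT = [Rule("Allow DNS to pfSense", "pass", "tcp/udp", "this_firewall", 53)] + BROKEN_IOT

if __name__ == "__main__":
    samples = [
        ("DNS query to pfSense", "udp", "192.168.30.1", 53),
        ("ping 8.8.8.8", "icmp", "8.8.8.8", None),
        ("pfSense web UI", "tcp", "192.168.30.1", 443),
        ("HTTP to LAN host", "tcp", "192.168.1.10", 80),
    ]
    for label, proto, dst, dport in samples:
        before = evaluate(BROKEN_IOT, Packet(proto, ipaddress.ip_address(dst), dport))
        after = evaluate(FIXED_IOT, Packet(proto, ipaddress.ip_address(dst), dport))
        print(f"{label:22} before: {before[0]:5} ({before[1]})  after: {after[0]:5} ({after[1]})")
```

Run stand-alone it prints a before/after table: the ping to 8.8.8.8 passes in both rule sets, which is exactly the "ping works, browser says no internet" symptom, while the DNS query to 192.168.30.1 is caught by the blanket firewall block until the port 53 rule is placed above it. Management ports on the firewall and the local subnet stay blocked after the fix, which is the point of allowing only port 53 rather than the whole firewall.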

That makes sense, but I believe I didn't open access to the firewall at one point during my previous troubleshooting. But I'll give it another shot once I'm home. But why didn't the guest VLAN have this issue, as technically it has the same rules?

Perfect, I think that does it. Thank you all. Hmm, now I'm wondering why the guest VLAN is working without getting access to its subnet gateway.