VLANs and Different Gateways

Hi all,
I have VLANs defined on xcp-ng, configured DHCP servers, and rules on the pfSense. Everything works fine, except one thing: I don’t have access from one VLAN to another; the only difference is that they are on different gateways.

LAN firewall rule:
IPv4* Lan net * * * NORDVPN - this is the main LAN under VPN

VPN Free LAN:
IPv4* VPN_FREE net * * * WAN_DHCP - VLAN not under VPN

I can’t ping devices from the main LAN on VPN_FREE LAN.
If I set the gateway on the main LAN to default, I can ping devices but in this case, the main LAN is not under VPN.
I guess I’m missing something, but can’t figure out what exactly :frowning:

Difficult to follow your actual text …

Might be easier to create an alias with all your VLANs, then use the alias in your rules to allow traffic to access LAN/VLANs. The different gateways won’t make a difference if you define a rule for LAN and for WAN traffic.

Perhaps there is another way but I’ve found the above to work.

My destination from LAN net is set to * which means everywhere, have no idea how alias would help in this case.
If I change the gateway on the main LAN to default, I have access to devices on VLANs.

Sorry, english is not my mother tongue.

Adding screens, just in case it will be more helpful :slight_smile:
NAT Rules:

Main LAN firewall rules:

VPN_FREE_LAN firewall rules:

Please tell me if I’m doing something wrong. I am a newbie.

Sorry for adding pictures in different posts, it says that new users can put only one picture per post. :slight_smile:

Looks like my ping to 192.168.30.130 is getting to its destination, but the reply goes to 10.8.0.4, which is the IP of the VPN tunnel?

Solved the issue by:
“Don’t pull routes” check in the VPN client
and added additional rule for VLANs

When you specify a gateway in advanced settings of a rule, all traffic is routed to the gateway unless something else specifies otherwise. This is different from leaving the gateway as default in advanced settings. In that case, traffic can still find your other VLANs.
There are two solutions. Above your rule with the specified gateway, add a rule permitting traffic to the VLANs or, better, to all private IP addresses through use of an alias, i.e., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
A more elegant solution is to add into the same rule specifying the gateway a set of destinations, for example, the alias with all private IP addresses. But make it the “inverse” of those addresses. That would mean that if the traffic is not heading to a private IP address, the rule with the specified gateway is applied and the traffic goes to the gateway. If the traffic is headed to a private address, there is no match and the rule is skipped. You should in either case have a default allow to anywhere rule at the bottom without a specified gateway.

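To make the ordering argument in the previous post concrete, here is an added example (not code from the thread or from pfSense itself) that models pfSense's per-interface, first-match rule evaluation with a policy-routing gateway per rule. The three rule tables are constructed: the original single "allow anywhere via NORDVPN" rule, the fix with a private-networks pass rule placed above it, and the fix with the destination alias inverted on the VPN rule plus a default-gateway allow at the bottom. Rule names, the alias contents and the test addresses are assumptions for illustration.

```python
"""Toy model of pfSense rule evaluation: rules on an interface are checked
top-down and the first match wins; a rule may carry a gateway, which
policy-routes matching traffic instead of using the system routing table.
Added example, not part of the original thread or of pfSense."""
import ipaddress
from dataclasses import dataclass

# Constructed alias standing in for the "all private addresses" alias (RFC 1918)
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Rule:
    name: str
    dst: tuple = ("0.0.0.0/0",)   # destination alias as a list of CIDRs; "*" = any
    invert_dst: bool = False      # pfSense "Invert match" on the destination
    gateway: str = "default"      # "default" = no gateway set, normal routing

    def matches(self, dst_ip: str) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        hit = any(ip in ipaddress.ip_network(net) for net in self.dst)
        # Inverting flips the result: match only what is NOT in the alias
        return hit != self.invert_dst


def route_for(rules, dst_ip: str):
    """Return (rule name, gateway) of the first matching rule, or
    (None, 'BLOCK') for pfSense's implicit default deny."""
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.name, rule.gateway
    return None, "BLOCK"


# Original ruleset: everything from LAN net is policy-routed into the VPN,
# so a ping to another VLAN never reaches the routing table.
BROKEN = [Rule("LAN net to any via VPN", gateway="NORDVPN")]

# Fix 1: a pass rule for private destinations ABOVE the VPN rule.
FIX1 = [
    Rule("LAN net to private nets", dst=PRIVATE_NETS, gateway="default"),
    Rule("LAN net to any via VPN", gateway="NORDVPN"),
]

# Fix 2: one VPN rule whose destination is the inverted private alias, plus a
# default-gateway allow at the bottom. Note the bottom rule also carries
# internet-bound traffic out the WAN if the VPN is down; the thread's author
# instead uses a floating block rule to prevent that.
FIX2 = [
    Rule("LAN net to non-private via VPN", dst=PRIVATE_NETS,
         invert_dst=True, gateway="NORDVPN"),
    Rule("LAN net to any, default gateway", gateway="default"),
]


def compare(dst_ip: str) -> dict:
    """Gateway chosen for dst_ip under each ruleset."""
    return {name: route_for(rules, dst_ip)[1]
            for name, rules in (("broken", BROKEN), ("fix1", FIX1), ("fix2", FIX2))}


if __name__ == "__main__":
    for ip in ("192.168.30.130", "1.1.1.1"):   # constructed VLAN host and internet host
        print(ip, compare(ip))
```

Running it shows the VLAN host 192.168.30.130 being sent to NORDVPN under the original rule but to the default gateway under both fixes, while the internet address still goes to NORDVPN in all three. Moving the private-networks rule below the VPN rule in FIX1 reproduces the original problem, which is the ordering point the post makes.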

Thank you for your input.

Impovich, sorry I hadn’t scrolled down to see that you’d solved the problem when I composed my response. As an addendum, at the end I should have said: You should in either case have a default allow to anywhere rule at the bottom without a specified gateway if you want traffic routed to the internet when your VPN is down. I think the absence of such a rule creates a block if the VPN is down, something that Tom achieved in a different way in his video, but I haven’t tested that.

Hey Stan, I have a floating blocking rule which blocks access to the WAN in case the VPN client is down. Thank you.

EDIT: Did so because the floating rule covers a few VLANs.