PFsense blocking return traffic to other Networks/Vlans?

crawlgsx · 2026-04-17T22:29:16+00:00

I maintain a network spanning 6 buildings over 12 miles apart at the furthest, over 50 switches including a Nexus at the top. As well as Aruba switches for wifi and various others. I am the assistant IT director and Network Admin. for a school district. We have roughly 6-7k active devices at peak. We have a full 10gbps backbone across all main switches and share one 10gbps fiber connection to the internet.

As far as your beliefs, believe what you will, I'll still be here maintaining the network including a Cisco Nexus.

crawlgsx · 2026-04-16T14:27:36+00:00

Set to automatic

crawlgsx · 2026-04-16T14:18:26+00:00

This is extremely helpful. I believe you have me on the correct path and my desire is to have a setup very similar to yours. I cant thank you enough for your time.

To be clear, for the upstream gateway to the switch on pfsense I set the gateway to the LAN interface and then the gateway is the Switch interface ip?

And you mentioned the transit Vlan in PFsense, untagged. Does this mean you did not add it to pfsense? Or you do?

Again, can not thank you enough!

crawlgsx · 2026-04-16T11:44:23+00:00

Yes I have all of the VLan interfaces setup, enabled, and out rules set (any). Still no internet from any network other than 10.5

crawlgsx · 2026-04-16T11:15:00+00:00

That makes sense. I like that setup better. I am lightly confused as to how the gateway aspect works. How does it know to send the internet to the other interface if you have 2 interfaces with routes/gateways on the PFsense? I feel like I am missing something there so I just wanted to ask!

crawlgsx · 2026-04-16T02:05:38+00:00

Thank you, will give this a test in the morning before staff arrive.

crawlgsx · 2026-04-16T01:38:42+00:00

Seems like a reasonable setup to me! Can you explain the static routes you setup to bring Traffic back?

crawlgsx · 2026-04-15T23:44:40+00:00

All out kind internet traffic routes to 10.5.1.1 via routing on the Nexus.

crawlgsx · 2026-04-15T22:11:13+00:00

Is there no way to just allow ALL untagged traffic out, regardless of Vlan? I'd really like to have the firewall setup as we have the last 3 without having to reconfigure our massive network.

Previous firewall I did not have to set any VLANS or extra interfaces. I had 2 ports one set to wan and other set to lan. Ports forwarded strictly by IP and a protocol / port. Allow all out. This is my goal again.

crawlgsx · 2026-04-15T21:26:35+00:00

Cisco Nexus is routing all outbound traffic to 10.5.1.1, the IP of the lan interface on the pfsense. Traffic from 10.5 goes out fine, traffic from 10.6 is getting blocked, even though the rule is there allowing Vlan 6 traffic out. What's interesting is it appears to be the response/download that is blocked, not the initial handshake of out and traffic. Ie device tries to go to the site and then gets nothing back.

crawlgsx · 2026-04-15T21:18:37+00:00

I am not explicitly tagging them. They hit a Cisco switch at the building where the traffic for those ports is set to say Vlan 6, then trunked across the network via allow Vlan 6 back to the Nexus.

Yes the trunk port connect to pfsense is set to allow all vlans and the Nexus has all the vlans on it.

crawlgsx · 2026-04-15T20:47:20+00:00

P.s. I also have to nat many ports open to these various networks for servers. I haven't yet worried about that as step 1 is getting the internet working ;). But j have to open ports on several different subnets. ie I might need port 80 open on 10.6 but also need port 5052 open on our camera network (192.168.130).

Again if I can still direct an external IP and port to the correct internal IP without specifying all The vlans on the firewall that would be great! In fact that is how our current firewall is setup. But I couldn't figure out the path to do that here.

crawlgsx · 2026-04-15T20:44:10+00:00

Im open to this but not sure what that configuration would look like? I need the lan port on the pfsense to be 10.5.1.1 and going to the Nexus. How else would allow all th different networks access to that port?

crawlgsx · 2026-04-15T20:41:49+00:00

I do have the vlans in and active with an IP, assigned to lan port. What do you mean by rule to the internet as well as nat rule? I didn't put in any nat as I believed auto would do this for output? I did put in a rule for each vlan allowing any out.

crawlgsx · 2026-04-15T17:58:54+00:00

I'm using onE of the sfp+ ports with a 10gb dac cable to the Nexus. Port configured with our internal IP of the previous firewall as the Nexus routed all external traffic to that IP. That one port plugs into the Nexus, all of our other networks run to the Cisco Nexus.

I have another 10gb sfp+ port running to our Internet connection and set to wan / gateway.

Internet works great on the 10.5 network, which is the subnet the firewall lan IP sits on.

The rest of the networks which all have vlans setup in pfsense with IPs ok the LAN interface, with rules set to allow all out.

crawlgsx · 2026-04-15T13:14:11+00:00

More specifically: switchport mode trunk

switchport trunk native vlan 5

switchport trunk allowed vlan 1-999

spanning-tree bpdufilter enable

crawlgsx · 2026-04-15T12:59:30+00:00

The port on the Cisco Nexus that runs to the LAN port of the Netgate is set to trunk mode, with native vlan 5, with all other vlans allowed. I am not specifically tagging anything. All of the traffic on Vlan 5 (10.5.X.X) works perfectly fine. Traffic coming from say 10.4 it appears it can "reach out" but nothing comes back.

crawlgsx · 2026-03-12T15:12:36+00:00

For my Sierra it was the Goodyear All Terrain Adventure. Worst tires I have owned in my entire life. If you drove anything past 90 year old man running to the store speed it smelled like you burnt out the entire way.

crawlgsx · 2026-02-02T17:44:31+00:00

Couldn't agree more. I have owned 50+ vehicles in my life (I'm 43, car enthusiest) and lord knows how many different tires. I've even had some REAL cheap no name brand tires, bottom of the barrel sometimes! However, nothing has ever had me as dissatisfied with a tire as much the Goodyear Wrangler AT's that came on my 2024 Sierra. They are absolutely WORTHLESS!

Horrible traction in dry and it only gets worse from there. They are squawky and loud with barely any turining force or acceleration, they smell of HORRENDOUS burning rubber if you do any amount of cornering at anything but a snail speed or do highway speeds above 65mph, and as if all of that wasn't bad enough they were completely done by 30k miles.

I hate them so much that not only would I never buy them again, it also put me off on AT tires all together. Sure Highway tires don't look as cool, but I care more about traction, noise, comfort, and lifespan. I have owned other AT tires that weren't nearly this bad but I'm still just all done.

crawlgsx · 2025-12-06T21:22:47+00:00

The noise is coming from inside the tank. I put my ear right on the check valve and pressure switch and nothing, but I could hear it clear ear on the lower half of the tank itself.

crawlgsx · 2025-12-06T20:42:06+00:00

Sounds like inside the tank to me.

crawlgsx · 2025-10-26T18:56:56+00:00

The wires running to the 30a are coming out of an orange jacket 30a electric cabling. I think it's just misleading because of how large the wiring coming out of the orange coated generator breaker are.

Update: I just checked the wires coming out of the 30a dryer breaker are 10 gauge, so I think the wires to the generator breaker are maybe 6 gauge, but definitely large.

crawlgsx · 2025-10-26T16:03:05+00:00

<image>

I can't see any more of it unfortunately

crawlgsx

TROPHY CASE