Help with static route in pfSense

amrogers3

Gawd
Joined
Nov 7, 2010
Messages
641
Not sure my setup is correctly implemented but I am trying to have one-way communications to a VLAN for cameras.

Need to isolate camera network (VLAN3) from accessing the internet or any other internal network but I need to be able to reach into the VLAN3 network.

Right now, the only way I can access VLAN3 is by putting a persistent static route in my laptops routing table. Is there a way to set this in pfSense? I tried creating a static route in pfSense but I am getting a "Time to Live Exceeded" error when pinging 192.168.3.x. I tried using 192.168.1.1 as the gateway to access 192.168.3.0

Should my Gateway in pfSense be 192.168.1.250 (the IP of the Brocade switch)? I can't figure out a way to set that up in pfSense. There is no option for this.

Here is my Brocade access-list:
access-list 100 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 100 permit tcp any any established
access-list 100 remark ALLOW VLAN3 TO RESPOND TO PING
access-list 100 permit icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 100 remark ALLOW CAMERAS TO TALK TO NVR
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 remark DENY VLAN3 TO RFC1918
access-list 100 deny ip 192.168.3.0 0.0.0.255 any
Here is my network diagram:
Screen Shot 2022-05-21 at 9.35.04 AM.png
 
Not specific to PFSense but yes would need a static route for 192.168.3.0/24 that points to 192.168.1.250 since that is that interface of the device that knows how to get there. 192.168.1.1 has no knowledge of 192.168.3.0/24. Personally I'd loose the layer 3 switch and add an interface to the the Supermicro box and do all my routing from place. The way you have it now unless you have ACLs on the brocade preventing it vlan1 and vlan3 can pass traffic to each other.
 
Unfortunately, I dont have a way to add another interface to the SuperMicro box. That would be ideal but can't do it.

As for the ACLs, did you see the ACL access list in the OP? I tested those ACLs and they seem to work in blocking VLAN3 from reaching anything.

I'll have to figure out how to do this in pfSense.

EDIT: Thanks Nicklebon! I wasn't thinking about it correctly until you pointed it out. Works perfectly!
 
Last edited:
What were you putting for the static routes that works on your laptops? What are you putting for the route that doesn't work on the pfSense box?

It sounded like you told the pfSense to get to .3.0/24 to use its own ip? That's not going to work, you'll need to tell it to go to the brocade for those addresses. The cameras also need to have a route to get back to .1.0/24, but maybe the brocade is their default route?

I've never seen a supermicro board with 3 nics? Usually it's 2 or 4 (plus a dedicated nic for IPMI), so I'm guessing you've got two on the board, plus an add-in card? They make add-ins with 2 or 4 nics on one card, which could get you an extra nic. Or you could put the pfsense on both vlans.
 
What were you putting for the static routes that works on your laptops? What are you putting for the route that doesn't work on the pfSense box?

It sounded like you told the pfSense to get to .3.0/24 to use its own ip? That's not going to work, you'll need to tell it to go to the brocade for those addresses. The cameras also need to have a route to get back to .1.0/24, but maybe the brocade is their default route?

I've never seen a supermicro board with 3 nics? Usually it's 2 or 4 (plus a dedicated nic for IPMI), so I'm guessing you've got two on the board, plus an add-in card? They make add-ins with 2 or 4 nics on one card, which could get you an extra nic. Or you could put the pfsense on both vlans.

Spot on, I needed to use the Brocade's IP.

By the way, you are correct about the NIC card. I added one extra. Do they make a card with 2+ NICs? This is exactly what I need for another project I am working on.

Do you have a recommendation for a 2 or 4 port NIC card? This would be amazing. For some reason, I thought one was the limited for a Supermicro build.
 
Do you have a recommendation for a 2 or 4 port NIC card? This would be amazing. For some reason, I thought one was the limited for a Supermicro build.
You can't go wrong with Intel, but, as others have said, no need to expand your LAN ports. VLANs are free and work great.
 
Do you have a recommendation for a 2 or 4 port NIC card? This would be amazing. For some reason, I thought one was the limited for a Supermicro build.
I don't have a specific recommendation, I've got a quad bypass NIC that was cheap, but getting those to work is weird, so best to pay a bit more and get something that just works. Anything with quad intel 1G or 10G should be good, I'd think. Search your favorite store for "quad nic" or "dual nic" or maybe "4 port nic" and pick something. I've heard Intel's 2.5G/5G isn't or wasn't up to snuff, so I'd skip those. I can't say I've had significant issues with realtek 1G either, although some complain of major flakiness, I've seen stuff at home, but only twice, and I didn't take the time to reproduce it; at least my realtek cards only do one interrupt for everything which isn't very efficient either; hopefully that's something they've added in newer chips?.
 
The old 1000 PT cards tend to be ancient PCIE and don't initialize in newer systems so I'd avoid those personally but I was using them for vmware so can't suggest any for pfsense.
 
Back
Top