
    I have 2 TNSR routers connected to a pair of MLAG connected switches. I also have my own IPv4 subnet that is being announced by BGP via Interface 1 on the first TNSR device. I have no problems at all right now, all of the servers on my network can access the internet and be accessed via their public IP address.

    What I am struggling with now is segregating clients into VLANs. When I create an access VLAN (22) for my client, I can no longer access the internet. My understanding is that I must create a bridge so that the VLAN22 can access the LAN interface with the gateway IP assigned. Each VLAN client will have a public IP from the single /24 subnet.

    When I followed the instructions for TNSR VLAN, nothing seemed to be problematic, but when I created the bridge things went wonky. Not only do the VLANs not work, but I also lose access to the non-VLAN devices.

    interface bridge domain 10
    flood
    uu-flood
    forward
    learn
    exit

    int Interface1
    bridge domain 10
    enable
    exit
    int Interface1.22
    bridge domain 10
    enable
    exit
    interface loopback bridgeloop
    instance 1
    exit
    interface loop1
    ip address 10.25.254.1/24
    bridge domain 10 bvi
    enable
    exit

    I did try changing the loop1 IP to my gateway IP and removing it from Interface1 but that didn't help. Maybe I am going about this wrong, but I need some guidance if possible.

    Thanks,
    Shawn

    For background:
    On TNSR device1:
    Interface1 is connected to a switch that carries my upstream BGP using a 10.34.14.0/24 address for now.
    Interface2 is the interface that has my gateway IP 23.x.x.x/24 and is also the port connected to the first switch.
    Interface3 is connected to a second switch and has no IP address

    TNSR device2 :
    Interface1 is connected to the switch that carries the BGP but has no IP address and for all practical purposes is doing nothing

    Interface 2 is connected to the 2nd switch and has no IP address

    Interface 3 is connected to the first switch and has no IP address

    As you can see, the 2nd TNSR device is mostly sitting around doing nothing but eventually should be integrated in via VRRP or whatever I can get working.


    same here but only after reboot.


    @AngryAnt said in pfSense -> pfSense NUT connection:

    Items unrelated to your problem:

    You have "user = root" set in the optional arguments to driver. This is probably unnecessary and should be removed unless you have a really good reason for it, like a missing quirk. If the issue is a missing quirk, you should add the missing quirk instead.

    You have NOTIFYCMD set in Additional configuration for upsmon.conf. Unless you are really expert with NUT configuration, this is probably a bad idea.

    Items related to your problem:

    You do not want the two lines granting access to This Firewall (self) on port 3493. These lines would be used for the "option 2" approach to remote NUT access instead of the "option 1" approach you are taking. [Edit: note also that the destination address for these rules is wrong for the "option 1" approach -- it would have needed to be 127.0.0.1]

    In the NAT entry for 3493, you have the Filter rule association enabled, which produces the last line of your LAN rules. Given that you have a rule that allows LAN subnets, which presumably includes 192.168.1.0/24, to go anywhere, this is unnecessary. You can/should set the Filter rule association to "none". NB: The source of LAN subnets could simply be changed to Any unless there is some mechanism by which packets that do not originate from the LAN can appear on the LAN interface.

    You appear to have a block on 192.168.1.3 to RFC1918 addresses. Given that your firewall is inside RFC1918 address space, this is a problem not only for NUT but also for DNS/NTP, etc.

    Do you have anything in Floating rules that might override the rules for LAN?

    I recommend using upsc to test connectivity prior to attempting to use NUT remote access. So, from a shell on the remote systems, use the command "upsc ups@192.168.1.1".

    Have you looked at the firewall log for entries relating to port 3493?


    @eagle61 said in Dual Stack IPv6 an der pfSense - Interface verliert Verbindung:

    @heiko3001 What is the VDSL_GW for?

    Without further justification it seems superfluous to me.

    It is there so that I can reach the web interface of the VDSL modem from the LAN.

  • Information about hardware available from Netgate


    @Burizado said in Netgate Configuration Export (6100 MAX):

    The importance of off device backups of your configuration

    We save the file every time after making changes. Sometimes I add a note to the filename like " (added VLAN)".

    For the more, or maybe less, paranoid, there is https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html.


    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!


    The only other thing you might do would be some sort of proxy redirecting the request via a device behind the adapter. But that seems like a lot of effort!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.