    I have 2 TNSR routers connected to a pair of MLAG connected switches. I also have my own IPv4 subnet that is being announced by BGP via Interface 1 on the first TNSR device. I have no problems at all right now; all of the servers on my network can access the internet and be accessed via their public IP address.

    What I am struggling with now is segregating clients into VLANs. When I create an access VLAN (22) for my client, I can no longer access the internet. My understanding is that I must create a bridge so that the VLAN22 can access the LAN interface with the gateway IP assigned. Each VLAN client will have a public IP from the single /24 subnet.

    When I followed the instructions for TNSR VLAN, nothing seemed to be problematic, but when I created the bridge things went wonky. Not only do the VLANs not work, but I also lose access to the non-VLAN devices.

    interface bridge domain 10
    flood
    uu-flood
    forward
    learn
    exit

    int Interface1
    bridge domain 10
    enable
    exit
    int Interface1.22
    bridge domain 10
    enable
    exit
    interface loopback bridgeloop
    instance 1
    exit
    interface loop1
    ip address 10.25.254.1/24
    bridge domain 10 bvi
    enable
    exit

    I did try changing the loop1 IP to my gateway IP and removing it from Interface1 but that didn't help. Maybe I am going about this wrong, but I need some guidance if possible.

    Thanks,
    Shawn

    For background:
    On TNSR device1:
    Interface1 is connected to a switch that carries my upstream BGP using a 10.34.14.0/24 address for now.
    Interface2 is the interface that has my gateway IP 23.x.x.x/24 and is also the port connected to the first switch.
    Interface3 is connected to a second switch and has no IP address.

    TNSR device2 :
    Interface1 is connected to the switch that carries the BGP but has no IP address and for all practical purposes is doing nothing.

    Interface 2 is connected to the 2nd switch and has no IP address

    Interface 3 is connected to the first switch and has no IP address

    As you can see, the 2nd TNSR device is mostly sitting around doing nothing but eventually should be integrated in via VRRP or whatever I can get working.


    @stephenw10 I did some further tests on SSL_ERROR_BAD_MAC_READ.
    I found out that I had the same issue on a live CD of Debian 12 as well.

    I then ran the memtest86 test suite and found out that it seems to be an issue with my RAM. I will exchange the RAM during next week and retest installing pfSense 2.7.2.

    I do not believe that the pfSense 2.8 installation issues are caused by the RAM, but I will retest this as well.

    I will reach out here with an update, and for some advice from you, if I am not successful in my endeavor.

    patient0

    @MartynK that's ok, it's a bit odd that a reboot was necessary. Maybe it was the MTU changes?


    Summary:
    I created a VM using VirtualBox on my notebook; my notebook is connected to the internet over Wi-Fi, and on this VM I installed pfSense. This VM has 3 network adapters, which are:

    Adapter 1:
    Attached to: NAT

    Adapter 2:
    Attached to: Host-only Adapter
    Name: VirtualBox Host-Only Ethernet Adapter
    Promiscuous mode: Deny

    Adapter 3:
    Attached to: Bridged Adapter
    Name: Realtek (the network port where I connect the other device)
    Promiscuous mode: Allow All

    During installation I set adapter 1 as WAN, 2 as LAN and 3 as OPT1, so they ended up as follows:

    Host (my notebook): IP 192.168.56.1

    WAN: => em0 => (got the IP that my internet router assigned)
    LAN: => em1 => 192.168.56.2
    OPT1: => em2 => 192.168.56.3

    My goal is: to access the pfSense interface through the LAN, connect another device to the notebook with a network cable and thereby to OPT1, so that this device can reach the internet, as in the illustration below.

    Device => firewall (pfSense running on my host notebook) => Internet

    The device was connected and got the IP 192.168.56.10
    Problem:
    The device cannot connect to the internet. I could not identify the reason.

    Resources:

    On the device, I ran the command "route -n" and got the following result:

    root@00000200120003DD:~# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.56.3 0.0.0.0 UG 10 0 0 eth0.2
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0.2
    192.168.56.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0.2
    192.168.230.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

    On pfSense I ran the command "pfctl -sn" and the result was:

    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on em0 inet from 192.168.56.0/24 to any -> 10.0.2.15 port 1024:65535
    no rdr proto carp all
    rdr-anchor "tftp-proxy/*" all

    I checked the firewall logs and they are:

    19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:48191 192.168.56.3: 53 UDP
    19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:48191 192.168.56.3: 53 UDP
    19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:47805 192.168.56.3: 53 UDP
    19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:47805 192.168.56.3: 53 UDP
    19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10 8.8.8.8 ICMP
    19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:47883 192.168.56.3: 53 UDP
    19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:48294 192.168.56.3: 53 UDP
    19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:48294 192.168.56.3: 53 UDP

    I checked the WAN using the command /usr/sbin/tcpdump -ni em0 -c '1000' -U -w - on pfSense and the result was:

    13:28:08.501717 IP 10.0.2.15.31703 > 173.245.58.88.53: UDP, length 101
    13:28:08.516494 IP 173.245.58.88.53 > 10.0.2.15.31703: UDP, length 137
    13:28:08.521057 IP 10.0.2.15.17540 > 172.64.32.88.53: UDP, length 55
    13:28:08.539215 IP 172.64.32.88.53 > 10.0.2.15.17540: UDP, length 117
    13:28:08.540482 IP 10.0.2.15.38053 > 172.64.33.191.53: UDP, length 57
    13:28:08.559967 IP 172.64.33.191.53 > 10.0.2.15.38053: UDP, length 119
    13:28:08.561230 IP 10.0.2.15.42395 > 108.162.192.88.53: UDP, length 59
    13:28:08.576571 IP 108.162.192.88.53 > 10.0.2.15.42395: UDP, length 121
    13:28:08.578240 IP 10.0.2.15.64042 > 172.64.33.191.53: UDP, length 61
    13:28:08.596953 IP 172.64.33.191.53 > 10.0.2.15.64042: UDP, length 123
    13:28:08.599503 IP 10.0.2.15.50720 > 172.64.32.88.53: UDP, length 71
    13:28:08.622796 IP 172.64.32.88.53 > 10.0.2.15.50720: UDP, length 133
    13:28:08.623883 IP 10.0.2.15.17642 > 173.245.58.88.53: UDP, length 81
    13:28:08.640181 IP 173.245.58.88.53 > 10.0.2.15.17642: UDP, length 143
    13:28:08.641338 IP 10.0.2.15.38371 > 173.245.59.191.53: UDP, length 91
    13:28:08.658378 IP 173.245.59.191.53 > 10.0.2.15.38371: UDP, length 153
    13:28:08.663059 IP 10.0.2.15.52132 > 173.245.59.191.53: UDP, length 101
    13:28:08.676060 IP 173.245.59.191.53 > 10.0.2.15.52132: UDP, length 163
    13:28:08.678899 IP 10.0.2.15.7915 > 173.245.58.88.53: UDP, length 101
    13:28:08.694595 IP 213.251.188.134.53 > 10.0.2.15.55819: UDP, length 127
    13:28:08.700144 IP 173.245.58.88.53 > 10.0.2.15.7915: UDP, length 138
    13:28:08.706293 IP 10.0.2.15.45902 > 108.162.192.122.53: UDP, length 56
    13:28:08.723034 IP 108.162.192.122.53 > 10.0.2.15.45902: UDP, length 118
    13:28:08.725078 IP6 fd17:625c:f037:2:a00:27ff:feeb:9e00.33549 > 2803:f800:50::6ca2:c07a.53: UDP, length 56

    From pfSense, a ping to 8.8.8.8 has no packet loss.

    In the firewall rules, the only rule created for OPT1 is:

    Action: Pass
    Interface: OPT1
    Family: IPv4
    Protocol: any
    Source: any
    Destination: any

    And the only rule for WAN is:

    Action: Pass
    Interface: WAN
    Family: IPv4
    Protocol: any
    Source: any
    Destination: any

    And in System, Routing, the gateways are:

    Name       Default  Interface  Gateway      Monitor IP   Description                  Actions
    WAN_DHCP            WAN        10.0.2.2     10.0.2.2     Interface WAN_DHCP Gateway
    WAN_DHCP6           WAN        fe80::2%em0  fe80::2%em0  Interface WAN_DHCP6 Gateway

    And the default gateway is set to automatic.

    I checked OPT1 using the command /usr/sbin/tcpdump -ni em0 -c '1000' -U -w - on pfSense and the result was:

    09:37:34.397998 IP 192.168.56.10 > 208.67.220.220: ICMP echo request, id 5786, seq 0, length 64
    09:37:34.948301 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 37
    09:37:35.044877 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 37
    09:37:35.044911 IP 192.168.56.10.40736 > 192.168.56.3.53: UDP, length 37
    09:37:35.044916 IP 192.168.56.10.40736 > 192.168.56.3.53: UDP, length 37
    09:37:35.054197 IP 192.168.56.11.62186 > 192.168.56.3.53: UDP, length 49
    09:37:35.131690 IP 192.168.56.10.33297 > 192.168.56.3.53: UDP, length 39
    09:37:35.131725 IP 192.168.56.10.33297 > 192.168.56.3.53: UDP, length 39
    09:37:35.131731 IP 192.168.56.10.38883 > 192.168.56.3.53: UDP, length 39
    09:37:35.133528 IP 192.168.56.10.38883 > 192.168.56.3.53: UDP, length 39
    09:37:36.443785 IP 192.168.56.10.56036 > 192.168.56.3.53: UDP, length 40
    09:37:36.444012 IP 192.168.56.10.56036 > 192.168.56.3.53: UDP, length 40
    09:37:36.444027 IP 192.168.56.10.46740 > 192.168.56.3.53: UDP, length 40
    09:37:36.444036 IP 192.168.56.10.46740 > 192.168.56.3.53: UDP, length 40
    09:37:36.482636 IP 192.168.56.10 > 114.114.114.114: ICMP echo request, id 5800, seq 0, length 64
    09:37:36.772542 IP 192.168.56.11.58988 > 192.168.56.3.53: UDP, length 41
    09:37:36.772834 IP 192.168.56.11.57774 > 192.168.56.3.53: UDP, length 41
    09:37:37.565783 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 3

    In Firewall, NAT, Outbound, I configured the single rule as follows:

    Outbound NAT Mode: Manual

    Mappings:

    Interface: WAN
    Source: Any
    Source Port: Any
    Destination: Any
    Destination Port: Any
    NAT Address: WAN Address
    NAT Port: Any
    Static Port: Randomize source port

    stephenw10

    So you have replaced the LAN IP address with 10.10.10.10254? Are you using a public subnet on LAN?

    Was there a significant gap in the logs before that? The first thing logged there looks like a reaction to the LAN coming back up.

    Mostly what is concerning there is that igc0 is flapping repeatedly. What is it actually connected to? Did you try reassigning LAN to one of the other igc NICs?

    AriKelly

    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!


    @Wylbur Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.