Categories

• TNSR

  Discussions about TNSR

  • TNSR Announcements
  • TNSR Feedback
  • Problems Installing or Upgrading TNSR Software
  450 Topics

  1k Posts

  S

  I have a 2 TNSR routers connected to a pair of MLAG connected switches. I also have my own IPV4 subnet that is being announcec by BGP via Interface 1 on the first TNSR device. I have no problems at all right now, all of the servers on my network can access the internet and be accessed via their public IP address.

  What I am struggling with now is segregating clients into VLANs. When I create an access VLAN (22) for my client, I can no longer access the internet. My understanding is that I must create a bridge so that the VLAN22 can access the LAN interface with the gateway IP assigned. Each VLAN client will have a public IP from the single /24 subnet.

  When I followed the instructions for TNSR VLAN, nothing seemed to be problematic, but when I created the bridge things went wonky. Not only do the VLANs not work, but I also lose access to the non-VLAN devices.

  interface bridge domain 10
  flood
  uu-flood
  forward
  learn
  exit

  int Interface1
  bridge domain 10
  enable
  exit
  int Interface1.22
  bridge domain 10
  enable
  exit
  interface loopback bridgeloop
  instance 1
  exit
  interface loop1
  ip address 10.25.254.1/24
  bridge domain 10 bvi
  enable
  exit

  I did try changing the loop1 IP to my gateway IP and removing it from Interface1 but that didn't help. Maybe I am going about this wrong, but I need some guidance if possible.

  Thanks,
  Shawn

  For background:
  On TNSR device1:
  Interface1 is connected to a switch that carries my upstream BGP using a 10.34.14.0/24 address for now.
  Interface2 is the interface that has my gateway IP 23.x.x.x/24 and is also the port connected to the first switch.
  Interface3 is connected to a second switch and has no IP address

  TNSR device2 :
  Interface1 is connected to the switch that carreies the BGP but has no IP address and for all practical purposes is doing nothing

  Interface 2 is connected to the 2nd switch and has no IP address

  Interface 3 is connected to the first switch and has no IP address

  As you can see, the 2nd TNSR device is mostly sitting around doing nothing but eventually should be integrated in via VRRP or whatever I can get working.

• pfSense® Software

  Discussions about pfSense Software, click a category below

  • Messages from the pfSense Team
  • General pfSense Questions
  • Multi-Instance Management
  • Problems Installing or Upgrading pfSense Software
  • Firewalling
  • NAT
  • HA/CARP/VIPs
  • L2/Switching/VLANs
  • Routing and Multi WAN
  • Traffic Shaping
  • DHCP and DNS
  • IPv6
  • IPsec
  • OpenVPN
  • Captive Portal
  • webGUI
  • Wireless
  • SNMP
  • Documentation
  • Development
  • Gaming
  • Virtualization
  • Hardware
  • Bounties
  • Retired
  120k Topics

  761k Posts

  M

  @stephenw10 I did some further test on SSL_ERROR_BAD_MAC_READ.
  I fund out that I had the same issue on a live cd of Debian 12 as well.

  I then ran memtest86 test suite and found out that it seems to be an issue with my RAM memory. I will exchange the RAM memory during next week and retest to install pfsense 2.7.2.

  I do not belive that pfsense 2.8 installation issues is caused by the RAM memory, but I will retest this as well.

  I will reach out here with an update and some advise from you if I am not successful in my endeavor.

• pfSense Packages

  Discussions about pfSense software packages

  • Cache/Proxy
  • IDS/IPS
  • Traffic Monitoring
  • pfBlockerNG
  • UPS Tools
  • ACME
  • FRR
  • Tailscale
  • WireGuard
  20k Topics

  127k Posts

  P

  @MartynK that's ok, it's a bit odd that a reboot was necessary. Maybe it was the MTU changes?

• pfSense International Support

  Discuss pfSense in other languages

  • Chinese
  • Deutsch
  • Español
  • Français
  • Indonesian
  • Italiano
  • Russian
  • Nederlands
  • Norwegian
  • Portuguese
  • Polish
  • Romanian
  • Swedish
  • Turkish
  43k Topics

  267k Posts

  C

  Resumo:
  Criei uma VM usando Virtualbox no meu notebook, meu notebook está conectado na internet pelo wifi e nessa VM eu instalei o pfsense . Essa VM tem 3 adaptadores de placa de rede que são:

  Adaptador 1:
  Conectado a: NAT

  Adaptador 2:
  Conectado a: Placa de rede exclusiva do hospedeiro
  Nome: Virtual box host-only ethernet adapter
  Modo promíscuo: recusar

  Adaptador 3:
  Conectado a: Placa em modo bridge
  Nome: Realtek (Entrada de rede onde eu conecto outro dispositivo)
  M0do promíscuo: Permitir tudo

  Na instalação, coloquei o adaptador 1 como WAN, o 2 como LAN, e o 3 como OPT1 de modo que eles ficaram da seguinte forma:

  Host (meu notebook): IP 192.168.56.1

  WAN: => em0 => (pegou o IP que meu roteador de internet deu)
  LAN: => em1 => 192.168.56.2
  OPT1: => em2 => 192.168.56.3

  Meu objetivo é: Acessar a interface do pfsense através da Lan, conectar outro dispositivo no notebook através do cabo de rede e dessa forma, se conectar no OPT1, e assim esse dispositivo se conectar na internet, seguindo a ilustração abaixo.

  Dispositivo => firewall (pfsense que está no meu notebook host) => Internet

  O dispositivo, foi conectado e pegou o IP 192.168.56.10
  Problema:
  O dispositivo não consegue se conectar à internet. Não consegui identificar o motivo.

  Recursos:

  Dentro do dispositivo, usei o comando Ip “router -n” e deu o seguinte resultado:
  .
  root@00000200120003DD:~# route -n
  Kernel IP routing table
  Destination Gateway Genmask Flags Metric Ref Use Iface
  0.0.0.0 192.168.56.3 0.0.0.0 UG 10 0 0 eth0.2
  169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0.2
  192.168.56.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0.2
  192.168.230.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

  Dentro do PFsense rodei o comando “pfctl -sn” e o resultado foi:

  No tat proto carp all
  Nat-ancho "natearly/* ALL
  Nat-ancho "Natrules/* ALL
  Nat on em0 inet from 192.168.56.0/24 to any 10.0.2.15 port 1024:65535
  No rdr proto carp all
  rdr-anchor "tftp-proxy/*" all

  Verifiquei os logs do firewall e são:

  19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:48191 192.168.56.3: 53 UDP
  19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:48191 192.168.56.3: 53 UDP
  19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:47805 192.168.56.3: 53 UDP
  19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10:47805 192.168.56.3: 53 UDP
  19 de junho 18:27:45 OPT1 (1000002520) 192.168.56.10 8.8.8.8 ICMP
  19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:47883 192.168.56.3: 53 UDP
  19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:48294 192.168.56.3: 53 UDP
  19 de junho de 18:26:52 OPT1 (1000002520) 192.168.56.10:48294 192.168.56.3: 53 UDP

  Verifiquei a WAN usando o comando /usr/sbin/tcpdump -ni em0 -c '1000' -U -w - no PFsense e o resultado foi:

  13:28:08.501717 IP 10.0.2.15.31703 > 173.245.58.88.53: UDP, length 101
  13:28:08.516494 IP 173.245.58.88.53 > 10.0.2.15.31703: UDP, length 137
  13:28:08.521057 IP 10.0.2.15.17540 > 172.64.32.88.53: UDP, length 55
  13:28:08.539215 IP 172.64.32.88.53 > 10.0.2.15.17540: UDP, length 117
  13:28:08.540482 IP 10.0.2.15.38053 > 172.64.33.191.53: UDP, length 57
  13:28:08.559967 IP 172.64.33.191.53 > 10.0.2.15.38053: UDP, length 119
  13:28:08.561230 IP 10.0.2.15.42395 > 108.162.192.88.53: UDP, length 59
  13:28:08.576571 IP 108.162.192.88.53 > 10.0.2.15.42395: UDP, length 121
  13:28:08.578240 IP 10.0.2.15.64042 > 172.64.33.191.53: UDP, length 61
  13:28:08.596953 IP 172.64.33.191.53 > 10.0.2.15.64042: UDP, length 123
  13:28:08.599503 IP 10.0.2.15.50720 > 172.64.32.88.53: UDP, length 71
  13:28:08.622796 IP 172.64.32.88.53 > 10.0.2.15.50720: UDP, length 133
  13:28:08.623883 IP 10.0.2.15.17642 > 173.245.58.88.53: UDP, length 81
  13:28:08.640181 IP 173.245.58.88.53 > 10.0.2.15.17642: UDP, length 143
  13:28:08.641338 IP 10.0.2.15.38371 > 173.245.59.191.53: UDP, length 91
  13:28:08.658378 IP 173.245.59.191.53 > 10.0.2.15.38371: UDP, length 153
  13:28:08.663059 IP 10.0.2.15.52132 > 173.245.59.191.53: UDP, length 101
  13:28:08.676060 IP 173.245.59.191.53 > 10.0.2.15.52132: UDP, length 163
  13:28:08.678899 IP 10.0.2.15.7915 > 173.245.58.88.53: UDP, length 101
  13:28:08.694595 IP 213.251.188.134.53 > 10.0.2.15.55819: UDP, length 127
  13:28:08.700144 IP 173.245.58.88.53 > 10.0.2.15.7915: UDP, length 138
  13:28:08.706293 IP 10.0.2.15.45902 > 108.162.192.122.53: UDP, length 56
  13:28:08.723034 IP 108.162.192.122.53 > 10.0.2.15.45902: UDP, length 118
  13:28:08.725078 IP6 fd17:625c:f037:2:a00:27ff:feeb:9e00.33549 > 2803:f800:50::6ca2:c07a.53: UDP, length 56

  Dentro do PFsense, ping para a 8.8.8.8 não tem perda de pacotes

  Nas regras do firewall, a única regra criada para OP1 é:

  Ação: Pass
  Interface: OPT1
  Family: IPV4
  Protocolo: any
  Origem: any
  Destino: any

  E a única regra para WAN é:

  Ação: Pass
  Interface: WAn
  Family: IPV4
  Protocolo: any
  Origem: any
  Destino: any

  E Em system, Routing, os gateways são:

  Nome
  Padrão
  Interface
  Portal
  Monitor de IP
  Descrição
  Ações

  WAN_DHCP

  WAN
  10.0.2.2
  10.0.2.2
  Interface WAN_DHCP Gateway

  WAN_DHCP6

  WAN
  fe80::2%em0
  fe80::2%em0
  Interface WAN_DHCP6 Gateway

  E o gateway padrão está como automático.

  Verifiquei o OPT1 usando o comando /usr/sbin/tcpdump -ni em0 -c '1000' -U -w - no PFsense e o resultado foi:

  09:37:34.397998 IP 192.168.56.10 > 208.67.220.220: ICMP echo request, id 5786, seq 0, length 64
  09:37:34.948301 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 37
  09:37:35.044877 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 37
  09:37:35.044911 IP 192.168.56.10.40736 > 192.168.56.3.53: UDP, length 37
  09:37:35.044916 IP 192.168.56.10.40736 > 192.168.56.3.53: UDP, length 37
  09:37:35.054197 IP 192.168.56.11.62186 > 192.168.56.3.53: UDP, length 49
  09:37:35.131690 IP 192.168.56.10.33297 > 192.168.56.3.53: UDP, length 39
  09:37:35.131725 IP 192.168.56.10.33297 > 192.168.56.3.53: UDP, length 39
  09:37:35.131731 IP 192.168.56.10.38883 > 192.168.56.3.53: UDP, length 39
  09:37:35.133528 IP 192.168.56.10.38883 > 192.168.56.3.53: UDP, length 39
  09:37:36.443785 IP 192.168.56.10.56036 > 192.168.56.3.53: UDP, length 40
  09:37:36.444012 IP 192.168.56.10.56036 > 192.168.56.3.53: UDP, length 40
  09:37:36.444027 IP 192.168.56.10.46740 > 192.168.56.3.53: UDP, length 40
  09:37:36.444036 IP 192.168.56.10.46740 > 192.168.56.3.53: UDP, length 40
  09:37:36.482636 IP 192.168.56.10 > 114.114.114.114: ICMP echo request, id 5800, seq 0, length 64
  09:37:36.772542 IP 192.168.56.11.58988 > 192.168.56.3.53: UDP, length 41
  09:37:36.772834 IP 192.168.56.11.57774 > 192.168.56.3.53: UDP, length 41
  09:37:37.565783 IP 192.168.56.10.43467 > 192.168.56.3.53: UDP, length 3

  Em Firewall, NAT, Outbound, eu configurei da seguinte forma a única regra:

  Modo NAT de Saída: Manual

  Mapeamentos:

  Interface: WAN
  Origem: Qualquer
  Porta de origem: Qualquer
  Destino: Qualquer
  Porta de destino: Qualquer
  Endereço NAT: Endereço WAN
  Porta NAT: Qualquer
  Porta estática: Porta de origem aleatória

• Official Netgate® Hardware

  Information about hardware available from Netgate
  2k Topics

  20k Posts

  S

  So you have replaced the LAN IP address with 10.10.10.10254? Are you using a public subnet on LAN?

  Was there a significant gap in the logs before that? The first thing logged there looks like a reaction to the LAN coming back up.

  Mostly what is concerning there is that igc0 is flapping repeatedly. What is it actually connected to? Did you try reassigning LAN to one of the other igc NICs?

• Netgate Announcements

  Information about hardware available from Netgate
  44 Topics

  211 Posts

  A

  It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!

• Off-Topic & Non-Support Discussion

  Feel free to talk about anything and everything here

  • Forum Feedback
  • Community Job Board
  3k Topics

  19k Posts

  L

  @Wylbur Thank you!