    Can’t access TrueNAS machine outside its own VLAN

    • A
      agomendes
      last edited by

      I have a problem accessing a NAS machine, but this is not making much sense.

      My global configuration is something like this:

      LAN – 192.168.5.0
      pfSense machine, switches, centralized controller

      VLAN 10 – 192.168.10.0
      TrueNAS machine, printer, user computers

      VLAN 20 – 192.168.20.0
      User computers

      VLAN 30 – 192.168.30.0
      Access Points

      OpenVPN Tunnel – 192.168.50.0

      Basically, everything works fine except when we try to access the TrueNAS machine from outside its own VLAN.

      I created all rules to let the traffic pass between VLANs and OpenVPN, but something must be wrong. To make sure that I’m not blocking traffic from / to a specific IP, I’m letting the whole range of IPs pass. In the pfSense logs, all traffic looks ok - nothing appears blocked. However, I can’t PING or access the TrueNAS machine from outside VLAN 10 (locally or using OpenVPN). But I can access the printer perfectly, which is in the same VLAN. The only way to access the TrueNAS is from a PC that is connected directly to the same VLAN.

      Any idea about what could be wrong?

      Many thanks for all your help.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @agomendes
        last edited by

        @agomendes said in Can’t access TrueNAS machine outside its own VLAN:

        OpenVPN Tunnel – 192.168.50.0

        Is that a typo - use of tunnel network that overlaps one of your own networks wouldn't be correct setup.

        NAS's own firewall comes to mind. The nas not having a gateway set to point back to pfsense as another. How are you trying to connect to the nas - L2 discovery is not going to work across vlans.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • A
          agomendes @johnpoz
          last edited by agomendes

          @johnpoz

          Many thanks for your answer.

          Can you be a little more precise about what you are trying to explain to me?

          Just to clarify, I don't have access to (and can't even PING) the NAS from the VPN, LAN or any other VLAN that is not the one where TrueNAS belongs. From a PC connected to the same VLAN, I’ve full access to the web interface, shares, etc…

          What is really weird is that I’ve a network printer in the same VLAN as TrueNAS and with it everything is running well (ping, print from other VLANs or VPN, etc…).

          For now I'm using “open configs” to pass all traffic and protocols from the whole IP range (xxxx/24), precisely to make sure that I have the same rule for all devices, but I can't understand why I've access to the printer and not the TrueNAS.

          If it helps, when I try to ping the TrueNAS (outside its own VLAN), the pfSense Packet Capture of the interface is the following:

          10:03:56.033293 IP (tos 0x0, ttl 127, id 48780, offset 0, flags [none], proto ICMP (1), length 60)
          192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 557, length 40
          10:04:01.037589 IP (tos 0x0, ttl 127, id 48781, offset 0, flags [none], proto ICMP (1), length 60)
          192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 558, length 40

          So, it looks like something reaches the corresponding VLAN, right?

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @agomendes
            last edited by johnpoz

            @agomendes dude my bad.. I saw your lan as 192.168.50 and your tunnel as 192.168.50 - doh!

            Yeah you're pinging the device - if it has a firewall, which most NASes do - then it could be set to not answer anything unless it's on the same network. Validate your nas firewall allows the traffic you want to allow.

            Another reason you might not be able to talk to the NAS is if no gateway is set on the nas, and it just doesn't know how to answer to that IP, since no gateway - or a different gateway than the pfsense IP on your nas vlan.

            Or another reason is you're tagging traffic out of your vlan interface, and with how you set up your nas it is never seeing the traffic, because it doesn't understand that it should be looking for that tagged traffic..

            Normally with vlans pfsense would send with a tag, the switch would say oh that is vlan X traffic.. Send that to stuff on that vlan, but remove the tag on the device on the access port..

            example

            pfsense -- vlan X (tagged) --- switch --- vlan X (untagged) nas

            But if you have it like this

            pfsense -- vlan X (tagged) -- Nas

            Then the nas would have to be set to know about vlan X tag.

            Or dumb switch (not vlan capable)

            pfsense -- vlan X (tagged) -- dumb switch -- vlan X (tagged) Nas..

            If you see pfsense sending the traffic to the NAS ip, and it's to the correct mac address.. But you get no answer, that screams firewall on that device. Or the device has no gateway, or a different gateway, and pfsense never sees the reply to send it back to the IP wanting to talk to the nas. Or for whatever reason the nas is never seeing the traffic in the first place to be able to answer..

            But if you're seeing traffic sent to the nas, and the nas can actually access the internet through pfsense - get an ip from pfsense dhcp, etc. Then that screams nas firewall just not set to allow that source IP to talk to it..


            1 Reply Last reply Reply Quote 2
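The check described in the reply above (requests leave pfSense toward the NAS, but no reply is ever seen) can be automated over a saved capture. This is an added example, not part of the thread: it pairs ICMP echo requests with replies in `tcpdump -v` text; the first two packets are the ones posted above, and the printer exchange at 192.168.10.30 is constructed for contrast.

```python
import re

# tcpdump -v prints an IP header line, then a line holding the addresses and ICMP detail.
ICMP_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Packets 1-2 are from the thread; packets 3-4 (printer IP and timings) are constructed.
SAMPLE_CAPTURE = """\
10:03:56.033293 IP (tos 0x0, ttl 127, id 48780, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 557, length 40
10:04:01.037589 IP (tos 0x0, ttl 127, id 48781, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 558, length 40
10:04:02.100000 IP (tos 0x0, ttl 127, id 48782, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.30: ICMP echo request, id 1, seq 559, length 40
10:04:02.100900 IP (tos 0x0, ttl 64, id 1201, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.30 > 192.168.50.2: ICMP echo reply, id 1, seq 559, length 40
"""

def unanswered_pings(capture_text):
    """Return {target_ip: [seq, ...]} for echo requests that never got a reply."""
    pending = {}  # (requester, target, icmp_id, seq), kept in capture order
    for line in capture_text.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue  # header lines and non-ICMP traffic
        icmp_id, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], icmp_id, seq)] = None
        else:
            # A reply travels target -> requester, so swap the addresses to match.
            pending.pop((m["dst"], m["src"], icmp_id, seq), None)
    silent = {}
    for _requester, target, _icmp_id, seq in pending:
        silent.setdefault(target, []).append(seq)
    return silent

if __name__ == "__main__":
    # Hosts listed here received requests on this interface but sent nothing back
    # through pfSense: check their firewall, default gateway and VLAN tagging.
    for target, seqs in unanswered_pings(SAMPLE_CAPTURE).items():
        print(f"{target}: no reply to seq {seqs}")
```

A host that shows up here while its neighbour on the same VLAN answers points at the host itself (firewall, gateway, tagging) rather than at the pfSense rules.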
            • A
              agomendes
              last edited by

              @johnpoz

              Oh god! Indeed, I realise now that I didn’t define any VLAN on the TrueNAS. The interface is just configured to have an IP that is used in the VLAN range, but nothing else (it's why I don't have problems when I use another machine connected to the same VLAN).

              It makes sense that this could be the cause of the issue.

              Next Monday I’ll reconfigure everything and come back to say what it is the result.

              Meanwhile, many thanks for your support and clarifications.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @agomendes
                last edited by johnpoz

                @agomendes said in Can’t access TrueNAS machine outside its own VLAN:

                I didn’t define any VLAN on the TrueNAS.

                You normally would not want or need to do this. Because your device would be connected to a vlan capable switch that would handle the vlan tags for you. Normally end user devices are ignorant of what vlan they are on.. Devices like routers or switches or APs, etc. are normally the only sort of devices that need to understand or be set up to know what tag ID is what vlan, etc.

                And in my example like this
                pfsense -- vlan X (tagged) -- Nas

                Not sure why you would tag that interface at all if only the NAS was connected to that pfsense interface.

                Only scenario I can think of would be using a "dumb" non vlan aware switch.. Or if you were wanting to run multiple vlans for say vms or docker containers on your nas. I do this for example.. One of the interfaces on the nas carries tagged vlans, and the other interface is used for native access to its normal "nas" network..


                • A
                  agomendes @johnpoz
                  last edited by

                  @johnpoz

                  Yap! You are right... Sometimes we don’t think as we should. It’s exactly the same situation that I’ve with the printer – just an IP assigned and everything is working.

                  As far as I know, TrueNAS (before FreeNAS) has not any internal firewall. At least configurable with the GUI. I’ll investigate deeper.

                  Maybe it’s the gateway (I’ve some doubts that is wrong), so I’ve to confirm.

                  For testing, I’ll also change the NAS to the LAN (same net where I’ve also the pfSense) and check if anything changes.
