Static route configuration: no Internet access on Pfsense + smart switch
-
@viragomann
Thank you VM a lot for the extended reply! I've been sitting for hours checking the manuals and the system configurations of both the switch and pfSense, but cannot find any other DNS settings (than those that were already there) which would prevent the traffic from the Internet... Also, I've adapted the rules in the firewall to a network alias instead of one IP. All without much success yet...
Tomorrow I will add more print-screens because it's late here...
In any case, thank you again for your input!
LF
-
Hello VM,
I listened to your advice (about doing all the static routing in pfSense without the switch) and spent some time testing/monitoring the system (especially the performance state of the CPU / RAM), and I discovered, indeed, that memory sometimes gets bottlenecked while using pfBlockerNG and especially TLD! So I disabled TLD and the system now runs acceptably without annoying latency.
It still didn't solve my issue, but I think I will remove the switch from the setup and learn how to configure it all in one single system.
If it doesn't work, I will ask again, but I hope it won't be needed.
Many thanks for your time and all the shared information, it's already very useful.
LF
-
When you create downstream networks, Unbound's ACLs will not automatically allow those downstream networks via its auto ACLs.
The auto ACLs only allow networks directly attached to pfSense to query it.
If you want downstream networks to query pfSense for DNS, then you have to create ACLs in Unbound to allow that.
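As an added illustration of the ACL point above (not code from the thread, and not the poster's actual configuration), this Python model evaluates Unbound-style access-control lines the way Unbound does (longest-prefix match, unlisted sources refused) and shows why a downstream network gets refused until an explicit entry is added. The subnets are constructed assumptions, and the allow/allow_snoop handling is a simplified model of Unbound's actions.

```python
import ipaddress

# Constructed sample modelled on the thread, not the poster's real config.
# pfSense's auto ACLs cover only networks on its own interfaces (LAN here);
# VLAN60 sits behind the switch, so it needs a manual access-control entry.
AUTO_ACL_CONF = """
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.1.0/24 allow   # LAN, directly attached to pfSense
"""
VLAN60_ACL = "access-control: 192.168.60.0/24 allow   # downstream VLAN60"


def parse_access_control(lines):
    """Parse unbound.conf style 'access-control: <netblock> <action>' lines."""
    acls = []
    for line in lines:
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        acls.append((ipaddress.ip_network(netblock, strict=False), action))
    return acls


def decide(acls, src_ip, recursion_desired=True):
    """Return the effective action for a query from src_ip.

    Like Unbound, the most specific (longest prefix) netblock wins and a
    source that matches nothing is refused. Simplified model of the actions:
    'allow' permits recursive queries only, 'allow_snoop' also permits
    non-recursive (cache snooping) queries, 'refuse'/'deny' block either way.
    """
    src = ipaddress.ip_address(src_ip)
    match = max((a for a in acls if src in a[0]),
                key=lambda a: a[0].prefixlen, default=None)
    if match is None:
        return "refuse"
    action = match[1]
    if action == "allow" and not recursion_desired:
        return "refuse"
    return action


if __name__ == "__main__":
    auto_only = parse_access_control(AUTO_ACL_CONF.splitlines())
    with_vlan60 = auto_only + parse_access_control([VLAN60_ACL])
    for label, acls in (("auto ACLs only", auto_only), ("VLAN60 added", with_vlan60)):
        print(f"{label}: LAN host -> {decide(acls, '192.168.1.20')}, "
              f"VLAN60 host -> {decide(acls, '192.168.60.10')}")
```

With only the auto ACLs the VLAN60 host is refused while the LAN host is allowed; adding the one manual line flips the VLAN60 result to allow.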
-
Oh, thank you JP!
I expected that somehow... but not in pfSense...
A few days ago, while trying to configure that switch, I found some info on the Internet about ACLs and I did configure one on the switch (just a basic ACL that lets traffic from the IP of VLAN60 through, print screen attached).
But I didn't know what else was blocking the Internet access, and I could not find any hints in the logs of pfSense! I started to believe that the switch was broken... It's really a pain...
OK, I will try to make an ACL in pfSense, because I've spent many days on it, all without success. Really.
Thankfully,
LF
-
Still no success...
ping: cannot resolve yahoo.com: Unknown host
Only IP pings come through.
Here is my basic ACL on pfSense, tried both Allow and Allow Snoop:
-
Did you enable port 53 for DNS?
Domain Name Service resolves URLs to IP addresses; without it no Internet will work. Here is a copy of my very basic firewall rules. I have DNS set up so that anything from LAN can access port 53.
-
Hello Jonathanlee,
Thank you a lot for this contribution, please excuse me for such a delay... (I was too busy with teaching music...).
Unfortunately I could not configure that portion of my network (also because, after many days of trying, I decided not to use VLANs but to make everything as easy as possible in pfSense only), so I sent that smart switch back to the store.
Still, I hope that your contribution will aid someone with the same question, because I've burned too many hours and could not manage it alone, so it still hurts... Again, thank you!
All the best,
-
@lfred said in Static route configuration: no Internet access on Pfsense + smart switch:
Netgear MX510
I think your problem was most likely due to your switch not actually being an L3 switch.
From this thread
https://community.netgear.com/t5/Smart-Plus-and-Smart-Pro-Managed/MS510TX-trick-to-getting-routing-to-work-correctly/m-p/1885049#M15144
This stated:
This type of switch can only work with VLAN routing per interface. It does not support all the members of the VLAN as it is only a L2 switch. If you wanted to have VLAN routing working on all of the devices, then you may need a fully manageable switch.
So if you had just used it as L2 and let pfSense route the VLANs, you wouldn't have had any of the issues you were running into.
-
Thank you Johnpoz!
I suspected that there was something wrong with the switch, really. But they told me that it's really a Layer 3 device and therefore I kept trying for too long... So it's actually an L2+ one. Hmmm...
In any case, that simpler setup within pfSense only compensates for all my earlier frustration, because it works better than any smart switch (in my little music lab).
With many thanks and greetings to this forum,
-
@lfred yeah, in the data sheet they use the term "Layer 2+/Lite L3 features".
If you had just used it as L2 and done routing on pfSense between your VLANs/networks, you would have had far less trouble.
Routing at the switch level is almost never needed in any sort of home setup, unless what you have doing your routing is not really capable of routing at wire speed and you really want some devices on their own VLANs. But you're really going to have way less ability to actually firewall between these segments. Even with a fully managed L3 switch (I have one), the ability to limit traffic between these VLANs is difficult and convoluted.
If you want to try VLANs again, there are many entry-level smart switches that can do VLANs in the $40 price range, which is probably way less than that Netgear you had.