How to set the same VLANs between the switch and PfSense
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
What do you mean? There is no gateway assigned, as the menu mentions as well I should not assign a gateway if that's a LAN to LAN communication
What?? Where pfsense connects to your isp device is its WAN!!! That is how it gets to the internet.. No shit it would never work without a gateway..
Again going to state this with emphasis - you need to research the basic concepts of how a router works, what a network is..
I clearly went over this..
Without a gateway - where would pfsense send traffic that was destined for some network its not directly attached too??
192.168.0.1 and 192.168.0.220 are in the same network for what I know with a mask of 255.255.255.0, the communication should happen automatically, it's like 2 hosts in the same VLAN, don't tell me that I'm wrong even here :D ...
Obviously I consider this case correct without firewall rules blocking the traffic. What it may not be obvious for PfSense is how to take the traffic from other interfaces and route it to the UPLINK, in that case I think a gateway is needed, and it should be the PfSense Gateway, like 192.168.0.220 (current UPLINK port), or any custom IP if it is possible, I need to check. I strongly don't think it is the same IP of the WebGUI.
Regarding the graph, maybe I confused your previous graph, where you mentioned NO GATEWAY between the PfSense box and the downstream switch, that's another story.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
the communication should happen automatically, it's like 2 hosts in the same VLAN, don't tell me that I'm wrong even here :D ...
OMG dude.. Really? Yes they would be able to talk to each other - but why would pfsense send traffic for say 8.8.8.8 to 192.168.0.1 unless it was set as the gateway, ie the default route for pfsense.
Where do you have pfsense sending traffic that is not local? How would anything get to the internet if not sent to your ISP device? What is pfsense default gateway set to?
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
the communication should happen automatically, it's like 2 hosts in the same VLAN, don't tell me that I'm wrong even here :D ...
OMG dude.. Really? Yes they would be able to talk to each other - but why would pfsense send traffic for say 8.8.8.8 to 192.168.0.1 unless it was set as the gateway, ie the default route for pfsense.
Where do you have pfsense sending traffic that is not local? How would anything get to the internet if not sent to your ISP device? What is pfsense default gateway set to?
That was my initial guess :D
I think I just got confused about the previous sentence, where you said a gateway was not needed, but actually you were referring to the pfsense --> <-- switch communication, where I also have truncate ports with different VLANs on the same port.
I'll test it and let you know
-
Ok the gateway was all about it, what a bs...... :D
Now I have another problem, which makes every troubleshooting or setup I do tiresome...
Real world example:
Management interface:
- IP set as 192.168.2.1
- mask 255.255.255.0 or /24
- no DHCP whatsoever
- The connection from my laptop works
Management interface change
I changed the interface IP to 192.168.20.1, mask 255.255.255.0 or /24 (I can't connect anymore, I'm using the same port and I reconfigured my laptop in this way):
- laptop IP 192.168.20.2
- gateway 192.168.20.1 (nothing else than the interface IP)
- no DHCP whatsoever
Revert the change
I reverted the change directly from the machine, basically assigning the IP 192.168.2.1 to the same interface, no DHCP again, nothing specific.
Yes, I tried to hit 192.168.2.1 :D from the WebGUI. I can't connect anymore, normally I would expect my laptop to be the problem, specifically in this case.
With "ifconfig" I see that the IP is correctly assigned, but I can't see the gateway and it's normal so far...
I checked the respective network config file under /etc/sysconfig/network/scripts/ , well, it's not there... Actually many of them are missing there.... The only thing I noticed is that there are few wireless and wired connections, so not only one of this type, but that's it, what I need is not there. Even after I re-created the network config in the laptop UI, the config is not in that directory...
Also, this file is empty: /etc/sysconfig/network , and it shouldn't be. Looking at this doc, these 2 things mentioned above should be there... https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/ch-Network_Interfaces.html
The doc is a bit old but I don't think they made changes on how this component works... In the end, I found the config file under /etc/NetworkManager/system-connections/ , it contains all the correct details, even though I found this line strange:
[ipv4]
address1=192.168.2.1/24,192.168.2.1
As you can see, the gateway is on the same line as the machine IP address... I think it's weird but looking at other files it seems correct.
A PfSense system reboot didn't help...
I'll configure a new interface, but this looks a bit crazy.
I exhausted my ideas, let me know what you think :D
-
@jt40 what rules did you put on pfsense "management" interface you created?
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
The rule on the management interface you're creating should prob be source "management net". This way when you change the management IP on pfsense, the alias for "management net" would change to reflect the network.
When troubleshooting local connectivity like a laptop plugged directly into a pfsense port, or even via a switch with devices on the same network, the first thing to validate is that you can arp for the IP you're trying to talk to on the same network.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 what rules did you put on pfsense "management" interface you created?
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
The rule on the management interface you're creating should prob be source "management net". This way when you change the management IP on pfsense, the alias for "management net" would change to reflect the network.
When troubleshooting local connectivity like a laptop plugged directly into a pfsense port, or even via a switch with devices on the same network, the first thing to validate is that you can arp for the IP you're trying to talk to on the same network.
@jt40 what rules did you put on pfsense "management" interface you created?
I didn't set any rule, if what you mean is a firewall rule, there is no FW rule at the moment.
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
Due to my previous answer, I think that there is nothing to worry about here.
The rule on the management interface you're creating should prob be source "management net". This way when you change the management IP on pfsense, the alias for "management net" would change to reflect the network.
Thanks for the tip, but I still didn't create any rule, so my case is much simpler.
When troubleshooting local connectivity like a laptop plugged directly into a pfsense port, or even via a switch with devices on the same network, the first thing to validate is that you can arp for the IP you're trying to talk to on the same network.
I can see the ARP table from the laptop, it's something like this:
<FIRST_PART_MISSING_OF_THE_NETWORK_INTERFACE_NAME>_gateway 192.168.2.1 at <MAC that is correct> [ether] on enp2s0
The beginning means that I'm missing whatever is before _gateway. In any case it seems strange, that is actually the gateway name, the one that in PfSense is 192.168.0.1 (my modem/router).
Btw, I'm still able to ping google from the shell, so the UPLINK interface is working...
It doesn't show what interface it used, but I guess that it used the UPLINK, not the MANAGEMENT interface, I don't have a gateway assigned on the MANAGEMENT interface. I'll reboot also my laptop, that's the last thing that remains for my knowledge...
Anyway, thanks a lot so far to everyone :)
-
I also did the following:
- Rebooted the laptop
- Assigned a new IPV4 IP to a new interface, never used with this setup. I did the same simple setup and assigned 192.168.5.1/24, no gateway assigned
- Reconfigured the laptop network and assigned the IP 192.168.5.200 or 192.168.5.2
- ARP table looks good
- Rebooted the WebConfigurator in PfSense
After all that, I can't connect to the WebGUI of PfSense... The page keeps loading until it times out, but it's not a gateway timeout or something very well defined, it's just a timeout due to the browser config...
I also did:
- I checked the interface config in PfSense, it looks ok
- The traffic between UPLINK and modem/router (gateway) is all good, but it was already visible from a simple ping test.
- No other error messages, unless there is some sort of dmesg for such scenarios in BSD, something easy to read all in one place, I have experience with Linux but not BSD, so I'll need to dig almost from scratch.
What an experience, a bit speechless :D , fun but never had so many obstacles :D
-
I listed all the possible bugs here: https://forum.netgate.com/topic/168438/bunch-of-weird-things-happening-here/2
I also met this situation:
Configured the interface with HTTP from the backend, now it doesn't ask me anymore to set it up with HTTPS... So it remains in HTTP, this is definitely a bug.
Anyway, it doesn't make a difference for my case.
-
I also tried enabling DHCP, I successfully received the IP address in the range I specified, but I can't connect...
Interface IP: 192.168.2.1
Mask /24
DHCP range 192.168.2.2 <--> 192.168.2.254
IP received: 192.168.2.2
Looks good but I can't connect to the WebUI, HTTP or HTTPS same thing, but currently it's stuck with HTTP.
As mentioned previously, I can't change the protocol anymore... I'm done for today, see you next week, LOL :D
Thanks everyone.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
No rules, very simple setup.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
To be honest I can't specify any rule there, if by "rules" you mean firewall rules.
The shell is quite limited in terms of setup, I recall interface IPV4, IPV6, gateway (if any), DHCP, HTTP or HTTPS, and that's it.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the gui! It will not work without rules! Because the default rule is DENY! so no rules - nothing works! If you locked yourself out of the gui, disable the firewall for a minute, access the gui and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the gui! It will not work without rules! Because the default rule is DENY! so no rules - nothing works! If you locked yourself out of the gui, disable the firewall for a minute, access the gui and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
I'll test it, but how did I login before???
In the backend, it asked me the same info as in the WebGui...
So every time I change the IP of the interface, it denies the WebGUI from every network interface?
What about the rest of the communications? I'd be quite scared if every time I need to reconfigure everything... Especially because the rollback didn't allow me to connect, or it was not enough, say it as you wish. Where is this rule located?? Do you mean firewall rule?
On the other side, it's possible that I won't change the interface IPs, or at least I should not change them if my assumptions are correct :D
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is this rule located?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall, this should be the default lan interface, since it has the anti-lockout rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built in anti-lockout rule.
Lets go back again to what I said in the beginning.. Set pfsense up out of the box, with 1 network default lan.. Get it working... Then move on to creating other networks - using your default lan as your admin network.. You can change the IP range to be whatever you want, etc.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is this rule located?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall, this should be the default lan interface, since it has the anti-lockout rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built in anti-lockout rule.
Lets go back again to what I said in the beginning.. Set pfsense up out of the box, with 1 network default lan.. Get it working... Then move on to creating other networks - using your default lan as your admin network.. You can change the IP range to be whatever you want, etc.
Thank you, finally I understood what it was.
It's still a bit strange.
The anti-lockout rule is now configured for the ports 80 and 443 and it's enabled, but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me. I don't have any other rule on that interface, or any sort of alias yet.
As soon as I re-enable the firewall, it stops me from connecting to the WebGUI.
I used this guide: https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html
It doesn't mention other cases...
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me.
NO it's not a Bug - again default is DENY, if you have no rules to allow, traffic is DENIED! if no firewall is running nothing can be denied.
The anti-lockout rule is only on the LAN interface, if you create some new interface there are NO rules!
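To make the two points raised in this thread concrete (a freshly created interface has no rules and falls to the default deny, while the default LAN carries the anti-lockout rule; and a rule whose source is the "management net" alias keeps matching after the interface IP changes, while a rule with a literal subnet goes stale), here is an added example that models pfSense's first-match rule evaluation. It is not pfSense code or anything posted in the thread; the interface names, the WebGUI ports 80/443 and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of pfSense rule evaluation on one interface: first match
# wins and unmatched traffic hits the implicit default deny. Not pfSense code;
# interface names and the WebGUI ports (80/443) are assumptions.
@dataclass
class Interface:
    name: str
    ip: str                                     # e.g. "192.168.2.1/24"
    rules: list = field(default_factory=list)   # (src, dst, ports, action)

    def network(self):
        return ipaddress.ip_interface(self.ip).network

    def address(self):
        return ipaddress.ip_interface(self.ip).ip

# Built-in anti-lockout rule; pfSense installs it on the LAN interface only.
ANTI_LOCKOUT = ("LAN net", "This Firewall", {80, 443}, "pass")

def addr_matches(spec, iface, ip):
    if spec == "any":
        return True
    if spec.endswith(" net"):         # "<Interface> net" alias follows the live subnet
        return ip in iface.network()
    if spec == "This Firewall":
        return ip == iface.address()
    return ip in ipaddress.ip_network(spec)   # literal CIDR: frozen when the rule was written

def evaluate(iface, src, dst, port, is_lan=False, firewall_enabled=True):
    """Return "pass" or "block" for a packet entering iface."""
    if not firewall_enabled:          # firewall disabled from the shell: nothing is filtered
        return "pass"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d, ports, action in ([ANTI_LOCKOUT] if is_lan else []) + list(iface.rules):
        if (addr_matches(s, iface, src) and addr_matches(d, iface, dst)
                and (ports == "any" or port in ports)):
            return action
    return "block"                    # default deny: no rule matched

def demo():
    """Walk through the thread's situations; returns {case: verdict}."""
    mgmt = Interface("MANAGEMENT", "192.168.5.1/24")       # new OPT interface, no rules
    out = {"opt_no_rules": evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443),
           "opt_fw_off": evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443, firewall_enabled=False)}
    lan = Interface("LAN", "192.168.2.1/24")               # default LAN, anti-lockout applies
    out["lan_antilockout"] = evaluate(lan, "192.168.2.2", "192.168.2.1", 443, is_lan=True)
    mgmt.rules = [("192.168.20.0/24", "any", "any", "pass")]   # literal source from the old IP
    out["literal_after_ip_change"] = evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443)
    mgmt.rules = [("MANAGEMENT net", "any", "any", "pass")]    # alias tracks the new subnet
    out["alias_after_ip_change"] = evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443)
    return out
```

Running `demo()` shows the new interface blocked until a rule (or the disabled firewall) lets the WebGUI traffic through, and why an interface-net alias is the safer source for a management rule.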
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me.
NO it's not a Bug - again default is DENY, if you have no rules to allow, traffic is DENIED! if no firewall is running nothing can be denied.
The anti-lockout rule is only on the LAN interface, if you create some new interface there are NO rules!
I'll check what you said, but now I f...... in another way :D
I re-enabled HTTP, and I disabled the firewall, I did only a minor change before this, unfortunately I forgot what change.
For sure no rules. Well, without FW I reach the WebPage but I can't login, even though in the backend I can see that the login is successful.
I put the credentials and it stops there, I'll analyze the browser trace. I never had so much fun with a system :D
-
ok it's an issue with the PHPSESSION, but in any case, I was able to access that page only with the firewall disabled...
At the moment my access is locked out, I received that message on the page, I need to wait a while
-
I tested the firewall for a long time, here are my observations:
- Even if I disable all the firewall rules on the interface to access the firewall UI, it's still necessary to disable the firewall in the backend in order to connect to the WebGUI...
How do you see this if not a bug?
@johnpoz told me that if I disable all the firewall rules, the default becomes "deny", I think for a good reason :D , but is it all about that?
Well, I created a new and simple firewall rule to allow the traffic from any to any, with any protocol as well, on that interface only.
Same behaviour, that was the only firewall rule enabled and I need to disable the firewall to get access...
I also tried network to network (same network basically), or IP to IP, nothing, same behaviour.
- Every firewall change (every time you click on save changes) reloads the firewall rules, so what I do is always disabling the firewall after every change to be able to browse the GUI again... It's in accordance with the previous point, but what a pain...
Until now I made only progress, but so many challenges mate :D
Again, thanks everyone here who helps so deeply in my journey with PfSense.