How to set the same VLANs between the switch and PfSense
-
I also did the following:
- Rebooted the laptop
- Assigned a new IPV4 IP to a new interface, never used with this setup. I did the same simple setup and assigned 192.168.5.1/24, no gateway assigned
- Reconfigured the laptop network and assigned the IP 192.168.5.200 or 192.168.5.2
- ARP table looks good
- Rebooted the WebConfigurator in PfSense
After all that, I can't connect to the WebGUI of PfSense... The page keeps loading until it times out, but it's not a gateway timeout or anything well defined, it's just a timeout due to the browser config...
I also did:
- I checked the interface config in PfSense, it looks ok
- The traffic between UPLINK and modem/router (gateway) is all good, but it was already visible from a simple ping test.
- No other error messages, unless there is some sort of dmesg for such scenarios in BSD, something easy to read all in one place, I have experience with Linux but not BSD, so I'll need to dig almost from scratch.
What an experience, a bit speechless :D , fun but never had so many obstacles :D
-
I listed all the possible bugs here: https://forum.netgate.com/topic/168438/bunch-of-weird-things-happening-here/2
I also met this situation:
Configured the interface with HTTP from the backend, now it doesn't ask me anymore to set it up with HTTPS... So it remains in HTTP, this is definitely a bug.
Anyway, it doesn't make a difference for my case. -
I also tried enabling DHCP, I successfully received the IP address in the range I specified, but I can't connect...
Interface IP: 192.168.2.1
Mask /24
DHCP range 192.168.2.2 <--> 192.168.2.254
IP received: 192.168.2.2
Looks good but I can't connect to the WebUI, HTTP or HTTPS same thing, but currently it's stuck with HTTP.
As mentioned previously, I can't change the protocol anymore... I'm done for today, see you next week, LOL :D
Thanks everyone. -
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
No rules, very simple setup.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
To be honest I can't specify any rule there, if for "rules" you mean firewall rules.
The shell is quite limited in terms of setup, I recall interface IPv4, IPv6, gateway (if any), DHCP, HTTP or HTTPS, and that's it. -
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the GUI! It will not work without rules! Because the default rule is DENY! So no rules - nothing works! If you locked yourself out of the GUI, disable the firewall for a minute, access the GUI and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
-
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the GUI! It will not work without rules! Because the default rule is DENY! So no rules - nothing works! If you locked yourself out of the GUI, disable the firewall for a minute, access the GUI and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
I'll test it, but how did I login before???
In the backend, it asked me the same info as in the WebGui...
So every time I change the IP of the interface, it denies the WebGUI from every network interface?
What about the rest of the communications? I'd be quite scared if every time I need to reconfigure everything... Especially because the rollback didn't allow me to connect, or it was not enough, say it as you wish. Where is this rule located?? Do you mean firewall rule?
On the other side, it's possible that I won't change the interface IPs, or at least I should not change it if my assumptions are correct :D
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is this rule located?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, I have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall, this should be the default LAN interface, since it has the anti-lockout rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built-in anti-lockout rule.
Let's go back again to what I said in the beginning.. Set pfSense up out of the box, with 1 network, default LAN.. Get it working... Then move on to creating other networks - using your default LAN as your admin network.. You can change the IP range to be whatever you want, etc.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is this rule located?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, I have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall, this should be the default LAN interface, since it has the anti-lockout rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built-in anti-lockout rule.
Let's go back again to what I said in the beginning.. Set pfSense up out of the box, with 1 network, default LAN.. Get it working... Then move on to creating other networks - using your default LAN as your admin network.. You can change the IP range to be whatever you want, etc.
Thank you, finally I understood what it was.
It's still a bit strange.
The anti-lockout rule is now configured for ports 80 and 443 and it's enabled, but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me. I don't have any other rule on that interface, or any sort of alias yet.
As soon as I re-enable the firewall, it stops me from connecting to the WebGUI.
I used this guide: https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html
It doesn't mention other cases... -
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me.
NO it's not a bug - again default is DENY, if you have no rules to allow, traffic is DENIED! If no firewall is running nothing can be denied.
The anti-lockout rule is only on the LAN interface, if you create some new interface there are NO rules!
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disable the firewall from the shell am I able to use the WebGUI...
This looks like a bug to me.
NO it's not a bug - again default is DENY, if you have no rules to allow, traffic is DENIED! If no firewall is running nothing can be denied.
The anti-lockout rule is only on the LAN interface, if you create some new interface there are NO rules!
I'll check what you said, but now I f...... in another way :D
I re-enabled HTTP, and I disabled the firewall, I did only a minor change before this, unfortunately I forgot what change.
For sure no rules. Well, without FW I reach the web page but I can't login, even though in the backend I can see that the login is successful.
I put in the credentials and it stops there, I'll analyze the browser trace. I never had so much fun with a system :D
-
OK, it's an issue with the PHP session, but in any case, I was able to access that page only with the firewall disabled...
At the moment my access is locked out, I received that message on the page, I need to wait awhile
-
I tested the firewall for a long time, here are my observations:
- Even if I disable all the firewall rules on the interface to access the firewall UI, it's still necessary to disable the firewall in the backend in order to connect to the WebGUI...
How do you see this if not a bug?
@johnpoz told me that if I disable all the firewall rules, the default becomes "deny", I think for a good reason :D , but is it all about that?
Well, I created a new and simple firewall rule to allow the traffic from any to any, with any protocol as well, on that interface only.
Same behaviour, that was the only firewall rule enabled and I need to disable the firewall to get access...
I also tried network to network (same network basically), or IP to IP, nothing, same behaviour.
- Every firewall change (every time you click on save changes) reloads the firewall rules, so what I do is always disable the firewall after every change to be able to browse the GUI again... It's in accordance with the previous point, but what a pain...
Until now I made only progress, but so many challenges mate :D
Again, thanks to everyone here who helps so deeply in my journey with PfSense.
-
@jt40 pfSense is not for everyone.
-
@bob-dig said in How to set the same VLANs between the switch and PfSense:
@jt40 pfSense is not for everyone.
Thanks for the feedback, but looking at the last message, tell me if I could have made some mistake.
That message was written before my test today, prepare yourself, you are gonna laugh hard. All looks good today, the firewall was re-enabled automatically overnight, which I don't mind if there is an auto-enable after some time, I still need to figure out where such a setting is though.
The box has been working without reboot, magic happens during the night :D . Basically, all I tried yesterday, today works well, firewall rules work as expected, IP to IP, network to IP, or network to network (not in every case though, but that could be my negligence)...
This is what I did today, mostly successful:
- WebGUI connection always successful
- Firewall rules behaved as expected for the WebGUI, even changing IP to network etc.
- Firewall rules behaved as expected to reach the WAN from another interface, I couldn't believe it :D .
The only thing is that I specified the modem/router from my ISP as a gateway, I think there is no other way to do it.
Considering that I have 4 interfaces to use at the moment, I'll specify the same gateway in each interface, I hope it's safe enough in terms of security. -
Firefox behaved badly today, I got an HTTP 200 GET --> NS_BINDING_ABORTED
This can happen for many reasons, I didn't investigate too much...
Chrome works though, so today I can't blame the firewall for this case. I need to specify that yesterday Chrome didn't work, I had to disable the firewall every time to login.
Yesterday I also rebooted the laptop and did a fresh test when the firewall was enabled, nothing changed.
What to say, today was productive again :) .
I'll check again tomorrow, just in case something changes overnight :D -
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
I'll specify the same gateway in each interface
Normally only the interface that connects to the network would have a gateway.
Aside from that, each interface would need a gateway in its subnet, so it can communicate with said gateway.
Glad it's working for you today. Make a backup of the config. :)
-
@steveits said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
I'll specify the same gateway in each interface
Normally only the interface that connects to the network would have a gateway.
Aside from that, each interface would need a gateway in its subnet, so it can communicate with said gateway.
In my case I think that I simply need firewall rules then, and that's what I did in the end, I made a mistake before, sorry.
I've set the firewall rules for a basic network in this way:
- LAN5 (send everything from LAN5 network to WAN address)
- WAN (accept everything that comes from LAN5 network and send it to Single Host or Alias (Gateway IP)) (I have a modem/router in front of)
The WAN is set to use the gateway and that's how it knows where to route the packets.
In this way I was able to get to the internet, but does it look safe?
Forget about protocols and ports for now, we could argue a lot about strategies here :D , moreover I mean if the routing is correct, I don't think there is something else that could work.
Glad it's working for you today. Make a backup of the config. :)
Oh man, the BACKUP!!! At this point, the more I do everything from scratch, the more I learn, I won't try to rollback unless I'm actively using the network when making a change :D .
-
@jt40 Firewall rules don't send traffic anywhere. They just allow it or block it. pfSense will know where to route traffic on its own interfaces, or send the rest to its gateway to get to the Internet. Are you thinking of NAT rules?
The default rule on LAN allows from LAN to any, meaning any other network. There are no default rules on any other interface, meaning all traffic is blocked. Rules apply to packets arriving on that interface.
-
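As an added illustration of the point johnpoz and steveits make above (rules are evaluated only on the interface a packet arrives on, the first match wins, anything unmatched is denied, and only the default LAN carries the anti-lockout rule), here is a small Python model of that evaluation. It is not pfSense code and not part of the thread; the interface names, rule sets and addresses (LAN 192.168.1.1/24, OPT1 192.168.5.1/24 as in jt40's test) are constructed for the example.

```python
# Added illustration, not pfSense code: a tiny model of pfSense's per-interface,
# first-match ("quick") rule evaluation with an implicit default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: str = "any"     # CIDR or "any"
    dst: str = "any"     # CIDR or "any"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"
    ports: tuple = ()    # destination ports; empty tuple = any port
    descr: str = ""

def _in(scope, addr):
    return scope == "any" or ip_address(addr) in ip_network(scope)

def evaluate(rules_by_iface, iface, src, dst, proto, dport, firewall_enabled=True):
    """Rules are checked only on the interface the packet ARRIVES on; the first
    matching rule wins; no match means block. With pf disabled (pfctl -d in the
    shell, as done in the thread) nothing is filtered, so everything passes."""
    if not firewall_enabled:
        return "pass", "firewall disabled"
    for r in rules_by_iface.get(iface, []):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports and dport not in r.ports:
            continue
        if _in(r.src, src) and _in(r.dst, dst):
            return r.action, r.descr
    return "block", "default deny (no matching rule)"

# Constructed ruleset mirroring the thread. LAN keeps the built-in anti-lockout
# rule (WebGUI ports to the LAN address) plus the default "LAN net to any" rule;
# the freshly created OPT1 (192.168.5.1/24 in the thread) has no rules at all.
ANTI_LOCKOUT = Rule("pass", "any", "192.168.1.1/32", "tcp", (80, 443), "anti-lockout")
RULES = {
    "LAN": [ANTI_LOCKOUT, Rule("pass", "192.168.1.0/24", descr="Default allow LAN to any")],
    "OPT1": [],
}
# The fix from the thread: an explicit pass rule on the new interface.
RULES_FIXED = dict(RULES, OPT1=[Rule("pass", "192.168.5.0/24", descr="allow OPT1 net to any")])

def webgui_reachable(rules, iface, client_ip, iface_ip, firewall_enabled=True):
    """True if an HTTPS request from client_ip to the interface address passes."""
    action, _ = evaluate(rules, iface, client_ip, iface_ip, "tcp", 443, firewall_enabled)
    return action == "pass"
```

Running it shows the WebGUI reachable from LAN through the anti-lockout rule, blocked from OPT1 until a pass rule is added (or pf is disabled), which is exactly the behaviour the thread describes.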
@steveits said in How to set the same VLANs between the switch and PfSense:
@jt40 Firewall rules don't send traffic anywhere. They just allow it or block it. pfSense will know where to route traffic on its own interfaces, or send the rest to its gateway to get to the Internet. Are you thinking of NAT rules?
I think it does auto NAT then, like simple routers out there.
The default rule on LAN allows from LAN to any, meaning any other network. There are no default rules on any other interface, meaning all traffic is blocked. Rules apply to packets arriving on that interface.
I don't have default rules when I create the interface, I think I disabled that function, it should be a good idea :) .
I've just set the rule in outbound for now, "any to WAN" to keep it easy for the initial testing. Regarding NAT, I'll need to think about how to do it...
It seems that I got all set for a simple setup, now the rest of the story is on the switch after PfSense...
I think I'll need to do the following:
- Create the VLANs on the switch (done)
- Create the simple rules (if possible) on the switch
- Create the same VLANs on PfSense on the same interface (trunk port)
- Create firewall rules
- The IP range will be a problem, the switch has 10.x.x.x by default, so I'll need to change it.
I've read somewhere that 192.x.x.x at home could give some trouble with VPNs (or similar issue), most probably I'll need to change every IP to 10.x.x.x...
I also need to check why the mask is also 255.255.255.0 for 10.x.x.x, I think that the mask is the same for the meaning of the mask itself, but it's a different network than 192.x.x.x, therefore I'd need a virtual gateway, NAT or some other way that I don't know.
I think I'll open a new thread, this is going too wild :D .
Thanks a lot to everyone :) , you have been fundamental in this journey to get internet on one port at least, LOL :D