Cant ping vlan on pf sense from any device?

TravelMore

Hello, I am trying to set up VLAN2O on my PF Sense box so I can put any smart devices on it (smart bulbs primarily). The end goal is to get VLAN20 onto my Unifi AP as well because the smart bulbs are wifi. I have vlan20 setup on my pf sense but I think this is where the issue lies but I am not sure, explanation and settings are below.

I have a Netgear poe switch w/port4 PF LAN on VLAN20, Tagged.

Below is my network.

I believe I have the PF Sense settings setup correctly and will share screenshots below. (ignore vlan10 its not in use).

firewall allow rule settings:

firewall block rule

vlan20 DHCP settings

Netgear Ports: Port 1 is a NAS, Port 2 is the Pihole, (Port 3 empty), Port 4 Tagged is the PF Sense LAN, (Port 5,6,7 empty), Port 8 Untagged is just a cat5 cable for a pc plugin (currently nothing in port 8), Port11 is the dumb switch (this connects to my Cisco POE switch), Port 17 is another NAS.

Cisco POE switch: Unifi AP is port 8 w/vlan20 and tagged I believe.

Jarhead

@travelmore
You don't have to redact private IP addresses.
It's better to show the rules from Interfaces/Rules instead of expanded like you did. The order of rules is very important.

Are you sure you applied settings on the interface itself?
If you look at the interfaces pic, the vlan doesn't have an IP assigned.

TravelMore

@jarhead in the 3rd pic, i believe where it says General config, i am under the impression where it says static IPV4 config. the IP4 address there was setting the 'router ip' for vlan20, or how you mentioned the interface for vlan20 assigned. is that not correct?

johnpoz

@travelmore but last pic there for the interfaces doesn't show any IP, says na.

Why did you create a vlan and tag it 1? Vlan 1 is not a normal vlan you tag, this is the default vlan of switches for an untagged network, etc.

And your trying to run vlans over that dumb switch? While that can work - its not a good idea normally..

But what are the interface configs for your switches? You have your vlans tagged on the port going to your dumb switch, and then tagged on the port going into your 2960. And then I take it your running vlans on your AP. So what are the ports on the 2960 those APs are connected to?

And sounds like you only have tagged vlan 20 on the pfsense lan port to the 8324 switch?

TravelMore

@johnpoz yes it shows n/a I am not sure why it does because I thought I defined everything properly above (the dhcp settings and the ipv4 in pic 3 or 4 i believe, etc).

As far as vlan1, idk, i would have to go back and look. i have no clue why that is there. Its been a while since I've set this up so it could have just been testing purposes but nothing actually defined in it. there is no interface for vlan1, no firewall rules w/vlan1 and no dhcp settings for vlan, so i think that was just a 'test' or something that i forgot to remove.

Yes I am trying to run vlans over the dumb switch because that is literally the only way i can get everything connected. may i ask why it is not a good idea normally?

On the cisco2960 i have vlan20 tagged (i believe) and only port 8 is on vlan20 because that is the port the Unfi AP is plugged into. Besides that the only other thing plugged in on the cisco switch is the cable to my dumb switch.

here are screenshots from my cisco2960:

As far as the Netgear switch:
Netgear Ports: Port 1 is a NAS, Port 2 is the Pihole, (Port 3 empty), Port 4 Tagged is the PF Sense LAN, (Port 5,6,7 empty), Port 8 Untagged is just a cat5 cable for a pc plugin (currently nothing in port 8), Port11 is the dumb switch (this connects to my Cisco POE switch), Port 17 is another NAS.

I do have my Unifi AP setup w/vlan20.

What pic/what are you referring to when you said "And sounds like you only have tagged vlan 20 on the pfsense lan port to the 8324 switch?"

Thank you for your help!

johnpoz

@travelmore said in Cant ping vlan on pf sense from any device?:

may i ask why it is not a good idea normally?

because dumb switches do not understand tags.. While they might pass them, it has been known for some switch, normally older ones to strip them, or not pass the traffic. While any modern switch should not care and just pass the traffic on - the problem is it doesn't understand them. So any broadcast or multicast would be sent everywhere because it doesn't understand the tags.

Now per your drawing you seem to be using it as just a connection with only thing connected is the 2 switches that do understand tags, so as long as that dumb switch passes them that should work.

What pic/what are you referring to when you said "And sounds like you only have tagged vlan 20 on the pfsense lan port to the 8324 switch?"

this

I have a Netgear poe switch w/port4 PF LAN on VLAN20, Tagged.

But then you show this

What about your vlan 10? And if your tagging vlan 1, how would normal lan traffic even work? If you only have vlan20 tagged on that switch that connects to pfsense?

In your setup with 3 networks, your lan - which would be untagged and be on default vlan 1 (standard on any switch default untagged vlan)

A) Port should be vlan 1 (untagged) vlan 10 and 20 tagged.
B) Port vlan 1 untagged, vlan 10 and 20 tagged.
C) Port vlan 1 untagged, vlan 10 and 20 tagged.
D) Ports APs connect to vlan 1 untagged, vlan 10 and 20 tagged.

Now your other ports on your switch you can just put untagged in what vlan you want the device on.

Vlan 1 is not something that is normally tagged.. Some switches might support, but it is not a common setup. Which might explain why your not seeing an IP on the interface - because you only set it on the vlan and not native on the interface?

from your screen shot of your 2960.. While looks like you have a vlan 20 created, it doesn't seem to be assigned to any ports.

TravelMore

@johnpoz Thank you for the detailed explanation. I really appreciate that, it helps a lot. Yes I am using the dumb switch as just a connection.
Okay, so for the VLAN 1 and VLAN10 that picture (below) is on my PF Sense box (i am sure you probably know that but i just want to make sure we are on the same page and i don't want to assume).

In regard to the pic above, I don't recall if they have the vlan1 in there as default when setting up pf sense or not. I can delete it if need be, its been so long since I've messed w/any of the vlan stuff i might have just went in and set that as vlan1, named it, thinking okay i did something, when in reality i really didn't connect it to anything else so it is just sitting there not actually be useful (if that makes sense) I don't THINK its actually tied to anything, as here are the other pf settings I looked at to see if it was. If i need to check other settings in PF Sense to see if its tied to something important let me know. The same goes for vlan10, in pf sense, i think i just named it and let it be thinking i did something when in reality i didn't do anything useful.

That being said, literally the only vlan I have on my netgear switch (besides vlan1 default), is vlan 20. Here is a pic of the netgear below.

On my netgear switch, port 4 is my PF Sense box LAN and port 8 is used for me to plug in my PC to test if i can ping 192.168.20.1 (pf sense vlan IP).

That being said last night, i plugged in my laptop on my netgears switch to port 8, tried w/port 8 tagged vlan20 and untagged on vlan20 and got nothing. Results below. As you can see in the pic, the IP i set it to is not the IP it apparently had to the left in the cmd box. That was the results for both netgear port 8 on vlan20 being tagged and untagged.

However, I made sure I could see the mac add. of my PC on port 8 in my netgear switch and that it did match the mac my PC had. In the pic below, the yellow highlight is the mac of my pf sense box on port 4, so i know it at least sees that as well. For whatever reason in this screen shot below, it literally does not let me show vlan20 even if i type in the 20 into that text box to the right of search it comes up w/an error but as you can see from other pics vlan20 is set.

Here is my cisco switch config for port 8:
interface FastEthernet0/7
!
interface FastEthernet0/8
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/9

here is my unifi AP that is plugged into port 8 on my cisco switch. In unifi all i did was go in and hit networking, typed in the name and checked the box vlan-only network (screenshot below)

once i checked that it greyed everything else out and gave me this, (Smart Bulbs) below:

I would guess there would be more to that setup but not sure and figured i'd just start there w/that. I know i still have to figure out the PF Sense thing.

I went through your instructions:
A) Port should be vlan 1 (untagged) vlan 10 and 20 tagged.
B) Port vlan 1 untagged, vlan 10 and 20 tagged.
C) Port vlan 1 untagged, vlan 10 and 20 tagged.
D) Ports APs connect to vlan 1 untagged, vlan 10 and 20 tagged.

For A, all the netgear settings are above, the pfsense port4 is on vlan1 and vlan20 w/vlan20 Tagged. For B, port8 i stated above for testing w/a laptop w/vlan20 tagged and untagged and shared the results. For C not sure because the only ports on my netgear switch at this moment that even need vlan20 is the pfsense port 4 and port 8 just for testing purposes, everything else on that switch does not need to be on vlan20 default vlan 1 is fine. For D, I believe this is setup, right, i shared the config for port 8 above, it is on vlan20 and tagged I believe, correct me if I'm wrong on that info.

Thank you for the help, I am still not sure where I should start from here but hopefully the information I gave above helps.

Maybe this pic from PF Sense will help?

Thank you for the help w/this. I am a lil frustrated because I am hoping to get this vlan setup and working w/the smart bulbs by tonight and I've been working on this literally all week trying to figure it out. If there is any testing/screenshots I can share let me know.

johnpoz

@travelmore said in Cant ping vlan on pf sense from any device?:

I don't recall if they have the vlan1 in there as default when setting up pf sense or not.

No that is not a default anything.. and its wrong..

I don't THINK its actually tied to anything

It is, clearly shows there that is on re0.. Unless you specifically want to tag your "lan" network, which sure shouldn't be 1.. The "LAN" interface would have an IP directly on it, native = untagged. And this would be vlan 1 on your switch.. Or whatever other vlan you want your lan to be on pfsense, but if native on the interface it would be untagged on your switch.

nly vlan I have on my netgear switch (besides vlan1 default), is vlan 20

Then why do you have a vlan 10 setup on pfsense?

Also your port g8 is clearly wrong - you have both vlan 1 and vlan 20 on it "untagged" That is wrong for sure..

Where is your actual wifi network setup on your AP that says SSID is vlan X, like this..

TravelMore

@johnpoz here I deleted vlan1 and vlan10 on PF Sense so now it is just vlan20.

I don't recall why i had vlan1 or vlan10 setup and i delete them because i know that I never used them i think it was literally me just going in and adding a new vlan, naming it and putting a # to it and that was literally it. i know that for a fact because this is as far as I've ever gone w/vlans until this attempt at trying to setup a vlan network for something specific.

here, on the netgear switch below, i have fixed the port8 you mentioned and set it to vlan20 tagged. If the below needs to be adjusted please let me know specifically what vlan/tagged/untagged needs to happen.

In regard to the unifi question, this is the settings for my wifi ssid

yesterday, all i did was go here under networks and create that vlan20 smart bulbs as shown here/and that other pic shows in the prior post.

tried pinging 192.168.20.1 from pf sense and still failed.

tried pinging 192.168.20.1 from my cisco switch, still failed

i know the pings would probably still fail but i wanted to try and troubleshoot anyway.
if needed i can plug a laptop into my port 8 switch on my netgear and test that.

johnpoz

@travelmore said in Cant ping vlan on pf sense from any device?:

tried pinging 192.168.20.1 from pf sense and still failed.

what IP is that suppose to be? That should be I would assume pfsense IP address on vlan 20?

I still don't see where you setup ssid to vlan 20? If your trying to ping pfsense IP from the switch. What is the switches svi, I would assume that would be on its vlan 1, for it to ping pfsense 20.1 IP it would have to have a default route. So from its IP on vlan 1, it could talk to pfsense to get to pfsense 20.1 IP.

Example: Here is a switch that is in my AV cabinet.. IT's management IP is on vlan 9.. It has a router to get to other networks that talk to pfsense..IP on the "lan" this is switches vlan 9, untagged.. Here is it pinging pfsense IP address on my vlan 4, which is my psk wifi vlan.

TravelMore

@johnpoz yes that is correct. the 192.168.20.1, see pic below. Now when i looked at videos on how to set this stuff up, they never said add a gateway, they had me go to DHCP right after which i will also share below. From my understanding, the 168.20.1 is the 'vlan20 router' IP.
as some mentioned it, then they showed setting up the DHCP scope for that vlan20. shown below.

for reference here is the vlan20 dhcp settings.

to answer your question "I still don't see where you setup ssid to vlan 20? "
honestly, i am not sure i did that, i don't think i did because I've shared everything that i have done so far. If i need to do that where (pf sense, unifi, cisco, netgear and what do i need to do)
here are the unifi settings if that helps.

here is a cisco snippet after you shared that screenshot.

johnpoz

@travelmore I sure hope you don't want any actual speed on your APs - that switch is mostly just fast ethernet (100mbps)...

And you have all ports other than 8 in vlan 1.. What port is your AP connected too?

So your lan is 192.168.1/24 your vlan 20 is 192.168.20/24

If you do not assign a SSID to your vlan network, then it would just be on your normal untagged network that the AP management is on.

TravelMore

@johnpoz It is all just old equipment I use for home use so no i do not care about speed. it supports my wireless devices just fine. My AP is connected to port 8 on my cisco switch.
Yes correct on pf sense, my lan1 is 192.168.1/24 your vlan 20 is 192.168.20/24.

I do not know how to assign a SSID to my vlan network. i do not know if i do that only unifi (if so how).

If i have to set anything up in Pf sense for this aside from what I already shared. I am not sure. As in PF Sense there is a wireless interface which i have nothing setup.

here is the firewall block rule.

here is the firewall allow rule

I was under the impression that I had to be able to ping 192.168.20.1 (pf sense vlan20 IP) from a device on my network (PC on netgear switch, or from cisco switch etc. for it to even see that and get a response). Then i was informed (from others) to try and ping 20.1 IP from pf sense itself and i couldn't etc.

What else do i need to do to get all of this working?

Thank you again for helping me. I really appreciate it.

johnpoz

@travelmore said in Cant ping vlan on pf sense from any device?:

Then i was informed (from others) to try and ping 20.1 IP from pf sense itself and i couldn't etc.

If pfsense can not ping its own IP - then yeah something is clearly wrong. I would fix that before you worry about anything else.. Rules wouldn't have anything to do with pfsense not being able to ping its own IPs.. Clearly something is not correct if pfsense can not ping its own IP, be a native IP directly on the interface, or a vlan interface.

Did you actually assign an interface for your vlan?

I already posted how to set ssid to a vlan in unifi..

TravelMore

@johnpoz yes I believe i did assign an interface to my vlan. this is what i see below.

then this is the vlan section

then this is the plan dhcp setup (just incase for reference)

here is the DHCP setup for vlan20 settings. i did just notice, that in this setting, i did not setup my DNS server as my pihole so idk if that is what the issue is? (i did not change it i left it be as the screenshot below and asked here incase it would be the issue)

for the unifi wifi part i went back and looked at your settings and made an adjustment to mine. please see below. I went to wifi, then hit create new wifi network, named it smart bulbs w/a password. I do not know if what i did was correct but I'm trying. When i did click on my default network, the vlan only network is grayed out (pic below) and so that is why i created a new network.

new network created called smart bulbs w/password.

here is networks over view:

here is wifi over view

johnpoz

@travelmore but pfsense can not ping itself? something is serious wrong then.

TravelMore

@johnpoz here is the actual pf sense box IP, it can ping itself but when it comes to the vlan20 IP i sent for it 20.1. it cannot.

johnpoz

@travelmore well something is wrong.. You should be able to ping pfsense own IP address.. Not sure how its going to work if it can not even talk to itself..

I would disable and re-enable the network interface..

What does your routing table look like? Here are my two tagged vlans in the route table, and me pinging them.

TravelMore

@johnpoz well, i disabled the interface and pinged it (just for measure) and got the results below.

THEN I enabled the interface as you suggested. Tried pinging it again and got this

then after seeing that progress, i went to my cisco switch and tried to ping, no luck.

then i tried to ping from my pihole that is physically connected to port 2 on my netgear switch (only on vlan1) and i could ping the 20.1 IP, see below.

here is the routing table, to note, there is nothing past the IPV6 Routes table.

Since we are making progress it seems by just disabling and renableing that interface, what are the next steps to get this to the end goal of vlan20 on my wireless AP?

Again, thank you so much for all your help.

johnpoz

@travelmore well I already went over why your switch might not be able to ping it. What is the route table look like on your switch.

So do clients that connect to your ssid on vlan 20, get an IP? When you created that new ssid and assigned it to your smart bulbs network, I saw that you created a smart bulbs network vlan only, I assume you set the vlan ID to 20.

But I don't see where you stated what port you connected your AP to your 2960, nor do I see any ports on the 2960 that you posted that are tagged for vlan 20 going to your AP. Nor any ports on vlan 20 that are the uplink through your dumb switch back to your netgear switch, etc.

pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP