Get internet on one LAN interface
-
@stoneedge said in Get internet on one LAN interface:
Just another update that could also be important. Inside of all my network(and switch), only the 192.168.1.x(local network) and 192.168.10.x(storage network) subnets is available and works.
In the Switch, I only use two ports where I added/trunk all the VLANs used on the pfsense, which are the ports connected to the pfsense LANs.Don't know if this is important or not.
But I added all the VLANs IP subnets to my switch.
What does this mean? If you only have 2 ports assigned to the vlans, assuming one is the trunk, how would you ever access them?
-
@jarhead said in Get internet on one LAN interface:
@stoneedge said in Get internet on one LAN interface:
Just another update that could also be important. Inside of all my network(and switch), only the 192.168.1.x(local network) and 192.168.10.x(storage network) subnets is available and works.
In the Switch, I only use two ports where I added/trunk all the VLANs used on the pfsense, which are the ports connected to the pfsense LANs.Don't know if this is important or not.
But I added all the VLANs IP subnets to my switch.
What does this mean? If you only have 2 ports assigned to the vlans, assuming one is the trunk, how would you ever access them?
Sorry I did not understand that question.
2 Ports(one for each interface in the pysical ESXI) with the VLANs trunked.
How to access them? Creating a virtual Switch on ESXi and add the VLAN that I want(one or all, depeding what network I want to create for the VMs).If I have 2 VMs on VLAN 10 I add them to that Virtual Portroup, trunk also VLAN 10 inside the VM and that is it, they will use the VLAN 10
-
@stoneedge Ok, start over.
Do you have internet on the pfSense WAN? -
@stoneedge said in Get internet on one LAN interface:
So if VMS has an IP eq: 10.0.10.100 and has the gateway 10.0.10.1 cannot reach the internet. That is my problem here.
So can the vm ping the 10.0.10.1 IP? What rules do you have on this interface in pfsense. Pfsense only creates the default rule for the lan, when you fire up either a new interface or a vlan there are no rules. You have to add rule(s) to allow the traffic you want, ie say internet.
Also keep in mind with esxi - where are you doing the tags, is the vswitch/port group passing them to pfsense? Unless you set 4095 on the vswitch/port group pretty sure the tags are stripped.
-
@johnpoz you can set for all VLANs 4095 or set for Trunking for the VLANs you want. In this case, I add all the VLANs that I created in the pfsense.
Example:
Distributed Virtual Switch have pfsense VLANs
Port group have only specific VLAN (let's say, management and other Storage). You can do both ways.Yes VMs can ping each other and also the 10.0.10.1.
If pfsense has internet. Honestly never tested, the only thing I try was the update and it says that pfsense is up to date. I think that means it has internet. But I can double check.
-
@stoneedge said in Get internet on one LAN interface:
Yes VMs can ping each other and also the 10.0.10.1.
well what are the rules on this interface then... Did you mess with outbound nat on pfsense. If client can talk to the pfsense interface, and the rules allow it - it would have internet, if pfsense has internet. Unless outbound nat was wrong.
Or your rules on the interface are not allowing for dns that the client is using? So when you do a traceroute to say 8.8.8.8 what happens? you hit 10.0.10.1 as your first hop and then nothing?
-
@johnpoz I dont any have rules created. Then that is the problem :)
-
@stoneedge said in Get internet on one LAN interface:
I dont any have rules created. Then that is the problem :)
Yes VMs can ping each other and also the 10.0.10.1.
If you had "no" rules then you wouldn't be able to ping the interface even..
-
@johnpoz inside of the same isolated network, with the same VLAN, I think we can.
Is VMs running in the same ESXi host, so packages never go outside
-
@stoneedge if you have no rules on pfsense interface you wouldn't be able to ping it from that network.. If pfsense IP is 10.0.10.1 and you have no rules on the interface.. Then no you wouldn't be even able to ping it from 10.0.10.x - either you have rules on that interface allowing ping. Or you pinging something else and not pfsense.. If there are no rules on the interface to allow ping, you wouldn't be able to ping it..
-
@johnpoz these are the settings
I have 3 VMs.
One with IP 10.0.10.3 (a DNS and DC)
Another is with DHCP 10.0.10.100 (DHCP is enabled on the LAN vmx1.15)
Another as a jump host 10.0.10.11All VMs are windows and all have in windows interface (VMware vmxnet3 virtual network) set trunk the VLAN 15.
And again, I can ping all IPs on the subnet 10.0.10.x(except the 10.0.10.2) from any of those VMs.Regarding the rules, sorry my previous statement was wrong. I have the default rules.
-
@stoneedge what rules do you have on the vlan interfaces? When you create a new interface/vlan there will be no rules. Are you saying you have a any any rule with the vlan as the source net for ipv4 any?
Also generally speaking a any rule on your wan like that is a really bad idea!!
Is anything even talking to pfsense? your rules on your lan all show zero evaluations - those 0/0 under the states table mean none of those rules have ever triggered.
-
@johnpoz honestly do not know what is impacting the configuration here.
But one thing is for sure, I am pinging this 10.0.10.1. Because if I disable it, ping doesn't work anymore.
Regarding the WAN, that is no problem here. This is my homelab, so firewall rules and security is not something that is to worry about much :)
So let us start over.
I need these 7 VLANs for my testing. What do you propose the configuration should be?
What should I change, and what rules should I create?
I think it is easier to start from scratch than try to do this.
And thanks again for the support.
-
@stoneedge First thing to do is get that /32 off your LAN interface.
-
@jarhead done already, changed for 192.168.0.1, since my WAN is 192.168.1.0x
-
@stoneedge said in Get internet on one LAN interface:
know what is impacting the configuration here.
what are the rules on the interface, you have only shown your lan... What is your outbound nat? Do you have any rules in floating.
You say you can ping - so what exact rules do you have on this interface?
your lan and management overlap - pfsense should of never let you even set that..
And yes that /32 is wrong..
If you say you can ping 10.0.10.1 from some device on this network 10.0.10.x then can this device do dns? Use nslookup, dig, host do you get an answer? Where are the clients pointing to for dns, again what are the rules on interface on pfsense?
When you do a traceroute to 8.8.8.8 what do you get back, etc..
-
@stoneedge said in Get internet on one LAN interface:
@jarhead done already, changed for 192.168.0.1, since my WAN is 192.168.1.0x
Not what I meant, just set it to none. You aren't using the LAN so no need to address it.
Without an address it basically becomes a "trunk" port which is how you're using it anyway. -
@johnpoz said in Get internet on one LAN interface:
@stoneedge said in Get internet on one LAN interface:
know what is impacting the configuration here.
what are the rules on the interface, you have only shown your lan... What is your outbound nat? Do you have any rules in floating.
I have no more rules in the other LANs.
You say you can ping - so what exact rules do you have on this interface?
your lan and management overlap - pfsense should of never let you even set that..
And yes that /32 is wrong..
Yes, but it did allow me to do it. But after I change the IP on the LAN 15 to 10.0.100.1 to test the pings, when I try to change back to 10.0.10.1 then I get an overlap with 10.0.10.2
If you say you can ping 10.0.10.1 from some device on this network 10.0.10.x then can this device do dns? Use nslookup, dig, host do you get an answer? Where are the clients pointing to for dns, again what are the rules on interface on pfsense?
DNS inside that network 10.0.10.x is done be a Windows VM that I created. But as I said in the beginning none have internet. That was my initial problem. To add internet to the LAN 15 10.0.10.x
-
@stoneedge said in Get internet on one LAN interface:
I have no more rules in the other LANs.
Let me say this yet again - if you have no rules on the interface.. Then your not pinging that IP on that interface, not from that network.. your just not..
If you want network X to be able to do anything, then you have to have rules on network X interface..
To add internet to the LAN 15 10.0.10.x
You need rules to allow that on the lan 15 interface
Do you have rules in the floating tab?
-
@johnpoz Yes but I was able to ping. That is 100% for sure. Because after I remove the 10.0.10.2 I cannot ping 10.0.10.1 anymore. And like I said when I change from 10.0.10.1 to 10.0.100.1 I was also not able to ping. Only when I change back to 10.0.10.1 it was pinging. So I was pinging that IP for sure. Directly, or by routing I don't know.
So since I change and remove the 10.0.10.2 now(and set the IPv4 Configuration Type to none) I cannot ping again.
Could it be the rule that I have in the LAN when all IPV4 is none/none?
But as I said, we can forget all about the previous configuration and start fresh.
I already remove the 10.0.10.2 from LAN and now on LAN 15 what rules do I need to create to route this network?