Need help with access across VLANS

pV5 · Aug 7, 2023, 2:55 AM

Hi.

Router: Netgate SG-1100
Switch: Mikrotik CRS326-24G-2S+IN

(switch diagram below)
Switch Port 1 (TR) is a trunk port connected to SG-1100 and carries all of the VLANS (10, 20, 30, 40, 50, 99)
Switch Port 2 (TW) is a trunk port connected to a WiFi Access point and carries all of the VLANS (10, 20, 30, 40, 50, 99)

IP assignments:
Switch = 10.10.99.250
Wifi Access Point = 10.10.99.251

If I connect a laptop to port 3 (VLAN 99) I can access and ping both the switch (10.10.99.250) and Wifi Access Point (10.10.99.251).

If I connect a laptop to port 17-23 (VLAN 10) I can NOT ping or access the switch (10.10.99.250) and Wifi Access Point (10.10.99.251). I have a firewall rule (see below) on VLAN 10 that passes any IPV4 protocol to any desitnation, so I thought this would work. What have I done wrong or what configurations am I missing to get this to work?

Thank you.

Bob.Dig · Aug 7, 2023, 6:49 AM

@pV5 said in Need help with access across VLANS:

What have I done wrong or what configurations am I missing to get this to work?

Hard to tell because we only see one rule.

viragomann · Aug 7, 2023, 8:39 AM

@pV5
Possibly the switch blocks access from outside of the management subnet.
Another reason could be that the switch has an L2 leak.

Sniff the packets on pfSense with the Packets Capture utility on VLAN 10 and 99 interfaces to see if packets are sent to the gateway properly and if they are forwarded on 99.

pV5 · Aug 7, 2023, 4:23 PM

I used Packet Capture and could see the request going to the AP and switch but nothing was coming back. I could see PFSense sending them ARP too but no response. I then changed ths AP and switch to use DHCP instead of assigning them with static IP addresses. I then made static reservations in PFSense for them. Now it works. Not sure exactly why but I suspect its becuase the router wasnt recognizing thie IP address with the first config. I'm learning more and more every day. So much fun!

rcoleman-netgate · Aug 7, 2023, 4:50 PM

@pV5 said in Need help with access across VLANS:

25 minutes ago

I used Packet Capture and could see the request going to the AP and switch but nothing was coming back. I could see PFSense sending them ARP too but no response.

This means the pfSense is not getting a response to find where that IP might be so it is not passing them. Usually this is caused by

A missing device -- does not exist and thus cannot be foumd
A mis-configured VLAN -- when you know the device is there but it's not getting an ARP validation then the likelihood is a VLAN issue. Could be on the pf, could be on the switch.