Access from Vlan to main Lan Devices
-
Im in need of access from Wifi Vlan to access Hosts on main Lan. Example 200.xxx to 1.xxx. All switches reside on 1.xxx which are located in office buildings 100 yards away. Only access from 2nd location is Wifi 200.xxx. How do I make this happen.
Thanks for any help.
-
@BigA I assume you have an interface in pfSense for the VLAN, and it is the gateway for the devices in that VLAN. Create firewall rules on that interface to allow the traffic you want to allow.
-
@SteveITS Yes all interfaces are created
I want to be able to get to all Switches that have static ips and are all on the LAN 1.xxx from the
admin_200.xxx subnets.Firewall rules for LAN
Maybe this helps.
BigA
-
@BigA Your admin rule there is allow all and has 47 open states/connections.
Do the switches have their gateway set to pfSense?
-
@SteveITS yes sir
-
@BigA why do you have vlan 1 with a tag created? Your interface is just native (untagged) in your assignments. Tagging vlan 1 is not something you do..
Common problem do you have gateway set on your switches, or just an IP? If they do not point back to pfsense as their gateway, they would never be able to answer someone from another network, ie your vlan 200 network.
-
@BigA why do you have vlan 1 with a tag created? That was an experiment Has been deleted.....Your interface is just native (untagged) in your assignments. Tagging vlan 1 is not something you do..
Common problem do you have gateway set on your switches, or just an IP? Just IP port 1>>TL_SG3428. If they do not point back to pfsense as their gateway, they would never be able to answer someone from another network, ie your vlan 200 network.
Ok Now I need understanding has to how to Point back to Pfsense as
gateway in the Switch -
@BigA what is the switch make/model..
For example.. Here is one of my switch, how it looks in the gui, and how it looks from cli and the config
192.168.9.253 is pfsense IP on this network.
Vlan 9 is just the default vlan for this switch, changed it from vlan 1
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz Ok i see what needs to happen, let me dig into to switch be back shortly.
Ok I forgot I have 2 switches in Play here SG 3428 main Switch and added this SG 2428P- POE for 14 cameras on main Building.
Port 1 main switch is tied to Pfsense LAN(ProtectLI 4 Port Firewall box) Untagged port ON MAIN SWITCH. Port 24 tagged to Port 24 Sg2428P (Trunk) Port 23 untagged SG2428P Vlan 200 adminwifi
Hope that sounds right.Sending Pics of Each Switch setup shortly.
-
-
@johnpoz Please forgive me Im learning here so lets just start with how to get main switch pointed back at PFsense
This look right
-
@BigA well what is pfsense IP on this network.. Their default gateway should point to pfsense.. Are there multiple switches, daisy chained?
But their management interface I take it 192.168.1.x and pfsense is what 192.168.1.1?
If pfsense is 1.1 and that switch is 1.2 then yeah that should work and you should be able to get to it from remote network now.. can you ping the IP? from your 200 vlan?
its also possible there is some security setup, to only allow access to the management gui from local network? I don't have a tplink like that.. Only a cheap l2 smart vlan model, which has not as feature rich as that one.
I am accessing that switches gui from my 192.168.9 network, you can see its on a 192.168.7 network
-
@johnpoz said in Access from Vlan to main Lan Devices:
well what is pfsense IP on this network.. Their default gateway should point to pfsense.. Are there multiple switches, daisy chained? YES
But their management interface I take it 192.168.1.x <<YES and pfsense is what 192.168.1.1<<YES
If pfsense is 1.1 and that switch is 1.2 then yeah that should work and you should be able to get to it from remote network now.. can you ping the IP? from your 200 vlan? The Only IP that I can Ping is the IP 200.1 Pfsense. 100.1 Pfsense 1.1 Pfsense. Cannot ping anything esle Thats when I on the VLAN 200 network
its also possible there is some security setup, to only allow access to the management gui from local network? I don't have a tplink like that.. Only a cheap l2 smart vlan model, which has not as feature rich as that one.
-
@BigA so you can not ping pfsense IP 192.168.1.1 address from your 200.x device?
Oh you can ping pfsense IP 1.1, well not being able to ping something on say the 192.168.1.0/24 network but can ping pfsense 192.168.1.1 points to that device your trying to ping firewall or wrong gateway setup.
Sniff on the pfsense 1.1 interface, while you ping say 192.168.1.x from your 200 network, do you see pfsense send the pings on?
edit example... Here I know my work laptop security will not answer ping.. So pinging from my 192.168.9 network to its address 192.168.6.101, sniffing on pfsense 192.168.6 interface I can see pfsense send the pings, just no answers.
If your 200 vlan rules allow you to ping the pfsense 192.168.1.1 address, but you get no answer pinging something else on the 192.168.1.x network - this screams something on the device your pinging, be it firewall/security on it, wrong gateway, wrong mask.. But your mask looks right /24 255.255.255.0 if you had say a /16 on the switch, then yeah you would have problems talking to it from some other network that was anything 192.168
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz PING 192.168.1.3 from 192.168.200.7
17:19:50.094967 40:5b:d8:67:6c:6f > ff:ff:ff:ff:ff:ff Null Unnumbered, xid, Flags [Response], length 6: 01 02
17:19:50.642949 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2908, length 40
17:19:51.114469 IP 192.168.1.231.34245 > 255.255.255.255.29810: UDP, length 736
17:19:55.656519 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2909, length 40
17:20:00.657121 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2910, length 40
17:20:01.244502 IP 192.168.1.231.34245 > 255.255.255.255.29810: UDP, length 733
17:20:05.646976 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2911, length 40
17:20:05.772095 IP 192.168.200.7.58089 > 142.250.113.188.5228: tcp 1
17:20:05.791538 IP 142.250.113.188.5228 > 192.168.200.7.58089: tcp 0
17:20:10.651272 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2912, length 40
17:20:11.374594 IP 192.168.1.231.34245 > 255.255.255.255.29810: UDP, length 732
17:20:15.639489 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2913, length 40REQUEST TIMED OUT
Ping from 192.168.200.7 to 192.168.1.1 below
17:24:30.628467 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2939, length 40
17:24:30.628499 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2939, length 40
17:24:31.635356 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2940, length 40
17:24:31.635383 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2940, length 40
17:24:32.642625 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2941, length 40
17:24:32.642652 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2941, length 40
17:24:33.663030 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2942, length 40
17:24:33.663059 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2942, length 40
17:24:34.671315 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2943, length 40
17:24:34.671345 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2943, length 40
17:24:34.917036 IP 192.168.1.231.41524 > 255.255.255.255.29810: UDP, length 734
17:24:35.690687 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2944, length 40
17:24:35.690720 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2944, length 40
17:24:35.942488 IP 192.168.200.7.58089 > 142.250.113.188.5228: tcp 1
17:24:35.962570 IP 142.250.113.188.5228 > 192.168.200.7.58089: tcp 0
17:24:36.699664 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2945, length 40
17:24:36.699694 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2945, length 40
17:24:37.706244 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2946, length 40
17:24:37.706272 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2946, length 40
17:24:38.724182 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2947, length 40
17:24:38.724210 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2947, length 40
17:24:39.741978 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2948, length 40
17:24:39.742003 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2948, length 40
17:24:40.749483 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2949, length 40
17:24:40.749511 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2949, length 40
17:24:41.767260 IP 192.168.200.7 > 192.168.1.1: ICMP echo request, id 1, seq 2950, length 40
17:24:41.767284 IP 192.168.1.1 > 192.168.200.7: ICMP echo reply, id 1, seq 2950, length 40 -
@johnpoz
Ok this is interesting
All the switches are not visible in the scan. i can ping all ips here with no issues
[Ip scan form 200.xxx](Invalid file type. Allowed types are: .png, .jpg, .bmp, .txt, .gif, .xls, .gz, .zip, .pcap, .pcapng, .7z, .xml, .jpeg, .diff, .patch, .tgz, .tar, .0, .cap) -
@BigA said in Access from Vlan to main Lan Devices:
17:19:50.642949 IP 192.168.200.7 > 192.168.1.3: ICMP echo request, id 1, seq 2908, length 40
Well clearly sent it on.. so you not getting an answer is not pfsense.. I would validate in the arp table of pfsense that the mac address you show for 192.168.1.3 is valid for your 192.168.1.3 device.
But clearly pfsense sent on the traffic, it has no control if the device actually got it, or that it answers back to pfsense.
edit: how are you seeing mac address from device on another network.. Mac are only viable on the same L2 network.. There really should be no way to get a mac address for some device on another network.. the only mac you would send traffic to get off your network would be your gateways mac..
-
@johnpoz said in Access from Vlan to main Lan Devices:
how are you seeing mac address from device on another network.. Mac are only viable on the same L2 network.. There really should be no way to get a mac address for some device on another network.. the only mac you would send traffic to get off your network would be your gateways mac..
Brother I have no idea !!!
Arp Table
LAN 192.168.1.3 d2:d2:c3 Expires in 1109 seconds ethernet
LAN 192.168.1.2 76:75:b2 Expires in 1087 seconds ethernet
LAN 192.168.1.5 de:85:36 Expires in 373 seconds ethernet
LAN 192.168.1.4 4d:18:99 Expires in 1091 seconds ethernet
LAN 192.168.1.7 :03:f1:36 Expires in 806 seconds ethernetOh and these are All Switches at Each Location 4 locations
-
@BigA so is that correct mac for 1.3?
As to your scan.. Showing that mac address for devices on another network points to lack of isolation between your networks..
Here so scanning from my pc with that same scanner - notice no mac addresses for anything on 192.168.2, but shows mac for everything on the same network 192.168.9
You got something else going on - pfsense clearly sent on the ping from your 200.x address to the mac it knows for 192.168.3 - if that device does not answer there is nothing pfsense can do about it.
-
@johnpoz
Looking at the Ip Scanner those MAC adresses are for HP printers tied to the network in other building.I believe there must be some security feature in the switches that is stopping access.
