Can't access VLAN20 from VLAN60 - Interface bound state help

runevn

Hi

I have a Netgate 7100 on which I have a VLAN 20 (storage LAN) and VLAN 60 for different devices and desktop computers. Both VLANs are on same network interface (ix0)

After the upgrade to 24.03 I can't access my SMB NAS share on VLAN 20 due to the default changes to Interface bound states. When I revert the settings back to floating state policy, everything works fine just as before the upgrade.

However, I would like to know how to do the correct setup with the state policy set to Interface Bound States.

I'm not an firewall or networking expert and would appreciate some help to understand what I have to do to make it work.

I have read the netgate blog post on state policy and the manual but I still don't get what I do wrong.

I did some searching on the topic and found this topic on state policy but I don't know if that even relates to my issue and if so I can't find the setting for enable multi gateways.

As mentioned, I'm no expert but I would like to learn so any help is highly appreciated.

Please let me know I you need additional information.

Thanks in advance.

johnpoz

@runevn I don't see how that state change would effect you unless you were having some sort of asymmetrical flow.

When 60.x goes to talk to 20.x a state would be create on the 60.x interface and would allow traffic to flow back from the 20.x to pfsense. That return traffic shouldn't be coming in any other interface.

Does what your talking to on this 20.x have multiple gateways?

runevn

@johnpoz said in Can't access VLAN20 from VLAN60 - Interface bound state help:

Does what your talking to on this 20.x have multiple gateways?

No, only one WAN gateway (WAN_DHCP (default)). If that is what you are asking about?

Edit: On another thought, each interface has a DHCP server attached and under "Other DHCP Options" Gateway is set to 192.168.60.1 for vlan 60 and 192.168.20.1 for vlan 20. Is that wrong?

johnpoz

@runevn no that would be correct.. 20 gateway should be pfsense IP in that 20 vlan, and 60s devices gateway should be pfsense IP in the 60 network.. I assume those are both .1 ?

runevn

@johnpoz said in Can't access VLAN20 from VLAN60 - Interface bound state help:

@runevn no that would be correct.. I assume those are both .1 ?

Yes, thet are both .1

johnpoz

@runevn I haven't moved to 24.03 yet.. But the change in state behavior should not have any thing to do with typical network talking to another network using pfsense as its gateway with only 1 path to talk back and forth.

Your not doing any policy routing are you - on the 60 and 20 interfaces do you have gateway called out in the rules, or just * where pfsense uses it normal routing table.

In your rules for these interfaces you didn't call out wan_dhcp as the gateway?

pst

@runevn You didn't specify what NAS equipment you are using, but I experienced exactly the same issue in my setup when I switched to 24.03. I run a Synology NAS, so it might be applicable to you, and for this setup to work you need to set "Enable Multiple Gateways" in Control Panel / Network / General / Advanced Settings. If that is not set you end up with assymetric routing just like @johnpoz said, as everything goes through your default gateway on the NAS.

pst

@runevn said in Can't access VLAN20 from VLAN60 - Interface bound state help:

I did some searching on the topic and found this topic on state policy but I don't know if that even relates to my issue and if so I can't find the setting for enable multi gateways

Ah, I see you found my thread from earlier. Yes it might apply, and if you run Synology then the specific setting is as I specified in my previous post.

runevn

@pst said in Can't access VLAN20 from VLAN60 - Interface bound state help:

@runevn I run a Synology NAS, so it might be applicable to you, and for this setup to work you need to set "Enable Multiple Gateways" in Control Panel / Network / General / Advanced Settings.

I don't know why but can't find the setting where I can enable multiple gateways. Could you be more specific where I can find it? Am I on the wrong setting section?

BTW - I'm using Trueness Scale Dragonfish-24.04.0

pst

@runevn said in Can't access VLAN20 from VLAN60 - Interface bound state help:

Could you be more specific where I can find it? Am I on the wrong setting section?

The change you need to do is not in pfSense, it is on the NAS.

pst

@runevn said in Can't access VLAN20 from VLAN60 - Interface bound state help:

I'm using Trueness Scale Dragonfish-24.04.0

I'm not familiar with that NAS, but I'll take a quick look if there a similar gateway option there.

pst

@runevn I can't see any setting for multiple gateways in the TrueNAS Scale documentation. From what I gather it should work if everything is set up "normally", confirm:

• your NAS interfaces are configured using DHCP
• pfSense provides the correct gateway address (check DHCP server setup)
• you don't have default gateway specified in NAS Global Configuration / Default Gateway Settings, as that overrides the one given in DHCP (according to https://www.truenas.com/docs/scale/24.04/scaleuireference/network/globalconfigurationscreens/)

johnpoz

@runevn does your nas have more than 1 interface?

runevn

@johnpoz Yes, three different:

• One management interface (GUI)
• NFS share
• SMB share

runevn

@pst said in Can't access VLAN20 from VLAN60 - Interface bound state help:

@runevn I can't see any setting for multiple gateways in the TrueNAS Scale documentation. From what I gather it should work if everything is set up "normally", confirm:

• your NAS interfaces are configured using DHCP
• pfSense provides the correct gateway address (check DHCP server setup)
• you don't have default gateway specified in NAS Global Configuration / Default Gateway Settings, as that overrides the one given in DHCP (according to https://www.truenas.com/docs/scale/24.04/scaleuireference/network/globalconfigurationscreens/)

Thanks a million! You were right.

I had defined a default gateway and had a static IP address for the vlan 20 interface. I removed the default gateway and then set the storage vlan20 to get the IP from the DHCP server (I couldn't find a way to manually add a gateway per interface when using static IP.

But now it works.

Thanks for all the help @johnpoz and @pst.

pst

@runevn glad we could help :)

johnpoz

@runevn said in Can't access VLAN20 from VLAN60 - Interface bound state help:

You were right.

This brought to mind a line from Grateful Dead song ;)

"Well, I ain't always right, but I've never been wrong"

You get a cookie if you know what song, without having to look it up ;)

Dead on the Brain - My Dave's Pick 50 came in the mail today.. Always a good day when they come..

https://store.dead.net/en/grateful-dead/special-collections/daves-picks/daves-picks-vol.-50-palladium-new-york-city-ny-5377/081227817466.html

I always have subscription, so 4 times a year is like xmas ;)

Glad you got it sorted.

edit: soon to be 52, as soon as get it ripped and on plex ;)

edit2: make that 53, this shipment had the bonus disc.. Sweet! And hint that above line is from a song on the bonus disc ;)