Printer on Separate VLAN Issue

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

Added the pass all rule as requested but still has an issue.

A pass rule for that printer IP - select the IP of the printer as the source IP.
And make the rule log.
Now, whenever the printer goes out shopping, you have a trace.

Ones the pass rule is in place, the printer can go out.
If it still can not connect, you have other issues.

As you've mentioned VLANs, no need to look very long : ditch all your VLANs, and suddenly things start to work ^^

stevencavanagh

@Popolou

Apologies, forgot to document the packages running!

Avahi, Darkstat, freeradius3, iperf, mailreport, nut, openvpn-client-export, pfBlockerNG, squid, squidGuard, Status_Traffic_Totals

Not particularly familiar with PfBlockerNG, so anything I should be looking for and where. Can't see anything obvious though.

stevencavanagh

@Gertjan

Checked the firewall logs and have nothing being blocked at all! Assume there must be other issues but God knows what!

the other

@stevencavanagh
Just guessing here...you mentioned pfblocker...any logs show anything there?
Do you use GeoIP blocking outbound?

Logs for pfblocker: Firewall > pfblocker there Logs set to ip_block.log and have a look at what's been blocked so far.

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

Checked the firewall logs and have nothing being blocked at all! Assume there must be other issues but God knows what!

With these two rules (ignore the first rule) :

pfSense can't block any traffic with these two rules.

And yeah, @stevencavanagh is right, if you use pfBlockerng you better check if that one - as per your instructions ! - block DNS requests or IPs ....

stevencavanagh

@the-other

Nothing showing in the Pfblocker logs........

Popolou

@stevencavanagh said in Printer on Separate VLAN Issue:

@Popolou

Apologies, forgot to document the packages running!

Avahi, Darkstat, freeradius3, iperf, mailreport, nut, openvpn-client-export, pfBlockerNG, squid, squidGuard, Status_Traffic_Totals

Not particularly familiar with PfBlockerNG, so anything I should be looking for and where. Can't see anything obvious though.

@stevencavanagh I'd investigate within pfB first. Depending on what blocklists you have, it could be that the aforementioned hostname is on the list. Also, investigate the "IP Interface/Rules Configuration" tab under the IP setting: it is possible you didn't set the package to monitor the IoT vlan which could indicate why the device was able to access those servers without restriction. Another test is to join that vlan and test to see if you can reach the same remote host just as the printer would.

stevencavanagh

@the-other

The pfblocker logs appear to be all empty!

stevencavanagh

@Gertjan

Implemented those 2 rules but no change!

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

The pfblocker logs appear to be all empty!

What log ?

Goto this page :

and hit Ctrl-F, type in the IP LAN of the printer, and see what pops up.

Also check the "Unified" log, look under "SRC".

@Popolou said in Printer on Separate VLAN Issue:

squid, squidGuard,

Now all bets are off .... you just opened up a whole swimming pool full of potential issues

stevencavanagh

@Gertjan

Checked logs as described and nothing at all with the printer ip address

the other

@stevencavanagh
well, tried to disable snort and co for a test to be sure THAT is not interfering?
Are (after that change from Vlan IoT to Vlan Printer) the printer's DNS settings okay? In case DNS info is not sent by dhcp...

stevencavanagh

@the-other

DNS settings seem fine.........

Popolou

@stevencavanagh If the printer is set to DHCP but it is getting those DNS, you got other more fundamental problems to investigate tbh.

stevencavanagh

@Popolou

Such as?

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

DNS settings seem fine.........

No, your handing over all DNS request to "who ever" and not to pfSense (by default 192.168.1.1 - no second DNS needed). All DNS traffic from the printer totally bypasses pfSense.

If you have to give 8.8.8.8 or 1.1.1.1 your DNS requests by contract (they pay you for that info ?) then ok, you do you.
Normally, DNS should be set up per DHCP info received, so DNS is 192.168.1.1 (pfSense LAN IP by default, or whatever you've set up)

You can leave all DNS fields empty (and not 0.0.0.0 !)

Test also with "Enable Auto IP" not checked.

stevencavanagh

@Gertjan

So had a quick look at how the DHCP server is currently set up and changed it so it uses DNS resolver and the DHCP server now shows the server options as blank (DNS Server 1 now has the gateway in automatically ie. 192.168.0.1) for the LAN. I assume this is now correct?

Gertjan

@stevencavanagh

If 192.168.0.1 is your pfSense LAN IP, then, IMHO,

stevencavanagh

@Gertjan

Yes it is, so will update the VLANs accordingly and then try the other things you suggested ie. Not auto ip etc and see what happens.

stevencavanagh

@Gertjan

Didn't seem to make any difference unticking "enable Auto IP" unfortunately.