Communication between LAN and VLANs, they don't talk to each other
-
@mvhcr said in Communication between LAN and VLANs, they don't talk to each other:
What am I missing?
Well, you showed half the configuration.
You are using VLANs, so the other half has been done in your VLAN-capable switches. The setup in these switches should match what has been set up in pfSense. Btw: your LAN firewall rules are fine, although rule 4 covers the traffic from rules 2 and 3.
You've set up "DHCP6" on LAN; not strictly wrong, but "never seen before".
Can you ping the VLAN3 and VLAN7 pfSense interfaces from LAN?
And are you sure that devices located on VLAN3 and VLAN7 want to reply to requests not coming from their own 'LAN'?
-
@Gertjan first, thanks for the answer!
Sorry for the missing info. I bought a UniFi mini switch; here are the network configuration and the ports.
The DHCP (I will disable IPv6, I am not using it) works well; in fact the PC can ping the external hard drive on VLAN3, so the "internal" communication of the VLAN works. I can open the web UI of the hard drive too, so both ping and HTTPS work properly between the devices on VLAN3.
From LAN I cannot ping anything connected to VLAN3 or VLAN7, and from VLAN3 I cannot ping anything on VLAN7.
From VLAN3 or VLAN7 I cannot even ping pfSense; from LAN, instead, I can ping pfSense. Well, I am controlling it from my own PC connected to port 5, which on the UniFi switch is set to the "default" network.
I also tried moving another external hard drive from VLAN7 to VLAN3, and it is visible to the PC on VLAN3.
So apparently everything is working well; the separation of the VLANs works, even too well :).
I wanted to connect the IoT devices on VLAN7, keeping VLAN7 "isolated" in the sense that IoT cannot see the rest of my LAN, but from my PC or my smartphone on VLAN3 I want to be able to see and control the IoT devices. Super thanks for your help!
-
I don't know if this could help, but this is the Routes page of my pfSense (which I am too ignorant to understand; I definitely need to study more!).
-
@mvhcr I don't see a trunk port in your switch.
I assume you have the VLAN parent interface as your LAN, correct?
If so, the switch port that connects to it will need to be trunked, meaning it will have the LAN untagged and the other VLANs tagged on it.
-
Many thanks @Jarhead !
Just to tell you my level, I have just studied to understand what a trunked port is! :)
In a couple of days I will try to apply what I have learned thanks to your advice. Actually, I have just realized that I could probably have managed the VLANs using just pfSense; the extra switch maybe was not needed! But since I have it, I will use it. :)
I will update with the last news.
Many thanks again!
-
Well, I have understood the issue, but in the Ubiquiti USW Flex Mini switch I didn't find a way to set port 1 as a trunk.
The "Default" is apparently VLAN 1; on the internet I found that I should set something like "All", but this option is not listed. So, since this configuration is a test, I installed pfSense on an old laptop that has only one LAN port.
My production environment has a Netgate 2100 that has 4 ports.
Could I directly set port 3 as VLAN3 (my internal LAN) and port 4 as VLAN4 (IoT LAN), so that all the devices physically attached to the unmanaged switch, which is then attached to Netgate port 4, are automatically on the VLAN4 IoT?
I ask because I tried and it didn't work.
I created VLAN4, assigned it, also set up the DHCP server for it, and tried (NOT SURE OF THIS PART) to say it is linked to port 4.
It's not working.
Any help is welcome!
Thanks
-
@mvhcr I have a mini sitting on my shelf; if you need more help I can connect it and walk you through it.
It used to be "All", I believe, but quite some time ago they changed it to just "Default" as a trunk.
-
@johnpoz many thanks!
This is very valuable info, but sad at the same time :(, because it means I am back to square one!
So in theory the original configuration was not bad, but it is still not working!
-
@mvhcr No, I don't think so. From what you posted you have a network called "default", which is not the same thing as "Default" on the switch port... Let me find my switch; not sure what basket it's in on the shelf ;)
Edit: OK, I found it, but it wasn't on my shelf. I used it as a dumb go-between switch between my NVR PoE ports and my SG300 so I could put a leg into the cameras network off my NVR; the PoE on the NVR kept cycling my SG300 port on and off.
I might have to pull it out, since I don't seem to be able to adopt it on its current IP, which is handled by my NVR. The controller sees it.
-
@mvhcr OK, I just powered it via USB and disconnected it from my NVR for now.
So I'm running Controller 9.0.108, and you can see my Flex Mini is running 2.1.0 in the screenshot.
See, I show "allow all" for tags.
Then, if I wanted another port untagged on a specific VLAN:
-
@johnpoz
THANKS! It works! THAAAAANKS! Now I will start to play to let the IoT VLAN access the internet without having access to the rest of the LAN, but I have already found a lot of documentation and examples on this; I am confident I will make it without annoying the community (I hope :D).
Many thanks again, I was very close to throwing the Ubiquiti mini switch out of the window :)
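The IoT policy the previous post describes (VLAN7 reaches the internet but not the other local networks, while VLAN3 can still reach VLAN7), written out as an added example in pf(4) rule syntax, the packet filter pfSense drives from its GUI. This is not code from the thread or from pfSense; the interface name vlan7, the subnets and the table name are assumptions chosen for illustration.

```pf
# Added example (not from the thread or from pfSense): hand-written pf rules
# for an IoT VLAN that may reach the internet but not the other local networks.
# Assumed names: vlan7 is the IoT interface with 192.168.7.0/24, the LAN is
# 192.168.1.0/24 and VLAN3 is 192.168.3.0/24.
iot_if = "vlan7"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Weak version (kept commented out): a single "allow to any" rule on the IoT
# interface. It reaches the internet, but also LAN, VLAN3 and the firewall's
# own management address, so there is no isolation at all.
# pass in quick on $iot_if inet from $iot_if:network to any

# Hardened version. First match wins ("quick"), so the order is the policy.
# 1. Services the IoT devices need from the firewall itself. A DHCP client
#    sends from 0.0.0.0 to 255.255.255.255, so match DHCP on ports, not
#    subnets; DNS and NTP go to the address of the IoT interface only.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp udp } from $iot_if:network to ($iot_if) port 53
pass in quick on $iot_if inet proto udp from $iot_if:network to ($iot_if) port 123
# 2. Drop and log everything else headed for private address space: LAN,
#    VLAN3 and every other address the firewall owns (web GUI included).
block in log quick on $iot_if inet from $iot_if:network to <private>
# 3. Whatever is left is bound for the internet.
pass in quick on $iot_if inet from $iot_if:network to any
```

Two caveats carry over to the pfSense GUI, which evaluates an interface's rules top to bottom with first match winning, exactly like `quick` here. The DHCP/DNS pass rules must sit above the block for private networks, otherwise IoT devices lose name resolution and the block looks like a dead uplink. And phones on VLAN3 reaching IoT devices need their own pass rule on the VLAN3 interface (interfaces other than LAN have no default allow); the state that rule creates lets the replies back through VLAN7 without any rule on this side.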
-
@mvhcr It's not a bad little switch for the price and size. But after playing with it a couple of years back I think I couldn't find a use for it in my network, so I just threw it on the shelf and figured, hey, you never know when a PoE-powered switch with VLAN support might come in handy ;)
Then a while back I noticed in my SG300-10 logs an interface bouncing on a regular basis; it was only for a couple of seconds, and I wasn't really noticing any issues with viewing my camera feeds directly, etc.
But then it dawned on me: hey, that NVR is probably doing something trying to get PoE working, because it really expects a PoE camera to be on the port. So I put the little mini in between, powered by the NVR, and all the resets on the interface went away on my SG300; now, sending thousands of pings, I never lost one, whereas before I was losing a couple of pings every minute or two, etc.
But yeah, UniFi has changed some things over the last couple of years in how you do a "trunk" port. Not really a fan of how they do switching, which was another reason I really didn't feel a need to incorporate that Flex Mini into my network.
And you can't really do just specific VLANs; it's all or nothing. I believe on some of their higher-end switches you can customize which VLANs are allowed over the trunk (see that "custom" in my pic above), which is greyed out on the mini.
I might try and leave the mini in my controller, but I have to figure out how to get it to take an IP from the VLAN my controller is on instead of the NVR DHCP server. Curious whether, if I set it to static, that will survive a power cycle; then I could remove the USB power and just leave it PoE-powered ;)