Netgate Discussion Forum

VLAN Issue

Forum: 2.1 Snapshot Feedback and Problems - RETIRED
38 Posts, 7 Posters, 12.7k Views

supermega

      Hey experts  ;)

Today I did some random tests in my environment. I saw that the VLANs don't work correctly with IPv4 and IPv6.

      Environment:

      One WAN Interface IPv4 and IPV6
      One LAN Interface IPv4 and IPv6
      VLAN3 to VLAN5 Interfaces

      LAN Range 172.16.1.0/16
      VLAN Ranges 10.0.0.0/8 –>  /28 subnet per VLAN

      Have a look at the attachment

The problem is that from a machine in a VLAN I can reach (ping, http etc.) machines in another VLAN. To test if the VLANs are working correctly (VMware ESXi + Cisco switches) I replaced the IP of a machine in VLAN3 with an IP from the VLAN4 range. I could reach neither the machine in VLAN4 nor the VLAN4 gateway (10.0.0.46). So the VLANs are working correctly.

If I do a traceroute from the machine in VLAN4 to the one in VLAN3, I see that I can pass through to the VLAN4 gateway (picture). I also tried that with IPv6 --> same problem.

Two months ago I tried that out and it was working like a charm. I updated the pfSense box to the latest patch today without any success (i386).

Any idea?

Thanks for your help  ;)

      regards

      supermega

Attachments: Interfaces.PNG, Traceroute.PNG

markuhde

        Seems to be the same issue this guy found:

        http://forum.pfsense.org/index.php/topic,61017.0.html

supermega

          I also tried out different combinations with the rules on the interfaces without any success  :(

supermega

Okay, I understand the actual problem now.

It is exactly the same problem as the guy had in the thread posted above.

Can someone tell me the right rules for one of my VLANs?

I want a VLAN to be able to reach only the WAN with IPv4 and IPv6. I don't understand exactly how to configure these rules (src, dst).

timthetortoise

Technically you should not have to configure any rules, as pf should deny implicitly. Could you post your current rules, the contents of /tmp/rules.debug, and the output of
```
pfctl -sr
```

timthetortoise

                My rules for my guest VLAN currently look like this:

                Make sure that you flush your states (I prefer to do it in command line just to be safe with pfctl -F state) and verify that your pfctl -sr output is what you expect it to be.

supermega

                  Thank you timthetortoise :)

It's working  :)

I will set up a lot of VLANs and I have to do so many rules per interface.

Why has something changed in the new snapshots of pfSense 2.1? Before, everything between the interfaces was automatically blocked without any rule.

markuhde

I'm having the opposite issue, LOL! I have my setup set to allow OPT1 to any and I can't connect to IP addresses on the LAN interface. em0_vlan69 is LAN, em0_vlan15 is OPT1.

cmb

                      @supermega:

Why has something changed in the new snapshots of pfSense 2.1? Before, everything between the interfaces was automatically blocked without any rule.

It hasn't ever changed: a new interface has no rules, which means no traffic initiated from that interface is allowed, same as always. Traffic initiated into that network is controlled by the source interface's rules.

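The rule semantics cmb describes above (a packet is filtered by the rules of the interface it enters, and with no matching rule pfSense's implicit deny drops it) are what decide whether the "WAN only" policy supermega asked for actually holds. As an added example, not code from this thread or from pfSense, the Python sketch below parses two constructed rule sets written in the style of `pfctl -sr` output and asks, for a VLAN3 host, which destinations the rules let through. The addressing is an assumption loosely following the first post (VLAN3 as 10.0.0.16/28 on interface vlan3, all VLANs inside 10.0.0.0/8, LAN as 172.16.0.0/16); the evaluator matches on interface and addresses only and ignores protocol, port and state, which is a simplification of what pf does.

```python
"""Model how pf decides the fate of a new connection entering a VLAN interface.

Added example, not code from the thread or from pfSense. Rule sets are
constructed in `pfctl -sr` style; the evaluator matches on interface and
addresses only (no protocol, port or state tracking).
"""
import ipaddress
import re

# Constructed addressing (assumption, loosely following the first post):
# VLAN3 = 10.0.0.16/28 on interface vlan3, all VLANs live in 10.0.0.0/8,
# LAN = 172.16.0.0/16.
VLAN3_NET = "10.0.0.16/28"
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/16"]

# Rule set A: the usual "allow anything out" rule on the VLAN interface.
RULES_ALLOW_ANY = """\
pass in quick on vlan3 inet from 10.0.0.16/28 to any flags S/SA keep state
"""

# Rule set B: block the internal ranges first, then allow the rest (WAN only).
RULES_INTERNET_ONLY = """\
block drop in quick on vlan3 inet from 10.0.0.16/28 to 10.0.0.0/8
block drop in quick on vlan3 inet from 10.0.0.16/28 to 172.16.0.0/16
pass in quick on vlan3 inet from 10.0.0.16/28 to any flags S/SA keep state
"""

# Fields we care about; anything after the destination (flags, state, label) is ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)? in(?: log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: inet6?)? from (?P<neg_src>!\s?)?(?P<src>\S+) to (?P<neg_dst>!\s?)?(?P<dst>\S+)"
)


def parse_rules(text):
    """Parse pfctl -sr style lines into dicts; raise on anything unexpected."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        rules.append({
            "action": m["action"],
            "quick": m["quick"] is not None,
            "iface": m["iface"],
            "src": (m["src"], m["neg_src"] is not None),
            "dst": (m["dst"], m["neg_dst"] is not None),
        })
    return rules


def _matches(spec, addr):
    """Does the address match a (network-or-any, negated) spec?"""
    net, negated = spec
    hit = net == "any" or addr in ipaddress.ip_network(net, strict=False)
    return hit != negated


def evaluate(rules, iface, src, dst):
    """Verdict ('pass' or 'block') for a new connection entering *iface*.

    pf semantics: rules are walked in order and the last match wins, except
    that a matching rule marked quick ends the walk immediately (pfSense
    writes its GUI rules with quick). No match at all means the implicit
    default deny drops the packet, which is the behaviour cmb describes.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "block"
    for rule in rules:
        if rule["iface"] != iface:
            continue
        if _matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def reachability(rules, iface, src, internal_nets, internet_probe="198.51.100.10"):
    """Probe the first host of each internal network plus a TEST-NET-2
    documentation address standing in for the Internet."""
    report = {}
    for net in internal_nets:
        probe = str(ipaddress.ip_network(net)[1])
        report[net] = evaluate(rules, iface, src, probe)
    report["internet"] = evaluate(rules, iface, src, internet_probe)
    return report


def is_internet_only(report):
    """True when the Internet probe passes and every internal probe is blocked."""
    return report["internet"] == "pass" and all(
        verdict == "block" for net, verdict in report.items() if net != "internet"
    )


if __name__ == "__main__":
    host = "10.0.0.18"  # a constructed VLAN3 host
    for name, text in (("allow any", RULES_ALLOW_ANY), ("internet only", RULES_INTERNET_ONLY)):
        report = reachability(parse_rules(text), "vlan3", host, INTERNAL_NETS)
        print(f"{name:14s} {report}  internet-only={is_internet_only(report)}")
```

Run against the real `pfctl -sr` output or /tmp/rules.debug rather than the constructed sets, and remember that pf only consults rules for new connections, so after changing rules flush existing states (pfctl -F state, as timthetortoise notes) before re-testing. Blocking the whole 10.0.0.0/8 the way rule set B does also blocks the VLAN's own gateway address, so a real "WAN only" policy needs an earlier pass rule for the DNS and DHCP the clients get from the firewall itself.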
markuhde

                        @cmb:

                        @supermega:

Why has something changed in the new snapshots of pfSense 2.1? Before, everything between the interfaces was automatically blocked without any rule.

It hasn't ever changed: a new interface has no rules, which means no traffic initiated from that interface is allowed, same as always. Traffic initiated into that network is controlled by the source interface's rules.

No CMB, there's something seriously wrong in the latest builds. The same rules that USED to work fine don't work anymore on VLANs to allow traffic between interfaces. I can't communicate with the LAN (which is a VLAN) from other interfaces (including the OpenVPN interface). Something's definitely seriously broken - this always used to work.

eri--

Can you post your /tmp/rules.debug and screenshots of the GUI (or config.xml) so we can see what is happening there?

markuhde

                            I got it to work by adding a new rule I don't think I needed before. I added a rule on the LAN interface to allow ANY to LAN SUBNET. I don't think I had a rule like that before but I do now realize I may have had allow any to any. I don't recall, but should a rule like that be needed on the LAN side? Thank you for your help Ermal. It definitely seems something's changed slightly.

timthetortoise

                              It technically shouldn't be necessary. Established connections should be allowed through. I noticed the same thing with my OpenVPN tunnel and chalked it up to a misconfiguration on my part. I'll have to try setting a rule for it today.

markuhde

                                @timthetortoise:

                                It technically shouldn't be necessary. Established connections should be allowed through. I noticed the same thing with my OpenVPN tunnel and chalked it up to a misconfiguration on my part. I'll have to try setting a rule for it today.

I wasn't just noticing it on the OpenVPN but also on another VLAN. Something seems to have changed in the default rules and it now needs to be explicitly stated. What would be most helpful, Ermal? I will get it posted right away.

timthetortoise

                                  I'm not noticing that, to be honest - my rules allow LAN1 to LAN2 on the LAN1 side, but not the LAN2 side, and it works correctly (can pass traffic from LAN1 to LAN2, not vice-versa). I have no rules regarding LAN1 in LAN2, except to disallow ingress traffic on LAN2 to LAN1 (again, already established connections should not be affected). These could be completely different issues, but it's very odd nonetheless.

markuhde

                                    @timthetortoise:

                                    I'm not noticing that, to be honest - my rules allow LAN1 to LAN2 on the LAN1 side, but not the LAN2 side, and it works correctly (can pass traffic from LAN1 to LAN2, not vice-versa). I have no rules regarding LAN1 in LAN2, except to disallow ingress traffic on LAN2 to LAN1 (again, already established connections should not be affected). These could be completely different issues, but it's very odd nonetheless.

Yes, limiters are also broken; I forgot to note that I found that. With in/out limiters set up on my VLANs (yes, in is masked by source IP and out by destination IP), no traffic passes whatsoever. Something is definitely seriously broken in recent builds. Could it be one single thing that relates to the parsing of firewall rules? Sadly, I have no way to tell when it broke, since I hadn't upgraded in 60 days and when I did, I wiped the box and started over.

eri--

If you refuse to provide feedback I will just mark you as a troll and lock this subject.

                                      Decide on your own if you want to continue and give feedback or just troll around.

markuhde

                                        @ermal:

If you refuse to provide feedback I will just mark you as a troll and lock this subject.

                                        Decide on your own if you want to continue and give feedback or just troll around.

                                        What on earth are you talking about? I said above - given what's going on, what would be most useful? I'm happy to send you anything you need to help troubleshoot!

markuhde

I seem to have got my limiters working again; it seems that was an unrelated thing (I forgot that limiters have NEEDED defined schedules for quite a long time now; I forget why they do).

What files would be useful to help determine why I need extra rules to communicate between VLANs? I'd be happy to send anything you need or provide access to the system if I'm not able to get it.

wallabybob

                                            @markuhde:

What files would be useful to help determine why I need extra rules to communicate between VLANs? I'd be happy to send anything you need or provide access to the system if I'm not able to get it.

                                            Have you already provided the requested information:
                                            @ermal:

Can you post your /tmp/rules.debug and screenshots of the GUI (or config.xml) so we can see what is happening there?

                                            If so, where?
