Pfsense 2.1 lan subnets problem

cinlop

but 10.1.2.0 not include 10.1.2.0 and when i use /24, i dont see any traffic on firewal, but they working internet.and i did not use traffic shaper on 10.1.2.0 10.1.3.0 ..

johnpoz

"but 10.1.2.0 not include 10.1.2.0 and when i use /24"

What??

What are you trying to accomplish where you think /8 makes sense??

phil.davis

If all your devices on your LAN are in 10.1.1.* 10.1.2.* 10.1.3.* etc = 10.1.. then make you LAN subnet /16 and you are fine.
But if you have some separate LANs or VPN tunnels or whatever that are part of 10.1.. somewhere, then you will have to sort that out so that no subnets overlap.
Post a full list of what LANs, WANs, VPNs you have, what IP addresses and netmasks they are using, then we can help you sort out what addresses and netmasks to use to make it work.

cinlop

hi again.
i explain my problem again.
my network structure like this

vlan 1
10.1.1.0/24
vlan 2
10.1.2.0/24
vlan 3
10.1.3.0/24
.
.
.
10.1.29.0./24

my pfsense lan ip adress 10.1.1.1

when i use subnet  /24 for lan ip, i login to firewall every vlan.but if i don't make rule for allow this vlan, i only connect internet from vlan 1

when i write rule for internet connection, i only see vlan 1 ip adress on traffic graph.

if i use subnet /8 for lan ip, firewall connection lost and i must make reconfigure again old subnet(/24)

but old release(pfsense 2.0) i configured lan ip adress with subnet /8

johnpoz

I am guessing your first lang is not english?  Or maybe I just need more coffee - but still at a loss to what your actually trying to accomplish.

So you create 1 or 100 vlans - doesn't matter.  I assume these vlans are all connected to the lan interface?  Once you create the vlan you will have firewall rules for that vlan interface.

What rules do you have on them - by default there would be NO rules and all access would be blocked.

Where you seem to have an issue is you have your actual physical IP on your lan interface that overlaps with one of your vlan IPs you say your lan IP is 10.1.1.1/24 then you have vlan 1 that is 10.1.1.0/24  – what IP did you give pfsense for vlan 1?

But lets forget that one and talk about 10.1.2.0/24 vlan 2 and your physical network 10.1.1.0/24 where pfsense has an IP of 10.1.1.1

So what firewall rules do you have on lan, and what firewall rules do you have on vlan2 interface?

Now for something connected, not vlan but to the same physical network as pfsense lan - it talks to pfsense as its gateway - and says oh you want to talk to 10.1.2.?  Send you down the vlan interface.

If you change the mask on your lan to /8 and your device on lan says hey I want to talk to 10.1.2.? -- pfsense says oh that is directly connected to my lan interface and would not tag it or send it down the vlan interface.

So what is the trunking setup you have on your switch that is connected to your pfsense physical interface that all your vlans connect too?

But you would NEVER overlap networks like that with /8 if your running subnets of that network on different vlans or interfaces..  Because the interface you put that mask on now thinks that all your other segments are directly connected to it.

cinlop

firstly thank you answer to my question and sory my bad english. i added my interface screen and rule screen for orther network.

i did not use traffic shaper and traffich grap for other vlans and how can i do it.(i only created vlans on switch, not on firewall, because i dont want to use firewall for local network traffic)

phil.davis

Now I think I understand. The VLAN switch is a layer 3 device and is doing the routing between your VLANs. The switch should have the pfSense LAN IP as its upstream gateway.
You should not put the VLAN switch IP as an actual gateway on the pfSense LAN interface (doing that will make pfSense think the gateway is a possible route to the internet). Just have the gateway defined in System->Routing. Then add a Static Route to 10.1.0.0/16 through the VLAN switch IP. (It should be OK to specify 10.1.0.0/16 even though part of that is directly-connected LAN - pfSense will still deliver packets directly to the LAN subnet)
Now pfSense will know to send packets for the rest of 10.1.0.0/16 to the VLAN switch IP address, and the VLAN switch routing software will deliver them to the correct VLAN subnet.
The reverse traffic will come into pfSense from the VLAN switch routing, and you already have a pass rule on LAN to permit that.
Note: I think the Traffic Graph now displays only the IP addresses of devices on locally-connected subnets, so you might see the overall traffic, but not see all the individual IP addresses of clients in the VLANs displayed in the table.

johnpoz

OK you NEVER create a gateway on a LAN - or pfsense thinks its WAN interface and would do nat on it, etc.

So what handles your local traffic?  Your switch?  This is where the gateways are for your local traffic?  Does not seem like you have any vlans or even vlan tags running?  Since there are only 2 tabs in your firewall, if you were tagging 29 some vlans you would see those tabs for the vlan interfaces.

So this close to how your setup?

Where you have a Layer 3 switch or some other router in your lan that handles routing your local traffic?  You could then use a segment of your network that connects to pfsense.  But I really wouldn't put any other devices on this segment - and it really should be a transient sort of network and I would personally would use a network outside of your 192.168 address space so you could make your route entries simple..

So in this setup where 192.168.1.0/24 is the leg to your pfsense.
Pfsense would have rules on its lan to allow 192.168.0.0/16 to the internet, etc.
It would then have it its route table entries for all the different 192.168.? networks your using to talk to your other routing device say a L3 Switch, which would have interfaces in all your different segments.

This is how you would do it!!  Or atleast a common way to skin the cat..  I don't see anywhere what you have posted any sort of vlan tagging at all.

If you draw out your network - I am sure we an fix it up for you ;)

edit:  Seems I used 192.168 in my example - my bad..  I could redraw with your 10 address space, but should be simple enough to get the layout no matter what rfc1918 space being used on the local network.

cinlop

yes this example draw like a my network sistem.

i said already, i only created vlans on switch and i connect to internet pfsense 2.0; but client don't connect with pfsense 2.1.

when i configured firewall local leg 10.1.1.1/16 i only connect internet on vlan 1.

johnpoz

I don't know how else to explain it to you dude..  Your NOT using vlans - are you tagging traffic??  I don't see it in pfsense, where do you have these tags setup in pfsense for it to understand?

You don't seem to grasp basic routing??  Or maybe its something in translation?

In my drawing if the route to 192.168.2.0/24 which is IP 192.168.1.1 on the L3 switch from pfsense 192.168.1.0/24 network with ip of 192.168.1.254, I can not tell pfsense that he is locally connected to 192.168.0.0/16 on his lan interface and expect him to send traffic to the switch to get to 192.168.2.0/24

iamkinghenry

I tested out VLANs with pfsense  2.1 and am getting weird things with my VLANs.

http://forum.pfsense.org/index.php/topic,70222.0.html

I'm not a network guru but have Vyatta working right now with my setup.  Tested VLANs with isc-dhcp-server with Centos, Debian, and Ubuntu  with success. Got packetfence VLAN management working.

Something doesn't seem right with the VLANs with pfsense.

johnpoz

You didn't setup any vlans in pfsense from what I can tell - that is what is wrong with it ;)

Draw your network out - since clearly we are loosing something in translation..

There is a difference between a network segment and vlan..  You only have 1 interface on pfsense - where are these vlans??

And no shit you would have to do manual NAT, since you only have 1 segment connected that pfsense knows about..  So why would it know how to nat other network segments unless you TELL IT!!

If you created the vlans or network on pfsense and it knew about these networks, then automatic nat would work.

Draw your network!  And we can work through fixing it - from what I can tell its must be a complete cluster, unless we are just not connecting because of translation??

cinlop

Hi again;
you asked me' where is the vlan on pfsense?'. but i said to you. i had already use pfsense without vlan previous version and i did not changed anything on pfsense, when i upgraded it.but this version not working. i have used  pfsense in 6 location for 3 years.

phil.davis

I have a network just like this - a Firebox (happens to be running pfSense) doing layer 3 routing internally. My ordinary LAN (called ICO in the screenshots) does not have a gateway set on the Interfaces screen. The gateway is just defined in System->Gateways and used as the target of a static route to the 10.99.0.0/16 network, which is split up in various pieces on LANs behind that Firebox. There are rule/s on LAN (ICO) that permit traffic from 10.99.0.0/16.
See the screenshots, ask more questions and, if you still have problems, describe how things are setup now and exactly what does not work.

johnpoz

^ exactly!!!

Which is what I showed in my drawing with 191.168 address space..

Not sure what part you don't get about stepping on routes with local masks..

Can you post up your route table.. How do you get to these other network segments of yours?  You DON'T put gateways on the pfsense interfaces unless it is a WAN interface..

cinlop

hi again.i added another location firewall lan and routing config.this firewall version is pfsense 2.0. this location network map same to pfsense 2.1 location.the pfsense working good here.but i know when i upgrade the pfsense, this config will not working

phil.davis

Your screenshots are not the way it was intended to be done. Maybe 2.0 allowed this and somehow it worked, I don't know, it has been so long since I used 2.0. I assume in this example:
a) The local LAN is not really "/8" - maybe the local LAN subnet is just "10.2.1.254/24"
b) There are other subnets available behind the router at 10.2.1.2 - that router might be a VLAN switch with L3 routing software also and lots of VLANs, or an ordinary router with lots of NICs or… The router hardware/firmware does not matter.

For 2.1 (and it should work like this in 2.0 also):

1. Change the "Gateway" setting on Interfaces->LAN to none.
2. Leave LANGW defined in System->Routing (and make sure that WANGW is marked as the default)
3. Add Static Routes to the networks behind 10.2.1.2, with gateway=LANGW.

Make sure that Firewall-Rules-LAN has rules to permit traffic from (source) the subnets behind 10.2.1.2.

If you get it working like this on 2.0 then it should upgrade to 2.1 with no trouble.