New book: VLANS in pfSense for absolute non-technical noobs
-
It doesn't exist :-[ :-\ :'(
( ;D)
G'day all peoples lovers of the finest firewall in the universe :D
I am confused once again. Might I ask for some help?
[b]What I have
pfSense with only 2 NIC's 1LAN/1WAN (board is in my sig), currently only 1 LAN-subnet. Packages running Squid, Squidguard, Snort, Traffic Shaper (work in progress), and thanks to the great help of Nachtfalke since 2 days freeRadius with EAP-TLS to secure my wireless.Other hardware, aside from the usual HTPC's, my HP V1910 switch, my Synology NAS'ses, desktops, laptop, smartphones: two Ubiquity wireless accesspoints that form one WLAN-together (the Ubiquity software takes care of this, for 'seamless roaming'). All computers have fixed IP-adresses in the LAN.
A problem is: I use powerline (network over my power cables) to connect everything downstairs to the switch which is upstairs (as is pfSense, my Synologies, etc).
I have created a simple picture (looks horrible, horrible drawing program I used).
What I want
I would like all wireless to be separated into a different WLANThe problem
I have no clue how to do it ;DBecause
- First of all, I don't understand what 'trunking' and 'tagging' is supposed to mean. It is the same problem I had when setting up EAP-TLS (thanks again Nachtfalke for your great explanation :P); all documentation I can find is 'point and click'-documentation, which, for one reason or the other, already assumes that people know what these concepts mean.
- Secondly, I do understand that somebody, somewhere, has to tell somebody, somewhere, where the traffic has to go (to which VLAN, and this is apparently not 'tagging'), but then I am lost. Who decides what computer goes into what VLAN? pfSense? My switch? The computers themselves (meaning I have to tell for example my Windows 7 computer the VLAN-ID? That would appear not very safe to me).
- Given that there are 6 computers downstairs, connected to one single simple switch, which sends traffic through the wall via powerline, and which then arrives on 1 cat6 cable that goes into the switch, so 6 computers downstairs eventually go into one port in the master HP switch upstairs, how would which device (pfSense? Switch?) know that out of these 6 different computers downstairs 4 have to go into the 'normal VLAN', and 2 would have to go into the separate, new VLAN for wireless? I guessed this would be on MAC-address or something, but this I couldn't get confirmed.
- The two Ubiquity WAP-devices have a setting in it to assign them to a certain VLAN. Is it really that simple as to setup a VLAN20, tell the two WAP's they are in VLAN20, and then it works? Do I need to tell the switch something then? Or is this the wrong approach?
And then there is also something like 'dynamic VLAN' as opposed to 'static VLAN' :-[
As many times before, I will understand it when you all think I am vague in my questions and probably not too bright in these matters; my Wife thinks the same ;D ;D ;D
Thank you in advance once again for any helps,
Bye,
-
So before we get all bogged down into "vlans" that clearly you don't have clue one to start with.. Lets ask a simple question can you not juts add another network connection to your pfsense? Where your AP could connect – this would allow you to isolate your lan from your wireless without having to understand tagging or what a trunk is, etc.
Nics are REALLY cheap.. is there no slot in your pfsense box for another network card?
-
So before we get all bogged down into "vlans" that clearly you don't have clue one to start with.. Lets ask a simple question can you not juts add another network connection to your pfsense? Where your AP could connect – this would allow you to isolate your lan from your wireless without having to understand tagging or what a trunk is, etc.
Nics are REALLY cheap.. is there no slot in your pfsense box for another network card?
Thank you John, that is very kind of you to respond (and not the first time either ;D). I think adding extra NIC's would pose some small problems:
1. High quality Intel NICs are not that cheap, and from a very wise man I have taken to heart to stick with Intel;
2. I think it won't solve the problem of the second access point, the one that is downstairs and also travels via powerline to the switch which is upstairs; I can't plug that in a separate NIC this way (there is only 1 powerline going from downstairs to upstairs, I wouldn't see how I could make that two).So I am afraid it has to be VLAN. But, my selfconfidence has grown. I thought 'freeRadius is too difficult for me', but thanks to the great help I got that to work. So I think with a little help/suggestions I might get VLANS to work too ;D
Thank you again John,
Bye,
-
So you buy a little pocket switch for your wireless segment, now you have full physical network isolation.
so nic to pocket switch to AP, from pocket switch to powerline to other AP.
And what intel cards are you looking at.. Lets see you run your AP over powerline currently how does say this $30 intel nic not cut the mustard?
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106033
But if you want to do vlans - real simple look in your switch docs on how to create a trunk port.. So where you pfsense nic connects to your hp switch that will be a trunk (more than 1 vlan can go over it).. Then create ports that connect to your AP in a vlan number. Then on pfsense create a vlan with the same tag number. And tie it to your physical interface that is connected to your trunk – shazam your running vlans ;)
-
Your sticking point is "cheap switch" downstairs. To separate the WAP2 traffic from the other traffic downstairs you have to have a VLAN-capable switch down there. Then you can do, for example, VLAN10=general LAN, VLAN20=WiFi-devices and the switch ports between upstairs and downstairs are setup as tagged ports that pass both VLAN10 and VLAN20 packets in tagged form, so the switch at either end receiving the packets knows which VLAN they belong to.
Otherwise you need 2 real connection paths from downstairs to upstairs somehow. -
Thank you to the both of you for your help; much, much appreciated ;D ( :-*)
I have been testing, trying, and messing around, for 5 whole hours now ( >:() and I have something working, and something not. I don't have internet access, and the laptop doesn't get an IP whereas the two smartphones do.
I will ellaborate:
-
This morning, in the shower, it occurred to me: my two Ubiquity access points can do multiple SSID's, with a VLAN-tag. This might prevent me from having to buy additional hardware (nice idea, btw, John; thanks :)).
-
So, I found a very useful instruction for noobs like me, over here: http://www.iceflatline.com/2013/09/how-to-create-and-configure-vlans-in-pfsense/ , and used that as a starting point.
-
So the configuration was as follows:
(Note, before adding VLAN I just had WAN/pppoE on em0, and LAN/192.158.2.1 on em1).
Switch
-
pfSense/LAN is on port 3. Made it: trunked, VLAN40
-
WAP downstairs, via powerline, is on port 7, (as are the other downstairs computers). Made it: trunked, VLAN40
-
WAP upstairs is on port 13. Made it: trunked, VLAN40
pfSense
-
Created VLAN040 on em1, static IPv4 192.168.4.1/24, gateway none.
-
Services/DHCP-server/VLAN40: enable DHCP-server, Gatewat 192.168.4.1
-
Services/DNS-forwarder: Interfaces ALL (and manually CTRL-select all of them just to be sure).
-
Firewall/rules/VLAN40: allow all (screenshots).
-
Firewall/NAT/Outbound: manual (a post on this forum suggested that). Copied 'LAN' to VLAN40 (screenshot).
Access points:
- Setup a new SSID (berenboot, it's got to have a name ;D), tag it as VLAN40.
And then, off and on:
-
Doing it without Radius server and enabling radius server with PAEP;
-
Disabling Squid/Squidguard/Snort;
-
Adding firewall rules from VLAN40 to LAN (not that I am sure I know what I am doing, but I thought since pfSense itself is in 192.168.2.1 which is 'LAN', perhaps for some reason or the other VLAN40 had to go to 'LAN'/192.168.2.1 also, or something ???).
Now, the funny thing is, whatever I tried: laptop (Windows 7) refuses to connect at all, smartphones (HTC One SV, Android 4.2) do connect (get IP's 192.168.4.11 and 192.168.4.12, both without and with Radius), but there is no internet access (as I read probably this whole forum in the meantime ( ;D) I was looking from a a way to ping the gateway from within the smartphones but I haven't found out how to do this yet, and since the laptop refuses to connect at all I can't use that to do a simple command prompt ping 192.168.4.1).
Even the more funny is: as far as I know everything is set up exactly als 'LAN', 192.168.2.1, where all three mobile devices still connect to without any problems (Radius EAP-TLS) and do have internet access.
Meanwhile, the other PC's downstairs that also come in through powerline (like PC Wife, as in 'wife = food' :D) remain working, even with the VLAN-tagging of the ports, so something must have gone right in messing with the switch.
So I have no clue. There are two things I can think of:
-
The ubiquity WAP's are static IP's from 192.168.2 (LAN), so 192.168.2.3 and 192.168.2.4. So that is how they wake up. But then they create a wireless network to serve 192.168.4. Is that possible at all, or lies the problem in here? (I am having trouble understanding why not; after all, since the WAP's can assign 4 VLANs (to 4 SSID's), and VLAN's have different subnets, this implies it shouldn't be a problem. Otherwise, what's the use of being able to assign 4 different VLAN's on 4 different SSID's if they can't work with the 4 different subnets that go with it?
-
Phil, your remark about the cheap switch downstairs seems very plausible, but my little brain is lost again (I never said I have a large brain; I have a large head, yes, but inside it is mostly air ;D). I could understand that you would say 'the WAP downstairs can tag packets with VLAN40 but the cheap switch strips that data from it, and hence it goes wrong), but taking everybody (2 smartphones + 1 laptop) upstairs, to the WAP that is directly connected to the HP Switch (which can work with the VLAN tags, being a 'smart switch' (well, I doubt, because if it really was smart it wouldn't be bothering me with telling it what to do ;D)), there still is no internet. So then my brain goes into reboot mode and stays there :-[ [/li]
I will upload a bunch of screenshots next.
-
-
The switch configuration (HP V1910-16G, smart switch)
![01 Create VLAN40.png](/public/imported_attachments/1/01 Create VLAN40.png)
![01 Create VLAN40.png_thumb](/public/imported_attachments/1/01 Create VLAN40.png_thumb)
![02 Modify Ports 03_07_13 - Link Type Trunk.png](/public/imported_attachments/1/02 Modify Ports 03_07_13 - Link Type Trunk.png)
![02 Modify Ports 03_07_13 - Link Type Trunk.png_thumb](/public/imported_attachments/1/02 Modify Ports 03_07_13 - Link Type Trunk.png_thumb)
![03 Modify Ports 03_07_13 - tagged member VLAN40.png](/public/imported_attachments/1/03 Modify Ports 03_07_13 - tagged member VLAN40.png)
![03 Modify Ports 03_07_13 - tagged member VLAN40.png_thumb](/public/imported_attachments/1/03 Modify Ports 03_07_13 - tagged member VLAN40.png_thumb)
![04 Result - Port details.png](/public/imported_attachments/1/04 Result - Port details.png)
![04 Result - Port details.png_thumb](/public/imported_attachments/1/04 Result - Port details.png_thumb)
![05 Create Interface VLAN40.png](/public/imported_attachments/1/05 Create Interface VLAN40.png)
![05 Create Interface VLAN40.png_thumb](/public/imported_attachments/1/05 Create Interface VLAN40.png_thumb)
![06 Result - VLAN40 Interface.png](/public/imported_attachments/1/06 Result - VLAN40 Interface.png)
![06 Result - VLAN40 Interface.png_thumb](/public/imported_attachments/1/06 Result - VLAN40 Interface.png_thumb)
![07 Result - VLAN Interfaces.png](/public/imported_attachments/1/07 Result - VLAN Interfaces.png)
![07 Result - VLAN Interfaces.png_thumb](/public/imported_attachments/1/07 Result - VLAN Interfaces.png_thumb) -
The wireless access points (2x), 1x UAP-PRO (dual band), 1x UAP (single band), having both my 'normal' wireless (in the 192.168.2.x - LAN-range) and the new VLAN40 as two different SSID's.
-
pfSense configuration:
![01 pfSense_create VLAN.jpg](/public/imported_attachments/1/01 pfSense_create VLAN.jpg)
![01 pfSense_create VLAN.jpg_thumb](/public/imported_attachments/1/01 pfSense_create VLAN.jpg_thumb)
![02 pfSense_assign_VLAN.jpg](/public/imported_attachments/1/02 pfSense_assign_VLAN.jpg)
![02 pfSense_assign_VLAN.jpg_thumb](/public/imported_attachments/1/02 pfSense_assign_VLAN.jpg_thumb) -
Continued:
![03 pfSense_DHCP.jpg](/public/imported_attachments/1/03 pfSense_DHCP.jpg)
![03 pfSense_DHCP.jpg_thumb](/public/imported_attachments/1/03 pfSense_DHCP.jpg_thumb)
![04 pfSense_firewall.jpg](/public/imported_attachments/1/04 pfSense_firewall.jpg)
![04 pfSense_firewall.jpg_thumb](/public/imported_attachments/1/04 pfSense_firewall.jpg_thumb) -
Final:
![05 pfSense_DNS-forwarder.jpg](/public/imported_attachments/1/05 pfSense_DNS-forwarder.jpg)
![05 pfSense_DNS-forwarder.jpg_thumb](/public/imported_attachments/1/05 pfSense_DNS-forwarder.jpg_thumb)
![06 pfSense_NAT-OUTBOUND.jpg](/public/imported_attachments/1/06 pfSense_NAT-OUTBOUND.jpg)
![06 pfSense_NAT-OUTBOUND.jpg_thumb](/public/imported_attachments/1/06 pfSense_NAT-OUTBOUND.jpg_thumb) -
This concludes me fotographing my screen ;D ;D ;D
Once again, thank you very much for your help; it is extremely appreciated. I will gladly buy you a coffee once I get this to work. Then I have it all: a great firewall, Squid, Squidguard, Snort, FreeRadius EAP-TLS, and VLAN's to further secure my network. Then I can die a happy man. Once I have saved enough money to ensure I have a second pfSense as a fallback machine ;D
Thank you very much,
Bye,
-
Something I want to throw in here was when I was trying to use powerline to move a noisy server into my garage while I configured it, I came to the conclusion that my powerline adapters (Belkin F5D4076-S v2) didn't properly pass VLAN tags. I ended up replacing the powerline adapters with a 50-foot cable and it all fired right up. IIRC, I went from powerline back to the cable a couple times to verify. I have not put them on the bench to see exactly what was happening.
Another opinion: If your prem is wired for Cable TV, MoCA blows powerline away. And VLAN tags pass just fine.
-
Also, if your LAN is untagged and your VLAN40 is tagged and they're on the same interface/port, you might have to do something special in the switch. Some "Trunk" ports will discard untagged traffic. It might have to be configured as a "general" (cisco small business) or "dual-mode" (brocade) port. In these instances you tell the switch on which VLAN you want untagged traffic placed.
I would just not have a pfSense LAN interface assigned to the main hardware (untagged) interface. Create VLAN tags for all networks and tag/trunk everything. I find it more straightforward.
-
Thank you all very much for replying ;D
I have good news. It is working, but I have no clue why :-[
I found the remark about cheap hardware which couldn't transfer the VLAN-tag very plausible, but: it still works :o
I had to ask WIFE if she understood the HP manual, which it appears she did (and she can cook too :-X). So she messed around in the switch, 'oh, easy, I'll just tagg these ports' (duh), and next I told the Ubiquity WAP that the WLAN was to be have the tag 'VLAN70'. This ubiquity is connected wired to a cheap unmanaged switch downstairs, which in turn is connected to the power circuit to send the signal upstairs to the managed switch, so 2 devices that can not transfer VLAN70 with it.
But still it works ???
The smartphones and the laptop are sent to VLAN70, getting an IP from that range (192.168.7.x) whenever they connect wireless, and are sent to LAN, getting the default 192.168.2.x IP, when they connect wired.
No clue why it works, but it does.
And it doesn't.
( ;D)
Because: doing exactly the same for a second VLAN, VLAN60, with pre-ci-se-ly the same settings? Does not work. Neither smartphones nor laptop get an IP in 192.168.6.x, and they also don't get any in 192.168.2.x. They 'can't connect'.
Shoot me ???
Anyway, thank you all for your kind replies, new years eve for now :(
( >:( = parents in law. Like WIFE, don't like parents in law ;D).
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
You don't have to spend a lot to get a VLAN-capable, managed switch:
http://www.amazon.com/D-Link-EasySmart-Managed-Gigabit-DGS-1100-08/dp/B008ABLU2I
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
Thank you for your reply ;D
Yes, I found it very plausible that it isn't possible, I agree with you.
Is there a way for me to find out if it is currently doing what you say it is doing? What should I look for in the HP Switch configuration screens? (I know it sounds dumb, but I am rather very dumb when it comes to this subject :-[).
Thank you ;D
EDIT: forgot: I have no problem buying a new managed switch for downstairs, but that will still not solve the fact that the switch then travels via powerline.
-
The powerline is nothing else but a network cable in another form… It shouldnt alter the traffic unless routing or otherwise is a part of the equation.
To get VLAN's working you need to set the same VLAN's on the switch with the same tags as the ones on your Pfsense. Simples.
Then it transfers the tagging and traffic across with no issues. I have about 600 VLAN's running here on 2 physical HP switches configured for failover.
-
The powerline is nothing else but a network cable in another form… It shouldnt alter the traffic unless routing or otherwise is a part of the equation.
To get VLAN's working you need to set the same VLAN's on the switch with the same tags as the ones on your Pfsense. Simples.
Then it transfers the tagging and traffic across with no issues. I have about 600 VLAN's running here on 2 physical HP switches configured for failover.
Thank you for your reply Supermule ;D
Just to be make sure I completely understand you: you are saying that only a managed switch downstairs is sufficient? So powerline is not a problem (as that was written before)?
EDIT: But still I should need to find out why it appears to working right now then, even 'though the laws of dictate it shouldn't.
Thank you ;D
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
[snip]
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
I discussed with WIFE, who is sysadmin of BRAINS, and she posed an interesting question. If what you say is true (which we interpret as 'the VLAN-tag data is 'stripped' from the packets by the unmanaged switch, so before it arrives at pfSense), then how come that they get an IP-address in the VLAN-range from pfSense, and not an IP-address in the LAN-range?
Like said:
Laptop, wireless via WAP -> 192.168.7.10
Laptop, wired via HP-switch -> 192.168.2.10 -
@Hollander:
I discussed with WIFE, who is sysadmin of BRAINS, and she posed an interesting question. If what you say is true (which we interpret as 'the VLAN-tag data is 'stripped' from the packets by the unmanaged switch, so before it arrives at pfSense), then how come that they get an IP-address in the VLAN-range from pfSense, and not an IP-address in the LAN-range?
Like said:
Laptop, wireless via WAP -> 192.168.7.10
Laptop, wired via HP-switch -> 192.168.2.10Update, just to be absolutely sure I wasn't misunderstanding what I was seeing, I tested one final thing:
- My hardware setup was this:
–- Upstairs: pfSense -> HP switch -> LAN, all wired
-------Upstairs, one Ubiquity WAP, wired to the HP switch, VLAN70.
--- Downstairs: the other Ubiquity WAP -> unmanaged cheap switch -> powerline -> to upstairs -> HP switch
-------Downstairs WAP = also VLAN70 (you tag this in the WAP).
Now, both Ubiquities do something together called 'seamless roaming', whereas when you move around between the two WAPs they will transfer you between them.
So what I could think of was that because WAP upstairs is VLAN70 and hardwired to the HP Switch (which had that port tagged as VLAN70), the 'seamless roaming' for some magically reason also made it possible that the WAP downstairs for some reason to be on VLAN70.
So I shut down WAP upstairs, and enabled only WAP downstairs. So there is no, by no means, connection from WAP downstairs to the HP switch other than where the powerline connection from downstairs enters the HP switch.
Still, WAP downstairs remains VLAN70, and so do the smartphone and the laptop, with their corresponding VLAN70 IP's (192.168.7.x, and not the LAN IP's of 192.168.2.x).
So, for whatever reason, WAP downstairs, via unmanaged switch and powerline, is capable of being in VLAN70.
I don't know why, and you all do know 1000 times more about this than I do, I am just telling you what is happening here ;D
- My hardware setup was this:
-
Lets be sure we're talking about the same thing…
(Edit: I just dug up those powerline adapters and put them on the bench. They pass VLAN tags just fine and pass unfragmented ICMP at a full 1472 so I don't know what I was seeing before. Unmanaged switch is still not what you want.)
-
That is the diagram I imagined also. If the dumb switch and powerline devices are really good and dumb, then they can just pass ethernet frames blindly between source and destination MAC addresses and the smart AP with multi-SSID and VLAN knowledge should effectively have a pipe to the HP smart switch with the corresponding VLANs trunked. (and untagged frames from other devices downstairs would also happily arrive untagged at the HP switch and the HP switch can be configured to put them in a selected VLAN.)
But, if they are not dumb enough then they might mess with the VLAN packets.
Given all of that, if the VLAN70 configuration works, then so should VLAN60. -
But they might pass frames at 1518 (MTU 1500) and discard at 1522 (MTU 1500 + dot1q). "it depends."
Get a dot1q switch.
They're US$60.
-
Thanks Phil ;D
And thanks Derelict ;D And you I would like to ask: but what is the problem with my current setup then? I mean: it appears to be working(?)
-
Glad it's working. Sounded like you were still having issues.
-
I finally got the second VLAN to work also. The workaround I had to apply was to tell WIFE I wouldn't be eating her food anymore if she didn't fix the tagging of the port in the HP switch ;D ;D ;D
Looking at the firewall log I just noticed something I don't understand (as with many things in life :P). Per the attached screenshot: why, if it the default deny rule, does the log say src = VLAN? I would have expected this rule to block anything coming from WAN as a 'default deny', so src = WAN, dst = VLAN, not the other way around as it shows now ???
That VLAN-IP by the way is an Asus Android tablet, and looking at the dst-ip it was busy phoning home to Google that I was doing something that absolutely needs to be stored in Google's big nsa-database for future usage ;D
-
:( :o ??? :-[ :-\ :'(
( ;D).
I am lost. Having finally gotten the VLANs to work, it appears I can not go from VLAN to LAN. I have the pfSense book but it also doesn't tell me :'(
What I am trying to accomplish:
1. I have a HTPC (XBMC) in LAN (192.168.2.x)
2. I have a tablet in VLAN50 and a HTC phone in VLAN40, both running android 4.2.
3. I want to use the app 'Yatse' (very nice app by the way) to use my tablet/smartphone to start/stop music (so I don't need to turn on the TV to play music).For the life of it, I can not get it to work. It appears Squidguard is messing around, and so is Snort. Disabling them gives me a 504 error in Android (kind of cryptic, but [s]NSA Google told me this is a 'gateway time out'.
Both the tablet and the smartphone can happily go on the internet, by the way.
I think I have the VLAN, the DHCP-server on each VLAN, and the firewall rules setup correctly. I attached screenshots.
Something weird did happen before: while setting up VLAN50, for some reason in the status dashboard another gateway turned up for VLAN50 (in the dashboard widget for the gateway). However, that did not turn up when I configured VLAN40.
To be honest, I have no clue about gateways, other that, per the wiki, 'they are used to transfer traffic from one network to the other'.
At the same time, while searching for a solution, I found this comment of Jimp:
Is pfSense actually the current default gateway for all of the devices in those networks?
If you interfaces are set right (correct IP, correct subnet mask), the rules are right, and the firewall is actually the default gateway for everything, then traffic will flow through.
I am not completely sure that I understand what Jimps writes, but in System/Routing my WAN is the default gateway, so I assume that is not pfSense in the way Jimp is talking about this. This also is how the installer did it, I didn't change it (I don't dare to ;D).
Also, in here:
http://forum.pfsense.org/index.php?topic=68043.0
Podilarius writes:
Few things just to check:
Is firewalling turned off (as in it is working in routing mode)? This option is in the advanced section.
Did you create a new allow all rule on the VLAN tab?
Did you switch to manual outbound nat BEFORE setting up the VLAN? (in which case you would need to add the NAT).
If in router mode, did you allow traffic from that VLAN in on the LAN on the WRAP?Which makes me wonder if I need to add 'something' in System/routing for each VLAN, and if so: what?
(Sorry, I know I ask stupid questions, but I am not an IT-specialist but only a rather stupid accountant, and I do try very hard to find my own answers on the internet and in books :'().
Would anybody be willing to help me out of my suffering?
Thank you very much in advance for help ;D
Bye,
http://forum.pfsense.org/index.php?topic=63397.0
-
More pictures:
-
More pictures:
-
More pictures:
-
More pictures:
-
More pictures:
-
More pictures:
-
And to think that the day after tomorrow my second ISP-line (cable) will arrive which I will have to configure for dual WAN with failover. I am sure that means new stress ;D
-
192.168.5.0 as your address? .0 is the wire not really a valid address.
Also your rules only allow specific host to specific host - but not able to talk to the pfsense interface on that vlan. So there is no way for dns queries for one.
-
192.168.5.0 as your address? .0 is the wire not really a valid address.
Also your rules only allow specific host to specific host - but not able to talk to the pfsense interface on that vlan. So there is no way for dns queries for one.
Thank you John ;D
I have to admit, I still don't know the difference between 5.0 and 5.1. You can google until you've grown a beard (stupid Dutch saying ;D) and still don't know it. I find 10001 sites with 'how to subnet', but nobody who explains these basic things. The same is 'gateway'. I now know it is the 'traffic point' where traffic goes from one network (I think defined as subnet/VLAN/WAN) to the other, but what does it do? Does it simply do NAT and nothing more, or firewall rules/loadbalancing/etc also, or…?
I mean, I come from one simple LAN to one simple WAN and vice versa. My pfSense is 2.1, and it is 'a gateway'. I'm happy it wants to be that, and I leave it alone ( ;D). But my WAN-IP also seems to be 'a gateway, and then I am starting sweat already. In setting up VLANs I see I now also have a 3.1 gateway, a 4.1 and a 5.1. What they do, what 2.1 still does: I have no clue at all :-[
This is not because I am lazy, I spend many hours a week, in weekends, on trying to understand it. I have yet to find a decent book on networking for people like me. They say I am not the most stupid person in my own field (economics, accounting, taxes), but without a proper document to understand the concepts, starting from non-technical terms and then gradually moving to the technical terms, it is difficult to understand. I guess the same would be true if I were to talk to IT-specialists about inflation accounting in a multi-currency, multi-country, multi-GAAP environment :P
( ;D)
As to the bold text in the above: I thought the hard coded rules where: by default WAN is blocked always, and LAN is allowed everything always. I further understood that the hard coded rules are there by default so you don't have to do anything for it with a custom rule, and you can override the hard coded rules by adding a custom rule yourself. But given what you write, obviously I am wrong.
If I may, John, could I ask: so suppose you setup a new (V)LAN-interface, what are the rules you have to enter manually first if you want the normal internet stuff and nothing special (so not port forwarding from WAN to inside, just simply browsing, emailing, usenetting, torrenting, youtube: just the usual stuff).
Thank you very much for your reply John ;D
-
So you don't know that every network segment has a wire or network address, and then host addresses and a broadcast address?
If you give me an address 192.168.5.0/24 that tells me that is the network not a HOST.. But say you gave me 192.168.5.0/23 – 5.0 would be host address since the beginning of your network would 192.168.4.0/23 in that network. and 192.168.5.255 would be broadcast.
To me 5.0/24 is NOT a valid host address - its the network address, so you would not use that on your interface on pfsense. The first address in 5.0/24 would be 5.1 - which is what I would put on pfsense interface be it physical or vlan.
Now can some systems use the wire or network address as a host.. Ok sure, but I have been in networking for years and years and years and doing that has never been good practice. When I saw your address on your interface, with that mask - to me that is not best practice and would change your interface address to 192.168.5.1 if your wanting to use the 192.168.5.0/24 network.
As to what rules you would put on network segement be it physical or vlan would depend on what you want to allow. So for example I run my wireless on its own segment. And I use this as my simple rule
So from the attached you see I let my wlan network (192.168.2.0/24) talk to my ntp server at 192.168.1.40 udp 123
Then the main rule I let wlan talk to anything it wants, ie my dmz or the internet - just not my lan network (192.168.1.0/24), which is what the !lan net in dest means.
So I can not really say what rules you should put in, since that would depend on what you want to accomplish. but if your going to get specific and only allow specific source to specific dest IP.. Keep in mind that clients on that segment if they want to use the internet will need a rule to allow access to the internet, and will also most likely need a rule to talk to something for dns which in a common setup pfsense would be the dns server. So so rule would need to allow access to pfsense IPs for dns, etc.
So for example, see 2nd attachment this is my dmz. So I created a alias that says hey you can talk to anything you want as long as its not in my locals alias ! locals.
My aliases of my locals is
locals 192.168.1.0/24, 192.168.2.0/24, 10.0.8.0/24, 10.0.200.0/24So this is my lan and wlan and my openvpn segments. So as long as its not on one of those networks dmz machines can talk to it - this would include anything on the internet. And the actual dmz segment which in my case is 192.168.3.0/24 -- so client on that network say 192.168.3.14 points to pfsense IP on that segment which is 192.168.3.253 in my case ( I don't like .1 and .254 since lots of devices default to those.. And with my lan network being 192.168.1.0/24 if bring up something that defaulted to 192.168.1.1 or .254 I didn't want it stepping on pfsense address so I used .253 - and just used that for my other segments for consistency.
So these dmz clients can ask pfsense for dns for example since my rules do not block access to the pfsense IP address in that network segment.
-
The all zeros value and all ones value are reserved for the network ID and broadcast address respectively.
from http://en.wikipedia.org/wiki/Subnetwork
So, 10.20.30.0/24 has addresses from 10.20.30.0-255 but
10.20.30.0 is Network ID
10.20.30.255 is broadcast address
Some software works and talks in/out of the Network ID - but it is best practice NOT to use that as a host address (as some stuff does not talk to it nicely).
Definitely will not work to set a host to the broadcast address.(That WiKi article has a lot of waffle about "Subnet zero and the all-ones subnet" - try to ignore all that when reading the article, as it is obsolete crud. It would be better if someone cleaned it out of the main article and made some sort of history reference to it.)
The idea for a router (called "gateways" at the time) initially came about through an international group of computer networking researchers called the International Network Working Group (INWG).
from http://en.wikipedia.org/wiki/Router_%28computing%29
IMHO "gateway" is still used to mean "the place where you send traffic that needs to go to a different (sub)network".
In your examples:
The gateway for a host on 192.168.2.0/24 is 192.168.2.1 - that is the way to get out of 192.168.2.0/24
The gateway for a host on 192.168.3.0/24 is 192.168.3.1 - that is the way to get out of 192.168.3.0/24
The gateway for a host on 192.168.4.0/24 is 192.168.4.1 - that is the way to get out of 192.168.4.0/24At the gateway IP address there is (hopefully!) a router (e.g. pfSense) listening. The software on the router knows how to receive traffic on each of its addresses and send it on its way out some other interface, either sending it directly to the destination host IP address or sending it onwards to another gateway, that has another router listening, that is 1 hop closer to the destination host IP address,…
So, on every LAN-style interface (LAN, VLAN, OpenVPN server...) pfSense will have an IP address that is typically the gateway that all the hosts on that LAN use to escape the LAN and get to other LAN/s and the internet.
On WAN-style interfaces, pfSense will have a gateway set. That is the IP address of some other router (usually at the ISP) that gets to the internet in general.
Clear as mud?
-
The reply of both you John and Phil is most helpful for me; thank you very, very, much ;D
( :-*)
(I suggested in the feedback forum to allow a user to hit the 'thanks' button more than once in a thread so I could it for both of you, but obviously we can't).
If I may ask one last question so I can also better understand 'the conceptual factory' that pfSense is?
So, I interpret that a gateway, 'the way to get out of a LAN', does a sort of NAT. But does it have more functions than that? With that, I mean: initially I had only WAN and LAN. I installed NTP time server, and so naturally that was on 2.1. After this, I now also have the VLANs. So I have 3.1 as gateway for VLAN30. So, is the NTP time server for VLAN30 running on 3.1 or on 2.1? The same question then goes for the DHCP-server, DNS, and even firewalling: are all these functions done by the gateway of the network segment (3.1), or by the 'main' gateway, 2.1?
So is pfSense sort of replicating the 'core functions' of the 'main' 2.1 to every new subnet, or…?
Again, thank you very much for the time you devote to helping me understand, it is appreciated ;D