New book: VLANS in pfSense for absolute non-technical noobs
-
Glad it's working. Sounded like you were still having issues.
-
I finally got the second VLAN to work also. The workaround I had to apply was to tell WIFE I wouldn't be eating her food anymore if she didn't fix the tagging of the port in the HP switch ;D ;D ;D
Looking at the firewall log I just noticed something I don't understand (as with many things in life :P). Per the attached screenshot: why, if it is the default deny rule, does the log say src = VLAN? I would have expected this rule to block anything coming from WAN as a 'default deny', so src = WAN, dst = VLAN, not the other way around as it shows now ???
That VLAN-IP by the way is an Asus Android tablet, and looking at the dst-ip it was busy phoning home to Google that I was doing something that absolutely needs to be stored in Google's big nsa-database for future usage ;D
-
:( :o ??? :-[ :-\ :'(
( ;D).
I am lost. Having finally gotten the VLANs to work, it appears I can not go from VLAN to LAN. I have the pfSense book but it also doesn't tell me :'(
What I am trying to accomplish:
1. I have a HTPC (XBMC) in LAN (192.168.2.x)
2. I have a tablet in VLAN50 and a HTC phone in VLAN40, both running android 4.2.
3. I want to use the app 'Yatse' (very nice app by the way) to use my tablet/smartphone to start/stop music (so I don't need to turn on the TV to play music).
For the life of it, I can not get it to work. It appears Squidguard is messing around, and so is Snort. Disabling them gives me a 504 error in Android (kind of cryptic, but [s]NSA[/s] Google told me this is a 'gateway time out').
Both the tablet and the smartphone can happily go on the internet, by the way.
I think I have the VLAN, the DHCP-server on each VLAN, and the firewall rules setup correctly. I attached screenshots.
Something weird did happen before: while setting up VLAN50, for some reason in the status dashboard another gateway turned up for VLAN50 (in the dashboard widget for the gateway). However, that did not turn up when I configured VLAN40.
To be honest, I have no clue about gateways, other than, per the wiki, 'they are used to transfer traffic from one network to the other'.
At the same time, while searching for a solution, I found this comment of Jimp:
Is pfSense actually the current default gateway for all of the devices in those networks?
If your interfaces are set right (correct IP, correct subnet mask), the rules are right, and the firewall is actually the default gateway for everything, then traffic will flow through.
I am not completely sure that I understand what Jimp writes, but in System/Routing my WAN is the default gateway, so I assume that is not pfSense in the way Jimp is talking about this. This also is how the installer did it, I didn't change it (I don't dare to ;D).
Also, in here:
http://forum.pfsense.org/index.php?topic=68043.0
Podilarius writes:
Few things just to check:
Is firewalling turned off (as in it is working in routing mode)? This option is in the advanced section.
Did you create a new allow all rule on the VLAN tab?
Did you switch to manual outbound nat BEFORE setting up the VLAN? (in which case you would need to add the NAT).
If in router mode, did you allow traffic from that VLAN in on the LAN on the WRAP?
Which makes me wonder if I need to add 'something' in System/routing for each VLAN, and if so: what?
(Sorry, I know I ask stupid questions, but I am not an IT-specialist but only a rather stupid accountant, and I do try very hard to find my own answers on the internet and in books :'().
Would anybody be willing to help me out of my suffering?
Thank you very much in advance for help ;D
Bye,
http://forum.pfsense.org/index.php?topic=63397.0
-
More pictures:
-
And to think that the day after tomorrow my second ISP-line (cable) will arrive which I will have to configure for dual WAN with failover. I am sure that means new stress ;D
-
192.168.5.0 as your address? .0 is the wire not really a valid address.
Also your rules only allow specific host to specific host - but not able to talk to the pfsense interface on that vlan. So there is no way for dns queries for one.
-
192.168.5.0 as your address? .0 is the wire not really a valid address.
Also your rules only allow specific host to specific host - but not able to talk to the pfsense interface on that vlan. So there is no way for dns queries for one.
Thank you John ;D
I have to admit, I still don't know the difference between 5.0 and 5.1. You can google until you've grown a beard (stupid Dutch saying ;D) and still don't know it. I find 10001 sites with 'how to subnet', but nobody who explains these basic things. The same is 'gateway'. I now know it is the 'traffic point' where traffic goes from one network (I think defined as subnet/VLAN/WAN) to the other, but what does it do? Does it simply do NAT and nothing more, or firewall rules/loadbalancing/etc also, or…?
I mean, I come from one simple LAN to one simple WAN and vice versa. My pfSense is 2.1, and it is 'a gateway'. I'm happy it wants to be that, and I leave it alone ( ;D). But my WAN-IP also seems to be 'a gateway', and then I am starting to sweat already. In setting up VLANs I see I now also have a 3.1 gateway, a 4.1 and a 5.1. What they do, what 2.1 still does: I have no clue at all :-[
This is not because I am lazy, I spend many hours a week, in weekends, on trying to understand it. I have yet to find a decent book on networking for people like me. They say I am not the most stupid person in my own field (economics, accounting, taxes), but without a proper document to understand the concepts, starting from non-technical terms and then gradually moving to the technical terms, it is difficult to understand. I guess the same would be true if I were to talk to IT-specialists about inflation accounting in a multi-currency, multi-country, multi-GAAP environment :P
( ;D)
As to the bold text in the above: I thought the hard coded rules were: by default WAN is blocked always, and LAN is allowed everything always. I further understood that the hard coded rules are there by default so you don't have to do anything for it with a custom rule, and you can override the hard coded rules by adding a custom rule yourself. But given what you write, obviously I am wrong.
If I may, John, could I ask: so suppose you setup a new (V)LAN-interface, what are the rules you have to enter manually first if you want the normal internet stuff and nothing special (so not port forwarding from WAN to inside, just simply browsing, emailing, usenetting, torrenting, youtube: just the usual stuff).
Thank you very much for your reply John ;D
-
So you don't know that every network segment has a wire or network address, and then host addresses and a broadcast address?
If you give me an address 192.168.5.0/24 that tells me that is the network, not a HOST. But say you gave me 192.168.5.0/23 – 5.0 would be a host address, since the beginning of your network would be 192.168.4.0/23 in that network, and 192.168.5.255 would be broadcast.
To me 5.0/24 is NOT a valid host address - it's the network address, so you would not use that on your interface on pfSense. The first address in 5.0/24 would be 5.1 - which is what I would put on the pfSense interface, be it physical or vlan.
Now can some systems use the wire or network address as a host.. Ok sure, but I have been in networking for years and years and years and doing that has never been good practice. When I saw your address on your interface, with that mask - to me that is not best practice and I would change your interface address to 192.168.5.1 if you're wanting to use the 192.168.5.0/24 network.
As to what rules you would put on a network segment, be it physical or vlan, would depend on what you want to allow. So for example I run my wireless on its own segment. And I use this as my simple rule
So from the attached you see I let my wlan network (192.168.2.0/24) talk to my ntp server at 192.168.1.40 udp 123
Then the main rule I let wlan talk to anything it wants, ie my dmz or the internet - just not my lan network (192.168.1.0/24), which is what the !lan net in dest means.
So I can not really say what rules you should put in, since that would depend on what you want to accomplish. But if you're going to get specific and only allow specific source to specific dest IP.. Keep in mind that clients on that segment, if they want to use the internet, will need a rule to allow access to the internet, and will also most likely need a rule to talk to something for dns, which in a common setup pfSense would be the dns server. So the rule would need to allow access to pfSense IPs for dns, etc.
So for example, see 2nd attachment this is my dmz. So I created a alias that says hey you can talk to anything you want as long as its not in my locals alias ! locals.
My aliases of my locals is
locals 192.168.1.0/24, 192.168.2.0/24, 10.0.8.0/24, 10.0.200.0/24
So this is my lan and wlan and my openvpn segments. So as long as it's not on one of those networks dmz machines can talk to it - this would include anything on the internet. And the actual dmz segment, which in my case is 192.168.3.0/24 -- so a client on that network, say 192.168.3.14, points to the pfSense IP on that segment, which is 192.168.3.253 in my case (I don't like .1 and .254 since lots of devices default to those.. And with my lan network being 192.168.1.0/24, if I bring up something that defaulted to 192.168.1.1 or .254 I didn't want it stepping on the pfSense address, so I used .253 - and just used that for my other segments for consistency).
So these dmz clients can ask pfsense for dns for example since my rules do not block access to the pfsense IP address in that network segment.
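The two points John makes above (a /24 interface address ending in .0 is the network, not a host, and a VLAN tab whose only rule is host-to-host leaves clients with no way to reach pfSense for DNS or to reach the internet) can be checked with a small model. The following is an added example written for this page, not code from the thread or from pfSense: `describe()` uses Python's `ipaddress` module to classify an address, and `evaluate()` mimics pfSense's first-match evaluation on an interface tab, including the `!` (invert match) destination and aliases. The alias names, the `NARROW_VLAN_RULES` set and the `op_locals` alias are constructed for illustration; John's wireless rules and his `locals` alias are taken from his post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def describe(cidr: str) -> dict:
    """Classify an interface address given in CIDR form.

    ipaddress normalises the network, so 192.168.5.0/23 yields the network
    192.168.4.0/23, in which 192.168.5.0 is an ordinary host; with /24 the
    same .0 address is the network address and must not be used on an interface.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(next(net.hosts())),
        "usable_as_host": iface.ip != net.network_address
        and iface.ip != net.broadcast_address,
    }


# Aliases as pfSense would hold them. "locals" is John's; the others are constructed.
ALIASES = {
    "lan_net": ["192.168.1.0/24"],
    "wlan_net": ["192.168.2.0/24"],
    "locals": ["192.168.1.0/24", "192.168.2.0/24", "10.0.8.0/24", "10.0.200.0/24"],
    # constructed: the original poster's LAN plus VLAN30/40/50
    "op_locals": ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24"],
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp" or "udp"
    src: str                     # alias name, CIDR, or "any"
    dst: str                     # same; a leading "!" means "not" (pfSense invert match)
    dport: Optional[int] = None  # None matches every destination port


def _match(spec: str, ip: str) -> bool:
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))
    return hit != negate


def evaluate(rules, proto, src, dst, dport=None) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, as on a pfSense interface tab.

    Rules are evaluated on the interface the packet ENTERS, so a VLAN host whose
    packet matches nothing hits the implicit default deny and is logged with that
    VLAN host as the source (not WAN as the source).
    """
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if _match(rule.src, src) and _match(rule.dst, dst):
            return rule.action, rule
    return "block", None  # implicit default deny


# John's wireless tab: NTP to one server, then anything that is not the LAN.
WLAN_RULES = [
    Rule("pass", "udp", "wlan_net", "192.168.1.40/32", 123),
    Rule("pass", "any", "wlan_net", "!lan_net"),
]

# Constructed: the over-narrow style John warned about, one host to one host only.
NARROW_VLAN_RULES = [Rule("pass", "any", "192.168.5.20/32", "192.168.2.10/32")]

# Constructed: what a VLAN50 client actually needs - DNS to the pfSense address on
# its own segment, the HTPC on LAN, then the internet (everything outside op_locals).
FIXED_VLAN_RULES = [
    Rule("pass", "any", "192.168.5.0/24", "192.168.5.1/32", 53),
    Rule("pass", "any", "192.168.5.0/24", "192.168.2.10/32"),
    Rule("pass", "any", "192.168.5.0/24", "!op_locals"),
]
```

Under the narrow rule set a DNS query from the tablet to 192.168.5.1 and a connection to an internet address both fall through to the default deny, logged with the tablet as source; the fixed set passes both while still keeping the tablet away from the other VLANs. Note that the model ignores pfSense's stateful reply handling and its gateway/route-to options; it only shows which rule on the ingress tab a new connection would match.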
-
The all zeros value and all ones value are reserved for the network ID and broadcast address respectively.
from http://en.wikipedia.org/wiki/Subnetwork
So, 10.20.30.0/24 has addresses from 10.20.30.0-255 but
10.20.30.0 is Network ID
10.20.30.255 is broadcast address
Some software works and talks in/out of the Network ID - but it is best practice NOT to use that as a host address (as some stuff does not talk to it nicely).
Definitely will not work to set a host to the broadcast address. (That Wiki article has a lot of waffle about "Subnet zero and the all-ones subnet" - try to ignore all that when reading the article, as it is obsolete crud. It would be better if someone cleaned it out of the main article and made some sort of history reference to it.)
The idea for a router (called "gateways" at the time) initially came about through an international group of computer networking researchers called the International Network Working Group (INWG).
from http://en.wikipedia.org/wiki/Router_%28computing%29
IMHO "gateway" is still used to mean "the place where you send traffic that needs to go to a different (sub)network".
In your examples:
The gateway for a host on 192.168.2.0/24 is 192.168.2.1 - that is the way to get out of 192.168.2.0/24
The gateway for a host on 192.168.3.0/24 is 192.168.3.1 - that is the way to get out of 192.168.3.0/24
The gateway for a host on 192.168.4.0/24 is 192.168.4.1 - that is the way to get out of 192.168.4.0/24
At the gateway IP address there is (hopefully!) a router (e.g. pfSense) listening. The software on the router knows how to receive traffic on each of its addresses and send it on its way out some other interface, either sending it directly to the destination host IP address or sending it onwards to another gateway, that has another router listening, that is 1 hop closer to the destination host IP address,…
So, on every LAN-style interface (LAN, VLAN, OpenVPN server...) pfSense will have an IP address that is typically the gateway that all the hosts on that LAN use to escape the LAN and get to other LAN/s and the internet.
On WAN-style interfaces, pfSense will have a gateway set. That is the IP address of some other router (usually at the ISP) that gets to the internet in general.
Clear as mud?
-
The reply of both you John and Phil is most helpful for me; thank you very, very, much ;D
( :-*)
(I suggested in the feedback forum to allow a user to hit the 'thanks' button more than once in a thread so I could do it for both of you, but obviously we can't).
If I may ask one last question so I can also better understand 'the conceptual factory' that pfSense is?
So, I interpret that a gateway, 'the way to get out of a LAN', does a sort of NAT. But does it have more functions than that? With that, I mean: initially I had only WAN and LAN. I installed NTP time server, and so naturally that was on 2.1. After this, I now also have the VLANs. So I have 3.1 as gateway for VLAN30. So, is the NTP time server for VLAN30 running on 3.1 or on 2.1? The same question then goes for the DHCP-server, DNS, and even firewalling: are all these functions done by the gateway of the network segment (3.1), or by the 'main' gateway, 2.1?
So is pfSense sort of replicating the 'core functions' of the 'main' 2.1 to every new subnet, or…?
Again, thank you very much for the time you devote to helping me understand, it is appreciated ;D
-
Oh, I forgot: the !lan is a very neat trick that has solved some head pains(!), thank you for mentioning it :P
-
So, I interpret that a gateway, 'the way to get out of a LAN', does a sort of NAT.
The gateway on each LAN is just the way out for routing. It does not do any NAT. The routing software in (pfSense/FreeBSD/any router) is happy to route stuff between all the actual subnet addresses that it knows are directly connected. Then it has gateway(s) itself to use to send packets to other IP addresses that it cannot deliver directly.
For stuff from the internal LANs, that has to be sent out to another router (through a gateway that pfSense knows about - your ISP or…) NAT (a different piece of functionality) is usually needed. That happens on the way OUT to the upstream gateway/router. NAT is only needed if the upstream gateway does not know how to route back to your internal LAN/s - which is always the case when your LAN/s is in private IP space and the upstream gateway/router is your ISP on the public internet.
are all these functions done by the gateway of the network segment (3.1), or by the 'main' gateway, 2.1?
Yes, by default these network services are listening on each of your LAN-style interfaces. For DHCP, you enable it on each LAN-style interface. DNS and NTP just listen on every interface when they are enabled. So, a client on the "2" network would use 2.1 as the address for all these services - DHCP, DNS, NTP… and a client on the "3" network uses 3.1 and so on.
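Phil's two explanations above (the per-LAN gateway is just the way out for routing and does no NAT, while NAT happens only on the way out to the upstream gateway; and DHCP/DNS/NTP are answered from the pfSense address on each segment) can be put into a small routing model. This is an added example written for this page, not code from the thread or from pfSense. The interface addresses follow the thread's 2.1/3.1/4.1/5.1 pattern; the WAN address 203.0.113.10 and its ISP gateway 203.0.113.1 are assumptions.

```python
import ipaddress

# Constructed topology: pfSense holds one address on every LAN-style interface and
# has a single upstream gateway on WAN. WAN addressing is an assumption for the example.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.2.1/24"),
    "VLAN30": ipaddress.ip_interface("192.168.3.1/24"),
    "VLAN40": ipaddress.ip_interface("192.168.4.1/24"),
    "VLAN50": ipaddress.ip_interface("192.168.5.1/24"),
    "WAN": ipaddress.ip_interface("203.0.113.10/24"),
}
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")  # the ISP's router


def route(dst: str) -> dict:
    """Longest-prefix match over directly connected networks, else the default route.

    A directly connected destination is delivered on-link out of that interface;
    anything else is handed to the WAN gateway, one hop closer to the destination.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for name, iface in INTERFACES.items():
        if ip in iface.network and (best is None or iface.network.prefixlen > best[1].network.prefixlen):
            best = (name, iface)
    if best is not None:
        return {"interface": best[0], "next_hop": None, "directly_connected": True}
    return {"interface": "WAN", "next_hop": str(WAN_GATEWAY), "directly_connected": False}


def needs_nat(src: str, dst: str) -> bool:
    """Outbound NAT applies only when leaving towards the upstream gateway from a
    private source: the ISP cannot route back to RFC 1918 space. Traffic routed
    between directly connected segments (VLAN50 -> LAN) is forwarded without NAT."""
    r = route(dst)
    return (not r["directly_connected"]) and ipaddress.ip_address(src).is_private


def service_address(client_ip: str) -> str:
    """The pfSense address a client should use for DHCP/DNS/NTP: the one on its own segment."""
    ip = ipaddress.ip_address(client_ip)
    for _name, iface in INTERFACES.items():
        if ip in iface.network:
            return str(iface.ip)
    raise ValueError(f"{client_ip} is not on a directly connected segment")
```

Routing alone is not the whole story: the packet must also be passed by a rule on the interface it enters (the VLAN tab), and the client must actually have pfSense's address on its segment as its default gateway, which is the point Jimp's quoted comment makes earlier in the thread.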