    PfSense & Netgear Smart Switch - VLAN Problems

    General pfSense Questions
    16 Posts, 3 Posters, 6.8k Views
    kars85:

      @stephenw10:

      Don't you need the pfSense connected port (trunk) to be assigned as tagged for VLAN10 in the switch?

      Steve

      I'll try that.  Below are the screenshots of how VLAN 1 (mgmt) is, and has remained since day 1.  Is it OK that on VLAN1 that every port is untagged?

      Here is how I have VLAN10 setup, based on how I think you suggested. Unfortunately, no luck still :(

      kars85:

        EDIT:

        It looks like setting the switch port the pfSense router is plugged into to Trunk let it get a .10.x DHCP IP!

        stephenw10 (Netgate Administrator):

          If you're still not seeing full success you may want to alter your firewall rule on OPT1 to include UDP (or all protocols) so that DNS can function.

          Steve

          bennyc:

            OK, getting the setup now (I think  ;))
            You took off well (approach). To directly answer your question on vlan1: yes, it is ok to have all members untagged.
            This means vlan1 will be your native vlan (the vlan without tagging (a dot1q field inserted))

            Port 23, where the Cisco router is plugged in, should only belong untagged to vlan 10. (You should remove it from vlan1. Traffic entering this port (ingress) will be marked with the tag so it belongs to vlan 10; traffic leaving this port (egress) will get the tag removed (because your router doesn't need/understand the tag).)

            Port 16, connected to em0, should be configured as untagged member for vlan1, and tagged member for vlan10 (already the case). Basically what you have done by doing so is creating a dot1q trunk on which traffic from vlan1 will go in and out unaltered, and traffic from vlan10 will be marked with that tag.

            For the config from pfSense, I could recommend you to open the proto(col) in the rules to IPv4 TCP/UDP, and allow all (*) for now. Most likely the Cisco is configured for IPsec, and that requires UDP (as does DHCP, as Steve already mentioned).
            Once everything is working, you can narrow down the rules if needed…

            Hope this helps...

            4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
            1x PC Engines APU2C4, 1x PC Engines APU1C4

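To make the tagging rules in bennyc's post concrete, here is an added example (not code from the thread or from Netgear) that models 802.1Q ingress/egress handling for the three kinds of port he describes: port 16 as the dot1q trunk to em0, port 23 as an untagged-only member of VLAN 10, and a plain VLAN 1 port. The PVID rule (an untagged frame is classified into the port's untagged VLAN) is standard 802.1Q behaviour assumed by this model, not a setting quoted from the thread.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Frame:
    src_port: int
    vlan_tag: Optional[int] = None   # None = the frame arrives without a dot1q tag

# Port membership from the thread: port -> {vlan_id: "T" (tagged) | "U" (untagged)}
SWITCH: Dict[int, Dict[int, str]] = {
    16: {1: "U", 10: "T"},   # trunk to pfSense em0: VLAN 1 native, VLAN 10 tagged
    23: {10: "U"},           # Cisco router: untagged member of VLAN 10 only
    1:  {1: "U"},            # any ordinary LAN port, untagged in VLAN 1
}

def pvid(port: int) -> Optional[int]:
    """VLAN assigned to untagged ingress frames (the port's untagged VLAN)."""
    untagged = [v for v, mode in SWITCH[port].items() if mode == "U"]
    return untagged[0] if untagged else None

def ingress_vlan(frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN, or None if the switch drops it."""
    if frame.vlan_tag is None:
        return pvid(frame.src_port)
    # Tagged frames are accepted only on ports that are tagged members of that VLAN.
    return frame.vlan_tag if SWITCH[frame.src_port].get(frame.vlan_tag) == "T" else None

def forward(frame: Frame) -> Dict[int, Optional[int]]:
    """Flood the frame in its VLAN; return {egress_port: tag on the wire (None = untagged)}."""
    vlan = ingress_vlan(frame)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for port, members in SWITCH.items():
        if port == frame.src_port or vlan not in members:
            continue
        out[port] = vlan if members[vlan] == "T" else None
    return out

if __name__ == "__main__":
    # The router's untagged DHCP discover enters port 23, is classified into VLAN 10,
    # reaches pfSense on port 16 carrying tag 10, and never touches the VLAN 1 port.
    print(forward(Frame(23)))               # {16: 10}
    # pfSense's reply leaves em0 tagged 10 and is delivered to the router untagged.
    print(forward(Frame(16, vlan_tag=10)))  # {23: None}
    # Untagged traffic from pfSense stays in the native VLAN 1.
    print(forward(Frame(16)))               # {1: None}
```

If port 23 were left as an untagged member of VLAN 1 as well, its PVID would decide which VLAN the router's untagged frames land in, which is why bennyc says to remove it from vlan1.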
            stephenw10 (Netgate Administrator):

              Good call, I forgot about removing port 23 from the default VLAN.

              You probably want to allow only the required protocols if your purpose is to isolate the Cisco device. Once you have it working you may want to tighten the firewall rules further to restrict the IPs that can connect to it.
              DHCP requests are always allowed into an interface that is running a DHCP server but DNS is not.

              Steve

              Edit: typo

              kars85:

                @bennyc:

                OK, getting the setup now (I think  ;))
                You took off well (approach). To directly answer your question on vlan1: yes, it is ok to have all members untagged.
                This means vlan1 will be your native vlan (the vlan without tagging (a dot1q field inserted))

                Port 23, where the Cisco router is plugged in, should only belong untagged to vlan 10. (You should remove it from vlan1. Traffic entering this port (ingress) will be marked with the tag so it belongs to vlan 10; traffic leaving this port (egress) will get the tag removed (because your router doesn't need/understand the tag).)

                Port 16, connected to em0, should be configured as untagged member for vlan1, and tagged member for vlan10 (already the case). Basically what you have done by doing so is creating a dot1q trunk on which traffic from vlan1 will go in and out unaltered, and traffic from vlan10 will be marked with that tag.

                For the config from pfSense, I could recommend you to open the proto(col) in the rules to IPv4 TCP/UDP, and allow all (*) for now. Most likely the Cisco is configured for IPsec, and that requires UDP (as does DHCP, as Steve already mentioned).
                Once everything is working, you can narrow down the rules if needed…

                Hope this helps...

                Thanks for the tips.  I still have port 23 untagged on VLAN1, so I'll remove that here in a little bit and just leave the VLAN membership as untagged on VLAN10.  You are spot on about the Cisco CVO router running IPsec, I think (see below).  When I was in the system logs looking at the firewall, it was dropping several UDP connection attempts.

                @stephenw10:

                Good call, I forgot about removing port 23 from the default VLAN.

                You probably want to allow only the required protocols if your purpose is to isolate the Cisco device. Once you have it working you may want to tighten the firewall rules further to restrict the IPs that can connect to it.
                DHCP requests are always allowed into an interface that is running a DHCP server but DNS is not.

                Steve

                The network admin gave me the ports as TCP 50, TCP 51, UDP 500, UDP 4500 and optionally IPSec over UDP/TCP - udp port 1000 and tcp port 10000.  However, the system logs > firewall was showing ports in the range of 55xxx as being dropped, so will have to do some digging on that front.

                Thanks, you two, for following up with me.

                  kars85:

                  I must have something in the firewall rules not configured correctly.  My Cisco 7965 VoIP phone keeps trying to register, an indicator that the Cisco CVO router can't talk inbound or outbound (more likely, see below).  But, I plugged in one of my laptops into the VLAN10 switch port directly, got a correctly assigned DHCP lease, but no Internet connectivity.

                  Can anyone help with what pass/block firewall rules I need so the Cisco CVO router can't see anything on my private 192.168.1.x LAN, only its own 192.168.10.x LAN, but can also have free rein in/out on the em1 WAN interface?

                  EDIT:

                  Also tried adding a pass rule from the WAN subnet to my VLAN10 subnet, but still can't ping google.com or browse the Internet from the test laptop I have plugged in.  However, DNS seems to be working, as nslookup google.com gives non-authoritative IPs back.

                  EDIT #2:

                  I changed the default LAN rule from LAN net to * and instead * to *, but still no go.

                    stephenw10 (Netgate Administrator):

                    Do you still have outbound NAT set to automatic? That's the default setting so it will be unless you've changed it.

                    You can't ping because your firewall rule on OPT1 only allows TCP/UDP and ping uses ICMP.

                    Steve

                      kars85:

                      @stephenw10:

                      Do you still have outbound NAT set to automatic? That's the default setting so it will be unless you've changed it.

                      You can't ping because your firewall rule on OPT1 only allows TCP/UDP and ping uses ICMP.

                      Steve

                      Yep - AON is enabled.

                      I'm giving the advice here a try: https://forum.pfsense.org/index.php?topic=78533.msg428398#msg428398 to see if that gets me anywhere.

                        stephenw10 (Netgate Administrator):

                        I have a similar setup on my home box to isolate the guest wifi interface. You will need to do that if you want to isolate the Cisco VoIP device. However, your existing 'allow any' rule should give you internet access on that interface, especially on a laptop connected to it.

                        Check the firewall logs. Do you have more than one gateway listed in System: Routing?

                        Steve

                          kars85:

                          @stephenw10:

                          I have a similar setup on my home box to isolate the guest wifi interface. You will need to do that if you want to isolate the Cisco VoIP device. However, your existing 'allow any' rule should give you internet access on that interface, especially on a laptop connected to it.

                          Check the firewall logs. Do you have more than one gateway listed in System: Routing?

                          Steve

                          Hi Steve,

                          I think I finally got the correct firewall rules in place.  At least, the laptop I had plugged into that VLAN10 port could not ping any devices on 192.168.1.x, but could browse the Internet.

                          I've got a higher precedence rule blocking everything on my 192.168.1.x subnet, with an allow all TCP/UDP under it.  Does this look alright for a long term solution for what I want to accomplish? I can still ping the 192.168.10.x devices from my 192.168.1.x network, but I guess that's alright.

                            stephenw10 (Netgate Administrator):

                            Yes, that should work.
                            You may want to lock it down further. For example devices on OPT1 will have access to the webgui (though it's password protected) and any other services running on the pfSense box.

                            Steve

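As an added illustration (not code from the thread or from pfSense), the following models first-match evaluation of the OPT1 rule set kars85 ended up with (block to 192.168.1.x above a pass for TCP/UDP), and a tightened variant along the lines Steve suggests that also refuses traffic aimed at pfSense itself while keeping DNS. The subnets, protocols and rule order come from the thread; 192.168.10.1 as pfSense's own VLAN 10 address is an assumption, and pfSense's built-in allowance for DHCP on an interface running a DHCP server is not modelled.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Subnets from the thread; pfSense's own OPT1 address (192.168.10.1) is an assumption.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_SELF = ipaddress.ip_network("192.168.10.1/32")

# A rule: (action, protocols or None for any, destination network or None for any,
#          destination port or None for any). The source is implicitly "VLAN10 net".
Rule = Tuple[str, Optional[Set[str]], Optional[ipaddress.IPv4Network], Optional[int]]

THREAD_RULES: List[Rule] = [
    ("block", None, LAN_NET, None),            # higher-precedence block to 192.168.1.x
    ("pass", {"tcp", "udp"}, None, None),      # "allow all TCP/UDP" under it
]

# Tightened: keep DNS to the firewall's resolver, refuse everything else aimed at
# pfSense itself (webgui and other services), then the thread's two rules.
HARDENED_RULES: List[Rule] = [
    ("pass", {"udp"}, FIREWALL_SELF, 53),
    ("block", None, FIREWALL_SELF, None),
    ("block", None, LAN_NET, None),
    ("pass", {"tcp", "udp"}, None, None),
]

def evaluate(rules: List[Rule], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching interface rule wins; no match falls through to the default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, protos, dst_net, port in rules:
        if protos is not None and proto not in protos:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        if port is not None and dst_port != port:
            continue
        return action
    return "block"

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) Internet address.
    print(evaluate(THREAD_RULES, "tcp", "203.0.113.10", 443))    # pass: browsing works
    print(evaluate(THREAD_RULES, "icmp", "8.8.8.8"))             # block: no ICMP rule, so ping fails
    print(evaluate(THREAD_RULES, "tcp", "192.168.1.20", 22))     # block: private LAN is shielded
    print(evaluate(THREAD_RULES, "tcp", "192.168.10.1", 443))    # pass: webgui still reachable
    print(evaluate(HARDENED_RULES, "tcp", "192.168.10.1", 443))  # block
    print(evaluate(HARDENED_RULES, "udp", "192.168.10.1", 53))   # pass: DNS still works
```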
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.