Internet Not Working On VLANs
-
do you have firewall rules for each vlan interface ?
You can now have a "floating rule" that is applied to all interfaces.
For basic filtering this should be sufficient and you don't have to create rules for each (VLAN) interface. -
Work on the first VLAN 10.7.2.1. Make an untagged port on your switch and plug into it. You should get DHCP even without any pass rules on the interface.
If not, doublecheck your VLAN tagged and untagged ports.
Go to the VLAN interface's Firewall > Rules tab and put a Pass any any any rule there just like the one on LAN.
You should have internet and be able to ping 10.7.2.1.
After that, you might be able to save some time using floating rules applied to all the interfaces as suggested above.
Or you might want to get one interface how you like it and script the creation of the rule config to import into /conf/config.xml
Another shortcut is to get an interface rule how you like it, then use the
Add button on that rule's line. Change the interface and the source network and save. The same rule will now be duplicated on that interface. -
any possibility you can post a screenshot, of like what to do for the first VLAN2 for instance. That would help out so much. Thanks
-
Create the VLAN in Interfaces > (assign) > VLANs (first image)
Create an interface on Interfaces -> (assign) by pressing the Add icon
at the bottom right of the interface list.Assign the interface to the VLAN (Second image)
Edit the interface, enable it, and set the IP/netmask (eg 10.7.2.1/24) configure your DHCP server.
The switchport connected to that interface (em0 in my example) needs to have that VLAN (223 in my example) tagged. Any interface configured as untagged VLAN 223 will be on the same VLAN as that router interface, get DHCP, and be able to use that interface for DNS, default gateway, etc.
-
so i did that, for all 200, i assigned them, enabled them, gave each a 24bit subnet mask. i enabled DHCP and made VLANs 2-200 with a range of 2-100 and that was it. thats where im lost now
basically i need to know how to get the VLANs connected to the internet, seems like the firewall isnt set up so its blocking everything, but i dont know how to set up the firewall to pass things through, im doing something wrong -
Look at the default rule on LAN. Duplicate it on one of the VLANs. Are you sure your switch config is correct? Tagged to pfSense, untagged to your station nodes?
-
im going to post some screen shots as soon as it loads.
-
alright, here they are.
untitled and untitled 1 are LAN firewall default settings
untitled 2 is what i changed VLAN2 firewall settings to, i put an arrow next to what i changed
i saw in an earlier reply about changing everything to any any any, just like LAN is, problem with that, is LAN wasnt default any any any
which is my confusion.
should i change the lan to any any any and then do my vlans like that, or what should i do?
-
are you sure you switch is configured correctly?
it looks like a switch issue to me if you have interfaces assigned & allow rules on them ….-
all vlans are tagged on the trunkport 'towards" the pfsense?
-
on the client ports you have the appropriate vlan untagged and have also set the correct PVID ?
-
-
Exactly. There's really nothing else to do in pfSense. With that rule you should be able to get DHCP and ping the interface address. With automatic outbound NAT you should be avle to get at the internet.
What kind of switch are you using? It sounds like it's not configured correctly.
-
alright, well ill test this out, see what happens.
-
alright guys, new question.
hos should i go about setting up the floating rules for my VLANs?
like i know where to go to do it, im just not 100% sure on if id set it up right. -
Was the switch config wrong?
What do you want your floating rules to do?
-
the switch ended up working great, turns out it was that i the rules werent set up right for the VLAN
but my boss deleted all but 2 of the VLANs i set up, so now i gotta reset those up.
I was wondering if how to set up the floating rule for any any any?
i really dont want to set up the same rule for 200 VLANs -
don't use floating rules for that …. create an interface group for this purpose.
-
so the ones that have the rule already set,
should i exclude them from the group
or delete the rules from those and add them to the group,
or does it not really matter? -
or would the best way be to add new rule based on this rule and just change the interface each time, thus creating the same rule for a new VLAN?
-
It really depends on what you want your rules to do, which is what I asked before. What are you trying to accomplish? What do you want each vlan to have/not have access to?
-
thats a very good question, my boss only gives me little pieces as to what i need to do and thats part of the reason im on here, because ive been been working on this for over a week and im over it but, right now my boss wants to get on the internet with each one. i guess that answers my question though, thanks. im just going to add a new rule based on this rule and change the interface.
-
Alright, everyone. Thank you for your help. Got that one up and working perfectly.
But now i have an issue on a new machine, here's a link to that threadhttps://forum.pfsense.org/index.php?topic=86329.0
