VLAN Help
-
Yeah and those are not correct.. So you have your port connected to the port connected to esxi, not tagged at all.. And in native vlan 1.. Not sure what hybrid vlan is? So if that packet leaves the port going to the vswitch without a tag, how would pfsense know to pick it up on its vlan interface?? Would have to look up the manual for that switch..
And then your port on your laptop is native vlan 10, but there is no tagging.. So where does it get tagged 10 so that the switch sends it down the port to esxi tagged? You could prob tag it on the interface in your laptop.
-
To tell you the truth I am not sure what the Dlink "Hybrid" vlan is. Their documentation is pretty sparse. I did look at the other modes but they did not work. They also offer access mode and trunk mode. Access mode seemed to offer either tagged or untagged (not both). Trunk mode (in Dlink terminology) is not the same meaning as Cisco. From what I read I should "tag" a port when another switch/router is connected to the port. When a laptop/device is connected to a port then it needs to be untagged. This setup was the only way I could get a DHCP address in vlan 10.
Let me clarify:
Doesn't traffic get tagged on Port 1? Port 1 is tagged in vlan 10. Due to different manufacturers using terms that mean different things this can get confusing. Don't you think the traffic going to PFSense from vlan 10 is being seen as "tagged" in vlan 10, since I get a dhcp address in the range defined for vlan 10? My laptop receives a dhcp address of 10.10.10.100.
Here is a screen shot of my vswitches in esxi
So I can ping 10.10.10.1 when I am connected to the 192.168.2.0/24 network.
but
When I am connected to vlan 10 and receive the vlan 10 dhcp address of 10.10.10.100, I cannot ping 10.10.10.1, the default gateway.
-
So you get a dhcp address in vlan 10?? Well what are your rules on your vlan interface? When you create new interfaces there are NO rules created.. Other than when you enable dhcp it creates some hidden rules that allow access to the dhcp server.. But until you create rules you're not doing anything else
So for example I allow anything on the ps3 network to talk to any port on the pfsense ps3 address. So ping, UPnP, dns, etc.. And as long as it's not trying to talk to other local networks it can go there..
but your eth 1 setup is native 1 and untagged 1.. Why do you have it in there if you want it to tag 10 for traffic it sees? Should that be native 10 and tagged 10 so that traffic it sees that is untagged will get tagged as 10? That is the way I read the hybrid setup from dlink I just looked at. Not sure why you have 1 listed in there at all if this is an access port you want in vlan 10??
I agree other makers call things differently.. I have an older netgear in the living room. So the uplink to my cisco is on port 4.. So that is tagged 1 and 20.. Then ports are in untagged 1 and untagged 10.. So traffic it sees from untagged ports in the vlans with the pvid being set to the ports as 1 or 20.. Yeah yeah I know bad idea to use vlan 1… But this is a home setup and not real worried about it - makes it easier for setup.
Normally vlan 1 should not be used and all ports should be removed from it, etc. Use some other vlan as your native vlan, etc.
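As an added illustration (not part of this thread and not anyone's posted code), the following Python builds and parses 802.1Q-tagged Ethernet frames to show the point being argued above: a frame that leaves the switch untagged lands on the parent NIC, and only a frame carrying VID 10 reaches the VLAN 10 sub-interface. The interface names em1 and em1_vlan10 and the MAC addresses are assumed sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst_mac, src_mac, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; when vid is given, insert an 802.1Q tag
    (TPID + TCI) between the source MAC and the EtherType."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst_mac + src_mac
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must be 0..4095")
        tci = ((pcp & 0x7) << 13) | vid      # PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, ethertype, frame[18:]

def receiving_interface(frame, parent="em1", vlan_ifaces=None):
    """Decide which pfSense interface would see the frame: untagged frames go to
    the parent NIC, tagged frames go to the sub-interface for that VID, and a VID
    with no sub-interface is dropped (None). Interface names are assumed."""
    vlan_ifaces = vlan_ifaces or {10: "em1_vlan10"}
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return parent
    return vlan_ifaces.get(vid)

if __name__ == "__main__":
    laptop = bytes.fromhex("001122334455")       # constructed sample MACs
    gateway = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 19             # constructed IPv4 header stub
    untagged = build_frame(gateway, laptop, payload)
    tagged = build_frame(gateway, laptop, payload, vid=10)
    print("untagged  ->", receiving_interface(untagged))  # em1: the VLAN 10 interface never sees it
    print("tagged 10 ->", receiving_interface(tagged))    # em1_vlan10
```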
-
I posted a screenshot of the firewall rule in the first post called "Firewall rule.png". I was trying to be as thorough as possible when explaining what I have done and what the problem is.
I have also added a rule similar to your first rule with no change. I still could not ping 10.10.10.1 nor access the internet.
Bill
-
So I changed Port 1 to be native to vlan 10.
Same results. I get DHCP from vlan 10 but cannot ping 10.10.10.1 nor can I access the internet.
-
Well what I would suggest then is sniff on pfsense for these pings.. Do you see them?
-
Would you mind explaining that procedure?
-
click on diag in pfsense and do a packet capture.. Do you see the echo request, the replies? do a sniff on your actual interface in pfsense, your lan, and then do one on your vlan interface.. Where are you seeing the pings, if at all?
Could be firewall on client not sending them?
-
Here is a packet capture. I captured ping traffic from 10.10.10.100 to the vlan 10 interface
10:11:02.198128 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8799, length 64
10:11:03.199463 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8800, length 64
10:11:04.200840 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8801, length 64
10:11:05.201992 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8802, length 64
10:11:06.203285 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8803, length 64
10:11:07.203872 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8804, length 64
10:11:08.204284 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8805, length 64
10:11:09.205265 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8806, length 64
10:11:10.206324 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8807, length 64
10:11:11.207325 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8808, length 64
10:11:12.208180 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8809, length 64
10:11:13.208670 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8810, length 64
10:11:14.209595 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8811, length 64
10:11:15.210582 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8812, length 64
10:11:16.211597 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8813, length 64
10:11:17.212543 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8814, length 64
10:11:18.213504 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8815, length 64
10:11:19.214646 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8816, length 64
10:11:20.215250 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8817, length 64
10:11:21.215954 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8818, length 64
10:11:22.217061 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8819, length 64
10:11:23.217931 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8820, length 64
10:11:24.219165 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8821, length 64
So I told 10.10.10.100 to go to www.google.com. Here are the results of the packet capture
10:15:05.969468 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
10:15:20.102280 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:21.168320 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:22.075780 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
10:15:22.175972 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:22.176013 IP 10.10.10.100.56134 > 192.168.2.182.80: tcp 0
10:15:23.186322 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:24.195843 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:25.203940 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:27.220898 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:31.279850 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
So 192.168.2.182 is the Dlink switch that the VLAN is running through.
-
Then it's your firewall rules on the pfSense interface. What are those?
-
Here are screen shots of the WAN, LAN and VLAN 10 (aka Perk)
Do you think it is defaulting to the switch since it can not ping 10.10.10.1 (default gateway)
![LAN Firewall Rules.PNG](/public/imported_attachments/1/LAN Firewall Rules.PNG)
![VLAN 10 Firewall Rules.PNG](/public/imported_attachments/1/VLAN 10 Firewall Rules.PNG)
![WAN Firewall Rules.PNG](/public/imported_attachments/1/WAN Firewall Rules.PNG)
-
So, to you, google is 192.168.2.182? WTF?
-
Agreed
-
I don't see any response. Is your response going out a different interface?
And yeah why would you be going to 192.168.2?? Your switch? So you have it doing L3 routing?? Makes no sense whatsoever… Even if you're doing that - why would pfsense see that??
Please draw up your network and connections.. And what exactly is this switch? You have it in layer 3 or layer 2 mode? What are you using for name resolution.. So from your laptop you ping www.google.com, what does it resolve to, whether you get an answer or not?
example
C:\>ping www.google.com

Pinging www.google.com [173.194.219.104] with 32 bytes of data:
Reply from 173.194.219.104: bytes=32 time=37ms TTL=43
Reply from 173.194.219.104: bytes=32 time=31ms TTL=43

See how it resolves to a public IP.. How is google resolving and going to a 192.168 address.. So when you sniff that traffic you see it going to the PUBLIC IP, not the layer 2 mac address of your gateway..
Why are you blocking out stuff on your wan rules?? So why would it matter what 192.168 you're forwarding to? Or what port you have open on a public IP we don't even know.. etc.. Here are my wan rules.. What in there is of any use to you? There is nothing there that could tell you what my public IP is.. And so what if you know I forward ntp to 192.168.9.40 etc. etc..
-
Will do.
Not sure what it was capturing before but here is a current capture when I was trying to access Gmail and google
11:24:57.292137 IP 10.10.10.100.26355 > 10.10.10.1.53: UDP, length 32
11:24:58.610403 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:58.610480 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:58.610820 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:24:58.611130 IP 10.10.10.100.34032 > 10.10.10.1.53: UDP, length 33
11:24:59.467975 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:24:59.468723 IP 10.10.10.100.48083 > 10.10.10.1.53: UDP, length 33
11:24:59.619083 IP 10.10.10.100.12233 > 10.10.10.1.53: UDP, length 33
11:24:59.683743 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:59.683783 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:59.683790 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:25:00.476468 IP 10.10.10.100.16616 > 10.10.10.1.53: UDP, length 33
11:25:00.543845 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:25:01.634207 IP 10.10.10.100.62528 > 10.10.10.1.53: UDP, length 33
-
and that is 53.. So yeah it's asking hey dns server 10.10.10.1, what is the IP address of whatever it was you were doing a query for.. Doesn't seem to be getting an answer. Do you have dns listening on that IP?
I don't see pfsense sending any answers, not to the ping or the dns query.
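As an added illustration (not from the thread and not the poster's code), here is a small Python parser for the tcpdump-style lines that the pfSense packet capture prints. It pairs every flow with its reverse direction and reports the flows that never got a reply, which is the symptom read off the captures above: requests toward 10.10.10.1 and no answers. The sample capture is constructed from lines posted in the thread plus one invented DNS reply so that an answered flow is visible too.

```python
import re
from collections import defaultdict

# Matches lines such as: 10:11:02.198128 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, ...
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")

def split_endpoint(endpoint):
    """'10.10.10.100.56174' -> ('10.10.10.100', 56174); a bare IP (ICMP) gets port None."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None

def parse_capture(text):
    """Parse tcpdump-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        proto = m["info"].split()[0].rstrip(",").lower()   # icmp / tcp / udp
        records.append({"ts": m["ts"], "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": m["info"]})
    return records

def unanswered_flows(records):
    """Count packets whose reverse flow (dst->src with ports swapped) never appears.
    Result key: (proto, src, dst, dport). A host that gets DHCP but no echo or DNS
    replies shows up as every flow toward the gateway being unanswered."""
    seen = {(r["proto"], r["src"], r["sport"], r["dst"], r["dport"]) for r in records}
    counts = defaultdict(int)
    for r in records:
        reverse = (r["proto"], r["dst"], r["dport"], r["src"], r["sport"])
        if reverse not in seen:
            counts[(r["proto"], r["src"], r["dst"], r["dport"])] += 1
    return dict(counts)

# Constructed sample: lines from the thread plus one invented DNS reply (last line).
SAMPLE = """\
10:11:02.198128 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8799, length 64
10:11:03.199463 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8800, length 64
10:15:05.969468 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
11:24:57.292137 IP 10.10.10.100.26355 > 10.10.10.1.53: UDP, length 32
11:24:58.610403 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:58.611000 IP 10.10.10.1.53 > 10.10.10.100.61779: UDP, length 63
"""

if __name__ == "__main__":
    for flow, n in unanswered_flows(parse_capture(SAMPLE)).items():
        print(f"{n:3d} unanswered  {flow[0]:5s} {flow[1]} -> {flow[2]} port {flow[3]}")
```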
-
So I am wondering if my issue could be linked to the following:
My network has been a flat network with unmanaged switch. Now I am implementing a managed switch with default vlan 1. My flat network is 192.168.2.0/24. It currently has internet utilizing pfsense.
Port 24 that my laptop plugs into has vlan 10 "untagged" along with vlan 1. Although the dlink allowed me to untag both vlans on the same port, I am wondering if this could be the source of my problem.
Here is something new that I found this morning while troubleshooting:
Earlier I reported that while my laptop was in vlan 10 with an address of 10.10.10.100 and a default gateway of 10.10.10.1, I could not ping 10.10.10.1. When I am on the flat network 192.168.2.0/24, I can ping 10.10.10.1. This morning I created a firewall rule that allows vlan10 to the lan. I could then ping 10.10.10.1 when my laptop was in vlan10.
Thoughts?
Thanks for helping out
Bill
-
if your laptop is supposed to be in 10.10.10 and this is vlan 10.. Then the only network on that switch port should be vlan 10. You should be able to ping pfsense on 10.10.10.1 from the vlan; you shouldn't need any rules to allow vlan 10 to lan.. But pretty sure your rules were any any, so that automatically gives access to any other lan or segments, etc.
You should also be able to ping the 192.168.2 network from vlan 10.. Until you create such a rule to block it on the vlan 10 interface in pfsense.
-
Port 24 that my laptop plugs into has vlan 10 "untagged" along with vlan 1. Although the dlink allowed me to untag both vlans on the same port, I am wondering if this could be the source of my problem.
Whatever else might be going on, you cannot have two untagged VLANs on a port - trunk, access, hybrid, dual-mode, general or whatever.
Access ports to your laptop should be untagged VLAN 10.
-
So I finally just resolved the issue.
1. Mistake I made was to have 2 vlans untagged on port 24. I changed the port to an access port untagged in vlan 10.
2. I did not have an outbound nat rule for the 10.10.10.0/24 network. This was probably my fault because at one time I set it to manual, so the rule did not get auto created.
3. I had to reboot PFsense for the new nat rule to take effect.
I wanted to thank you guys for helping out!
Bill