VLAN Help
-
Would you mind explaining that procedure?
-
Click on diag in pfsense and do a packet capture.. Do you see the echo request, the replies? Do a sniff on your actual interface in pfsense, your lan, and then do one on your vlan interface.. Where are you seeing the pings, if at all?
Could be the firewall on the client not sending them?
-
Here is a packet capture. I captured ping traffic from 10.10.10.100 to the VLAN 10 interface:
```
10:11:02.198128 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8799, length 64
10:11:03.199463 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8800, length 64
10:11:04.200840 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8801, length 64
10:11:05.201992 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8802, length 64
10:11:06.203285 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8803, length 64
10:11:07.203872 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8804, length 64
10:11:08.204284 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8805, length 64
10:11:09.205265 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8806, length 64
10:11:10.206324 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8807, length 64
10:11:11.207325 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8808, length 64
10:11:12.208180 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8809, length 64
10:11:13.208670 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8810, length 64
10:11:14.209595 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8811, length 64
10:11:15.210582 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8812, length 64
10:11:16.211597 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8813, length 64
10:11:17.212543 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8814, length 64
10:11:18.213504 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8815, length 64
10:11:19.214646 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8816, length 64
10:11:20.215250 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8817, length 64
10:11:21.215954 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8818, length 64
10:11:22.217061 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8819, length 64
10:11:23.217931 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8820, length 64
10:11:24.219165 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8821, length 64
```
So I told 10.10.10.100 to go to www.google.com. Here are the results of the packet capture:
```
10:15:05.969468 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
10:15:20.102280 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:21.168320 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:22.075780 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
10:15:22.175972 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:22.176013 IP 10.10.10.100.56134 > 192.168.2.182.80: tcp 0
10:15:23.186322 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:24.195843 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:25.203940 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:27.220898 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
10:15:31.279850 IP 10.10.10.100.56212 > 192.168.2.182.80: tcp 0
```
So 192.168.2.182 is the Dlink switch that the VLAN is running through.
-
Then it's your firewall rules on the pfSense interface. What are those?
-
Here are screenshots of the WAN, LAN and VLAN 10 (aka Perk).
Do you think it is defaulting to the switch since it cannot ping 10.10.10.1 (default gateway)?
![LAN Firewall Rules.PNG](/public/imported_attachments/1/LAN Firewall Rules.PNG)
![VLAN 10 Firewall Rules.PNG](/public/imported_attachments/1/VLAN 10 Firewall Rules.PNG)
![WAN Firewall Rules.PNG](/public/imported_attachments/1/WAN Firewall Rules.PNG)
-
So, to you, google is 192.168.2.182? WTF?
-
Agreed
-
I don't see any response. Is your response going out a different interface?
And yeah, why would you be going to 192.168.2?? Your switch? So you have it doing L3 routing?? Makes no sense whatsoever… Even if you're doing that - why would pfsense see that??
Please draw up your network and connections.. And what exactly is this switch? Do you have it in layer 3 or layer 2 mode? What are you using for name resolution.. So from your laptop you ping www.google.com, what does it resolve to, be it you get an answer or not?
example
```
C:\>ping www.google.com
Pinging www.google.com [173.194.219.104] with 32 bytes of data:
Reply from 173.194.219.104: bytes=32 time=37ms TTL=43
Reply from 173.194.219.104: bytes=32 time=31ms TTL=43
```
See how it resolves to a public IP.. How is google resolving and going to a 192.168 address.. So when you sniff that traffic you see it going to the PUBLIC IP, not the layer 2 mac address of your gateway..
Why are you blocking out stuff on your wan rules?? So why would it matter what 192.168 you're forwarding to? Or what port you have open on a public IP we don't even know.. etc.. Here are my wan rules.. What in there is of any use to you? There is nothing there that could tell you what my public IP is.. And so what if you know I forward ntp to 192.168.9.40 etc. etc..
-
Will do.
Not sure what it was capturing before, but here is a current capture from when I was trying to access Gmail and Google:
```
11:24:57.292137 IP 10.10.10.100.26355 > 10.10.10.1.53: UDP, length 32
11:24:58.610403 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:58.610480 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:58.610820 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:24:58.611130 IP 10.10.10.100.34032 > 10.10.10.1.53: UDP, length 33
11:24:59.467975 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:24:59.468723 IP 10.10.10.100.48083 > 10.10.10.1.53: UDP, length 33
11:24:59.619083 IP 10.10.10.100.12233 > 10.10.10.1.53: UDP, length 33
11:24:59.683743 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:59.683783 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:59.683790 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:25:00.476468 IP 10.10.10.100.16616 > 10.10.10.1.53: UDP, length 33
11:25:00.543845 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:25:01.634207 IP 10.10.10.100.62528 > 10.10.10.1.53: UDP, length 33
```
-
And that is 53.. So yeah, it's asking, hey DNS server 10.10.10.1, what is the IP address of whatever it was you were doing a query for.. Doesn't seem to be getting an answer. Do you have DNS listening on that IP?
I don't see pfsense sending any answers, not to the ping or the DNS query.
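The observation above (requests to 10.10.10.1 with no replies coming back) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from pfSense: it parses tcpdump text lines in the format pasted above, pairs both directions of each flow, and lists server endpoints that were sent traffic but never answered. The sample input reuses lines from the captures above plus one constructed DNS reply.

```python
"""Find one-way flows in tcpdump text output (added example, not from the thread)."""
import re
from collections import defaultdict

# One tcpdump line: "HH:MM:SS.usec IP src[.port] > dst[.port]: <rest>"
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def parse(line):
    """Return (proto, src, sport, dst, dport), ports "" for ICMP, or None if not a packet."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    proto = "icmp" if rest.startswith("ICMP") else "udp" if rest.startswith("UDP") else "tcp"
    return proto, m["src"], m["sport"] or "", m["dst"], m["dport"] or ""

def flow_summary(capture):
    """Pair both directions of each flow (same proto and endpoint pair, either order),
    then total packets sent to and received from each server endpoint."""
    flows = {}
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        proto, src, sport, dst, dport = pkt
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        # The first packet seen in a flow decides who is client and who is server.
        flow = flows.setdefault(key, {"client": (src, sport), "server": (dst, dport), "sent": 0, "replies": 0})
        flow["sent" if (src, sport) == flow["client"] else "replies"] += 1
    summary = defaultdict(lambda: {"sent": 0, "replies": 0})
    for (proto, _), flow in flows.items():
        endpoint = (proto,) + flow["server"]
        summary[endpoint]["sent"] += flow["sent"]
        summary[endpoint]["replies"] += flow["replies"]
    return dict(summary)

def silent_servers(capture):
    """Endpoints that were sent traffic but never answered: the symptom in the thread."""
    return sorted(ep for ep, c in flow_summary(capture).items() if c["replies"] == 0)

# Sample input: lines quoted from the captures above plus one constructed DNS reply (last line).
SAMPLE = """\
10:11:02.198128 IP 10.10.10.100 > 10.10.10.1: ICMP echo request, id 45428, seq 8799, length 64
10:15:05.969468 IP 10.10.10.100.56174 > 192.168.2.182.80: tcp 0
11:24:57.292137 IP 10.10.10.100.26355 > 10.10.10.1.53: UDP, length 32
11:24:58.610480 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:58.610520 IP 10.10.10.1.53 > 10.10.10.100.60416: UDP, length 50
"""
```

Running `silent_servers(SAMPLE)` reports the ICMP target 10.10.10.1 and the TCP target 192.168.2.182:80 as never answering, while the DNS endpoint drops out once a single reply is present.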
-
So I am wondering if my issue could be linked to the following:
My network has been a flat network with an unmanaged switch. Now I am implementing a managed switch with default VLAN 1. My flat network is 192.168.2.0/24. It currently has internet utilizing pfsense.
Port 24 that my laptop plugs into has VLAN 10 "untagged" along with VLAN 1. Although the Dlink allowed me to untag both VLANs on the same port, I am wondering if this could be the source of my problem.
Here is something new that I found this morning while troubleshooting:
Earlier I reported that while my laptop was in VLAN 10 with an address of 10.10.10.100 and a default gateway of 10.10.10.1, I could not ping 10.10.10.1. When I am on the flat network 192.168.2.0/24, I can ping 10.10.10.1. This morning I created a firewall rule that allows VLAN 10 to the LAN. I could then ping 10.10.10.1 when my laptop was in VLAN 10.
Thoughts?
Thanks for helping out
Bill
-
If your laptop is supposed to be in 10.10.10 and this is vlan 10.. Then the only network on that switch port should be vlan 10. You should be able to ping pfsense on 10.10.10.1 from vlan 10; you should need any rules to allow vlan 10 to lan.. But pretty sure your rules were any any, so that automatically gives access to any other lan or segments, etc.
You should also be able to ping the 192.168.2 network from vlan 10.. Until you create a rule to block it on the vlan 10 interface in pfsense.
-
> Port 24 that my laptop plugs into has VLAN 10 "untagged" along with VLAN 1. Although the Dlink allowed me to untag both VLANs on the same port, I am wondering if this could be the source of my problem.

Whatever else might be going on, you cannot have two untagged VLANs on a port - trunk, access, hybrid, dual-mode, general or whatever.
Access ports to your laptop should be untagged VLAN 10.
-
So I finally just resolved the issue.
1. The mistake I made was to have 2 VLANs untagged on port 24. I changed the port to an access port, untagged in VLAN 10.
2. I did not have an outbound NAT rule for the 10.10.10.0/24 network. This was probably my fault because at one time I set it to manual, so the rule did not get auto-created.
3. I had to reboot pfSense for the new NAT rule to take effect.
I wanted to thank you guys for helping out!
Bill
-
> I had to reboot pfSense for the new NAT rule to take effect.

No, you didn't, but glad it's working. What's with these switches allowing multiple VLANs untagged on a port? That's twice today.