VLAN Help
-
Then it's your firewall rules on the pfSense interface. What are those?
-
Here are screen shots of the WAN, LAN and VLAN 10 (aka Perk)
Do you think it is defaulting to the switch since it cannot ping 10.10.10.1 (default gateway)?
![LAN Firewall Rules.PNG](/public/imported_attachments/1/LAN Firewall Rules.PNG)
![VLAN 10 Firewall Rules.PNG](/public/imported_attachments/1/VLAN 10 Firewall Rules.PNG)
![WAN Firewall Rules.PNG](/public/imported_attachments/1/WAN Firewall Rules.PNG)
-
So, to you, google is 192.168.2.182? WTF?
-
Agreed
-
I don't see any response. Is your response going out a different interface?
And yeah, why would you be going to 192.168.2?? Your switch? So you have it doing L3 routing?? Makes no sense whatsoever… Even if you are doing that - why would pfSense see that??
Please draw up your network and connections.. And what exactly is this switch? You have it in layer 3 or layer 2 mode? What are you using for name resolution.. So from your laptop you ping www.google.com, what does it resolve to, whether you get an answer or not?
example
```
C:>ping www.google.com

Pinging www.google.com [173.194.219.104] with 32 bytes of data:
Reply from 173.194.219.104: bytes=32 time=37ms TTL=43
Reply from 173.194.219.104: bytes=32 time=31ms TTL=43
```
See how it resolves to a public IP.. How is google resolving and going to a 192.168 address.. So when you sniff that traffic you see it going to the PUBLIC IP, not the layer 2 MAC address of your gateway..
Why are you blocking out stuff on your WAN rules?? So why would it matter what 192.168 you're forwarding to? Or what port you have open on a public IP we don't even know.. etc.. Here are my WAN rules.. What in there is of any use to you? There is nothing there that could tell you what my public IP is.. And so what if you know I forward NTP to 192.168.9.40 etc. etc..
-
Will do.
Not sure what it was capturing before, but here is a current capture from when I was trying to access Gmail and Google:
```
11:24:57.292137 IP 10.10.10.100.26355 > 10.10.10.1.53: UDP, length 32
11:24:58.610403 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:58.610480 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:58.610820 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:24:58.611130 IP 10.10.10.100.34032 > 10.10.10.1.53: UDP, length 33
11:24:59.467975 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:24:59.468723 IP 10.10.10.100.48083 > 10.10.10.1.53: UDP, length 33
11:24:59.619083 IP 10.10.10.100.12233 > 10.10.10.1.53: UDP, length 33
11:24:59.683743 IP 10.10.10.100.61779 > 10.10.10.1.53: UDP, length 47
11:24:59.683783 IP 10.10.10.100.60416 > 10.10.10.1.53: UDP, length 34
11:24:59.683790 IP 10.10.10.100.53777 > 10.10.10.1.53: UDP, length 37
11:25:00.476468 IP 10.10.10.100.16616 > 10.10.10.1.53: UDP, length 33
11:25:00.543845 IP 10.10.10.100.55954 > 10.10.10.1.53: UDP, length 31
11:25:01.634207 IP 10.10.10.100.62528 > 10.10.10.1.53: UDP, length 33
```
-
And that is 53.. So yeah, it's asking, hey DNS server 10.10.10.1, what is the IP address of whatever it is you were doing a query for.. Doesn't seem to be getting an answer. Do you have DNS listening on that IP?
I don't see pfSense sending any answers, not to ping or DNS query.
-
So I am wondering if my issue could be linked to the following:
My network has been a flat network with an unmanaged switch. Now I am implementing a managed switch with default VLAN 1. My flat network is 192.168.2.0/24. It currently has internet utilizing pfSense.
Port 24 that my laptop plugs into has VLAN 10 "untagged" along with VLAN 1. Although the D-Link allowed me to untag both VLANs on the same port, I am wondering if this could be the source of my problem.
Here is something new that I found this morning while troubleshooting:
Earlier I reported that while my laptop was in VLAN 10 with an address of 10.10.10.100 and a default gateway of 10.10.10.1, I could not ping 10.10.10.1. When I am on the flat network 192.168.2.0/24, I can ping 10.10.10.1. This morning I created a firewall rule that allows VLAN 10 to the LAN. I could then ping 10.10.10.1 when my laptop was in VLAN 10.
Thoughts?
Thanks for helping out
Bill -
If your laptop is supposed to be in 10.10.10 and this is VLAN 10, then the only network on that switch port should be VLAN 10. You should be able to ping pfSense on 10.10.10.1 from that VLAN; you shouldn't need any rules to allow VLAN 10 to LAN.. But pretty sure your rules were any any, so that automatically gives access to any other LAN or segments, etc.
You should also be able to ping the 192.168.2 network from VLAN 10.. Until you create such a rule to block it on the VLAN 10 interface in pfSense.
-
Port 24 that my laptop plugs into has VLAN 10 "untagged" along with VLAN 1. Although the D-Link allowed me to untag both VLANs on the same port, I am wondering if this could be the source of my problem.
Whatever else might be going on, you cannot have two untagged VLANs on a port - trunk, access, hybrid, dual-mode, general or whatever.
Access ports to your laptop should be untagged VLAN 10.
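As an added example, not from the thread, here is a small Python check for the port membership mistake described above. It uses a constructed model of a D-Link style port table where each port maps VLAN id to tagged or untagged, flags any port with more than one untagged VLAN, and shows the access-port form of the fix.

```python
# Constructed model of the switch port membership from the thread: port 24 reproduces the
# misconfiguration (two untagged VLANs), port 1 is a correct access port for the laptop,
# port 2 is a correct trunk to pfSense (VLAN 1 untagged, VLAN 10 tagged).
SWITCH_PORTS = {
    1:  {10: "untagged"},
    2:  {1: "untagged", 10: "tagged"},
    24: {1: "untagged", 10: "untagged"},
}

def untagged_vlans(members):
    """VLAN ids a port carries without an 802.1Q tag, sorted for stable output."""
    return sorted(v for v, mode in members.items() if mode == "untagged")

def check_ports(ports):
    """Return {port: problem} for ports that cannot work as configured.
    A port may carry any number of tagged VLANs but at most one untagged (PVID) VLAN,
    because an untagged frame carries nothing that says which VLAN it belongs to."""
    problems = {}
    for port, members in ports.items():
        u = untagged_vlans(members)
        if len(u) > 1:
            problems[port] = (f"{len(u)} untagged VLANs {u}; untagged ingress frames "
                              f"can only be assigned to one PVID")
        elif not members:
            problems[port] = "no VLAN membership"
    return problems

def as_access_port(vlan):
    """The fix from the thread: a single untagged VLAN and nothing else on the port."""
    return {vlan: "untagged"}
```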
-
So I finally just resolved the issue.
1. The mistake I made was to have 2 VLANs untagged on port 24. I changed the port to an access port, untagged in VLAN 10.
2. I did not have an outbound NAT rule for the 10.10.10.0/24 network. This was probably my fault because at one time I set it to manual, so the route did not get auto-created.
3. I had to reboot pfSense for the new NAT rule to take effect.
I wanted to thank you guys for helping out!
Bill -
I had to reboot pfSense for the new NAT rule to take effect.
No, you didn't, but glad it's working. What's with these switches allowing multiple VLANs untagged on a port? That's twice today.