Typical setup and the same issue over and over! L3 switch + Pfsense, Need help!
-
Hmm, Derelict,
I performed your steps,
You can see on the image that I tried to ping from a host in VLAN3 to the gateway of another VLAN, VLAN2, and did not succeed; I got a TTL error. I know the routing on the switch works.
Why is the host using the pfSense router's gateway to communicate with a host in another VLAN? That is very odd.
Also on the image regarding the modem settings, you can see the 10.218.1.88 network is set for outbound. I used that to temporarily access the internet, I believe, when I configured my new ADSL modem, which is in bridged mode.
I also do not know whether the Rules list is correct after reading your steps,…


-
A TTL error usually means you have a routing loop: the traffic never reaches its destination but bounces back and forth.
Traffic between VLAN2 and VLAN3 will be handled entirely by your layer 3 switch. pfSense has nothing to do with it. Did you create SVIs for all your VLANs?
-
Hmm,…
I knew you would mention that. I do not know what happened here, but I now have a ping between hosts on all VLANs. I powered the trunked switch, telnetted from that switch to the routing switch to check the VLANs, and now it works. That is odd!
Derelict, did you see my images?
I successfully pinged the pfSense box from a host on VLAN 3 and I can access the webserver right now.
However, I still cannot access the internet from the host. I have set the DNS IP of the host to 10.218.1.90, thus the IP of pfSense,... Did you see my images?
Can you see what is obsolete/wrong in the Rules list?
What regarding the screenshot about the bridged modem on the NAT rules outbound?
-
You need to resolve names, route to pfSense, route out WAN and probably NAT in order to get internet from the switch VLANs. Check all that.
-
Hmm,
I tried everything you said,
Now my hosts can reach the firewall but cannot access the internet.
I tried to logically play with the rules based on the already existing ones, the ones created automatically for the 10.218.1.88/30 subnet, so when I give my PC an IP of 10.218.1.89 it is NATting fine.
When I add the VLAN subnets to the rules or in NAT, the hosts cannot reach the internet. There must be something I overlooked,… but it is very difficult to figure out what. Like I said before, the configuration of pfSense is too complex for this kind of simple and stupid setup.
I added 2 more images,... If you are willing to analyze them,...
Thank you
-
I have a question: in the second picture you have the rules set to manual configuration, but on the right side they say auto created? I am wondering because I am running an L3 switch behind pfSense. Mine is still set to auto.
-
Well,
I followed
https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
I have a modem with a router in bridged mode. This is what I had to do for internet access.
-
Here is my first setup one evening. I don't know if it is right, but it works. I never got a /30 mask to work for me, as I probably did something wrong.
I am running a modem in bridge mode also and I have skipped the IP network on the modem so I can pull up the stats. It is found using the default gateway.
https://forum.pfsense.org/index.php?topic=105825.msg591728#msg591728
PS
I just tried accessing my modem and it does not work. I guess it worked when I was using a router. I just noticed there is a firewall rule to block all private IP addresses. I may have to add one to allow the modem's IP out of pfSense. The ISP is going to block it, as private IP addresses are not routable. So I don't have a tested answer for accessing the modem.
PPS
Added the rule to allow 192.168.1.100 to pass the WAN interface. The problem I have now is I cannot escalate the rule higher than the general rule blocking all private IP addresses.
-
Like I said before, the configuration of pfsense is too complex for this kind of simple and stupid setup.
A two-router set up is anything but simple for those not used to it.
It is actually quite straightforward.
-
I have a question: in the second picture you have the rules set to manual configuration, but on the right side they say auto created? I am wondering because I am running an L3 switch behind pfSense. Mine is still set to auto.
I am not sure which version added it but some time ago pfSense got smarter about adding static routes to automatic outbound NAT in addition to LAN interface networks.
-
I added 2 more images,…If you are willing to analyze them,...
That looks good. You are going to have to provide more information than "cannot reach the internet." It's impossible to tell from that if you have a routing problem, NAT problem, DNS problem, DHCP problem, Layer 2 problem, etc.
Can the hosts on the L3 switch ping 8.8.8.8? How about 10.218.1.90? How about whatever DHCP is giving them as a default gateway which should be the VIF on the L3 switch for their segment???
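Derelict's ladder of checks (default gateway, then pfSense, then a public IP, then name resolution) written out as a small POSIX shell script. This is an added example, not code from the thread or from the pfSense project. The pfSense address 10.218.1.90 is taken from the thread; the gateway address 10.218.1.1, the test hostname, and the use of ping and nslookup as probes are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Diagnostic ladder for "host on an L3-switch VLAN cannot reach the internet".
# Each step only makes sense once the previous one passes, so the script stops
# at the first failing layer and names it.

GATEWAY="${GATEWAY:-10.218.1.1}"        # assumed: the SVI of this host's VLAN on the L3 switch
PFSENSE="${PFSENSE:-10.218.1.90}"       # pfSense LAN address as given in the thread
PUBLIC_IP="${PUBLIC_IP:-8.8.8.8}"       # a public address that answers ICMP
TEST_NAME="${TEST_NAME:-example.com}"   # assumed: any name the resolver should answer for

# probe_icmp ADDR -> exit 0 if ADDR answers a single ping.
# PROBE_CMD lets a test substitute a fake probe for the real ping.
probe_icmp() {
    ${PROBE_CMD:-ping -c 1} "$1" >/dev/null 2>&1
}

# probe_dns NAME -> exit 0 if the host's configured resolver answers for NAME.
probe_dns() {
    ${RESOLVE_CMD:-nslookup} "$1" >/dev/null 2>&1
}

# diagnose -> prints one line naming the first layer that fails; the exit code
# identifies that layer (1 = L2/VLAN, 2 = routing, 3 = NAT/WAN, 4 = DNS, 0 = all good).
diagnose() {
    if ! probe_icmp "$GATEWAY"; then
        echo "L2/VLAN problem: cannot reach default gateway $GATEWAY (check VLAN membership, SVI and trunk)"
        return 1
    fi
    if ! probe_icmp "$PFSENSE"; then
        echo "routing problem: gateway answers but $PFSENSE does not (check the switch default route and the pfSense route back to the VLAN subnets)"
        return 2
    fi
    if ! probe_icmp "$PUBLIC_IP"; then
        echo "NAT/WAN problem: pfSense answers but $PUBLIC_IP does not (check outbound NAT covers the VLAN subnets and the rules on the VLAN-facing interface)"
        return 3
    fi
    if ! probe_dns "$TEST_NAME"; then
        echo "DNS problem: IP connectivity works but $TEST_NAME does not resolve (check the resolver listens on the interface and allows the VLAN subnets)"
        return 4
    fi
    echo "all checks passed"
    return 0
}

# Only run the real probes when invoked as: sh diag.sh run
case "${1:-}" in
    run) diagnose ;;
esac
```

Run it on a host in one of the switch VLANs with `sh diag.sh run`. The first failing line is the layer to fix next; a resolver that does not answer for the VLAN subnets, which is what the thread eventually turned out to be about, shows up as the last check with every ping before it succeeding.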
-
I have a question: in the second picture you have the rules set to manual configuration, but on the right side they say auto created? I am wondering because I am running an L3 switch behind pfSense. Mine is still set to auto.
I am not sure which version added it but some time ago pfSense got smarter about adding static routes to automatic outbound NAT in addition to LAN interface networks.
Yes, my outbound NAT routes were added automatically with pfSense v2.2.6.
-
Derelict, >:(
I think we have got winner!!! ;D
I was about to throw the Tyan GS10 through the window along with the firewall :P
You mentioned to check other factors that might block web access.
I was thinking about a misconfigured NAT or rule; you said it could be anything, well, it turned out to be the resolver ::)
I should have known that as I was a former IPCop user.
Derelict, I would say BRAVO. I have learned a lot about pfSense in a short time and will continue exploiting it to some degree at least.
I will move forward to the access lists and fine-tuning.
Many thanks
Sincerely,
IRIXos
I HATE FreeBSD desktops