OPT1 no internet access
-
"from pfsense LAN it goes to a switch and on this switch i have a laptop
from OPT it also goes to a switch and i have a pc on it"
So is this a VLAN switch and do you have your different ports in different VLANs, or are you running different layer 3 networks on the same layer 2?
-
By default, only LAN gets a firewall rule to allow access out. For all other local interfaces, you must add the rule yourself. As you discovered, adding the rule made it work.
-
John, it's just a normal TP-Link switch, nothing special. I could connect the LAN directly, I just didn't.
@Kom, yeah I figured that out, I had set a rule, just not the right one. Finally got internet to work; I just can't figure out the captive portal, but that is another story I need to search for. No luck yet.
-
Post your problem in the Captive Portal forum and someone will see it.
-
"John its just a normal tlink switch nothing special"
So a dumb switch that you did not set up any VLAN ports on?
Well then
"from pfsense LAN it goes to a switch and on this switch i have a laptop
from OPT it also goes to a switch and i have a pc on it"
is a borked setup before you're even getting started… You do not run different layer 3 networks over the same layer 2.
If you want to have more than 1 network, get another dumb switch and connect that and the devices you want on that network to your opt1 interface. Or get a VLAN switch and set up the port connected to LAN in 1 VLAN, and the port connected to opt2 in another VLAN. And then put your different ports on that switch in the VLAN/network you want them to be in. Just plugging multiple layer 3 networks into the same dumb switch is BORKED!!
-
John,
I feel we are not understanding each other. I am totally new with pfSense and I haven't read anything yet about VLANs because I thought it was not needed right now. The setup I have I just copied from someone who already had set up his pfSense, which is a pfSense box with 3 network cards: WAN, LAN and OPT1. LAN is needed for OFFICE stuff and OPT is for GUESTS in a hotel. This setup has been running in that hotel for 2 years.
If this is the correct way I do not know. For testing purposes, what I am doing right now is just using a VLAN switch, 2 of them, for each interface, and everything is working at this moment; I got internet on both interfaces, which is what I needed.
I could also directly connect from LAN to the laptop; just the OPT has a router behind it to test the wireless devices.
Hope this is better to understand what my setup is.
-
What you're not understanding is the difference between layer 2 and layer 3, it seems. A dumb switch (what specific model do you have?) is only 1 layer 2 network. So you should only run 1 layer 3 network on that.
I am not talking about VLAN tagging, I am talking about just putting the specific ports into a different layer 2. pfSense sees it as just a native network; you don't have to do anything with pfSense other than plug it into your port on your switch.
A smart or managed switch will allow for creation of multiple layer 2 networks. Be it native untagged or tagged depends on your use case, etc. But you don't just run multiple layer 3 networks (192.168.0/24, 192.168.1/24, 10.0.14/24, etc. etc.) on the same layer 2.
-
Hey John,
You're right, I do not have much knowledge about layer 2 and 3 at this moment. I also googled to see what the difference is and am trying to understand the meaning of it.
What I understand is that a managed layer 3 switch can have more layer 2 networks, just like you said. That would mean that I just needed 1 network, LAN, and a layer 3 switch to do the same as 2 networks, LAN and OPT1, if I got it correctly.
The "dumb" switch I have is a TL-SG1005D.
-
You do not need a layer 3 switch, you just need a smart switch that understands VLANs and allows you to create multiple layer 2 networks, be it native based upon ports or tagged.
So you have a TL-SG1005D; if you had a TL-SG105E then you could do VLANs. I show it currently for $30 on Amazon:
https://www.amazon.com/TP-LINK-Gigabit-Ethernet-Managed-TL-SG105E/dp/B00N0OHEMA
You could get the 8 port model for $5 more.
So with 2 dumb switches you could create your networks like the 1st pic.
With a smart switch that does VLANs you could get more advanced.
The 2nd pic would just be native port-based VLANs without any tagging, and you can pick which VLAN (layer 2) network each port is in.
In the 3rd pic you can do a combination where ports are native VLAN without tagging, or tagged when going to another device that would have multiple devices connected in different VLANs. So if you had an AP that can do VLANs you could have multiple SSIDs, and depending on which SSID you connect to it would put you in a different network. Lots of options in this sort of setup. pfSense could use just 1 connection to your switch and you have the switch tag the traffic going to pfSense so it knows which VLAN the traffic belongs to. Or you could use multiple connections to pfSense with no tagging like the 2nd pic and then have your AP with multiple SSIDs in different VLANs, etc. Lots of options.
But what you're doing with a dumb switch is running multiple layer 3 networks (192.168.1/24, 192.168.0/24) on the same layer 2, i.e. the same wire. This is a borked configuration and should be avoided. So either get a 2nd dumb switch to isolate your networks or use a smart/managed switch that allows you to create multiple layer 2 networks, i.e. multiple switches in the same box is all that is.
edit: Think of it this way. You own a bar and you have a keg of IPA beer and a keg of Stout beer. Do you connect both types of beer to the same tap? Or do you have a tap connected to the IPA and a tap connected to the Stout, and you use the tap you want depending on the type of beer you want?
With tagging of VLANs you're allowed to run multiple networks on the same physical wire, so the analogy breaks down a bit. But with tagged VLANs you can run both IPA and Stout over the same line, and the tap can determine if you want IPA or Stout; it can even filter it so you could put 2 glasses under the tap and one would fill with IPA and the other would fill with Stout, no mixing.
So while the beer would flow over the same physical line, the beer would be marked so the tap, i.e. pfSense or the switch port, can tell what type of beer it is and only send the correct beer to the correct place.
-
I haven't seen your reply on this, thanks for the explanation :) I will surely get into this in the future and try to improve the networks.
For now I will just leave it as it is: 1 wire for 192.168.0.* that has the LAN on it and 1 for 192.168.2.* for OPT1, which do not conflict with each other. First the pfSense and then afterwards improve the rest.
I will know more this weekend about the configuration of the switches/wifi APs and
-
So you got another dumb switch to connect to your opt1 interface, or are you just running both interfaces into the same dumb switch?
If so that is BORKED!! I would suggest you fix it ASAP.
Borked:
To have totally fucked something up. Usually by doing something stupid. Specifically used to describe technology that is broken. Something is "borked" when it doesn't work correctly or misbehaves, generally due to negligence by the person(s) that are responsible for it.
To have broken something so entirely, you break the words used to describe the item.
-
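Added example, not code from any post in this thread and not part of pfSense: a quick way to check for the situation John keeps calling borked (two layer 3 networks on one layer 2), which also answers the earlier remark that 192.168.0.* and 192.168.2.* "do not conflict with each other". They do not overlap at layer 3, but if both hang off the same dumb switch, every host sees the other network's ARP traffic. The script parses the output of `tcpdump -ni eth0 -e arp` run on a host in the office LAN (assumed Linux host and interface name; the capture lines below are constructed for the example, not taken from the poster's network) and lists every address that spoke ARP on the wire but does not belong to the local subnet.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -ni eth0 -e arp` output on a host in the
# office LAN (192.168.0.0/24). Not captured from the thread's network.
# The 192.168.2.x lines are what a shared dumb switch would show: the
# guest network's gateway and a guest client ARPing on the office wire.
SAMPLE_CAPTURE = """\
12:00:01.000001 3c:52:82:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.1 tell 192.168.0.23, length 46
12:00:01.000450 00:0d:b9:aa:bb:02 > 3c:52:82:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 00:0d:b9:aa:bb:02, length 28
12:00:02.100000 b8:27:eb:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.2.1 tell 192.168.2.50, length 46
12:00:02.100300 00:0d:b9:aa:bb:04 > b8:27:eb:aa:bb:03, ethertype ARP (0x0806), length 42: Reply 192.168.2.1 is-at 00:0d:b9:aa:bb:04, length 28
12:00:03.000000 3c:52:82:aa:bb:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.40 tell 192.168.0.12, length 46
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_SRC_MAC = re.compile(rf"^\S+ ({MAC}) > ")          # source MAC of the frame
_REQUEST = re.compile(rf"who-has ({IP}) tell ({IP})")  # asker is group 2
_REPLY = re.compile(rf"Reply ({IP}) is-at ({MAC})")    # answerer is group 1


def arp_speakers(capture):
    """Map every IP that spoke ARP on the segment to the MAC(s) it used.

    An ARP request reveals the asker ("tell X"); a reply reveals the
    answerer ("X is-at MAC"). Anything in this map shares our broadcast
    domain, whatever subnet its address belongs to.
    """
    seen = {}
    for line in capture.splitlines():
        mac_match = _SRC_MAC.match(line)
        if not mac_match:
            continue
        request = _REQUEST.search(line)
        reply = _REPLY.search(line)
        if request:
            ip, mac = request.group(2), mac_match.group(1)
        elif reply:
            ip, mac = reply.group(1), reply.group(2)
        else:
            continue
        seen.setdefault(ip, set()).add(mac)
    return seen


def foreign_speakers(capture, local_net):
    """IPs seen speaking ARP on the wire that are outside local_net.

    A non-empty result means a second layer 3 network is riding on the
    same layer 2 segment as local_net.
    """
    net = ip_network(local_net)
    return sorted(
        (ip for ip in arp_speakers(capture) if ip_address(ip) not in net),
        key=ip_address,
    )


def segment_report(capture, local_net, other_net):
    """Show that 'no overlap at layer 3' and 'same layer 2' are different questions."""
    return {
        "overlap_at_layer3": ip_network(local_net).overlaps(ip_network(other_net)),
        "foreign_speakers": foreign_speakers(capture, local_net),
    }


if __name__ == "__main__":
    report = segment_report(SAMPLE_CAPTURE, "192.168.0.0/24", "192.168.2.0/24")
    print("subnets overlap at layer 3:", report["overlap_at_layer3"])
    print("hosts from other subnets on this wire:", report["foreign_speakers"])
```

On the sample capture the office segment reports no layer 3 overlap but two foreign speakers, 192.168.2.1 (the OPT1 gateway) and 192.168.2.50 (a guest client): that is the fingerprint of both pfSense interfaces being plugged into one dumb switch. The practical consequence is the one the thread is warning about: a guest device on that wire can give itself a second address in 192.168.0.0/24 and talk to the office machines directly, and since those packets never pass through pfSense, no OPT1 firewall rule can stop them. Once OPT1 is moved to its own switch or VLAN, the same check on the office segment returns an empty list.
-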
Hey John, you make me laugh :)
I have been there this weekend and what I could find was not the best :/
Situation:
WAN -> WAN
OPT1 -> (direct line) PoE switch -> several ProCurve M5M310 APs and Linksys (was installed years ago by a company) (IP 192.168.2.xxx)
LAN -> simple (dumb) switch, from here it goes 4 ways: (IP 192.168.0.xxx)
1: phone box (currently disabled)
2: to reception -> dumb switch -> computers, printers.
3: to office -> dumb switch -> printers, computers
4: camera
The ISP is even more horrible than I thought; they have a DSL line that has a maximum of 28Mbps and if we are lucky we get 6Mbps at night.
I have told them to change this ASAP this month, and am going to change this to a 125Mbps line to start with.