VLANs, ip:port not reachable
-
Ok so, first of all.
First time pfSense user, and I must say, this is effing freaking great! So easy to set up once you figure things out. Lots of great tutorials as well.
In a week's time I have the following setup: ISP -> crap modem -> pfSense -> managed switch (with VLANs, untagged) -> unmanaged switches -> devices
Services: OpenVPN, NTP, HAProxy, DHCP servers, VLANs, DNS, domain controller, multiple Ubuntu servers, LDAP everywhere.
Here is a small overview of everything I have set up.
INTERFACES
pfSense set up on a separate server. WAN interface connected to our ISP modem (doesn't support bridge). pfSense is in the DMZ list of that router.
LAN interface to a managed switch.
All traffic passes perfectly from pfSense + clients to WAN and vice versa.
VLANS
I have 4 VLANs:
VLAN11 (management)
VLAN10 (servers)
VLAN20 (desks)
VLAN30 (VPN)
VLAN40 (WiFi)
In interfaces I linked the LAN interface to VLAN11.
Created new interfaces for each VLAN (except 11). Set up trunking on an HP switch (tagged ports); on the switch I untagged certain ports to connect to dumb switches to which our devices are connected.
FW Rules
Allowing all traffic from each port, protocol, source or client on each interface (except WAN, where I only allow HTTP, OpenVPN and Remote Desktop until everything is working 100%).
pfSense, Ubuntu servers, Windows servers and OpenVPN are all using LDAP from a Windows domain.
Here is where my issue lies:
I can ping from each VLAN to the next, all clients can ping each other; all clients can SSH login or RDP login to servers on VLAN 10. Even OpenVPN. I was amazed to get this far, only to get stuck at such a minor stupid issue.
I have a webserver running on VLAN 10, HAProxy is set up and working great. I can access it from the internet. Yeeeey, party. Well, I still have an issue.
I can't open a local website in the format ipaddress:port from any VLAN unless I am in the actual VLAN where the server resides.
Well you are probably thinking, who cares, your proxy works, you can access it over wan, well, true. Except, I have a site to configure which I can only seem to open up for remote access once it is configured.
The issue lies not with this particular site either.
When I try, say, bamboo.foo.com, I can access this fine. If I use 192.168.10.36:8085 (default Bamboo port) I don't see a thing (if I am outside VLAN10). Yet bamboo.foo.com works.
I hope someone here is able to point me in the right direction.
I would virtually hug you, bake you cookies, and eat them myself.
Thanks in advance.
EDIT: All clients can ping each other from all the VLANs. Each client on separate VLANs has internet access.
-
Sounds as if a few firewall rules would be in order at this point.
-
Read you're using HAProxy. Do you have 'transparent-client-ip' set on the backend configuration? It might cause such an issue..
-
Sounds as if a few firewall rules would be in order at this point.
WAN is limited to only the ports I need. HTTP for public websites, handled with HAProxy further down for the right service, and OpenVPN.
LAN is fully open, by design; my CEO wants this because he doesn't care what happens inside the LAN.
Guest network will be set up later on.
If there ever is a use case where we have to block something from LAN to outside, or between VLANs, we will do that when the need arises. But I highly doubt that it is a firewall issue. Wouldn't the WAN access have issues as well then?
Read you're using HAProxy. Do you have 'transparent-client-ip' set on the backend configuration? It might cause such an issue..
Yes, I did have that enabled; the tutorial I was following enabled it, and it worked, so I didn't think much further. After reading the description it does make sense that this could be the culprit.
I was able to edit the router config over VPN, applied the changes, and tadaa, it works. Well, it works now over VPN, so I suppose it should in the office as well.
So when would I actually enable this option?
-
You would enable that option if you 'need' the client IP of the actual client for logging/permissions/other and cannot accomplish that by other means like the X-Forwarded-For header or proxy protocol. It's certainly useful, but causes some trouble as well.. (there is a warning message with it for a reason ;) )
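To show what "other means" look like in practice, here is an added HAProxy configuration example (not from this thread and not pfSense's generated config) for the Bamboo backend described above. It assumes the names fe_web and be_bamboo, the address 192.168.10.36:8085 from the question, and that the pfSense "transparent-client-ip" option corresponds to HAProxy's `source ... usesrc clientip` directive, which makes the proxy spoof the client's address as the TCP source and therefore forces return traffic from the backend back through the firewall. The alternatives below leave the proxy's own address as the TCP source, so the server's direct ip:port reachability from other VLANs is unaffected, while the real client address still reaches the application.

```haproxy
# Added example; assumed section names and the backend address are placeholders
# from the thread, not a copy of the pfSense package output.

frontend fe_web
    bind *:80
    mode http
    # Put the real client address into the X-Forwarded-For request header.
    # The backend sees the proxy as the TCP peer and reads the client from the header.
    option forwardfor
    default_backend be_bamboo

backend be_bamboo
    mode http
    # NO "source 0.0.0.0 usesrc clientip" here: that is the transparent mode that
    # needs firewall/route-to rules and breaks direct access to the server port.
    server bamboo 192.168.10.36:8085 check

# Alternative for a backend that understands the PROXY protocol (TCP mode):
# the client address travels in a small header at the start of the connection
# instead of being spoofed at the IP layer.
backend be_bamboo_proxyproto
    mode tcp
    server bamboo 192.168.10.36:8085 check send-proxy
```

If the application behind the proxy only ever sees the proxy's address in its own logs, the header (or the PROXY protocol) is the thing to make it honour; switching on transparent mode to get the same effect trades that small application change for firewall-level traffic steering on every packet to that port.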
-
You would enable that option if you 'need' the client IP of the actual client for logging/permissions/other and cannot accomplish that by other means like the X-Forwarded-For header or proxy protocol. It's certainly useful, but causes some trouble as well.. (there is a warning message with it for a reason ;) )
Ok, thank you. Everything is set up now the way we want it. Just a new cloud infrastructure coming as well. Then back to my usual programming day job ;)
Thanks again for your help :)