VLAN Interface not receiving packets
-
Hello
I have a VLAN setup on my switches to separate network rights of different groups of hardware and users.
VLAN IDs are assigned through Domain Controller RADIUS (802.1X - PEAP). Now I try to integrate WLAN connections and want to run them over a firewall interface.
It works like this:
Client is connecting to RADIUS with cert and user/pass -> RADIUS gives OK and assigns VLAN ID 1012 to the client -> Access point is tagging all packets from that client with the VLAN ID 1012 -> On the other side there is a testing notebook with the same VLAN ID receiving the packets.
I have tested with ICMP and everything works fine in both directions.
pfSense setup:
Version 2.3.3
VLAN interface with ID 1012 on dedicated physical NIC OPT4 that is connected to a switch port.
Firewall rule for logging all packets (allow any from any to any).
Now I switch the network port of the notebook with pfSense and expect packets on that interface, but nothing happens.
What am I missing?
Do I have to set up the physical NIC in addition to the VLAN adapters?
--> no difference
Do I need IP addresses for the VLAN adapters?
--> no difference
Is it wrong to do it on a dedicated NIC instead of the normal LAN interface?
Any tips how to debug further? After setting up a monitoring port with Wireshark and notebook tests with a configured VLAN ID, everything seems to be OK on the switching side (tagged ports and uplinks), but the VLAN interface on pfSense is just not receiving any packets...
-
OK,
I think there is a problem with my "one subnet for all" setting on different NICs.
I'm going to try a setup with bridged VLANs.
UPDATE:
Now I have bridged my VLAN with the LAN interface.
Set up the rules any to any on both interfaces ... I think that should work.
Now I get log entries that pfSense is receiving an ICMP packet, but I get no answer.
Action Time Interface Source Destination Protocol
Jun 19 11:11:11 WLANFLEXA 1.1.1.2 1.1.1.1 ICMP
pfSense is NOT sending a tagged answer ... it sends untagged on the bridged LAN interface...
OMG ... am I missing something very basic here???
All I want is "firewalling" between several VLANs in the same subnet... pretty basic configuration on Cisco routers...
-
"1.1.1.2 1.1.1.1"
You're using public IP space in your network - that you do not own?
Tagging works just fine in pfSense.. What hardware is this? There was something a few days ago about the SG-1000 and tags: that interface had to be in promiscuous mode, they were looking into it.
-
The IP addresses are just an example... I thought it would be easier to read the rule.
I'm using a 10.10.0.0/16 subnet.
I can't get it to work properly ... I think it's because of the same subnet on all interfaces ... pfSense is receiving tagged packets on the VLAN interface but not answering with a tagged packet. It answers on the primary LAN interface and not on the VLAN interface.
I can see incoming ICMP but no outgoing... it begins with the problem of assigning IP addresses in one subnet on different interfaces ... I still think I'm missing something very basic.
-
You should probably look at Private VLANs in your switches instead of firewall interfaces.
But I might be completely misunderstanding what you are trying to do. It's not very clear.
-
We already have different VLANs for different network access policies and reducing broadcasts,
for example:
production machines get VLAN 1 to communicate with a communication server and nothing else
stationary clients get VLAN 2 to communicate with DNS, terminal server etc.
clients without updated OS get VLAN 3 for DHCP, DNS, WSUS and nothing else
registered unknown clients get VLAN 4 for guest access to the internet
unknown clients get no network access
What I want is to route between some VLANs with firewall rules.
Machine 1 needs TeamViewer access for maintenance, so I want to give internet access to this one machine and not to the whole VLAN.
Machine 2 needs RDP access for remote control from a PC, so I want the possibility to set a rule on pfSense.
I have big hardware with 16 cores, 12GB RAM, fast RAID and 8 NICs, so I thought I can replace a very old Cisco router with my pfSense box because of the much better interface, better delegation of configuration rights, better logging, URL filtering etc.
With VLAN itself I can only configure whole access but not port based like: "no access but DNS".
-
"reducing broadcasts"
"easier to read the rule I'm using 10.10.0.0/16 subnet"
Clearly reducing broadcasts is your goal on a /16 ;) You really have anything close to 65k hosts?... There is zero reason a /16 would ever be used other than a summary route or a firewall rule.
"i think its because of the same subnet on all interfaces"
Well yeah, that would be BORKED!!!
-
Why not a /16 subnet?
I don't need all the hosts, but it's very nice to have a separate IP range for every division connected through VPN... about 8/10 companies I know use this subnet. Just because I don't need it is no argument for not using it.. are there better arguments?
for example:
every 10.10.1X.1 is a domain controller
every 10.10.1X.2 is backup dc
every 10.10.1X.3 is a printserver
every 10.10.2X.1 is a firewall
every 10.10.3X.X is a printer
and so on...
10.10.1X - X = number for division
and so I know just from the IP what division and what client, and I don't want to deal with hundreds of routing tables....
---
If I'm that wrong with configurations like this, please explain. There is always room for improvement and I'm asking here because I want help to improve ^^
Separate subnet for every VLAN if you have 20 dynamic VLANs? Have fun maintaining access policies...
Why is it borked?
It's standard configuration in professional firewalls like WatchGuard and I have working examples with Cisco hardware.
Just pfSense is doing "strange" things there, starting with the impossibility in the GUI to configure two IP addresses in the same subnet, also standard in professional firewalls. Don't take me wrong... I like pfSense very much, using it private and corporate, but some things are strange.
Maybe I'm wrong, but your answers without much meaning aren't very helpful ... I can't learn anything from it, so please give more information.
-
After some reading I understand now that this will lead to bigger problems ...
The Cisco router is routing because of fixed routing tables ... bah, I'm changing the big subnet into smaller ones on the client side.
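The thread ends on the diagnosis that one 10.10.0.0/16 configured on more than one pfSense interface leaves no unambiguous connected route back to a VLAN client, so the reply leaves the LAN side untagged. The Python below is an added illustration of the longest-prefix lookup behind that, not code from the thread or from pfSense; interface names and addresses are constructed, and the "first candidate wins" tie-break is an assumption standing in for whatever the real stack does.

```python
"""Connected-route lookup on a multi-interface host (added illustration).

A router sends a reply out the interface whose configured prefix is the
longest match for the destination.  If two interfaces carry the SAME
prefix the match is a tie, and the reply can leave the wrong interface
(here: untagged on LAN instead of tagged on the VLAN).  Splitting the
/16 into one smaller subnet per VLAN removes the tie.
All names and addresses below are constructed examples.
"""
import ipaddress
from typing import Dict, List, Tuple

Interfaces = Dict[str, str]  # interface name -> "address/prefixlen"


def egress_candidates(ifaces: Interfaces, dst: str) -> List[str]:
    """Return every interface whose prefix is the longest match for dst.

    More than one entry means the lookup is ambiguous: the stack will
    either refuse the second address or pick one route, independent of
    the VLAN the request came in on.
    """
    dst_ip = ipaddress.ip_address(dst)
    matches: List[Tuple[int, str]] = []
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dst_ip in net:
            matches.append((net.prefixlen, name))
    if not matches:
        return []
    longest = max(plen for plen, _ in matches)
    return sorted(name for plen, name in matches if plen == longest)


def check_reply_path(ifaces: Interfaces, ingress: str, src: str) -> str:
    """Classify how a reply to src, which arrived on ingress, will leave."""
    cands = egress_candidates(ifaces, src)
    if not cands:
        return "no connected route: reply goes to the default gateway"
    if len(cands) > 1:
        # Assumed tie-break: first candidate wins (constructed behaviour).
        return f"ambiguous: {cands} share one prefix, reply may leave {cands[0]}"
    if cands[0] != ingress:
        return f"asymmetric: arrived on {ingress}, reply leaves {cands[0]}"
    return f"ok: reply leaves {ingress}"


# The thread's layout: the same /16 on LAN and on the VLAN 1012 interface.
FLAT = {"LAN": "10.10.20.1/16", "VLAN1012": "10.10.20.2/16"}
# The fix the last post moves to: one smaller subnet per VLAN.
SPLIT = {"LAN": "10.10.20.1/24", "VLAN1012": "10.10.12.1/24"}
```

Run `check_reply_path(FLAT, "VLAN1012", "10.10.12.50")` against the same call on `SPLIT` to see the tie disappear once the VLAN gets its own /24.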