pfSense management interface
-
On your suggestion viragomann, I have attempted to use a NAT rule to pass the outbound MGMT traffic between the switch and my LAN host. Just to clarify, at the moment I have very permissive FW rules between my LAN and the MGMT VLAN on OPT1, in both directions. I have attached a screenshot of my manual NAT rule that is based on your suggestions.
On a separate note, could I (should I) bridge my LAN interface with OPT1 and assign the NIC on my LAN host to VLAN99 so that the switch sees my NIC as part of the 99 subnet/VLAN? Are bridges generally bad practice? The LAN interface will really be dedicated to MGMT traffic, so I don't need it to be on a separate subnet.
Thanks.
-
If access to the switch doesn't work with that NAT rule, you either did something wrong or you also won't get access from inside the VLAN99 or when you bridge it to LAN.
So take a computer and put it into the MGMT_LAN and try if you can access the switch management interface.
If you get access, check if the NAT rule is working. You can use the packet capture from the Diagnostic menu.
BTW: When you bridge the LAN interface with the OPT1, there is still no VLAN on the LAN interface. Only the MGMT_LAN is a VLAN.
-
Thanks viragomann. Am I missing port definitions for the NAT rule? I wasn't sure what to put in there.
-
No. If the port is not specified the rule is applied to any port.
Is the outbound NAT working in hybrid or manual mode?
-
Zero need for any of that if the switch has a gateway configured on its management interface network.
Presuming it actually works as configured.
-
NAT is in hybrid mode.
The gateway for the switch is 10.3.99.1 (the interface address for the MGMT LAN).
Interestingly, I have the same MGMT gateway setup for my UAPs and can SSH into them, adopt them etc from the LAN host (with rules of course). The switch in between the pfsense and my UAPs seems deaf to any traffic from my LAN.
I checked my pfsense logs the other day when trying to resolve the switch web address. I noticed some sync closed entries.
-
Sounds like a broken or misconfigured switch then.
-
Thank you for all of your suggestions.
I figured out what was preventing my host from accessing the switch over VLAN 99. On the setup page are two parameters for management access to the switch: a management VLAN and a management port. When the management port is set to anything other than none, management access becomes exclusive to that port.
-
You're talking about HPE 1820 switches?
-
Yes. It's the HP 1820-24g.
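As an added illustration of the reasoning in this thread (not code from the thread or from pfSense), the model below walks through the three things that decided reachability here: a hybrid-mode outbound NAT rule whose unspecified port matches any port, the switch needing either an on-subnet peer or a gateway to reply, and the HP 1820 management-port setting that makes access exclusive to one port. The 10.3.99.0/24 subnet and the 10.3.99.1 interface address come from the thread; the LAN subnet, LAN host, switch address and port numbers are constructed sample values.

```python
import ipaddress

# From the thread: MGMT VLAN 99 subnet and its pfSense (OPT1) interface address.
MGMT_NET = ipaddress.ip_network("10.3.99.0/24")
PFSENSE_MGMT_IP = ipaddress.ip_address("10.3.99.1")
# Constructed sample values (not from the thread): LAN host and switch address.
LAN_HOST = ipaddress.ip_address("10.3.1.50")
SWITCH_IP = ipaddress.ip_address("10.3.99.2")

# Manual outbound NAT rule as described: source LAN, destination MGMT net,
# no port given (None = any port), translate to the OPT1 interface address.
NAT_RULE_TO_SWITCH = {
    "src_net": ipaddress.ip_network("10.3.1.0/24"),  # constructed LAN subnet
    "dst_net": MGMT_NET,
    "dport": None,
    "nat_ip": PFSENSE_MGMT_IP,
}

def outbound_nat(src, dst, dport, rules):
    """Hybrid mode: manual rules are checked first, first match wins.
    A rule with dport=None matches any destination port."""
    for rule in rules:
        port_ok = rule["dport"] is None or rule["dport"] == dport
        if src in rule["src_net"] and dst in rule["dst_net"] and port_ok:
            return rule["nat_ip"]
    # No manual match: automatic rules only cover interfaces with a gateway
    # (WAN), so a LAN-to-OPT1 packet keeps its original source address.
    return src

def switch_can_reply(peer_ip, switch_gateway):
    """The switch answers an on-subnet peer directly; any other peer needs a
    gateway configured on the switch's management interface."""
    return peer_ip in MGMT_NET or switch_gateway is not None

def management_reachable(switch_gateway, nat_rules, mgmt_port=None,
                         ingress_port=1, dport=443):
    """Path from LAN_HOST to the switch web UI. mgmt_port models the HP 1820
    'management port' setting: when set, access is exclusive to that port."""
    if mgmt_port is not None and mgmt_port != ingress_port:
        return False  # frame arrived on a non-management port: dropped
    peer_ip = outbound_nat(LAN_HOST, SWITCH_IP, dport, nat_rules)
    return switch_can_reply(peer_ip, switch_gateway)

if __name__ == "__main__":
    print("no gateway, no NAT       :", management_reachable(None, []))
    print("no gateway, NAT rule     :", management_reachable(None, [NAT_RULE_TO_SWITCH]))
    print("gateway set, no NAT      :", management_reachable(PFSENSE_MGMT_IP, []))
    print("gateway, mgmt port locked:", management_reachable(PFSENSE_MGMT_IP, [], mgmt_port=24))
```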