pfSense management interface

General pfSense Questions

A Former User:

On your suggestion, viragomann, I have attempted to use a NAT rule to pass the outbound MGMT traffic between the switch and my LAN host. Just to clarify, at the moment I have very permissive FW rules between my LAN and the MGMT VLAN on OPT1, in both directions. I have attached a screenshot of my manual NAT rule that is based on your suggestions.

On a separate note, could I (should I) bridge my LAN interface with OPT1 and assign the NIC on my LAN host to VLAN99 so that the switch sees my NIC as part of the 99 subnet/VLAN? Are bridges generally bad practice? The LAN interface will really be dedicated to MGMT traffic, so I don't need it to be on a separate subnet.

Thanks.

viragomann:

If access to the switch doesn't work with that NAT rule, you either did something wrong, or you also won't get access from inside VLAN99 or when you bridge it to LAN.

So take a computer, put it into the MGMT_LAN and try whether you can access the switch management interface.
If you get access, check if the NAT rule is working. You can use the packet capture from the Diagnostic menu.

BTW: When you bridge the LAN interface with OPT1, there is still no VLAN on the LAN interface. Only the MGMT_LAN is a VLAN.

A Former User:

Thanks viragomann. Am I missing port definitions for the NAT rule? I wasn't sure what to put in there.

viragomann:

No. If the port is not specified the rule is applied to any port.
Is the outbound NAT working in hybrid or manual mode?
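As an added illustration (not from the thread or from pfSense's generated ruleset), here is the pf equivalent of the outbound NAT entry being discussed, written out so the "no port means any port" point and the packet-capture check are visible. The LAN subnet 10.3.1.0/24, the interface names igb1 and vlan0.99, and the switch address are assumptions; 10.3.99.1 is the MGMT interface address given in the thread.

```pf
# Assumed addressing: LAN is 10.3.1.0/24 (placeholder), the MGMT VLAN (VLAN 99)
# is 10.3.99.0/24 with pfSense at 10.3.99.1 as its gateway.
lan_net  = "10.3.1.0/24"
mgmt_net = "10.3.99.0/24"
mgmt_if  = "vlan0.99"    # assumed OPT1 interface name

# Hybrid outbound NAT entry as a pf translation rule. No port is given, so it
# matches every port. Packets leaving OPT1 toward the MGMT subnet get the
# interface address 10.3.99.1 as their source, so the switch sees a peer in
# its own subnet and replies without needing a working gateway of its own.
nat on $mgmt_if inet from $lan_net to $mgmt_net -> 10.3.99.1

# The "permissive" filter rules the poster already has (LAN -> MGMT shown).
pass in quick on igb1 inet from $lan_net to $mgmt_net keep state

# Verification, as in Diagnostics > Packet Capture on the OPT1 interface
# (placeholder switch address):
#   tcpdump -ni vlan0.99 host <switch-ip>
# With the NAT rule active, the source address on VLAN 99 should read
# 10.3.99.1 rather than the LAN host's address; if it still shows the LAN
# address, the rule is not matching (wrong interface, source or mode).
```

If the capture shows translated packets leaving OPT1 and no replies coming back, the problem is on the switch side rather than in pfSense, which is what the thread eventually found.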

Derelict (LAYER 8, Netgate):

Zero need for any of that if the switch has a gateway configured on its management interface network.

Presuming it actually works as configured.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

A Former User:

NAT is in hybrid mode.

The gateway for the switch is 10.3.99.1 (the interface address for the MGMT LAN).

Interestingly, I have the same MGMT gateway setup for my UAPs and can SSH into them, adopt them etc. from the LAN host (with rules of course). The switch in between the pfSense and my UAPs seems deaf to any traffic from my LAN.

I checked my pfSense logs the other day when trying to resolve the switch web address. I noticed some sync closed entries.

Derelict (LAYER 8, Netgate):

Sounds like a broken or misconfigured switch then.

A Former User:

Thank you for all of your suggestions.

I figured out what was preventing my host from accessing the switch over VLAN 99. On the setup page there are two parameters for management access to the switch: a management VLAN and a management port. When the management port is set to anything other than none, management access becomes exclusive to that port.

jahonix:

You're talking about HPE 1820 switches?

A Former User:

Yes. It's the HP 1820-24g.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.