Vlan issue

Disthene · Jul 8, 2018, 3:40 PM

Hello everyone,

I'm coming for a basic issue I think, but I can't find the problem.
Here are my interfaces :
login-to-view
login-to-view

Here the configuration of this VLAN :
login-to-view

And here the firewall rules :
login-to-view

My LAN can access internet.

So before configuring multiple vlan I first tried with one. I plugged my computer directly on em3, which is supposed to be my vlan server. The IP address of this computer is static : 192.168.10.2/24 - GW 192.168.10.1. I can't ping anything, And I don't understand why, I'm missing something obvious...

If I create a network on em3, with exactly same parameters, it works perfectly why I can't make it work with vlan ?

Any help is welcome
Thanks !

Disthene · Jul 8, 2018, 6:23 PM

Two days lost on this...It's driving me crazy...

xciter327 · Jul 8, 2018, 6:29 PM

If You are connecting your test PC directly to the pfsense, You need to tag the traffic on the test PC, with a vlan-10 tag. If You have a switch in-between, you need to make sure your port(facing the test PC) is member of VLAN 10 and it's configured as "un-tagged", which means that all packets coming in/out will be always part of vlan 10.

That's about it.

Disthene · Jul 8, 2018, 6:55 PM

em3 ( on my pf sense) -> plugged to port 1 of the switch in trunk mode.
port 2 of the switch is plugged on the computer in access mode vlan 10.

Derelict · Jul 9, 2018, 8:48 AM

Then it would be working.

Be sure VLAN 10 is tagged on the switch port connected to pfSense em3.

Be sure the switchport connected to the PC is untagged on VLAN 10.

It's pretty much that simple.

Note the firewall rule in the image you posted has 0B received. That indicates it is receiving no traffic.

frikinet · Jul 9, 2018, 8:52 AM

I also think something could be wrong with the trunk link between your pfSense box and your switch. Try to make packet captures from pfSense (or even from the switch) to see if the traffic is reaching the firewall and if it's correctly tagged.

Disthene · Jul 9, 2018, 11:03 AM

login-to-view

This is my switch config, very basic, it should work with this ...I don't see the problem...

Derelict · Jul 9, 2018, 11:13 AM

Neither do I.

But if it was that simple it would be working. You are missing something.

Post the output of Diagnostics > Command Prompt Execute ifconfig -a

Are you 100% positive that with that switch port config it will pass all vlans?

switchport trunk allowed vlan add 10 or something?

Derelict · Jul 9, 2018, 11:08 AM

Why are you running 2.3.5 if you are amd64?

All of this works in both but why?

Disthene · Jul 9, 2018, 11:28 AM

Here the command you asked
Also I'm on this version because I'm doing shit on GNS3...preparing the job is better, especially with such kind of issue...

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:e3
	hwaddr 00:0c:29:ca:5f:e3
	inet6 fe80::20c:29ff:feca:5fe3%em0 prefixlen 64 scopeid 0x1
	inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:ed
	hwaddr 00:0c:29:ca:5f:ed
	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:f7
	hwaddr 00:0c:29:ca:5f:f7
	inet6 fe80::20c:29ff:feca:5ff7%em2 prefixlen 64 scopeid 0x3
	inet 192.168.19.1 netmask 0xffffff00 broadcast 192.168.19.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:01
	hwaddr 00:0c:29:ca:5f:01
	inet6 fe80::20c:29ff:feca:5f01%em3 prefixlen 64 scopeid 0x4
	inet 192.168.50.2 netmask 0xffffff00 broadcast 192.168.50.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
	syncpeer: 224.0.0.240 maxupd: 128 defer: on
	syncok: 1
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em3_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:0c:29:ca:5f:01
	inet6 fe80::20c:29ff:feca:5f01%em3_vlan10 prefixlen 64 scopeid 0x9
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 10 vlanpcp: 0 parent interface: em3

I enabled em3 only for testing, I know I shouldn't use a logical interface here

Derelict · Jul 9, 2018, 11:25 AM

Yeah that is all kinds of hosed up.

You have two interfaces (em0 and em1) with 192.168.0.254 assigned. You have two entries for em1. em3 looks reasonable but idk wtf you have going on there.

Disthene · Jul 9, 2018, 11:26 AM

It was a mistake in my copy/paste, just refresh please

Derelict · Jul 9, 2018, 11:26 AM

Really?

Disthene · Jul 9, 2018, 11:29 AM

I don't know what the fuck happened, let me try the command again...
now up to date :

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:e3
	hwaddr 00:0c:29:ca:5f:e3
	inet6 fe80::20c:29ff:feca:5fe3%em0 prefixlen 64 scopeid 0x1
	inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:ed
	hwaddr 00:0c:29:ca:5f:ed
	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:f7
	hwaddr 00:0c:29:ca:5f:f7
	inet6 fe80::20c:29ff:feca:5ff7%em2 prefixlen 64 scopeid 0x3
	inet 192.168.19.1 netmask 0xffffff00 broadcast 192.168.19.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:ca:5f:01
	hwaddr 00:0c:29:ca:5f:01
	inet6 fe80::20c:29ff:feca:5f01%em3 prefixlen 64 scopeid 0x4
	inet 192.168.50.2 netmask 0xffffff00 broadcast 192.168.50.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
	syncpeer: 224.0.0.240 maxupd: 128 defer: on
	syncok: 1
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em3_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:0c:29:ca:5f:01
	inet6 fe80::20c:29ff:feca:5f01%em3_vlan10 prefixlen 64 scopeid 0x9
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 10 vlanpcp: 0 parent interface: em3

Derelict · Jul 9, 2018, 11:31 AM

OK so any interface assigned to VLAN 10 on em3 will be tagged there.

If that is not working it is your switch. Or, in your case, maybe GNS3.

Disthene · Jul 9, 2018, 12:01 PM

If by chance I find the answer...I'll post it there, but I'll quite this shit soon I think...

Disthene · Jul 9, 2018, 3:41 PM

I confirm that it's not pfsense, but my cisco config, I need to make some research as I'm not a cisco expert but clearly pfsense is working correctly, thanks for your time guys ! :)