Design frustrations with PFsense, VMWare, vLANs, Routing & LACP...

Grimson

@lburns said in Design frustrations with PFsense, VMWare, vLANs, Routing & LACP...:

If I can get these non-routable issues to go away (make them act like they are on the same L2 net), all while maintaining the ability to manage them as if they were segmented (like they should be), then that would be ideal.

Sounds like you need a good L3 capable managed switch. pfSense is not the right tool for this.

Derelict

You want Layer 2 port isolation, Private VLANs, etc. Your solution is at Layer 2, not in the firewall.

johnpoz

Yea as Derelict repeated what I stated - if you want to isolate devices on a specific L2 from talking to each other you do what with your L2 infrastructure.. private vlans would allow you to have control which devices could talk to which other devices that are on the same L2/L3 network..

So for example you fire up a private vlan... device on port A could talk to device on port C, but not on port B. All devices could talk to port H which is where the gateway is connected so they could get off that L3..

Your AP is connected to say port G.. You could allow those wireless device to talk to port B, but not C or A, etc. etc. etc..

All of this is outside of the scope of pfsense - since pfsense is L3 firewall. What switches do you have to work with? Do you have budget to get new ones?

lburns

@johnpoz

We have many Dell PowerConnect 8024 10G and other PowerConnect 1gb switches.

All we need in abundance

johnpoz

then yeah you should be good - I would assume they could do port isolation, ie private vlans - not sure what dell calls it.

sundarnet

Ive had a similar issue
esxi6.5 server running vms with vlan id added to the vmware NICs
6 WAN loadbalanced pfsense then to another pfsense squidguard firewall for siteblocking as squid will NOT work via a loadbalanced connection at all
my solution was to use UniFi hardware switches and AP's combined with pfsense firewall for routing.
the Unifi Controller enables the use of vLAN tagging for switch ports and separate wifi SSID's so your wifi users are vlan tagged depending on the wifi SSID they join, as well as being able to tag any port on any unifi switch among other things.
then vlan networks in pfsense with obvious firewall rules for segragating networks and allowing different devices through to whatever network you need.
then bonjour accross vlans and networks was avahi enabled and needed networks selected and select repeat mdns packets across networks 'as i needed the bonjour traffic to pass for air print capabilities and other minor bonjour services to work
just pulling my hair out over the routing for my PBX server's in/out SIP trunk and forcing it to use a single WAN connection from behind the squid pfsense vm not though squid though mind you, around it,the other strange thing about this network is I have the 6 WAN connections vLAN tagged through a different network and am wirelessly routing through a separate network over about 800-900 meters all using these sweet little UniFi switches
adding in for now I am having issues with old netbios name resolution across vlan networks

johnpoz

@sundarnet said in Design frustrations with PFsense, VMWare, vLANs, Routing & LACP...:

now I am having issues with old netbios name resolution across vlan networks

Yah think? Now sure you think that is suppose to work across subnets - ever ;) its a broadcast, why should it or how could it cross L2s?

Windows solution to this was a wins server ;)

sundarnet

Pretty sure I got it to work without a WINS server
in the DNS Resolver I selected
Register DHCP leases in the DNS Resolver and
Register DHCP static mappings in the DNS Resolver
I also created host override for the host in question
now my normal windows drive mappings work without change

johnpoz

that is not a netbios discovery, that is just dns working how it should.

Here I tried to connect to

\\testhost

It first tries dns query, with my search suffix (domain attached) to my dns. the testhost.local.lan, it gets back from dns NX.. So it then tries a NB broadcast for it..

sundarnet

@johnpoz I like the explanation on that, I needed that earlier instead of this.

Yah think? Now sure you think that is suppose to work across subnets - ever ;) its a broadcast, why should it or how could it cross L2s?

Windows solution to this was a wins server ;)
;)
thanks for the help though
I still got it to work without a WINS server ;)

Derelict

As he demonstrated, it tries DNS first. After that fails it tries NETBIOS.

DNS works just fine across subnets.

sundarnet

it still works without a WINS server and the needed info would have been better than this comment! ;)

johnpoz LAYER 8 Global Moderator 7 days ago

@sundarnet said in Design frustrations with PFsense, VMWare, vLANs, Routing & LACP...:

now I am having issues with old netbios name resolution across vlan networks

Yah think? Now sure you think that is suppose to work across subnets - ever ;) its a broadcast, why should it or how could it cross L2s?

Windows solution to this was a wins server ;)

sundarnet

and Im also using Avahi to allow bonjour traffic across vLAN's for Airprint capabilities which works very nicely

johnpoz

Yeah dns works, that is not what you asked about - you asked about netbios resolution..

Which does NOT work across subnets, because it is a broadcast discovery. Was my response a bit snarky - maybe.. It was a stupid question to be honest, you used a term "netbios" which by its very nature tells you it wouldn't work across subnet without wins ;)

Where did you come up with the term to use, if you don't understand its meaning?

Have a read
https://www.techrepublic.com/article/how-netbios-name-resolution-really-works/

sundarnet

I didn't ask a question just made a comment on what I was trying to do. I must admit my brain was fried after doing that setup in 3-4 days in 2 locations, my own/home location is a lot smaller however,
then you gave a sparky comment not a solution, after which you gave a semi solution after I found it myself and commented ;)
just pulling you up on the fact I thought you were here to help not just give cool comments and stuff ;)
and as little as I know I do try to post solutions to problems if I can

johnpoz

No I gave you a solution to your question.. How you resolve netbios over subnets is with a wins server.. Its been like that for like 30 years ;) Back in the days of when windows 3.11 was new..

Or you could setup lmhost file as well ;)

sundarnet

@sundarnet said in Design frustrations with PFsense, VMWare, vLANs, Routing & LACP...:

adding in for now I am having issues with old netbios name resolution across vlan networks

still wondering how you see this as a question ? its a statement.

adding in for now I am having issues with old netbios name resolution across vlan networks

Derelict

The solution to your problem is to install a WINS server or me sure DNS resolution is working properly.

johnpoz

If you want to resolve "netbios" names across subnets then you either run wins, or some other nbss.. wins is MS version of that... I suggest you read the old rfc 1001, and 1002 ;) From the late 80s...

Who does netbios name resolution any more.. Even MS is trying to retire it
https://docs.microsoft.com/en-us/windows-server/networking/technologies/wins/wins-top
"If you have already deployed WINS on your network, it is recommended that you deploy DNS and then decommission WINS."

Or you can do lmhost file, if windows still reads that? I would assume so..

If what your actually wanting to do is resolve the host without a fqdn, then correctly setup your search suffix on your machines so they append the correct domain to your host. So your dns query is a fqdn and not just host name.

sundarnet

now you guys are just rambling I already solved my issue myself no thanks to your sparky comments
and now you are posting the same solutions I found already
so why ?