2 identical VLAN's not working the same
-
Hi all,
I made 2 similar VLANs:
tag 56 (192.168.6.0/24 netw)
tag 57 (192.168.7.0/24 netw)
Next to that I have:
WAN
LAN (192.168.5.0/24 netw)
2 VPN clients
Both have the same rules (simply allow to all for debugging), DHCP server, DNS resolver active, ...
It's a mystery to me why the 56 VLAN gets WAN (internet) access and the other does not. This happens for physical clients and Proxmox containers in the VLANs.
Maybe I'm overlooking something...?
Second problem is it seems impossible to route the VLAN networks through the VPN clients to the outside world (via firewall rule). I read it is not so simple, but the solutions don't seem clear to me or I just don't understand them.
Somebody would please care to explain and describe the solution?
Kind regards.
-
@geronimobb said in 2 identical VLAN's not working the same:
I read it is not so simple
Simplicity would be related to skill level sure, but it's not all that difficult.
If I had to guess, your issue is whatever BS guide you followed on the internet had you switch your outbound rules to manual vs just using hybrid. So you only have outbound NAT for 1 of your VLANs vs the other.
Switch your outbound NAT to hybrid and add the outbound NATs you want for your VPN connections as hybrid.
-
@geronimobb said in 2 identical VLAN's not working the same:
Second problem is it seems impossible to route the VLAN networks through the VPN clients to the outside world (via firewall rule). I read it is not so simple, but the solutions don't seem clear to me or I just don't understand them.
Well, the way you worded the question is a bit vague. Are you trying to route the VLAN, tags and all? If so that won't work.
-
@johnpoz Thanks for the reply.
This time I didn't follow any guide, but just repeated what I had done in my previous pfSense setup (which was probably a guide..)
I did switch to manual indeed, but I made sure there is an exit for the LAN and the 2 VLANs to all the possible exits (WAN and 2 VPNs). The 2 VPNs are in 1 gateway group.
So I think I can rule the NATting out... Unfortunately (then it would be solved)..
-
@JKnott Thanks for the reply!
I just made a rule under Firewall -> Rules -> VLAN57 (for the 2 VLANs):
IPv4 * VLAN57 net * * * VPN_GR none Default allow VLAN57 rule
I made sure there are NAT lines for VLAN57 to WAN, VPN1 and VPN2. VPN1 and VPN2 are in 1 gateway group VPN_GR.
So I do think this is trying to route the VLAN, tags and all..?
As I understand, VLAN57 (layer 2) over VPN (layer 3) is not possible this way. How should this be done properly? And maybe more important, I'd like more to understand how and why, than just how..
Kind regards.
-
Well, without you actually showing us your setup, it's impossible to help you figure out where you went wrong.
Can your VLAN talk to the internet? Just not through your VPN?
Maybe when you created the rules on 1 VLAN you set only TCP vs any, so your clients can not do DNS? There are many typos that can cause issues. Can your clients on the VLAN ping the other VLAN's pfSense IP? Can they ping the pfSense WAN IP?
What IPs are you getting from your VPN services? Maybe it overlaps the VLAN that won't work, etc. etc.
-
@geronimobb said in 2 identical VLAN's not working the same:
So I do think this is trying to route the VLAN, tags and all..?
I wasn't sure what you were trying to do. If it's possible to send VLANs through a VPN, it would have to be a TAP interface, not TUN.
-
@johnpoz After all, the solution was related to what you suggested. I removed the rules I added and switched back to automatic outbound rules. Then I switched back to manual and it worked... Solved.
Since you can reorder NAT rules I suppose the order in which you list them matters. Why does this matter?
-
@JKnott Thanks for the suggestion. Before I implement this, I prefer to understand this setup. Would you mind explaining shortly the TAP setup?
-
@geronimobb said in 2 identical VLAN's not working the same:
Then I switched back to manual
Why? There is almost never a reason to be in manual.. Unless you don't want to NAT something that would normally be NATted automatically.. Like say a WAN interface that you don't want traffic to NAT through or something.
If all you're doing is a VPN service - all you need is hybrid, and add your NAT for that interface.
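An added illustration, not from any poster in this thread, of what the outbound NAT discussion above and the "why does order matter" question come down to once pfSense renders its rules into pf syntax. Interface names (em0 for WAN, ovpnc1/ovpnc2 for the two OpenVPN clients) and the 203.0.113.10 address are assumptions chosen for the example.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.

# --- Manual outbound NAT as described in the first post: only VLAN 56 gets out ---
nat on em0 inet from 192.168.5.0/24 to any -> (em0)   # LAN
nat on em0 inet from 192.168.6.0/24 to any -> (em0)   # VLAN 56
# 192.168.7.0/24 (VLAN 57) has no "nat on em0" entry. A firewall pass rule still
# lets its packets leave, but with a private source address, so replies never
# come back. The symptom is exactly "one VLAN reaches the internet, the other not".

# --- Hybrid mode: pfSense keeps generating the WAN entries for every local
#     subnet itself; the admin only adds the entries for the VPN interfaces ---
nat on ovpnc1 inet from 192.168.6.0/24 to any -> (ovpnc1)
nat on ovpnc1 inet from 192.168.7.0/24 to any -> (ovpnc1)
nat on ovpnc2 inet from 192.168.6.0/24 to any -> (ovpnc2)
nat on ovpnc2 inet from 192.168.7.0/24 to any -> (ovpnc2)

# --- Why rule order matters: pf applies the FIRST matching translation rule
#     (unlike filter rules, where the last match wins) ---
nat on em0 inet from 192.168.0.0/16 to any -> (em0)          # also matches 192.168.7.x ...
nat on em0 inet from 192.168.7.0/24 to any -> 203.0.113.10   # ... so this line is never reached
```

Listing the more specific rule first is the fix for the shadowing shown in the last two lines.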
-
@geronimobb said in 2 identical VLAN's not working the same:
Would you mind explaining shortly the TAP setup?
I have never used TAP. However, as I mentioned, it's essentially a bridge between the 2 networks.
-
@geronimobb said in 2 identical VLAN's not working the same:
Second problem is it seems impossible to route the VLAN networks through the VPN clients to the outside world
Maybe you should be asking why you need to do that. If you have VLANs, you have multiple subnets. Why not just route them through the VPN and recreate the VLANs at the other end? That way, they don't even have to be the same VLAN number or could even be a completely different network.