    Setting up a VLAN with pfSense, Ubiquiti, and ESXi

    L2/Switching/VLANs
      pfSenseUser78 @johnpoz

      @johnpoz Would it make sense to start a new post at this point?

      Thank you again for all your (and everyone else's help).

        johnpoz LAYER 8 Global Moderator

        I see no hits on your rules for dns.. see the 0/0's - so your clients never sent anything to those IPs on port 53, or you would see hits there..

        Do you have anything in floating?

        VLAN90 from being able to see the devices on the LAN) DNS stops working entirely.

        Only way that would be is if your clients were actually asking pfSense for DNS, or different IPs than what you have listed.. Yes your rfc1918 rule is getting hits. And so is your "This firewall" rule.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          marvosa

          Is the goal for this to be an internet-only VLAN? Building on that question, is this for your own internal equipment or is this going to be a "guest" VLAN? In either case, many of these rules can be collapsed into a simpler ruleset, IMO:

          For an internet-only Guest VLAN:

          1. Configure DHCP to hand out pfSense (or public DNS) for DNS. Then collapse your rules down to:

          Block -> TCP/VL90 net/This firewall/port (alias for 22 and whatever port your GUI is listening on)
          Allow -> VL90 net/Invert match rfc1918 alias

          For an internal, internet-only VLAN where you want your devices to use your internal DNS servers:

          Allow -> (TCP/UDP)/VL90 net/Alias for DNS servers/port 53
          Block -> TCP/VL90 net/This firewall/port (alias for 22 and whatever port your GUI is listening on)
          Allow -> VL90 net/Invert match rfc1918 alias

          and TBH, unless there is a specific need for your internet-only traffic to use your internal DNS servers (which I assume are your DCs), I'd go with the first option.

            pfSenseUser78 @marvosa

            @marvosa The idea is an internet-only VLAN (it would be nice if AirPlay worked between the VLAN and LAN but not necessary); HOWEVER, DNS would be pointed to my two internal DNS servers. Anything and everything else on the VLAN would not have access to the LAN.

            This is my IoT VLAN; I'm looking to use my internal DNS servers for filtering purposes. For any VLAN I set up I'd want to point it to my internal DNS servers, but everything else would be Internet only.

              marvosa @pfSenseUser78

              @pfSenseUser78 Then I'd go with the 2nd set of rules I posted. They'll be more streamlined for your use case.

                pfSenseUser78 @marvosa

                @marvosa Ok. In the second setup you state "Alias for DNS servers"; I'm not sure what that means. Would I be putting in the 172.x.x.x addresses or am I creating something else?

                Thanks!

                Edit: Ok, found where to make the alias. Trying now.

                  pfSenseUser78 @marvosa

                  @marvosa So like this?

                  Firewall 34.png

                  (I think I've got this correct)

                    marvosa @pfSenseUser78

                    @pfSenseUser78 Edited

                    I first said yes, but then looked at your rules again... hold on

                      pfSenseUser78 @marvosa

                      @marvosa SSH is enabled. I created the port alias but I can't figure out how to apply that to the second firewall rule. It doesn't appear in the list of ports to block.

                      Edit: Found it here: https://docs.netgate.com/pfsense/en/latest/book/firewall/aliases.html

                      Testing now!

                        marvosa @pfSenseUser78

                        @pfSenseUser78 The last rule should be

                        Protocol = any
                        Source = VL90_IOT net
                        Destination = Invert match rfc1918 alias

                          pfSenseUser78 @marvosa

                          @marvosa Fixed.

                          When I join that network with my laptop I connect and get an IP. I cannot ping 8.8.8.8 or 1.0.0.1 nor can I ping the internal DNS servers (172.16.x.x). If I try to load a website nothing happens.

                          Not sure where I'm going wrong - is there anything else I can post that might help? I'll continue to google and see if I can find anything myself.

                            marvosa @pfSenseUser78

                            @pfSenseUser78 Post your new rules.

                              pfSenseUser78 @marvosa

                              @marvosa

                              Firewall 55.png

                              "InternalDNS" is the IP addresses of the two internal IP addresses (172.16.x.x) - devices on VLAN90 are assigned a 192.168.90.x IP address
                              "pfSenseAccess" is ports 20 and 80
                              "rfc1918" is 10.0.0.0/8, 172.16.0.0., 192.168.0.0/16

                                marvosa @pfSenseUser78

                                • @pfSenseUser78 You left off the mask on the 2nd range in your alias, but I'm guessing it was just a typo... as your rfc1918 alias should have 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Can you post a screenshot of your alias?

                                • You are unable to ping your DNS servers because the DNS rule is only allowing TCP/UDP traffic destined to your DNS servers on port 53.

                                • After re-examining your DNS rule, the source port should be any. Remove that 53.

                                Things should start working after that.
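
An added example, not code from anyone in this thread: a small first-match evaluator for the VL90_IOT ruleset marvosa posted, using the DNS server and VLAN addresses quoted in the thread, to show why a source port of 53 on the DNS rule stops real queries, why pings to the DNS servers still fail after the fix, and that Derelict's "block RFC1918, then pass any" ordering gives the same decisions. It assumes 192.168.90.1 as the pfSense address on VL90 and 22/443 as the pfSenseAccess ports; both are placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses quoted in the thread; gateway and GUI port are assumptions.
VL90_NET = ipaddress.ip_network("192.168.90.0/24")
INTERNAL_DNS = [ipaddress.ip_address(a) for a in ("172.16.249.138", "172.16.249.139")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_FIREWALL = [ipaddress.ip_address("192.168.90.1")]  # assumed VL90 address of pfSense
PFSENSE_ACCESS = {22, 443}                               # assumed SSH + GUI ports

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "any", "tcp", "udp" or "tcp/udp"
    dst: Optional[list] = None       # alias members; None = any destination
    invert_dst: bool = False         # pfSense "Invert match" on destination
    dport: Optional[set] = None      # destination ports; None = any
    sport: Optional[set] = None      # source ports; None = any (keep it any)

def _in_alias(addr, members):
    return any(addr == m if isinstance(m, ipaddress.IPv4Address) else addr in m
               for m in members)

def _matches(rule, proto, src, dst, sport, dport):
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if src not in VL90_NET:                      # every rule has source VL90_IOT net
        return False
    if rule.dst is not None and _in_alias(dst, rule.dst) == rule.invert_dst:
        return False
    if rule.dport is not None and dport not in rule.dport:
        return False
    return rule.sport is None or sport in rule.sport

def evaluate(rules, proto, src, dst, sport, dport):
    """pfSense interface rules are 'quick': first match wins, default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, src, dst, sport, dport):
            return rule.action
    return "block"

# marvosa's second ruleset as first posted: source port 53 on the DNS rule
BROKEN = [Rule("pass", "tcp/udp", INTERNAL_DNS, dport={53}, sport={53}),
          Rule("block", "tcp", THIS_FIREWALL, dport=PFSENSE_ACCESS),
          Rule("pass", dst=RFC1918, invert_dst=True)]
FIXED = [Rule("pass", "tcp/udp", INTERNAL_DNS, dport={53})] + BROKEN[1:]
# Derelict's ordering: block what you want blocked, then pass everything else
DERELICT = FIXED[:2] + [Rule("block", dst=RFC1918), Rule("pass")]
```

A client query leaves from an ephemeral source port, so the BROKEN set never matches it on rule 1 and the inverted RFC1918 pass cannot catch a 172.16.x.x destination either; ICMP to the DNS servers is blocked by both correct sets, which is the "can't ping the DNS servers" symptom.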

                                  Derelict LAYER 8 Netgate @marvosa

                                  @marvosa said in Setting up a VLAN with pfSense, Ubiquiti, and ESXi:

                                  Destination = Invert match rfc1918 alias

                                  Awesome.

                                  Try blocking to RFC1918 and then passing to any.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    pfSenseUser78 @marvosa

                                    @marvosa

                                    BEFORE:
                                    Alias Before.png

                                    AFTER:
                                    Alias After.png

                                    RULES:
                                    Rules.png

                                    Testing now.

                                      pfSenseUser78 @marvosa

                                      @marvosa

                                      Didn't work; I can't get any website to load. NSLookup returns an error.

                                      I have several LAN firewall rules that prevent DNS from anything other than my two internal DNS servers (that, now that I know about aliases can be condensed but that's a project for another time) - could this be causing issues?

                                      Thanks

                                        pfSenseUser78 @Derelict

                                        @Derelict Isn't that what I'm doing in the third rule (in one rule)?

                                          Derelict LAYER 8 Netgate

                                          Do not block traffic with pass rules. Block the traffic you want to block then pass anything else. For reasons. Either take my advice or don't. Plenty of smart people disagree with me. I despise the practice.

                                          In your configuration, however, if all of these conditions are true:

                                          1. The VL90_IOT clients have their DNS servers set to only 172.16.249.138 and 172.16.249.139
                                          2. 172.16.249.0/24 is another interface on the firewall
                                          3. The DNS servers have the pfSense address on that interface as their default gateway
                                          4. The DNS servers at 172.16.249.138 and 172.16.249.139 can resolve names from the internet

                                          Then the DNS servers are broken. Perhaps they themselves have a firewall or DNS server policy or configuration prohibiting them from resolving names from VL90_IOT.

                                          From a host on VL90_IOT what is the output of this command:

                                          dig @172.16.249.138 www.google.com

                                          If you don't have dig, get it.

                                            marvosa @pfSenseUser78

                                            @pfSenseUser78 Ok, so the rfc1918 alias got fixed. Although, it raises the question of how the mask was left off in the first place as the system automatically adds the mask if the type is set to Network(s).

                                            The next issue to address is DNS. If you notice, there are no hits on your DNS rule, so we need to figure out where your queries are going.

                                            • Assuming there are no typos in your InternalDNS alias, re-verify your clients are using 172.16.249.138 and 172.16.249.139 for DNS.

                                            • On your InternalDNS alias, I would change the type to Host(s) instead of Network(s). It should work out the same, but at this point, you never know.

                                            • Do you have Squid or anything else configured that may be intercepting DNS queries?

                                            • Do your browsers have DNS-over-HTTPS enabled?

                                            • What firewall events are you seeing during your testing?
