Netgate Discussion Forum
Setting up a VLAN with pfSense, Ubiquiti, and ESXi

L2/Switching/VLANs · 66 Posts · 5 Posters · 10.9k Views
    johnpoz LAYER 8 Global Moderator @Derelict
    last edited by Dec 14, 2019, 7:16 PM

    @Derelict said in Setting up a VLAN with pfSense, Ubiquiti, and ESXi:

    Block the traffic you want to block then pass anything else.

    While I think I am one of the ones that he is talking about disagreeing - we have had many discussions over the years about this practice ;)

    While I believe you can do the ! network as an allow rule... It is a more complex setup for sure, and if you're unsure of everything that is going on, and understand how a vip might cause you grief here, etc. etc. It can end up being an issue.. And it is easier to make a mistake with..

    So I do agree with @Derelict that explicit block(s), then allow any is the cleaner, easier to understand and less prone to issues method.. If you are having any sort of issues at all with your rules - this is the method you should utilize to get the rules working how you want..

    I have removed my use of the ! rfc1918 rules and have adopted the explicit reject rfc1918 above my any as cleaner method.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

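    The two rule styles johnpoz and Derelict are comparing, as an added example (this is not code from the thread or from pfSense): a small first-match evaluator in Python that runs the same constructed packets through an explicit-reject-then-pass-any ruleset and through a single pass rule with the destination inverted. The two DNS server addresses are the ones from the thread; the Rule class, the rule names, the packet list and the function names are mine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Addresses from the thread: the two DNS servers the VLAN clients are allowed to query.
DNS_SERVERS = ["172.16.249.138", "172.16.249.139"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    action: str                          # "pass" or "reject"; either ends evaluation on a match
    name: str                            # constructed label, used to report which rule fired
    dst: list = field(default_factory=lambda: ["0.0.0.0/0"])  # destination hosts/networks
    invert_dst: bool = False             # the GUI "not" box: match everything outside dst
    protos: tuple = ()                   # () means any protocol
    dport: Optional[int] = None          # None means any destination port

    def matches(self, proto, dst_ip, dport):
        nets = [ipaddress.ip_network(n, strict=False) for n in self.dst]
        in_dst = any(dst_ip in n for n in nets)
        if self.invert_dst:
            in_dst = not in_dst
        return (in_dst
                and (not self.protos or proto in self.protos)
                and (self.dport is None or dport == self.dport))


def decide(rules, proto, dst_ip, dport):
    """First-match evaluation. Rules added in the pfSense GUI are 'quick', so the first
    matching rule decides; a packet that matches nothing falls to the implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(proto, ip, dport):
            return rule.action == "pass", rule.name
    return False, "implicit default deny"


# Style 1 (what Derelict and johnpoz recommend): explicit rejects above a pass-any.
EXPLICIT_BLOCK = [
    Rule("pass", "allow DNS to the two servers", dst=DNS_SERVERS, protos=("udp", "tcp"), dport=53),
    Rule("reject", "reject RFC1918", dst=RFC1918),
    Rule("pass", "allow anything else"),
]

# Style 2 (the "! rfc1918" approach): one pass rule with an inverted destination,
# leaning on the implicit deny for everything else.
INVERTED_ALLOW = [
    Rule("pass", "allow DNS to the two servers", dst=DNS_SERVERS, protos=("udp", "tcp"), dport=53),
    Rule("pass", "allow to ! RFC1918", dst=RFC1918, invert_dst=True),
]

# Constructed sample traffic from a VLAN client: (protocol, destination, destination port).
SAMPLE_PACKETS = [
    ("udp", "172.16.249.138", 53),    # DNS to the allowed server
    ("udp", "172.16.249.138", 123),   # something other than DNS to the same server
    ("tcp", "192.168.1.10", 80),      # web to a host on another private network
    ("tcp", "142.250.72.36", 443),    # HTTPS to the Internet
]


def compare(packets):
    """Run each packet through both rulesets and report both verdicts side by side."""
    return [
        {"packet": f"{proto} -> {dst}:{dport}",
         "explicit": decide(EXPLICIT_BLOCK, proto, dst, dport),
         "inverted": decide(INVERTED_ALLOW, proto, dst, dport)}
        for proto, dst, dport in packets
    ]


if __name__ == "__main__":
    for r in compare(SAMPLE_PACKETS):
        print(f"{r['packet']:<32} explicit: {r['explicit']}   inverted: {r['inverted']}")
```

    Both styles give the same allow/deny answer for every sample packet. The difference is where a denial lands: with explicit rejects the firewall log names the rule that fired, while the inverted style drops the same packet on the implicit default deny, and its correctness depends entirely on what is (and is not) inside the inverted destination, which is where the mistakes johnpoz mentions creep in.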
      Derelict LAYER 8 Netgate
      last edited by Dec 14, 2019, 7:20 PM

      @johnpoz said in Setting up a VLAN with pfSense, Ubiquiti, and ESXi:

      I have removed my use of the ! rfc1918 rules and have adopted the explicit reject rfc1918 above my any as cleaner method.

      If it saves a single rule set it's worth it. 🎊

          pfSenseUser78 @Derelict
          last edited by pfSenseUser78 Dec 14, 2019, 9:37 PM (posted Dec 14, 2019, 9:36 PM)

          @Derelict

          I'd like to take your advice as you absolutely sound like you know what you're doing. What do I need to change (nothing has changed yet from the above screenshots)?

          The DNS servers I'm attempting to use do not have a firewall enabled that I know of. I do not know how they would have any configuration that prevents them from answering queries from the VLAN. They both work fine for any and all clients on the LAN.

          Here's the output of dig:

          dig @172.16.249.138 www.google.com
          
          ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @172.16.249.138 www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5224
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;www.google.com.			IN	A
          
          ;; ANSWER SECTION:
          www.google.com.		220	IN	A	172.217.11.36
          
          ;; Query time: 11 msec
          ;; SERVER: 172.16.249.138#53(172.16.249.138)
          ;; WHEN: Sat Dec 14 16:33:46 EST 2019
          ;; MSG SIZE  rcvd: 59
          

          And NSLookup:

          nslookup www.google.com
          Server:		127.0.0.53
          Address:	127.0.0.53#53
          
          ** server can't find www.google.com: SERVFAIL
          

          Devices DO get an IP address successfully in the 192.168.90.x range (which was setup for the VLAN). From the VLAN I can ping 8.8.8.8.

          Please let me know any other information you need and thank you for your time and patience. Much appreciated.

            johnpoz LAYER 8 Global Moderator
            last edited by Dec 14, 2019, 9:40 PM

            Why would nslookup be using 127.0.0.53???

              pfSenseUser78 @johnpoz
              last edited by Dec 14, 2019, 9:47 PM

              @johnpoz This is from a mint laptop joined to the VLAN90. Here's the output when joined to the LAN:

              nslookup www.google.com
              Server:		127.0.0.53
              Address:	127.0.0.53#53
              
              Non-authoritative answer:
              Name:	www.google.com
              Address: 172.217.6.196
              Name:	www.google.com
              Address: 2607:f8b0:4006:818::2004
                Derelict LAYER 8 Netgate
                last edited by Derelict Dec 14, 2019, 11:40 PM (posted Dec 14, 2019, 11:39 PM)

                The way you have your rules set you need to set your clients to use 172.16.249.138 and 172.16.249.139 to resolve DNS. Based on the dig output that works fine. Figure out how to make that happen and stop trying to use what looks to me like unbound on the client (just a guess) and it will work fine.

                127.0.0.53 is not 172.16.249.138 and 172.16.249.139

                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Dec 15, 2019, 12:04 AM (posted Dec 15, 2019, 12:02 AM)

                  And where exactly is whatever is listening on 127.0.0.53 sending the query when the laptop asks it for something?

                  So this laptop is running some sort of local caching service - yeah could be dnsmasq.. Client asks itself for www.something.tld, which that service forwards to where? That is the question; you need to make sure it forwards to the NS you have allowed on the other vlan.

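                  The question johnpoz asks is the one to answer on the client: 127.0.0.53 is the address systemd-resolved's local stub listener uses, so the libc resolver hands every query to that stub and what matters is where the stub forwards. As an added example (not from the thread), a Python helper that reads a resolv.conf and a `resolvectl status` dump, both constructed here, lists the upstream servers per link and flags any that the VLAN firewall rules do not allow. The link names and the 192.168.90.1 upstream on the Wi-Fi link are assumptions standing in for what the laptop would show (the VLAN's interface address handed out by DHCP); the output layout follows resolvectl as I know it and varies between systemd versions.

```python
import re

# Servers the VLAN firewall rules allow DNS to (from the thread).
ALLOWED_DNS = ["172.16.249.138", "172.16.249.139"]

# systemd-resolved's stub listener address, which is what resolv.conf pointed at on the laptop.
STUB_ADDRESS = "127.0.0.53"

# Constructed /etc/resolv.conf as systemd-resolved writes it.
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.53\noptions edns0\nsearch lan\n"

# Constructed `resolvectl status` output; link names and addresses are assumptions.
SAMPLE_STATUS = """\
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
          DNSSEC NTA: 10.in-addr.arpa

Link 3 (wlp2s0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.90.1
         DNS Servers: 192.168.90.1
          DNS Domain: ~.

Link 2 (enp0s3)
      Current Scopes: DNS
  Current DNS Server: 172.16.249.138
         DNS Servers: 172.16.249.138
                      172.16.249.139
"""


def uses_local_stub(resolv_conf):
    """True when resolv.conf sends the libc resolver to the 127.0.0.53 stub."""
    return any(line.split()[1:2] == [STUB_ADDRESS]
               for line in resolv_conf.splitlines()
               if line.strip().startswith("nameserver"))


def upstreams_per_link(status_text):
    """Map each link name to the upstream DNS servers the stub forwards to on that link."""
    links, current, collecting = {}, None, False
    for line in status_text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:                                   # start of a per-link section
            current, collecting = m.group(1), False
            links[current] = []
            continue
        if current is None:                     # still in the Global section
            continue
        stripped = line.strip()
        if re.match(r"^\s*[A-Za-z][A-Za-z ]*:\s", line):   # a "Key: value" field line
            collecting = stripped.startswith("DNS Servers:")
            if collecting:
                links[current].extend(stripped.split(":", 1)[1].split())
        elif collecting and stripped:           # continuation line of a DNS Servers list
            links[current].extend(stripped.split())
        else:
            collecting = False
    return links


def disallowed_upstreams(status_text, link, allowed):
    """Upstream servers on `link` that the firewall rules will not let the client reach."""
    servers = upstreams_per_link(status_text).get(link, [])
    return [s for s in servers if s not in set(allowed)]


if __name__ == "__main__":
    print("libc resolver uses the local stub:", uses_local_stub(SAMPLE_RESOLV_CONF))
    for link, servers in upstreams_per_link(SAMPLE_STATUS).items():
        bad = disallowed_upstreams(SAMPLE_STATUS, link, ALLOWED_DNS)
        print(f"{link}: forwards to {servers}; not allowed by the VLAN rules: {bad}")
```

                  On the constructed data the Wi-Fi link forwards to 192.168.90.1, which the VLAN rules never pass, so every query from the stub ends in SERVFAIL exactly as the nslookup output shows, while dig, which talks to 172.16.249.138 directly, works. On a real laptop the inputs come from `cat /etc/resolv.conf` and `resolvectl status`.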
                    pfSenseUser78 @Derelict
                    last edited by Dec 15, 2019, 2:31 AM

                    @Derelict

                    How do I get the VLAN set so that I don't have to manually assign the clients a specific DNS server? On some of these devices I can't manually set DNS.

                    Not using unbound at all, anywhere.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Dec 15, 2019, 2:33 AM

                      You can hand your clients whatever dns you want them to use via dhcp..

                        pfSenseUser78 @johnpoz
                        last edited by Dec 15, 2019, 2:34 AM

                        @johnpoz

                        I have no idea. Everything is set to "automatic" for that wifi interface on the mint laptop I'm using (and yes, for all networks and not just the one on VLAN90). When I switch back to the LAN I don't have that problem.

                          johnpoz LAYER 8 Global Moderator
                          last edited by Dec 15, 2019, 2:36 AM

                          In your dhcp scope you set on the vlan - set the NS you want the dhcp clients to use. Or set up reservations for specific devices to use the dns you want those clients to use.

                          Out of the box when you enable dhcp on an interface/vlan it hands out the interface/vlan as the dns..

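                          johnpoz's fix, as an added example (not code from the thread or from pfSense): a Python check over a constructed pfSense config.xml fragment that reports which DNS servers a VLAN's DHCP scope hands out, applying the default he describes (no dnsserver entries means the interface address goes out), compares them with the servers the firewall allows, and writes the two allowed servers into the scope. The interface names lan/opt1, the vmx0.90 VLAN interface, the 192.168.90.1 address and the element layout (interfaces/<iface>/ipaddr, dhcpd/<iface>/dnsserver) are assumptions modelled on pfSense's config.xml as I know it; the setting is normally made in the GUI under Services > DHCP Server rather than by editing the file.

```python
import xml.etree.ElementTree as ET

# Servers the VLAN firewall rules allow DNS to (from the thread).
ALLOWED_DNS = {"172.16.249.138", "172.16.249.139"}

# Constructed config.xml fragment; the LAN scope already names the two servers,
# the VLAN90 scope (opt1) has no dnsserver entries at all.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>vmx0</if><ipaddr>172.16.249.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>VLAN90</descr><if>vmx0.90</if><ipaddr>192.168.90.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <dhcpd>
    <lan><enable/><range><from>172.16.249.100</from><to>172.16.249.199</to></range>
         <dnsserver>172.16.249.138</dnsserver><dnsserver>172.16.249.139</dnsserver></lan>
    <opt1><enable/><range><from>192.168.90.100</from><to>192.168.90.199</to></range></opt1>
  </dhcpd>
</pfsense>"""


def dhcp_dns_handed_out(config_xml, iface):
    """DNS servers the DHCP scope on `iface` gives to clients."""
    root = ET.fromstring(config_xml)
    scope = root.find(f"dhcpd/{iface}")
    if scope is None or scope.find("enable") is None:
        return []                                   # no DHCP scope enabled here
    configured = [e.text.strip() for e in scope.findall("dnsserver") if e.text]
    if configured:
        return configured
    # The default johnpoz describes: with nothing set in the scope, clients are
    # handed the interface's own address as their DNS server.
    ip = root.findtext(f"interfaces/{iface}/ipaddr")
    return [ip] if ip else []


def scope_problems(config_xml, iface, allowed):
    """Handed-out servers that the firewall rules on `iface` will not let clients reach."""
    return [s for s in dhcp_dns_handed_out(config_xml, iface) if s not in allowed]


def set_scope_dns(config_xml, iface, servers):
    """Return the config with the scope's dnsserver entries replaced by `servers`."""
    root = ET.fromstring(config_xml)
    scope = root.find(f"dhcpd/{iface}")
    if scope is None:
        raise ValueError(f"no DHCP scope for {iface}")
    for old in scope.findall("dnsserver"):
        scope.remove(old)
    for server in servers:
        ET.SubElement(scope, "dnsserver").text = server
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for iface in ("lan", "opt1"):
        print(iface, "hands out", dhcp_dns_handed_out(SAMPLE_CONFIG, iface),
              "not allowed:", scope_problems(SAMPLE_CONFIG, iface, ALLOWED_DNS))
    fixed = set_scope_dns(SAMPLE_CONFIG, "opt1", sorted(ALLOWED_DNS))
    print("after fix, opt1 hands out", dhcp_dns_handed_out(fixed, "opt1"))
```

                          Before the fix the VLAN scope hands out 192.168.90.1, which the rules never pass, so clients resolve nothing even though the rules themselves are right; after the fix they receive the two servers the DNS rule allows. The same check is worth repeating on any static mapping (reservation) that carries its own DNS settings.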
                            pfSenseUser78 @johnpoz
                            last edited by Dec 15, 2019, 2:40 AM

                            @johnpoz

                            GOT IT! IT WORKS!

                            Let me post my final VLAN rules to make sure there's nothing else I need to change (recommendations requested):
                            Firewall Final.png

                              marvosa
                              last edited by marvosa Dec 15, 2019, 2:50 AM (posted Dec 15, 2019, 2:47 AM)

                              At this point, whether you choose to use blocks before an any/any or a streamlined allow rule that leverages the implicit deny... is now moot as it appears evident that the issue is on the client-side.

                              Either ruleset will work as soon as the clients are configured to use the correct DNS servers.

                              EDIT - Just saw the "IT WORKS!" post... glad it's working!

                                pfSenseUser78 @marvosa
                                last edited by pfSenseUser78 Dec 15, 2019, 4:07 AM (posted Dec 15, 2019, 4:06 AM)

                                @marvosa Now on to the next problem (which will be its own post if I decide to continue) - HomeKit and WeMo don't talk to one another from the LAN to the VLAN. I found a few guides and attempted to open some ports but it's still not working.

                                At this point, I don't know if it's still worth it. I'd love to be able to have the IoT devices on their own network to avoid them compromising my LAN but it seems like a PITA to get them to talk across networks.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.