Setting up a VLAN with pfSense, Ubiquiti, and ESXi

johnpoz

Why would would nslookup be using 127.0.0.53???

pfSenseUser78

@johnpoz This is from a mint laptop joined to the VLAN90. Here's the output when joined to the LAN:

 nslookup www.google.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	www.google.com
Address: 172.217.6.196
Name:	www.google.com
Address: 2607:f8b0:4006:818::2004

Derelict

The way you have your rules set you need to set your clients to use 172.16.249.138 and 172.16.249.139 to resolve DNS. Based on the dig output that works fine. Figure out how to make that happen and stop trying to use what looks to me like unbound on the client (just a guess) and it will work fine.

127.0.0.53 is not 172.16.249.138 and 172.16.249.139

johnpoz

And where exactly whatever is listening on 127.0.0.53 sending the query when the laptop asks it for something?

So this laptop is running some sort of local caching service - yeah could be dnsmasq.. Client asks itself for www.something.tld, which that service forwards to where? Is the question, you need to make sure it forwards to your NS you have allowed on the other vlan.

pfSenseUser78

@Derelict

How do I get the VLAN set so that I don't have to manually assign the clients a specific DNS server? On some of these devices I can't manually set DNS.

Not using unbound at all, anywhere.

johnpoz

You can hand your clients whatever dns you want them to use via dhcp..

pfSenseUser78

@johnpoz

I have no idea. Everything is set to "automatic" for that wifi interface on the mint laptop I'm using (and yes, for all networks and not just the one on VLAN90). When I switch back to the LAN I don't have that problem.

johnpoz

In your dhcp scope you set on the vlan - set the NS you want the dhcp clients to use. Or setup a reservations for specific devices to use the dns you want those client to use.

Out of the box when you enable dhcp on an interface/vlan it hands out the interface/vlan as the dns..

pfSenseUser78

@johnpoz

GOT IT! IT WORKS!

Let me post my final VLAN rules to make sure there's nothing else I need to change (recommendations requested):
Firewall Final.png

marvosa

At this point, whether you choose to use blocks before an any/any or a streamlined allow rule that leverages the implicit deny... is now moot as it appears evident that the issue is on the client-side.

Either ruleset will work as soon as the clients are configured to use the correct DNS servers.

EDIT - Just saw the "IT WORKS!" post... glad it's working!

pfSenseUser78

@marvosa Now on to the next problem (which will be it's own post if I decide to continue) - HomeKit and WeMo don't talk to one another from the LAN to the VLAN. I found a few guides and attempted to open some ports but it's still not working.

At this point, I don't know if it's still worth it. I'd love to be able to have the IoT devices on their own network to avoid them compromising my LAN but it seems like a PITA to get them to talk across networks.