Can't browse default LAN
-
Hello all,
Wasn't quite sure how to title this... New to pfSense and trying to replace a dual wan Linksys LRT224 with a Netgate SG-3100. Configured the switch and vlans same as the Linksys and have limited success.
LAN (goes to data switches)
192.168.1.32/32
No DHCP - DHCP handled by Windows Domain Server

VLAN 100 (wifi switch)
192.168.2.1/24
DHCP Server enabled

VLAN 200 (phone switches)
172.16.120.254/24
DHCP Server enabled

Switch Ports
1 - LAN 1 - 100
2 - LAN 2 - 1
3 - LAN 3 - 1
4 - LAN 4 - 200
5 - LAN Uplink - 1

VLAN Groups
0 - 1 - 2,3,5t
1 - 100 - 1,5t
2 - 200 - 4,5t

Physical connections
LAN 1 – WIFI Switch - public network internet access only
LAN 2 – Data Switch - corporate network
LAN 3 – Windows workstation
LAN 4 – Phone Switch - phones only

Connected to LAN1 or LAN4 I get an IP address and can see other computers/devices. I’m able to ping 192.168.2.1, 192.168.1.32 and 172.16.120.254. And I can log in to pfSense using any of those IPs.
Connected to LAN2 or LAN3 I get an IP address, 192.168.1.77 from the domain controller, and I can see computers/devices on the data network. I’m still able to ping 192.168.2.1 and 172.16.120.254 but not 192.168.1.32. And I can’t log in to pfSense using any of those IPs.
If I disconnect the cable to the domain network and manually configure the ip address on my computer and connect to LAN2 or LAN3 I have the same problem.
Any help on pointing out what I’m missing greatly appreciated!
Thanks
Scot
-
@p912s said in Can't browse default LAN:
LAN (goes to data switches)
192.168.1.32/32
No DHCP - DHCP handled by Windows Domain Server

If you're going to keep your current setup, then the first thing I would do is move the LAN interface to a /24. Then I would verify that your DC is configured to hand out the pfSense LAN IP (192.168.1.32) as the default gateway and not itself.
From a design perspective, why not go all VLANs? If you keep the same subnets, I would leave the LAN interface unassigned and move your corporate network traffic to a VLAN (e.g. VLAN 300). Assign 192.168.1.32/24 to VLAN 300, then tag VLAN 300 on switchport 5 and move your access ports (LAN 2, LAN 3) to VLAN 300. Although, I would urge you to move away from subnets like 192.168.1.0/24 that are common on SOHO routers or it will give you VPN headaches down the road.
Lastly, I would re-verify that your firewall rules are allowing the traffic.
Not that it won't work, but 192.168.1.32 is an odd choice for a physical interface on a firewall, why not go with the usual 192.168.1.1 or 192.168.1.254?
-
@p912s said in Can't browse default LAN:
LAN (goes to data switches)
192.168.1.32/32

That won't be much of a LAN with only one device on it. A /32 subnet mask allows only for a single device.
-
@marvosa said in Can't browse default LAN:
Not that it won't work, but 192.168.1.32 is an odd choice for a physical interface on a firewall, why not go with the usual 192.168.1.1 or 192.168.1.254?
Yeah .32 is odd for sure... I have mine set to .253 because .1 and .254 is a common default for devices... That you might connect to the network.
Since I'm not using a common network like 192.168.0 or 192.168.1 it's prob not an issue any more - but just a habit I guess I got, staying away from the end IPs..
But yeah .32 is a bit of an odd choice ;) Anything works, other than breaking up your dhcp scope not an issue..
But as pointed out that /32 would be problematic ;)
-
@marvosa Thank you for your reply. I've done as suggested and created VLAN 300 and assigned the switch ports. And use /24 for the network mask. Unfortunately the results are the same. When on VLAN 100 or 200 everything works great, but on VLAN 300 I'm limited in what I see and I don't have internet access.
Thinking about differences between the VLANs, really it's only that 300 is using an external DHCP Server. With that in mind I disconnected the cable from LAN 2 and configured a DHCP Server for VLAN 300, and everything works!
I've browsed around the interface in pfSense trying to see what changed but can't seem to identify it.
All 3 VLANs have a "Default allow LAN to any" rule, and it looks the same for each VLAN.
What is different when using the onboard DHCP Server as opposed to an external DHCP Server for that VLAN?
192.168.1.32 was just an available address outside the DHCP range on the active network so I could connect the Netgate for testing. When placed in service it will be 192.168.1.1.
Concerning moving away from 192.168.1.0/24, agreed. But that's not my call, yet... They have a crap load of static devices - printers, scanners etc so they would all need to be touched to make that change. I'm hoping they'll want to do that in the new year.
Thanks again for any direction you can provide.
Scot
-
@JKnott Thanks for the reply.
-
@johnpoz Thanks for the reply. More to think about...
-
@p912s said in Can't browse default LAN:
All 3 VLANs have a "Default allow LAN to any" rule, and it looks the same for each VLAN.
Can you post the rules for each VLAN?
What is different when using the onboard DHCP Server as opposed to an external DHCP Server for that VLAN?
There's no difference. You just have to make sure the 3rd party DHCP server is assigning the correct scope options.... and you can only have one DHCP server running per broadcast domain, so you have to disable one or the other. What external DHCP server are you using? What is the external server assigning for the router, DNS and domain?
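The two checks the replies above boil down to, the /32 versus /24 mask on the LAN interface and whether the external DHCP server's scope options fit that interface, as an added Python example that is not from the thread. It uses the addresses posted (192.168.1.32 for the pfSense interface, the 192.168.1.77 lease); the DHCP range values are constructed for illustration.

```python
import ipaddress

# Values taken from the thread: pfSense LAN interface as first posted, the
# corrected mask, and a lease the Windows domain controller handed out.
LAN_AS_POSTED = "192.168.1.32/32"
LAN_FIXED = "192.168.1.32/24"
CLIENT_LEASE = "192.168.1.77"


def interface_network(iface_cidr):
    """Return the on-link network the firewall derives from address/mask."""
    return ipaddress.ip_interface(iface_cidr).network


def client_on_link(iface_cidr, client_ip):
    """True if the firewall treats client_ip as directly reachable on that interface.

    With a /32 the on-link network contains only the firewall itself, which is
    why a 192.168.1.77 client can reach the other VLAN gateways but not .32.
    """
    return ipaddress.ip_address(client_ip) in interface_network(iface_cidr)


def check_dhcp_scope(iface_cidr, scope):
    """Validate what an external DHCP server hands out for this segment.

    scope: dict with 'router' (the option 3 value) and optionally
    'range' as a (start, end) tuple. Returns a list of problems; an empty
    list means the scope is consistent with the pfSense interface.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    problems = []
    router = ipaddress.ip_address(scope["router"])
    if router != iface.ip:
        # The DC must hand out the pfSense LAN IP as gateway, not itself.
        problems.append(f"router option {router} is not the pfSense interface {iface.ip}")
    if router not in net:
        problems.append(f"router option {router} is outside {net}")
    start, end = scope.get("range", (None, None))
    if start and end:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s not in net or e not in net:
            problems.append(f"DHCP range {s}-{e} is not inside {net}")
        if s <= iface.ip <= e:
            problems.append(f"pfSense address {iface.ip} lies inside the DHCP range")
    return problems
```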
-
@marvosa Thanks for the follow-up. Not sure what changed, or if I'm just impatient... Before I posted that last comment I had enabled dhcp for VLAN 300 and everything worked. Then I disabled dhcp and reconnected the external dhcp server and it didn't work. So I posted the comment and went upstairs and ate lunch.
Came back downstairs to continue troubleshooting and everything is working using the external dhcp server.
Thanks again for your help.