I need help with VLAN
-
Hi.
I need help with communication between VLAN and LAN in pfSense 2.3.4-RELEASE-p1.
I did a lot of research and did several tests, but I still haven't been able to resolve this last issue.
The scenario is as follows:
1 LAN 10.0.x.y / 16
1 VLAN 10.100.100.1/16
Some AP: 10.100.50.x / 16
DHCP: 10.100.200.x ~ 10.100.202.y / 16
Testing from pfSense, I can ping anything (local network, Access Points in the range 10.100.50, devices with IP by DHCP, without any problem).
But, I need a Zabbix to ping the APs, so his gateway is the LAN IP of pfSense. It can ping VLAN 10.100.100.1 and also any client that receives via DHCP, for example. But if I try to ping any device with fixed IP on the VLAN, it does not respond. I realized that if the IP is fixed, that it does not respond. If it is DHCP, it responds perfectly. I couldn't understand why.
The firewall rules are all open for testing and I still couldn't. I also tried to create in Floating and without success too.
If you can help with any ideas, I am very grateful.
Thanks!
-
@snows-0
Two /16 subnets? You have quite a large network!
@snows-0 said in I need help with VLAN:
It can ping VLAN 10.100.100.1 and also any client that receives via DHCP, for example. But if I try to ping any device with fixed IP on the VLAN, it does not respond.
Possibly the network mask is not set correctly on the device.
Or its firewall blocks access from out of its own subnet.
-
@viragomann Thanks for answering.
The masks are correct, yes. I've checked it out several times. I also came to think of it.
As for the firewall, do you mean pfSense itself? If so, everything is free. I have also done it many times to check it out.
And if it is not there, for example, Access Points have no restrictions in this regard.
It doesn't really make much sense. If pfSense can ping everything, and the LAN can ping the VLAN, I don't understand the reason why I can't ping anything else on the VLAN, when the only difference is that it has a fixed IP and not DHCP.
-
Yes, I was talking about the device's firewall.
The gateway setting is another possible issue. It is set by DHCP, so check if it is set correctly.
Another check you can do is to try a ping from the pfSense Diagnostic menu, then change the source to the other subnet and try again.
If the gateway is set correctly and the device's firewall allows the pings from outside, you should get responses on both attempts.
-
@viragomann In this case, I need Zabbix to ping and it is not using DHCP.
He is on the 10.0.x.y network and I configured his gateway as the LAN IP of pfSense. With this, Zabbix can ping the IP of VLAN 10.100.x.y normally.
I did the test you said and really the ping only responds when I change the source to VLAN100. In other words, I would then have to change the entire structure of Zabbix to have the gateway as the one for this VLAN, correct? But then I would have other problems, because I would no longer have the connectivity that I already have today with him being able to ping the servers that are on the same network as him.
What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP, which in theory, are also in the same IP range as the AP. That is, it should also respond. That which until now I have not been able to understand. Or is he not responding because he does not "know" 10.100.50.x, instead of the other IPs he provides and he is supposed to know and trust? I don't know ... bizarre.
-
@snows-0 said in I need help with VLAN:
1 VLAN 10.100.100.1/16
Some AP: 10.100.50.x / 16
DHCP: 10.100.200.x ~ 10.100.202.y / 16
Those 3 are overlapping. Are they supposed to be on the same subnet?
-
@snows-0 said in I need help with VLAN:
In this case, I need Zabbix to ping and it is not using DHCP.
I was talking about the destination devices.
@snows-0 said in I need help with VLAN:
What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP
As I mentioned, possibly the network settings on the destination devices are wrong. Check all settings, network mask and gateway.
Does this problem only affect the APs or also other devices which pull IPs from DHCP?
-
Most likely...one (or more) of the devices have the wrong gateway and/or mask set.
My suggestion... simplify your network:
- Leave the parent LAN interface unassigned
- Move your current LAN subnet to a VLAN
- Refine all your subnets down to /24's.
Once that's done, make the appropriate adjustments on your switch. You are using a managed switch right?
Then I'd re-verify that your access ports are configured for the appropriate VLAN(s), and re-verify the masks and gw's of all your devices.
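The "re-verify the masks and gw's of all your devices" step above, and the overlap question raised earlier in the thread, can be scripted. This is an added example (not code from any participant or from pfSense); the inventory below is constructed to mirror the thread's addressing, and the host names and the deliberately broken entries (a /24 mask typo, a missing gateway) are hypothetical.

```python
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations

# Constructed inventory modelled on the thread's addressing (hypothetical hosts,
# not the poster's real devices): name -> (address/prefix, default gateway or None).
DEVICES = {
    "Zabbix (LAN)":           ("10.0.0.50/16",    "10.0.0.1"),
    "AP-1 (static, VLAN100)": ("10.100.50.50/16", "10.100.100.1"),
    "AP-2 (mask typo)":       ("10.100.50.51/24", "10.100.100.1"),
    "AP-3 (no gateway)":      ("10.100.50.52/16", None),
}

# pfSense interface addresses from the thread; these define the routed segments.
GATEWAY_INTERFACES = ["10.0.0.1/16", "10.100.100.1/16"]


def check_device(name, cidr, gateway):
    """Return findings for one host. Empty list = address, mask and gateway agree.
    A host whose gateway is outside its own subnet, or that has none, still receives
    a ping from another VLAN but cannot route the reply back, so it looks 'down'."""
    iface = IPv4Interface(cidr)
    if gateway is None:
        return [f"{name}: no default gateway; cannot reply to hosts outside {iface.network}"]
    gw = IPv4Address(gateway)
    if gw not in iface.network:
        return [f"{name}: gateway {gw} is not inside {iface.network}; check the mask"]
    return []


def overlapping_networks(cidrs):
    """Return (a, b) pairs of routed segments whose address ranges overlap.
    Two interfaces on the same router sharing address space break routing."""
    nets = [IPv4Interface(c).network for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def audit(devices=DEVICES, interfaces=GATEWAY_INTERFACES):
    """Run both checks and return every finding as a list of strings."""
    findings = []
    for name, (cidr, gw) in devices.items():
        findings.extend(check_device(name, cidr, gw))
    for a, b in overlapping_networks(interfaces):
        findings.append(f"router segments {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

With the constructed inventory, only the two deliberately broken APs are reported; the LAN and VLAN100 segments do not overlap, whereas the three /16 entries quoted earlier all collapse to 10.100.0.0/16.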
-
@viragomann said in I need help with VLAN:
@snows-0 said in I need help with VLAN:
In this case, I need Zabbix to ping and it is not using DHCP.
I was talking about the destination devices.
In this case, Access Points are not via DHCP. They have fixed IP.
Example:
10.100.50.50/16, GW: 10.100.100.1 (VLAN IP)
If I try to ping from a PC that is in the VLAN, receiving IP via DHCP from pfSense, it can ping everything. But, if I try the same from a PC with a fixed IP (Zabbix, for example, which is using the pfSense LAN IP as a gateway), it can only ping the IP of VLAN 10.100.100.1 and any device that has received IP via DHCP from pfSense. If I try to ping an AP (which has a fixed IP, but is on the VLAN and with GW 10.100.100.1), there is no connectivity.
It makes no sense.
@snows-0 said in I need help with VLAN:
What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP
As I mentioned, possibly the network settings on the destination devices are wrong. Check all settings, network mask and gateway.
Does this problem only affect the APs or also other devices which pull IPs from DHCP?
It only affects those with fixed IP. If it's like DHCP, it works.
I've checked and re-checked several times and in different APs to make sure.
I also checked the logs and apparently, everything is normal, see:
Zabbix > AP
-
@marvosa said in I need help with VLAN:
Most likely...one (or more) of the devices have the wrong gateway and/or mask set.
My suggestion... simplify your network:
- Leave the parent LAN interface unassigned
- Move your current LAN subnet to a VLAN
- Refine all your subnets down to /24's.
Once that's done, make the appropriate adjustments on your switch. You are using a managed switch right?
Then I'd re-verify that your access ports are configured for the appropriate VLAN(s), and re-verify the masks and gw's of all your devices.
I confess that I thought of something similar, because keeping the LAN running is strange, I don't know... whether this whole issue would not be resolved if I worked only VLAN to VLAN. I'll try.
Tks
-
It only affects those with fixed IP. If it's like DHCP, it works.
I've checked and re-checked several times and in different APs to make sure.
I also checked the logs and apparently, everything is normal, see:
Zabbix > AP
My first thoughts would be... do the AP's have a gateway set? If not, that's your issue. If so, please share their IP, Mask, and GW.
-
@marvosa Hi.
I was able to run new tests and I think I found the possible problem.
I created a new laboratory with 3 VLANs and everyone communicated perfectly with each other. But when I activated DHCP on the AP's VLAN, no one else can reach it. My other structure is just like that. So that was what was causing it. I use Captive Portal with DHCP for the VLAN of these APs.
Is there anything I can do to fix this?
-
@snows-0 said in I need help with VLAN:
but when I activated DHCP on the AP's VLAN
Why would you do that? Unless it's configured to hand out addresses from the same address block as your main server, it will cause problems. Multiple DHCP servers are OK, but they must provide addresses from the same subnet and the other info provided by it must match too.
-
I was able to run new tests and I think I found the possible problem.
I created a new laboratory with 3 VLANs and everyone communicated perfectly with each other.
but when I activated DHCP on the AP's VLAN, no one else can reach it. My other structure is just like that. So that was what it was causing. I use Captive Portal with DHCP for the VLAN of these APs.
Is there anything I can do to fix this?
That sounds fishy. Enabling DHCP on a VLAN shouldn't have anything to do with access to resources in that subnet. Your static devices should still be accessible regardless.
I would make sure PFsense is the only DHCP server in each VLAN... i.e. make sure your AP's are not configured to serve DHCP as well... or any other device for that matter.
-
@jknott said in I need help with VLAN:
@snows-0 said in I need help with VLAN:
but when I activated DHCP on the AP's VLAN
Why would you do that? Unless it's configured to hand out addresses from the same address block as your main server, it will cause problems. Multiple DHCP servers are OK, but they must provide addresses from the same subnet and the other info provided by it must match too.
I use Captive Portal with DHCP for WiFi clients. And this Captive is in that VLAN. The APs have a fixed IP. Clients connect to these APs and receive IP through Captive's DHCP.
What I noticed was: without activating DHCP, I can ping this AP perfectly through another different VLAN (the routing works as I would like), but when I activate DHCP, it is gone. Can you explain the reason for this? Is there anything I can do?
-
@snows-0 said in I need help with VLAN:
@jknott said in I need help with VLAN:
@snows-0 said in I need help with VLAN:
but when I activated DHCP on the AP's VLAN
Why would you do that? Unless it's configured to hand out addresses from the same address block as your main server, it will cause problems. Multiple DHCP servers are OK, but they must provide addresses from the same subnet and the other info provided by it must match too.
I use Captive Portal with DHCP for WiFi clients. And this Captive is in that VLAN. The APs have a fixed IP. Clients connect to these APs and receive IP through Captive's DHCP.
What I noticed was: without activating DHCP, I can ping this AP perfectly through another different VLAN (the routing works as I would like), but when I activate DHCP, it is gone. Can you explain the reason for this? Is there anything I can do?
Yes, I fully agree. But that is exactly what happens. I created a totally isolated scenario here to test. With independent VLANs, with 3 VLANs, 2 PCs and 1 AP just for this test. And that is exactly what happens. Without DHCP, I can ping any VLAN, from any VLAN. When I enabled DHCP on the AP's VLAN, it was gone. I can't ping the AP anymore. I think I'll even make a video to record this better, because it's something really inexplicable for me. Unless there's something else I can do.
-
I solved the issue a while ago and forgot to answer here.
After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect.
As my CP is authenticated, I believe the problem was precisely at that point. The other end had no way to authenticate itself to be able to pass, and from the moment I released the IP there, it started to communicate. I even thought about doing a test of this type, removing the CP's authentication to see if it worked directly, but I ended up not having time.
Anyway ... it's resolved.
Thanks to everyone who was willing to try to help.