VLANs blocked by Firewall
-
-
Well, you'll have to do what I often recommend. Start simple and get things working, before you do anything else. Then you can see where the failure occurs. As it is, a firewall will not block a VLAN as VLANs are layer 2 and firewalls work at layer 3. The firewall rules are applied to each LAN or VLAN as required. Just get the basic networks going first and then start adding the rules.
-
@r801248
opt3 is vlan10, i don't see a screenshot for firewall rules and for the dhcp of that interface -
Sorry, here you go. I only set up the switch static address in OPT2, not in the VLAN.
-
@r801248
ok
"opt2 net * opt2 net" and "opt3 net * opt3 net", not a big deal but they are wrong rules, devices on the same subnet talk to each other without the help of pfsense. pfsense does not see traffic when the client talk to each other on the same subneti don't see anything else wrong on pfsense, i don't know how the netgear should be configured.
what i understand is that the vlan tag is not working right on g1/g2/g8
is there an option like vlan port based vs vlan 802.1q or Dot1q on the switch? it should be 802.1q or Dot1q. is the switch configured as layer 2 ? (ip routing should be disabled on the switch)
maybe you can use packet capture on the parent interface to see if traffic is passing with tag and if a dhcp DORA is passing -
@kiokoman IP Routing is disabled on the switch. These are the SWITCHING --> VLAN options available.
And this is the packet capture on the parent interface (OPT2), where 10.70.0.200 is the static IP of the switch.
-
@r801248
filter for port 67 / 68 and do a release/renew ( or remove and replug the cable) on whatever you have on g1/g2 , i don't see dhcp stuff on that packet capture
there should be something like this
where ID 30 is my vlan 30 -
So, in the Packet Capture screen, you want me to select OPT2 as the interface? I'm assuming Host Address is the Switch's ...
-
@r801248
use opt3, i don't know if youcan do that with packet capture from pfsense, i use wireshark
did you try to reboot pfsense and the switch? -
Both rebooted.
-
@r801248 What is your Port PVID Config look like? ooops that was posted earlier.
What does this look like?
That config looks correct even looking at this ...
https://kb.netgear.com/11673/How-do-I-setup-a-VLAN-trunk-link-between-two-NETGEAR-switches
Also on the switch Select Switching > VLAN > Advanced > VLAN Status. what does that look like?
-
@cburbs Hello,
This is what they look like...
-
And if you plug your laptop into ports 3-7 you mentioned you do get a dhcp from VLAN10 (10.70.10.0/24) ? Can you also get out to the internet on those ports?
Have you tried to add say Port 5 to vlan10 untagged and plug into that to see what happens?
Maybe delete that Vlan 10 from the switch and start over with it?
-
@cburbs
When I plug the laptop into g3-g7 I get a DHCP from the parent interface (10.70.0.0/24) - Yes, I get out to the internet.
Adding any other port (untagged) makes it behave like g1-g2. -
@r801248
did you check if there is a firmware update for that netgear? -
@kiokoman
There is an upgrade. I guess I'll go that route.
Thanks, -
@r801248
Upgraded. Same results. Frustrating. -
And the switch has a static IP not in any of the DHCP ranges?
You may want to set the switch back to default and start over with it again.
-
@cburbs Yes, the static address is outside the range. Resetting to default values did not change the results.
-
Normally, with these :
Traffic can enter OPT3.
Before the final, hidden "drop all" (non-vsible) there is a another hidden rule that let DHCP traffic (UDP, port 67 and ...) come in.
So, what ever happens, DHCP should work. But you can see it work.
Place an pass rule at the top with proto is UDP and port = 67.
Do not use "OPT3 net" as a source, as DHCP traffic is mostly broadcast = 0.0.0.0What you should see now is that these :
should start to count.
If not : check the NIC, cable, switch and the most obvious one : VLAN settings.
Btw : when issues, go check the real firewall.
It's here, a file : /tmp/rules.debug
