VLANs blocked by Firewall
-
@kiokoman IP Routing is disabled on the switch. These are the SWITCHING --> VLAN options available.
And this is the packet capture on the parent interface (OPT2), where 10.70.0.200 is the static IP of the switch.
-
@r801248
filter for port 67 / 68 and do a release/renew ( or remove and replug the cable) on whatever you have on g1/g2 , i don't see dhcp stuff on that packet capture
there should be something like this
where ID 30 is my vlan 30 -
So, in the Packet Capture screen, you want me to select OPT2 as the interface? I'm assuming Host Address is the Switch's ...
-
@r801248
use opt3, i don't know if youcan do that with packet capture from pfsense, i use wireshark
did you try to reboot pfsense and the switch? -
Both rebooted.
-
@r801248 What is your Port PVID Config look like? ooops that was posted earlier.
What does this look like?
That config looks correct even looking at this ...
https://kb.netgear.com/11673/How-do-I-setup-a-VLAN-trunk-link-between-two-NETGEAR-switches
Also on the switch Select Switching > VLAN > Advanced > VLAN Status. what does that look like?
-
@cburbs Hello,
This is what they look like...
-
And if you plug your laptop into ports 3-7 you mentioned you do get a dhcp from VLAN10 (10.70.10.0/24) ? Can you also get out to the internet on those ports?
Have you tried to add say Port 5 to vlan10 untagged and plug into that to see what happens?
Maybe delete that Vlan 10 from the switch and start over with it?
-
@cburbs
When I plug the laptop into g3-g7 I get a DHCP from the parent interface (10.70.0.0/24) - Yes, I get out to the internet.
Adding any other port (untagged) makes it behave like g1-g2. -
@r801248
did you check if there is a firmware update for that netgear? -
@kiokoman
There is an upgrade. I guess I'll go that route.
Thanks, -
@r801248
Upgraded. Same results. Frustrating. -
And the switch has a static IP not in any of the DHCP ranges?
You may want to set the switch back to default and start over with it again.
-
@cburbs Yes, the static address is outside the range. Resetting to default values did not change the results.
-
Normally, with these :
Traffic can enter OPT3.
Before the final, hidden "drop all" (non-vsible) there is a another hidden rule that let DHCP traffic (UDP, port 67 and ...) come in.
So, what ever happens, DHCP should work. But you can see it work.
Place an pass rule at the top with proto is UDP and port = 67.
Do not use "OPT3 net" as a source, as DHCP traffic is mostly broadcast = 0.0.0.0What you should see now is that these :
should start to count.
If not : check the NIC, cable, switch and the most obvious one : VLAN settings.
Btw : when issues, go check the real firewall.
It's here, a file : /tmp/rules.debug -
Some of this stuff has already been mentioned, but the rules on OPT3 have zero hits. So there are multiple areas to look at.
My suggestion:
- Put an any/any rule at the top of OPT3 and disable everything else until basic IP communication is established.
- Remove VLAN1 from g8 on the switch
- Remove the 10.70.0.0/24 subnet from OPT2 and leave it undefined
- Bounce the DHCP server on OPT3
- Reboot the PC connected to g1 or g2
After the above, provided the switch is configured properly... everything should be passed and working as expected.
A cleanup item once you get everything working... remove that OPT3 net/OPT3 net rule... it's doing absolutely nothing.
-
@marvosa
Hi,
The switch loses connectivity when VLAN1 is removed from g8, tried it before.
Also, upon rebooting the router, there is a brief connection through VLAN10. Only lasts a couple of seconds though. Logs below -DHCP Leases
DHCP Log
Then it drops,
Firewall log
-
Also, upon rebooting the router, there is a brief connection through VLAN10. Only lasts a couple of seconds though. Logs below -
Sounds like traffic may be passing until the rules get loaded. Did you add the any/any rule?
-
@marvosa
I did. That's the only rule in OPT3
-
This setup is on igb3 correct?
Have you tried to get a vlan going correctly on igb0 instead - maybe something flaky going on with igb3.
I just came across this so maybe look into this - https://community.netgear.com/t5/Managed-Switches/GS110TP-won-t-retain-VLAN-membership-on-port-8/td-p/1446089
See if that is set for port mirroring.
Or I guess just try port 7 as your trunk/tagged port and see what happens as well.
