Inter-VLAN Routing Problems

  • Hello everybody!

    I am brand new to pfSense and this forum but have some experience with networking and a few years managing VMware environments.
    What I would like to do is implement a solution that allows for isolated vlans as well as some that can share traffic and a Management VLAN that can access everything.

    So far I have setup a pfSense box and managed switch and created a testing network.
    After configuring the switch with VLANs I added each VLAN as a sub-interface of the LAN interface and assigned them an IP address in a /24 subnet.
    For troubleshooting purposes all interfaces have firewall rules that allow all traffic.

    I can ping each VLAN interface and LAN interface from any interface but cannot ping the host on each VLAN…

    I have been pulling my hair out all day, why can the hosts not communicate?
    Any help is GREATLY appreciated!

    My setup is like this.

    WAN: DHCP /24
    LAN: Static /24
    Switch: Static /24
    VLAN 10: Static /24
    VLAN 104: Static /24

    Here are some screen grabs of my router and switch configuration in a google drive folder.

    ![LAN Conf.PNG](/public/imported_attachments/1/LAN Conf.PNG)
    ![VLAN10 Conf.PNG](/public/imported_attachments/1/VLAN10 Conf.PNG)
    ![VLAN104 Conf.PNG](/public/imported_attachments/1/VLAN104 Conf.PNG)
    ![Firewall Floating.PNG](/public/imported_attachments/1/Firewall Floating.PNG)
    ![Firewall LAN.PNG](/public/imported_attachments/1/Firewall LAN.PNG)
    ![Firewall VLAN10.PNG](/public/imported_attachments/1/Firewall VLAN10.PNG)
    ![Firewall VLAN104.PNG](/public/imported_attachments/1/Firewall VLAN104.PNG)
    ![Switch VLAN Summery.PNG](/public/imported_attachments/1/Switch VLAN Summery.PNG)
    ![Switch VLAN10.PNG](/public/imported_attachments/1/Switch VLAN10.PNG)
    ![Switch VLAN104.PNG](/public/imported_attachments/1/Switch VLAN104.PNG)

  • Hello,

    I'm not sure if this is the only problem, but as far as I know from my switch, when I set up my VLANs I use T for tagged ports, so I assume your configuration for VLAN 10 and 104 should have "T" instead of "U", because pfSense receives and sends tagged packets on your VLAN interfaces, and here ports 1 and 4 are transferring only untagged packets, so pfSense will never receive tagged packets coming from port 16.

    Hope this helps!

    Best regards,

  • Thanks for the reply Alex,

    I took your advice and set the ports for VLAN 10 and 104 to Tagged.
    I can now communicate between the VLANs!
    Thank You!

    My only issue now is that I cannot seem to ping the host in VLAN 104 from VLAN 10. Other connections work fine (RDP, DHCP, DNS).

    Firewall rules are still set to allow * from * to *.
    I do not see anything being blocked in the firewall logs.
    Firewalls on both clients are turned off.

    Although setting VLAN 10 and 104 to Tagged worked, my understanding was that if the hosts on that port are VLAN unaware then the ports should be Untagged.
    Both hosts are laptops with VLAN unset in the NIC settings.
    I thought that the packets originating from the untagged ports would be forwarded through the Tagged ports after having the VLAN tag inserted.
    I think my understanding of how Tagged ports work is wrong.

  • You're welcome plebOverload, feel free to click on "applause" above my nickname ;) LOL

    Seriously, I'm happy you're able to communicate between your VLANs! About your ICMP between VLANs, from and to what are you doing it? If you do it between 2 Windows computers, take care of the firewall issue: by default Windows drops pings from another subnet. In this case, disable your firewall temporarily and try again.

    If you do it from Linux, check around iptables; here too, the firewall is probably the clue!

    DNS is bound to all interfaces by default, so it will be accessible without problem.

    I suggest you remove your IPv4+IPv6 * * * rules because they are a very big firewall hole …
    For each interface add a rule like this one:

    Interface LAN --> If you need access to VLAN104VMNET:
    IPv4 - any - LAN Net - VLAN104VMNET Net - *
    Best method : IPv4 - any - LAN Address - VLAN104VMNET Address - *

    Interface VLAN104VMNET --> If you need access to LAN:
    IPv4 - any - VLAN104VMNET Net - LAN Net - *

    It's a big hole too, but not as big as IPv4+IPv6 * * * *!

    About VLAN tagged and untagged ports:

    As I understand it, when something is plugged directly into a switch port, it's an untagged port, because this device (like the majority) doesn't know what a VLAN is; so even if the device is in one VLAN, the connected port must be untagged.

    When you plug in something that uses VLANs (computer, switch, etc.), the connected port must be at least tagged, and tagged for each VLAN that will be used by this device! If this device sends and receives frames from 2 or more VLANs, its port must be tagged in each of these VLANs, and the priority VLAN will be the one defined via the PVID of this same port.

    If the device uses both (VLAN and real interface), you will need to untag the port for the real interface and tag the same port in the other VLAN.

    If the master port (the one that forwards all frames transiting the VLAN or the real interface) is on the real interface, then it must be untagged. If the master port must carry frames from VLANs, it must be tagged in each VLAN transiting this master port.

    Keep in mind: when your DHCP is discovering a device (DHCPDISCOVER) and replies to the device with DHCPINFORM, normally if your VLAN settings are correct the next stage is DHCPACK, the device acknowledges the offered IP, and all is fine. But if you mismatch something in the VLAN settings, such as a wrong PVID or no master port tagged into the VLAN, you will not see DHCPACK, because even if pfSense discovers the device, the device will not be able to send back the frames, so your DHCP log will loop: DHCPDISCOVER xx:xx:xx:xx:xx, DHCPINFORM xx:xx:xx:xx:xx, DHCPDISCOVER xx:xx:xx:xx:xx, DHCPINFORM xx:xx:xx:xx:xx, DHCPDISCOVER xx:xx:xx:xx:xx, DHCPINFORM xx:xx:xx:xx:xx, etc. You'll never see DHCPACK, so check every port where VLAN frames come in and are distributed!

    I'm not sure if you'll understand everything (my bad English is a royal pain!), but I've given you a way forward :)

    You can find a lot of tutorials about tagging and untagging ports!

    Best regards !
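    The tagged/untagged/PVID behaviour described in this thread, as an added toy model (not switch firmware or pfSense code): a VLAN-unaware laptop on an untagged access port gets its frames classified by PVID, and the uplink toward pfSense only delivers them to the VLAN sub-interface when that uplink is tagged ("T") in the VLAN; with "U" the tag is stripped and the frame lands on the parent LAN interface. Port numbers, VLAN memberships and the sample frame are constructed for the example.

    ```python
    # Toy 802.1Q switch-port model (constructed example, not switch or pfSense code).
    from dataclasses import dataclass, field

    DOT1Q = (0x8100).to_bytes(2, "big")   # 802.1Q TPID that follows the two MAC addresses

    @dataclass
    class Port:
        pvid: int                                    # VLAN assigned to untagged ingress frames
        untagged: set = field(default_factory=set)   # VLANs this port sends without a tag ("U")
        tagged: set = field(default_factory=set)     # VLANs this port sends with a tag ("T")

    def ingress(port: Port, frame: bytes):
        """Classify a received frame: (vlan, frame without tag) or None if dropped."""
        if frame[12:14] == DOT1Q:
            vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
            return (vlan, frame[:12] + frame[16:]) if vlan in port.tagged else None
        return port.pvid, frame                      # untagged frame: classified by PVID

    def egress(port: Port, vlan: int, frame: bytes):
        """Frame as it leaves the port for `vlan`, or None if the port is not a member."""
        if vlan in port.tagged:
            return frame[:12] + DOT1Q + vlan.to_bytes(2, "big") + frame[12:]
        return frame if vlan in port.untagged else None

    def pfsense_interface(frame: bytes) -> str:
        """Which pfSense interface a frame on the parent NIC lands on (parent = LAN)."""
        if frame[12:14] == DOT1Q:
            return f"VLAN{int.from_bytes(frame[14:16], 'big') & 0x0FFF}"
        return "LAN"

    def deliver(access: Port, uplink: Port, frame: bytes):
        """Laptop frame enters `access`, crosses the switch, leaves `uplink` toward pfSense."""
        classified = ingress(access, frame)
        if classified is None:
            return None
        vlan, untagged = classified
        out = egress(uplink, vlan, untagged)
        return None if out is None else pfsense_interface(out)

    # Constructed frame from a VLAN-unaware laptop: dst MAC, src MAC, IPv4 ethertype, payload
    LAPTOP_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19

    def demo():
        laptop_port = Port(pvid=10, untagged={10})                    # laptop port: U in VLAN 10
        wrong_uplink = Port(pvid=1, untagged={1, 10, 104})            # uplink "U": tag stripped
        right_uplink = Port(pvid=1, untagged={1}, tagged={10, 104})   # uplink "T": tag kept
        return deliver(laptop_port, wrong_uplink, LAPTOP_FRAME), deliver(laptop_port, right_uplink, LAPTOP_FRAME)

    if __name__ == "__main__":
        print(demo())   # → ('LAN', 'VLAN10')
    ```
    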
