Losing my mind routing between vlans
-
I'm losing my mind configuring our network so that we can print on a printer that's in a different VLAN than our device. I've attempted multiple times to remedy this but I've hit the limit of my expertise.
Please see the attached diagram. I tried to diagram our setup, but this isn't my day job. Apologies if it isn't exactly correct.
I have IGB0,2,3,4 mapped to bridge that is mapped to our public WANs. I have a gateway group with corresponding firewall rules, failover works as expected, and I can switch VLANs between the WANs without issue.
I have ports mapped on our switches to various VLANs with VLAN 1 as the default for untagged ports. The switches automatically tag VLAN2+ and trunk ports are tagged.
I'm not sure what to do now. I've tried creating firewall rules in various places but nothing seems to work. My intuition tells me I should create a rule on the IGB0_LAN interface allowing traffic to and from the various VLAN subnets but this isn't working or I'm doing it incorrectly.
I've dug through the archives a couple times but I haven't found anything that has worked yet. I can provide additional information if necessary.
-
What's the point of the bridge?
-
I did not originally have the bridge. I had our switches bound to IGB0 and IGB0 mapped to the public WAN. While troubleshooting another unrelated issue, I set up IGB2,3,4 on the LAN as well so I could prove that our switches were not the cause of the problem (they weren't).
Unfortunately that didn't help me fix the issue, so I opened up a ticket with Netgate. In the process of resolving the issue they recommended the bridge configuration and reconfigured the firewall for me. I still don't fully understand why the "bridged" version is better than the "non-bridged" version.
Anyway, they also told me they don't recommend this setup going forward. I have no need for it per se, but I also haven't had a need to disable it as other than the VLAN problem everything is working right now and I'd prefer to cause as little chaos as possible.
So, if removing the bridge will address the VLAN issue I'm more than willing to do it, but I'd like to understand WHY that would be necessary. Also, I've tried resolving this particular problem before they introduced the bridge and ran into the same roadblocks (that I can recall anyway).
-
Well, you haven't mentioned what your actual problem is with regards to the VLANs.
VLANs are easy, but also easy to get wrong if there is a configuration issue on the switches.
-
Yes I have, it's the very first sentence:
I'm losing my mind configuring our network so that we can print on a printer that's in a different VLAN than our device.
If I'm on WiFi (VLAN 2) I cannot print on the printer which is currently on VLAN 1.
-
More specifically, I cannot connect to its web interface, I cannot ping it, I cannot do anything with it. In fact, if I'm only on VLAN 2 I cannot connect to ANY device on VLAN 1. All I can do is ping the VLAN 1 gateway. Any other IP is inaccessible.
-
Right. That is like saying "I'm losing my mind, because I can't change lanes on the motorway."
Details are required, because "can not print" is not sufficient to even make a guess on what could be wrong. Provide screenshots of the configuration of both switches, pfSense and the printers.
Packet captures could be useful also. What is this about a VLAN 1 gateway? Locally connected subnets shouldn't have gateways specified on pfSense.
-
I don't know what I don't know. Thanks for being more specific about what information you need. I can gather that and post it later.
I don't understand what you mean by this, could you clarify?
What is this about a VLAN 1 gateway? Locally connected subnets shouldn't have gateways specified on pfSense.
-
If the network is local to pfSense, either native on an interface or a VLAN on an interface parent, there should be no "gateway" set up on the actual pfSense interface for the local/LAN side network. To pfSense the only interfaces that have gateways set would be WAN connections.
If you need to do downstream routing you can create a gateway in pfSense, but you would not create the gateway on the actual interface.
All your devices in your different networks need to point to the pfSense IP in that network/VLAN as their gateway. And you need the appropriate rules to allow them access to what you want to allow them access to. Out of the box the only interface that will have an any/any rule would be your LAN. Any new OPT interfaces or VLANs will need the rules on their interfaces to allow them to go where you want them to go.
So if you bring up a client on optX, and the printer is in LAN, you would need the rules on optX to allow that.
Rules are always evaluated top down, first rule to fire wins - no other rules are evaluated, as the traffic enters the interface. Unless you're talking floating rules - but that is beyond this thread's talking points.
You also need to be aware that any software firewalls on devices in another VLAN/network are set to allow the access as well from a different network.
If your printer was on optX and pointed to the pfSense IP on the optX interface as its gateway, then LAN would be able to print out of the box. But when it's the other way around and your devices are in optX and the printer is in LAN, you will need to set up the appropriate rules on the optX interface.
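A small Python model of the rule semantics described in the post above (an added example, not code from the thread or from pfSense): rules are checked on the interface the packet enters, top down, first match wins, and unmatched traffic is dropped. The interface names, subnets and addresses below are constructed assumptions, not the poster's real addressing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"


def _match(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(rules_by_iface: dict, ingress_iface: str, src_ip: str, dst_ip: str) -> str:
    """Rules live on the interface the packet ENTERS and are read top down.
    The first matching rule decides; nothing below it is consulted.
    No match at all means the implicit default deny."""
    for rule in rules_by_iface.get(ingress_iface, []):
        if _match(rule.src, src_ip) and _match(rule.dst, dst_ip):
            return rule.action
    return "block"


# Constructed addressing (assumption): LAN/VLAN 1 is 192.168.1.0/24,
# WiFi/VLAN 2 is 192.168.2.0/24, pfSense holds .1 in each.
LAN_NET, VLAN2_NET = "192.168.1.0/24", "192.168.2.0/24"
PRINTER, LAPTOP = "192.168.1.50", "192.168.2.20"

# Out of the box: LAN carries a pass any/any rule, the new VLAN interface has nothing.
default_rules = {"LAN": [Rule("pass", "any", "any")], "VLAN2": []}

# The fix from the post: a pass rule on the interface the WiFi traffic enters.
fixed_rules = {
    "LAN": [Rule("pass", "any", "any")],
    "VLAN2": [Rule("pass", VLAN2_NET, LAN_NET)],
}

# Ordering pitfall: a block placed below a broad pass never fires.
misordered = {"VLAN2": [Rule("pass", VLAN2_NET, "any"), Rule("block", VLAN2_NET, LAN_NET)]}


def demo() -> dict:
    return {
        "lan_to_wifi_default": evaluate(default_rules, "LAN", PRINTER, LAPTOP),
        "wifi_to_printer_default": evaluate(default_rules, "VLAN2", LAPTOP, PRINTER),
        "wifi_to_printer_fixed": evaluate(fixed_rules, "VLAN2", LAPTOP, PRINTER),
        "misordered_block_ignored": evaluate(misordered, "VLAN2", LAPTOP, PRINTER),
    }
```

Only the forwarding decision on the pfSense side is modelled; a host firewall on the printer, as the post also notes, is a separate check.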
-
Thanks, that's helpful. I think I'm going to simplify as much as I can taking what you said into consideration, re-validate my assumptions and re-run my tests. I'll come back here with a better set of data (assuming I don't fix the problem). Unfortunately I am not at the office today so I won't be able to do any of this until tomorrow at earliest.
I appreciate the explanation, it does clarify a question that was nagging me about how the firewall rules related to the VLANs.
-
In the process of resolving the issue they recommended the bridge configuration and reconfigured the firewall for me.
I find it quite hard to believe that the bridge was recommended. Maybe fixed so it worked, but not recommended.
On what interface did you make the VLANs?
I do not find it hard to believe that it's that bridge getting in the way somehow. I would get rid of it. This is much easier done from an interface that is NOT a member of the bridge, as it is trivial to lock yourself out playing around with Layer 2 there.
I would:
In the Web GUI go to Interfaces > (assign), Bridges
Edit the bridge. Remove the interface corresponding to igb3 from the bridge.
Edit the igb4 interface, Enable it, set an IP address in some throwaway IP network.
Add a pass any any firewall rule there
Statically configure your management laptop on the same network and directly-connect it to igb4. Log into the web gui there.
Patch the LAN into igb2 instead
Go to Interfaces > (assign), Bridges
Edit the bridge. Remove the interface corresponding to igb1 from the bridge.
Go to Interfaces > (assign)
Change the assignment for LAN from BRIDGE0 to igb0.
Patch LAN from igb2 back to igb0. You should now be off the bridge interface. Connect back to your LAN switch and you should get DHCP, etc. if configured, and log into the web GUI there.
Go to Interfaces > (assign), Bridges and delete the bridge and bid it a hearty good riddance.
Lots of possibilities for lockout and downtime so you probably want to do this in a maintenance window. One of several reasons bridging router interfaces like that is undesirable.