Netgate Discussion Forum
    VLAN Interface not receiving packets

    General pfSense Questions

    Hanswerner

      Hello

      I have a VLAN setup on my switches to separate network rights of different groups of hardware and users.
      VLAN IDs are assigned through Domain Controller RADIUS (802.1X - PEAP).

      Now I am trying to integrate WLAN connections and want to run them over a firewall interface.

      It works like this:
      Client connects to RADIUS with cert and user/pass -> RADIUS gives OK and assigns VLAN ID 1012 to the client -> access point tags all packets from that client with VLAN ID 1012 -> on the other side there is a testing notebook with the same VLAN ID receiving the packets.
      I have tested with ICMP and everything works fine in both directions.

      pfSense setup:
      Version 2.3.3
      VLAN interface with ID 1012 on dedicated physical NIC OPT4 that is connected to a switch port.
      Firewall rule for logging all packets (allow any from any to any).

      Now I swap the notebook's network port over to pfSense and expect packets on that interface, but nothing happens.

      What am I missing?
      Do I have to set up the physical NIC in addition to the VLAN adapters?
      --> no difference
      Do I need IP addresses for the VLAN adapters?
      --> no difference
      Is it wrong to do it on a dedicated NIC instead of the normal LAN interface?

      Any tips on how to debug further? After setting up a monitoring port with Wireshark and notebook tests with a configured VLAN ID, everything seems to be OK on the switching side (tagged ports and uplinks), but the VLAN interface on pfSense is just not receiving any packets...

        Hanswerner

        OK,

        I think there is a problem with my "one subnet for all" setting on different NICs.

        I'm going to try a setup with bridged VLANs.

        UPDATE:

        Now I have bridged my VLAN with the LAN interface.
        Set up the rules any to any on both interfaces ... I think that should work.

        Now I get log entries that pfSense is receiving an ICMP packet, but I get no answer.

        Action  Time             Interface   Source    Destination  Protocol
                Jun 19 11:11:11  WLANFLEXA   1.1.1.2   1.1.1.1      ICMP

        pfSense is NOT sending a tagged answer ... it sends untagged on the bridged LAN interface...

        OMG ... am I missing something very basic here???
        All I want is "firewalling" between several VLANs in the same subnet... pretty basic configuration on Cisco routers...

          johnpoz (LAYER 8 Global Moderator)

          "1.1.1.2    1.1.1.1"

          You're using public IP space in your network that you do not own?

          Tagging works just fine in pfSense.. What hardware is this?  There was something a few days ago about the SG-1000 and tags; that interface had to be in promiscuous mode, and they were looking into it.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            Hanswerner

            The IP addresses are just an example... I thought it would be easier to read the rule.
            I'm using the 10.10.0.0/16 subnet.

            I can't get it to work properly ... I think it's because of the same subnet on all interfaces ... pfSense is receiving tagged packets on the VLAN interface but not answering with a tagged packet. It answers on the primary LAN interface and not on the VLAN interface.
            I can see incoming ICMP but no outgoing... it begins with the problem of assigning IP addresses in one subnet on different interfaces ...

            I still think I'm missing something very basic.

              Derelict (LAYER 8 Netgate)

              You should probably look at Private VLANs in your switches instead of firewall interfaces.

              But I might be completely misunderstanding what you are trying to do. It's not very clear.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                Hanswerner

                We already have different VLANs for different network access policies and for reducing broadcasts,
                for example:
                production machines get VLAN 1 to communicate with a communication server and nothing else
                stationary clients get VLAN 2 to communicate with DNS, terminal server etc.
                clients without an updated OS get VLAN 3 for DHCP, DNS, WSUS and nothing else
                registered unknown clients get VLAN 4 for guest access to the internet
                unknown clients get no network access

                What I want is to route between some VLANs with firewall rules.

                Machine 1 needs TeamViewer access for maintenance, so I want to give internet access to this one machine and not to the whole VLAN.
                Machine 2 needs RDP access for remote control from a PC, so I want the possibility to set a rule on pfSense.

                I have big hardware with 16 cores, 12 GB RAM, fast RAID and 8 NICs, so I thought I could replace a very old Cisco router with my pfSense box because of the much better interface, better delegation of configuration rights, better logging, URL filtering etc.

                With VLANs alone I can only configure whole access, but not port based like: "no access but DNS".

                  johnpoz (LAYER 8 Global Moderator)

                  "reducing broadcasts"
                  "easier to read the rule. I'm using the 10.10.0.0/16 subnet"

                  Clearly reducing broadcasts is your goal on a /16 ;)  Do you really have anything close to 65k hosts?... There is zero reason a /16 would ever be used other than as a summary route or a firewall rule.

                  "i think its because of the same subnet on all interfaces"

                  Well yeah, that would be BORKED!!!

                    Hanswerner

                    Why not a /16 subnet?
                    I don't need all the hosts, but it's very nice to have a separate IP range for every division connected through VPN... about 8 of 10 companies I know use this subnet. Just because I don't need it is no argument for not using it.. are there better arguments?
                    For example:
                    every 10.10.1X.1 is a domain controller
                    every 10.10.1X.2 is a backup DC
                    every 10.10.1X.3 is a print server
                    every 10.10.2X.1 is a firewall
                    every 10.10.3x.x is a printer
                    and so on...
                    10.10.1X - X = number of the division
                    And so I know just from the IP what division and what client it is, and I don't want to deal with hundreds of routing tables....
                    --- If I'm that wrong with configurations like this, please explain. There is always room for improvement and I'm asking here because I want help to improve ^^

                    A separate subnet for every VLAN if you have 20 dynamic VLANs? Have fun maintaining access policies...

                    Why is it borked?
                    It's a standard configuration in professional firewalls like WatchGuard, and I have working examples with Cisco hardware.
                    Just pfSense is doing "strange" things there, starting with the impossibility in the GUI of configuring two IP addresses in the same subnet, which is also standard in professional firewalls. Don't take me wrong... I like pfSense very much, using it privately and corporately, but some things are strange.

                    Maybe I'm wrong, but your answers without much meaning aren't very helpful ... I can't learn anything from them, so please give more information.

                      Hanswerner

                      After some reading I understand now that this will lead to bigger problems ...
                      The Cisco router is routing because of fixed routing tables ... bah.

                      I'm changing the big subnet into smaller ones on the client side.

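To show why one subnet spanning LAN and the VLAN interface produces the untagged reply seen in this thread, and why per-VLAN subnets fix it, here is an added Python model of longest-prefix-match route selection. It is not pfSense code; the interface names, addresses and the "first connected route for a prefix wins" rule are constructed simplifications, not a description of the FreeBSD kernel.

```python
import ipaddress
# Added example, not pfSense code: a minimal longest-prefix-match routing
# table showing which interface a host picks for a reply. Names/addresses
# are constructed to resemble the thread's setup (LAN + VLAN 1012 iface).

class RoutingTable:
    def __init__(self):
        self.addrs = []   # (interface, ip_interface) as configured
        self.routes = []  # (network, interface) as installed, in order

    def add_connected(self, iface, cidr):
        # Assigning an address installs a connected route for its prefix.
        # Simplified model: one prefix, one route; a later interface with the
        # same prefix never gets its own route and therefore never wins.
        ifaddr = ipaddress.ip_interface(cidr)
        self.addrs.append((iface, ifaddr))
        if any(n == ifaddr.network for n, _ in self.routes):
            return False
        self.routes.append((ifaddr.network, iface))
        return True

    def lookup(self, dst):
        # Longest prefix wins; the reply leaves via the interface owning it.
        dst = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def overlapping(self):
        # Config check: pairs of interfaces whose connected subnets overlap.
        hits = []
        for i, (ia, a) in enumerate(self.addrs):
            for ib, b in self.addrs[i + 1:]:
                if ia != ib and a.network.overlaps(b.network):
                    hits.append((ia, ib))
        return hits

def one_big_subnet():
    # LAN and the VLAN interface both carry 10.10.0.0/16, as in the thread.
    t = RoutingTable()
    t.add_connected("LAN", "10.10.0.1/16")
    t.add_connected("WLANFLEXA", "10.10.0.2/16")
    # Tagged echo request from 10.10.20.5 arrives on WLANFLEXA; reply exits:
    return t.lookup("10.10.20.5"), t.overlapping()  # ('LAN', [('LAN', 'WLANFLEXA')])

def per_vlan_subnets():
    # One /24 per VLAN: the reply is routed back out the tagged interface.
    t = RoutingTable()
    t.add_connected("LAN", "10.10.10.1/24")
    t.add_connected("WLANFLEXA", "10.10.20.1/24")
    return t.lookup("10.10.20.5"), t.overlapping()  # ('WLANFLEXA', [])
```

The `overlapping()` check is the kind of sanity test to run over an interface configuration before blaming tagging: any overlapping pair means replies for that range can only ever leave one interface.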
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.