Problem with DNS on management VLAN

  • I don't really know what topic to put this under, but I am having to troubleshoot an issue with VLANs.

    A few months ago I bought a TP-Link switch and an AP that support VLANs. I basically created 3 VLANs in pfSense and on the switch and AP: one for wireless clients, one for wired clients, and a management VLAN. The AP, the switch and the pfSense LAN interface are meant to be on the management VLAN. I had some difficulty with it and had to reset the switch multiple times, but eventually I managed to get it working, created some firewall rules and confirmed that it was all working properly.

    However, the other day, due to a vulnerability in the WPA2 protocol, I meant to check my AP for a firmware update, and I noticed I was locked out of both the switch and the AP.

    On the switch, when I put myself on the management VLAN to troubleshoot, I can ping the switch and the AP but not the pfSense LAN interface. I checked the system logs in pfSense and I get this obscure message in the DHCP log:

    icmp_echorequest Invalid argument

    and in the DNS log:

    unbound 48589:3 notice: sendto failed: Invalid argument
    unbound 48589:3 notice: remote address is port 61711

    On the management VLAN, DHCP works, but I have no internet connection. I don't know what to do to troubleshoot further. Any suggestions?

  • LAYER 8 Global Moderator

    "TP-Link switch"

    What specific switch? On the E line you cannot remove VLAN 1 from every port... So yeah, that could cause you some oddness for sure...

    To be honest it's a CRAP switch... it can kind of be used... But any broadcast traffic on VLAN 1 is going to be seen on every port... So pretty much any untagged broadcast traffic the switch sees is broadcast to every port. After I was done validating it was crap... I had just got it because so many people were here asking questions about it... And it was only $25, so I figured I'd play with it.

    I replaced it with a D-Link DGS-1100, which allows you to remove VLAN 1 from ports you don't want it on ;)

    If you could post up your switch config we can try and work through what might be the problem. And how you have it connected to pfSense... Just one uplink with tagged VLANs and using VLAN 1 as native? etc.

  • The specific switch I bought was the TL-SG108E.

    Here's a picture of my switch configurations:

    Although, I should say, I don't think it's a problem with the switch, because I'm doing a packet capture on the LAN interface and I can see my pings but there's no response. And there are also those two obscure messages I got in the DHCP and DNS logs which I was wondering about.

  • LAYER 8 Global Moderator

    Yeah, that switch blows... You cannot remove VLAN 1 from any port...

    What interface are you sniffing on in pfSense, the VLAN interface or the naked interface?

    You're using a UniFi AP, right? The IP on the AP cannot be tagged. So you're running an untagged VLAN for the AP...

    So what do you have?

    pfSense int (IP/mask, VLAN tags of VLANs, naked interface IP/mask) ---- tagged and untagged --- switch --- (tagged and untagged) --- AP

  • I'm doing the packet capture on the naked LAN interface. Yes, it's a UniFi AP. For the AP, that's exactly what I want: to be on the management VLAN (untagged) and also to be on a trunk port, passing traffic from the other two VLANs. So I have a trunk port between the AP and the switch, and between the switch and the pfSense interface.

  • Yeah, I actually figured out what happened. I had just set up a whole-network VPN and the traffic between VLANs was being routed through the VPN link... lmao
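The root cause the poster found, inter-VLAN traffic being policy-routed into the VPN gateway instead of going out the local VLAN interface, can be checked for in the active ruleset rather than rediscovered by packet capture. The following is an added example, not code from the thread or from pfSense itself. It parses constructed `pfctl -sr` output (the exact field layout, the interface names igb1.10 and igb1.20, the subnets and the gateway `ovpnc1 10.8.0.1` are all assumptions for the example) and flags every `route-to` rule that would be the first match for traffic to another local subnet. A second ruleset shows the usual fix: a plain pass rule for the local networks placed ahead of the policy-routing rule on each VLAN interface.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sr` output (field layout, interface names,
# subnets and the VPN gateway are assumptions for this example). The order
# reproduces the mistake from the thread: a "send everything to the VPN"
# rule on each client VLAN with no earlier rule passing local traffic.
LEAKY_RULES = """\
pass in quick on igb1.10 inet from 192.168.10.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: mgmt access"
pass in quick on igb1.20 route-to ( ovpnc1 10.8.0.1 ) inet from 192.168.20.0/24 to any flags S/SA keep state label "USER_RULE: VPN"
pass in quick on igb1.10 route-to ( ovpnc1 10.8.0.1 ) inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: VPN"
"""

# Corrected ordering: a pass rule for all local subnets, with no gateway set,
# comes before the policy-routing rule on every VLAN interface.
FIXED_RULES = """\
pass in quick on igb1.10 inet from 192.168.10.0/24 to 192.168.0.0/16 flags S/SA keep state label "USER_RULE: local nets"
pass in quick on igb1.10 route-to ( ovpnc1 10.8.0.1 ) inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: VPN"
pass in quick on igb1.20 inet from 192.168.20.0/24 to 192.168.0.0/16 flags S/SA keep state label "USER_RULE: local nets"
pass in quick on igb1.20 route-to ( ovpnc1 10.8.0.1 ) inet from 192.168.20.0/24 to any flags S/SA keep state label "USER_RULE: VPN"
"""

# Management VLAN plus the two client VLANs from the thread (addresses assumed).
LOCAL_NETS = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"]

# Matches the start of a pf filter rule line: action, direction, interface,
# an optional "route-to ( gwif gw )" policy-routing clause, then from/to.
RULE_RE = re.compile(
    r"^(?P<action>pass|block|reject)\s+(?:in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?:route-to\s*\(\s*(?P<gwif>\S+)\s+(?P<gw>\S+)\s*\)\s+)?"
    r"(?:inet6?\s+)?(?:proto\s+\S+\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def _net(token):
    """'any' -> None (matches everything); otherwise an ip_network."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Yield (iface, gateway, src, dst) for each rule line the regex understands.
    NAT rules, anchors and rules using tables (<name>) are skipped, so a real
    ruleset needs its aliases expanded before this check is meaningful."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        try:
            src, dst = _net(m["src"]), _net(m["dst"])
        except ValueError:  # table or alias reference such as <LocalNets>
            continue
        yield m["iface"], m["gw"], src, dst


def _covers(dst, net):
    return dst is None or net.subnet_of(dst)


def find_vpn_leaks(rules_text, local_nets):
    """Return, in ruleset order, every route-to rule that is the first match for
    traffic from its interface to some other local subnet, i.e. inter-VLAN
    traffic that will be pushed into the VPN instead of being routed locally.
    pfSense rules are 'quick' (first match wins), so any earlier rule on the
    same interface without a gateway, pass or block, takes that traffic first."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    handled = {}  # iface -> local nets already matched by a no-gateway rule
    leaks = []
    for iface, gw, src, dst in parse_rules(rules_text):
        done = handled.setdefault(iface, set())
        if gw is None:
            done.update(n for n in nets if _covers(dst, n))
            continue
        # Traffic to the interface's own subnet is switched, never routed, so
        # the source network is not an inter-VLAN destination.
        uncovered = [str(n) for n in nets
                     if n not in done and n != src and _covers(dst, n)]
        if uncovered:
            leaks.append({"iface": iface, "gateway": gw, "nets": uncovered})
    return leaks


if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_RULES), ("fixed", FIXED_RULES)):
        print(name, find_vpn_leaks(text, LOCAL_NETS))
```

On a live box the input would be the output of `pfctl -sr`, and any alias or table references would have to be resolved first since the parser skips them. The check is deliberately conservative: it only looks at rule order on one interface and treats any earlier no-gateway rule, pass or block, as having taken the traffic, which is exactly how a first-match ruleset behaves.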
