PfSense managment interface
-
-
Is a dedicated port on my pfSense for managment traffic reasonable?
-
Is my current attempt to pass traffic between two broadcast domains advisable
-
Can i use a virtual IP to trick the switch into thinking that my host is in the same broadcast domain?
-
-
@SR190:
I believe that this is because my management host sits in a separate broadcast domain (LAN - 10.3.1.1), and not in (MGMT - 10.3.99.1) - even though my rules pass traffic, the switch is likely expecting to be accessed through VLAN 99.
To enable communication between two network devices which are homed in different subnets it's required to configure the network settings correctly on both devices, including the gateways. Have you set the gateway correctly on the switch?
@SR190:
- Can i use a virtual IP to trick the switch into thinking that my host is in the same broadcast domain?
If your switch do not respond to communication requests from outside its subnet by internal restriction, that's an option (but I don't think so). You can do this by an outbound NAT rule for the switch on pfSense.
-
Thanks viragomann.
The MGMT host is 10.3.1.99/24 with a gateway of 10.3.1.1
The HPE switch is 10.3.99.11/24 with a gateway of 10.3.99.1Can you explain how I would setup an outbound NAT rule in a bit more detail?
Thanks. -
Firewall > NAT > Outbound
By default the outbound NAT is working in automatic mode, so pfSense sets rule automatically for upstream interfaces.
If you add extra rules, set it into the hybrid mode first.Then add a new rule like this:
interface: OPT1
source: Network 10.3.1.99/24 (or only the MGM PC 10.3.1.99/32)
destination: 10.3.99.11
translation: interface addressThat translates the source address in packets destined for the switch into the pfSense OPT1 address and the switch should response to it, since now the request come from inside its subnet.
-
@SR190:
Can i use a virtual IP to trick the switch into thinking that my host is in the same broadcast domain?
Why do you think that's necessary? If the switch has a gateway configured it should work routed, shouldn't it?
edit: err, just read your first post. A dedicated mgmt interface is unlikely to be reachable from the rest of the switch. It's separated for security purposes and usually can only be reached connected directly, no matter how you try to fool it.
-
On your suggestion viragomann, I have attempted to use a NAT rule to pass the outbound MGMT traffic between the switch and my LAN host. Just to clarify, at the moment I have very permissive FW rules between my LAN and the MGMT VLAN on OPT1, in both directions. I have attached a screenshot of my manual NAT rule that is based on your suggestions.
On a separate note, could I (should I) bridge my LAN interface with OPT1 and assign the NIC on my LAN host to VLAN99 so that the switch sees my NIC as part of the 99 subnet/VLAN? Are bridges generally bad practice? The LAN interface will really be dedicated to MGMT traffic, so I don't need it to be on a separate subnet.
Thanks.
-
If access to the switch doesn't work with that NAT rule you either did something wrong or you won't also get no access from inside the VLAN99 or when you bridge it to LAN.
So take a computer and put it into the MGMT_LAN and try if you can access the switch management interface.
If you get access check if the NAT rule is working. You can use the packet capture from the Diagnostic menu.BTW: When you bridge the LAN interface with the OPT1, there is still no VLAN on the LAN interface. Only the MGMT_LAN is a VLAN.
-
Thanks viragomann. Am I missing port definitions for the NAT rule? I wasn't sure what to put in there.
-
No. If the port is not specified the rule is applied to any port.
Is the outbound NAT working in hybrid or manual mode? -
Zero need for any of that if the switch has a gateway configured on its management interface network.
Presuming it actually works as configured.
-
NAT is in hybrid mode.
The gateway for the switch is 10.3.99.1 (the interface address for the MGMT LAN).
Interestingly, I have the same MGMT gateway setup for my UAPs and can SSH into them, adopt them etc from the LAN host (with rules of course). The switch in between the pfsense and my UAPs seems deaf to any traffic from my LAN.
I checked my pfsense logs the other day when trying to resolve the switch web address. I noticed some sync closed entries.
-
Sounds like a broken or misconfigured switch then.
-
Thank you for all of your suggestions.
I figured out what was preventing my host from accessing the switch over VLAN 99. On the setup page are two parameters for management access the switch: a management VLAN and a management port. When the management port is set to anything other than none, management access becomes exclusive to that port.
-
You're talking about HPE 1820 switches?
-
Yes. It's the HP 1820-24g.
