Same firewall rules on 2 VLANs; different results (SOLVED)



  • Total newbie here..  I've got 2 VLANs set up with the exact same firewall rules in the same order; on VLAN40 I can access internet, and on VLAN50 I cannot unless I disable "Block DNS" and "Block access to LAN" rules.  See attached screenshots.  I've copied and recopied them multiple times, deleted the interface and started over, always with same disparate results.

    All the VLANs are going to a Unifi managed switch if that's relevant.

    Any help would be greatly appreciated.  Thanks!

    John
    ![Screen Shot 2018-05-13 at 6.55.11 PM.png](/public/imported_attachments/1/Screen Shot 2018-05-13 at 6.55.11 PM.png)
    ![Screen Shot 2018-05-13 at 6.57.58 PM.png](/public/imported_attachments/1/Screen Shot 2018-05-13 at 6.57.58 PM.png)


  • Netgate

    What DNS servers are configured on the clients of both VLANs?

    It doesn't make a lot of sense to pass vlan 40 to vlan 40 and pass vlan 50 to vlan 50. It would make more sense to just pass the DNS servers.

    Your DNS rules should be TCP/UDP port 53. DNS is not exclusively UDP.

    Else need to see a firewall log of the blocks.


  • Rebel Alliance Global Moderator

    Why would you be blocking bogon on a LAN side interface??  Do you really think someone is going to fire up a bogon IP scheme on your network?  If all your rules are limited to their source network, then it doesn't matter what IP scheme they use, it wouldn't get through the firewall rules.

    Pretty sure bogon include 0.0.0.0 which could cause you some grief..  I believe pfsense pulls out the rfc1918 that is normally in there as well.  There is zero reason to use bogon on a lan side interface connected to a network you control, and where your rules are limited to the source network of that interface as well ;)




  • Thanks for the advice.  I have changed DNS rules to include TCP/UDP.  Have deleted Bogon networks rule but still can't access internet on just one VLAN50.  My DHCP Services are identical on both VLANs (see attached).  I'm trying to sort through firewall logs but it seems there are no entries associated with VLAN50.  I'm a total newbie so may not be doing this correctly but I entered the name VLAN50_WIRED_PLEX under the Interface section of Advanced Filter Log.  In the DHCP log I get DHCPACK and DHCPREQUEST entries for VLAN50 when I have internet access (when 'Block access to LAN' rule is disabled).  When I don't have internet access I get 'creating resolv.conf.'

    Again, so weird because exact same DHCP and Firewall settings on other VLAN work as expected.

    Any tips on what to search for in firewall or DHCP logs? Other Thoughts?  Sorry for my cluelessness :)  Thanks!

    John

    ![Screen Shot 2018-05-14 at 8.44.44 AM.png](/public/imported_attachments/1/Screen Shot 2018-05-14 at 8.44.44 AM.png)
    ![Screen Shot 2018-05-14 at 8.44.57 AM.png](/public/imported_attachments/1/Screen Shot 2018-05-14 at 8.44.57 AM.png)


  • Rebel Alliance Global Moderator

    Common mistake I see is if you changed your outbound nat to manual, and then created a new vlan.  Pfsense would not be able to nat this network to your wan IP.  And no internet.

    While you're allowing dns to pfsense on this vlan - is dns even listening on this interface?  If you had changed the default of all interfaces for say unbound to specific interfaces, unbound might not be accepting connections for dns on this interface.

    Also if you had changed the automatic ACL settings for unbound, its possible no ACL to allow queries from this network even if listening on it.

    Can your client actually resolve anything on the internet.  Can you say ping www.google.com and get back an IP?  Or use your fav dns client, nslookup, dig, host, etc. to validate you can actually resolve.



  • Haven't changed the default Outbound NAT - still on Automatic.  I cannot ping internet addresses if I block access to LAN (can't resolve), but can if I disable the block access to LAN rule.

    John


  • Netgate

    If there are two different results there are two different configurations.

    Please provide:

    On VLAN 40:

    From the test host:
    host address
    default gateway
    configured name servers on that host
    ping to that host's default gateway
    ping to 8.8.8.8
    nslookup results (dig would be better) to all configured nameservers for www.google.com and xyxyx.google.com (no, not a typo)

    On VLAN 50:

    From the test host:
    host address
    default gateway
    configured name servers on that host
    ping to that host's default gateway
    ping to 8.8.8.8
    nslookup results to all configured nameservers for www.google.com and xyxyx.google.com

    Screen shots of the rules as they existed during all of these tests

    PM a copy of the /tmp/rules.debug file.



  • Oops.  It turns out NONE of my VLANs has internet access when 'Block VLAN access to LAN' rule is enabled.  VLAN40 only had internet access because the Unifi switch port that it was plugged into was tagged incorrectly, and it was getting IP address from different subnet.  I'm so sorry.

    So I'm including the info that Derelict requested for VLAN50- both with all firewall rules in place (No Internet Access-see screenshot) and with 'Block VLAN access to LAN' rule disabled (Internet Access).

    I've PM'd you (Derelict) my rules.debug file.

    Really appreciate this!!

    VLAN50 (with all firewall rules active-No Internet Access-see screenshot)

    host address: 192.168.50.100
    default gateway: 192.168.50.1
    name server: left blank (at default).  See screenshot
    Ping to default gateway:  I can ping 192.168.50.1
    Ping to 8.8.8.8: I can ping 8.8.8.8
    nslookup to www.google.com:  connection timed out
    nslookup to xyxyx.google.com: connection timed out

    VLAN50 (with ‘Block DNS from VLAN50’ rule and “Block VLAN50 access to LAN” rule disabled- Has Internet Access- see 2nd screenshot)
    Ping to default gateway:  I can ping 192.168.50.1
    Ping to 8.8.8.8: I can ping 8.8.8.8
    nslookup to www.google.com:

    Server: 192.168.2.99
    Address: 192.168.2.99#53
    Non-authoritative answer:
    Name: www.google.com
    Address: 216:58:193:164

    nslookup to xyxyx.google.com:

    Server: 192.168.2.99
    Address: 192.168.2.99#53
    **server can’t find xyxyx.google.com: NXDOMAIN

    John

    ![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
    ![VLAN50 IPV4 Config.png](/public/imported_attachments/1/VLAN50 IPV4 Config.png)
    ![VLAN50 internet access.png](/public/imported_attachments/1/VLAN50 internet access.png)
    ![VLAN50 rules no internet acces.png](/public/imported_attachments/1/VLAN50 rules no internet acces.png)
    ![VLAN50 setup.png](/public/imported_attachments/1/VLAN50 setup.png)


  • Netgate

    Are you saying this is solved? No offense but I really don't want to spend time on it if it is working. If something still isn't working please describe exactly what that is.



  • No not solved. Problem is can't access internet when I block access to LAN.  I originally thought it was only on one VLAN but it's true for all of them.  Thanks.
    John



  • Do you use DNS resolver or forwarder, are the interfaces for the DNS server set correctly?

    In case of the now default DNS resolver this would be:

    Network Interfaces
    Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

    Make sure it serves on your VLAN40 and VLAN50 interfaces.

    The "Outgoing Network Interfaces" is unlikely to be set incorrectly.



  • I'm using DNS Resolver, with Network Interfaces set to All.  You can see my settings for DHCP Server on VLAN50 in attachment above, named VLAN setup.png.

    Thanks!

    John


  • Netgate

    VLAN50 (with ‘Block DNS from VLAN50’ rule and “Block VLAN50 access to LAN” rule disabled- Has Internet Access- see 2nd screenshot)
    Ping to default gateway:  I can ping 192.168.50.1
    Ping to 8.8.8.8: I can ping 8.8.8.8
    nslookup to www.google.com:

    Server: 192.168.2.99
    Address: 192.168.2.99#53
    Non-authoritative answer:
    Name: www.google.com
    Address: 216:58:193:164

    nslookup to xyxyx.google.com:

    Server: 192.168.2.99
    Address: 192.168.2.99#53
    **server can’t find xyxyx.google.com: NXDOMAIN

    Your VLAN 50 host is querying Server: 192.168.2.99 for DNS. See the nslookup output above.

    You are only passing tcp/udp port 53 to 192.168.50.0/24. That rule will not match that DNS server and thus will fall through to the next rule:

    pass  in  quick  on $VLAN50_WIRED_PLEX inet proto { tcp udp }  from any to 192.168.50.0/24 port 53 tracker 1526234331 keep state  label "USER_RULE: ALLOW DNS TO VLAN50"

    When you have the block to LAN rule enabled, those DNS queries are blocked:

    block  in  quick  on $VLAN50_WIRED_PLEX inet from 192.168.50.0/24 to { 192.168.2.0/24 10.10.10.1/32 } tracker 1526234439  label "USER_RULE: Block VLAN50 access to LAN"

    When you have that rule disabled, those queries are passed:

    pass  in  quick  on $VLAN50_WIRED_PLEX inet from 192.168.50.0/24 to any tracker 1526234459 keep state  label "USER_RULE: Allow all rule"

    It really does matter what DNS servers your clients are configured to use. I don't know why the client is trying to query 192.168.2.99. You'll have to figure that out.
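The fall-through Derelict describes, as an added example that is not part of the thread or of pfSense itself: a small Python model of pf's first-match ("quick") evaluation over the three rules he quoted from rules.debug, assuming the order pass-DNS, block-LAN, allow-all that his reply implies, and using John's 192.168.50.100 test host as the client. It shows the DNS query to 192.168.2.99 landing on the block rule while that rule is enabled, and on the allow-all rule once it is disabled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    label: str
    src: str = "any"                     # source CIDR or "any"
    dsts: tuple = ("any",)               # destination CIDRs, or ("any",)
    protos: "frozenset | None" = None    # None = any protocol
    dport: "int | None" = None           # None = any destination port
    enabled: bool = True                 # a disabled rule is skipped entirely

    def matches(self, proto, src, dst, dport):
        if not self.enabled:
            return False
        if self.protos is not None and proto not in self.protos:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dsts != ("any",) and not any(
                ip_address(dst) in ip_network(d) for d in self.dsts):
            return False
        return self.dport is None or self.dport == dport

def vlan50_rules(block_lan_enabled=True):
    """The three rules quoted from rules.debug, in the order the reply implies
    (assumption: the 'Block DNS from VLAN50' rule is left out, as in the quote)."""
    return [
        Rule("pass", "ALLOW DNS TO VLAN50", dsts=("192.168.50.0/24",),
             protos=frozenset({"tcp", "udp"}), dport=53),
        Rule("block", "Block VLAN50 access to LAN", src="192.168.50.0/24",
             dsts=("192.168.2.0/24", "10.10.10.1/32"),
             enabled=block_lan_enabled),
        Rule("pass", "Allow all rule", src="192.168.50.0/24"),
    ]

def evaluate(rules, proto, src, dst, dport=0):
    """pf 'quick' semantics: the first matching rule decides the packet;
    pfSense blocks anything that no rule matches (implicit default deny)."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "default deny"

if __name__ == "__main__":               # reproduce John's two test runs
    client = "192.168.50.100"            # John's VLAN50 test host
    print("block-LAN on: ", evaluate(vlan50_rules(True), "udp", client, "192.168.2.99", 53))
    print("block-LAN off:", evaluate(vlan50_rules(False), "udp", client, "192.168.2.99", 53))
```

The same query sent to the gateway 192.168.50.1 hits the first rule either way, which is why a client that used pfSense itself as its resolver would not have noticed the block-LAN rule.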



  • Thanks so much for all your time and help!! Got it working.

    John