Netgate Discussion Forum

    [Solved] Unable to access one of two VLANs from outside

    helgew

      Hi,

      after having banged my head against various surfaces over the past few hours, I am hoping to find help here... my problem is that I can connect just fine between three of my internal networks but not to or from the fourth. Specifically, in trying to limit one of the VLAN networks ("IPCAMS") to be accessible from my local networks but hosts on that network only able to access hosts on the same network, I seem to have broken things a bit. Basically, while the latter works (hosts are happily communicating within IPCAMS), I cannot access any of the hosts from my other networks.

      I have a pfSense device with four physical ports: WAN, LAN, OPT1, and OPT2. OPT1 is connected to a wireless router, and LAN and OPT2 are connected to a 16-port layer 2 switch at ports 15 and 16 respectively, with the following VLAN configuration:

      (screenshot of the switch VLAN configuration)

      Ports 9, 10, and 16 are tagged, all others are untagged.

      On the firewall, OPT2 has 2 VLAN interfaces configured: IPCAMS (40) and VOIP (50). The firewall rules for WLAN, IPCAMS, and VOIP are below:

      (screenshot: WLAN rules)
      (screenshot: IPCAMS rules)
      (screenshot: VOIP rules)

      On the pfSense device, the routing tables look like this:

      Routing tables
      
      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            77.77.77.1         UGS         em0
      4.4.4.4            77.77.77.1         UGHS        em0
      8.8.8.8            77.77.77.1         UGHS        em0
      10.0.2.0/24        link#2             U           em1
      10.0.2.1           link#2             UHS         lo0
      10.0.3.0/24        link#3             U           em2
      10.0.3.1           link#3             UHS         lo0
      10.0.4.0/24        link#10            U        em3.40
      10.0.4.1           link#10            UHS         lo0
      10.0.5.0/24        link#11            U        em3.50
      10.0.5.1           link#11            UHS         lo0
      10.8.0.5           link#12            UH       ovpnc1
      10.8.0.6           link#12            UHS         lo0
      10.10.10.1         link#2             UHS         lo0
      10.10.10.1/32      link#2             U           em1
      55.55.55.18        77.77.77.1         UGHS        em0
      77.77.77.0/20      link#1             U           em0
      66.66.66.65        link#1             UHS         lo0
      127.0.0.1          link#6             UH          lo0
      

      I should add that I can also not ping the IPCAMS hosts from the pfSense device.

      TL;DR: I can reach hosts from my non-VLAN networks (LAN and WLAN) on the VOIP VLAN, but not on the IPCAMS VLAN.

      Any input, advice, or pointers would be greatly appreciated!

      stephenw10 (Netgate Administrator)

        It's almost certainly a problem with the switch configuration. No rules should prevent pfSense being able to ping devices in the ipcams subnet.
        I assume you're using static IPs in the IPCAMS subnet? If not are those clients pulling an IP via DHCP correctly? From pfSense?

        Best guess would be you don't have the PVID set to 40 on ports 1-6.

        Steve

        helgew @stephenw10
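One way to test the guess above mechanically is to put the switch's port table into a small script and check the three things that make a single VLAN unreachable while its neighbours work: a PVID that does not match the port's untagged VLAN, a VLAN that is not tagged on the port cabled to the pfSense parent interface, and a VLAN that has member ports but reaches no firewall port at all. This is an added example, not code from the thread or from Netgate. The layout in thread_topology() is a constructed reproduction of what helgew describes (cameras on access ports 1-6 in VLAN 40, the ESXi host trunked on ports 9 and 10 with PVID 1, pfSense LAN on port 15, pfSense OPT2 on port 16); which ports carry VOIP VLAN 50, that the untagged default VLAN is 1, and all function and parameter names are assumptions.

```python
"""Consistency check for an 802.1Q switch port table.

Added example, not code from the thread or from Netgate. The port layout
in thread_topology() is a constructed reproduction of the thread's
description; VoIP port numbers, the default VLAN id and all names are
assumptions.
"""
from dataclasses import dataclass


@dataclass
class Port:
    number: int
    pvid: int                           # VLAN that untagged ingress frames are placed into
    untagged: frozenset = frozenset()   # VLANs this port sends out without a tag
    tagged: frozenset = frozenset()     # VLANs this port sends out with an 802.1Q tag


def check_port(port: Port) -> list:
    """Per-port checks: each finding is a string, an empty list means clean."""
    problems = []
    members = port.untagged | port.tagged
    # Untagged frames arriving on the port are classified into the PVID; if the
    # port is not a member of that VLAN the switch has nowhere to forward them.
    if port.pvid not in members:
        problems.append(f"port {port.number}: PVID {port.pvid} but not a member of VLAN {port.pvid}, "
                        f"untagged ingress is dropped")
    # An access port that egresses VLAN X untagged but classifies ingress into a
    # different VLAN gives the attached host one-way traffic only.
    for vlan in sorted(port.untagged):
        if vlan != port.pvid:
            problems.append(f"port {port.number}: egresses VLAN {vlan} untagged but PVID is {port.pvid}, "
                            f"attached host receives from VLAN {vlan} and sends into VLAN {port.pvid}")
    for vlan in sorted(port.untagged & port.tagged):
        problems.append(f"port {port.number}: VLAN {vlan} is both tagged and untagged")
    return problems


def check_switch(ports: dict, firewall_ports: set, expected_tagged: dict) -> list:
    """Whole-switch checks. firewall_ports are the switch ports cabled to pfSense;
    expected_tagged maps such a port to the VLAN ids pfSense has sub-interfaces on."""
    problems = []
    for port in ports.values():
        problems.extend(check_port(port))
    # A pfSense VLAN sub-interface only exchanges 802.1Q-tagged frames, so the
    # VLAN must be tagged on the port its parent interface is cabled to.
    for pnum, vlans in expected_tagged.items():
        for vlan in sorted(vlans):
            if vlan not in ports[pnum].tagged:
                problems.append(f"port {pnum}: pfSense expects VLAN {vlan} tagged here but it is not")
    # Every VLAN that has member ports must reach some firewall port, otherwise
    # its hosts can talk to each other but nothing can route into or out of it.
    carried = set()
    for pnum in firewall_ports:
        carried |= ports[pnum].untagged | ports[pnum].tagged
    used = set()
    for port in ports.values():
        if port.number not in firewall_ports:
            used |= port.untagged | port.tagged
    for vlan in sorted(used - carried):
        problems.append(f"VLAN {vlan}: has member ports but is not carried on any firewall port")
    return problems


def thread_topology(ipcam_pvid: int = 40) -> dict:
    """Constructed 16-port layout following the thread. ipcam_pvid=1 reproduces
    the guessed misconfiguration (PVID left at the default on ports 1-6)."""
    ports = {}
    for n in range(1, 7):                       # IP cameras: access ports in VLAN 40
        ports[n] = Port(n, ipcam_pvid, untagged=frozenset({40}))
    for n in (7, 8):                            # assumed: spare ports on the default VLAN
        ports[n] = Port(n, 1, untagged=frozenset({1}))
    for n in (9, 10):                           # ESXi host: trunk, PVID 1, VLAN 40 tagged
        ports[n] = Port(n, 1, untagged=frozenset({1}), tagged=frozenset({40}))
    for n in range(11, 15):                     # assumed: VoIP phones, access ports in VLAN 50
        ports[n] = Port(n, 50, untagged=frozenset({50}))
    ports[15] = Port(15, 1, untagged=frozenset({1}))                               # pfSense LAN
    ports[16] = Port(16, 1, untagged=frozenset({1}), tagged=frozenset({40, 50}))   # pfSense OPT2 trunk
    return ports


if __name__ == "__main__":
    for label, ports in (("as described", thread_topology()),
                         ("PVID left at 1 on ports 1-6", thread_topology(ipcam_pvid=1))):
        findings = check_switch(ports, firewall_ports={15, 16}, expected_tagged={16: {40, 50}})
        print(f"{label}: {len(findings)} problem(s)")
        for finding in findings:
            print("  " + finding)
```

Run as written, the "as described" layout is clean and the PVID-left-at-1 variant reports two findings for each of ports 1-6 (the PVID is not a member VLAN, and the untagged VLAN does not match the PVID), which is exactly the one-way symptom in the thread: cameras can talk to each other inside VLAN 40, but nothing outside the VLAN gets a reply. Removing VLAN 40 from the tagged set on port 16 is caught by the other two checks.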

          @stephenw10 PVID of 1 through 6 was already set to 40... couldn't really have them be only on VLAN 40 without that.

          The cams on ports 1-6 pull their IP (10.0.4.10x) from the DHCP server on the pfSense IPCAMS' address (10.0.4.1). There is also an ESXi-hosted NVR VM behind ports 9 & 10 (trunked, PVID set to 1) that has a static IP (10.0.4.2) on a secondary virtual NIC. I cannot ping anything outside the 10.0.4.1/24 network from that NIC, as expected and desired.

          Previously, I only tried ping 10.0.4.100 (for example) from the firewall, but digging deeper, I also cannot ping when specifying the source IP:

          [2.4.4-RELEASE][root@firewall]/root: ping -S 10.0.4.1 10.0.4.100
          PING 10.0.4.100 (10.0.4.100) from 10.0.4.1: 56 data bytes
          ping: sendto: Invalid argument
          

          One of my ill-advised attempts at getting this all to work was to give IPCAMS its own gateway, which messed up everything (this was before I tested access to VOIP, which is working fine). Could be, I didn't properly clean up that mess!?

          brians

            Try using * as destination in your IPCAMS rule and disable the block * at bottom - see if this works. Once it is then add rules to determine where the problem is.

            I have also found that sometimes pfSense doesn't recognize rules that are changed a lot when experimenting with different rules, and the solution is to delete and recreate them. Maybe reloading the filters would also fix this, but I am sure I have had that problem on more than one occasion where a rule gets messed up and is not interpreted correctly.

            helgew @brians

              @brians I had tried that before but just tried again. I disabled all rules and added a new rule to allow everything from everywhere. I reloaded the filters and tried pinging from outside in, but still no luck. Since I also could not ping from IPCAMS to the outside, I suspect you are on to something here!

              brians

                What are your LAN rules?

                helgew @brians

                  @brians I didn't post those because they are a bit more complex. I was doing all the troubleshooting from a WLAN client.

                  That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works. 😵

                  brians @helgew

                    @helgew said in [Solved] Unable to access one of two VLANs from outside:

                    @brians I didn't post those because they are a bit more complex. I was doing all the troubleshooting from a WLAN client.

                    That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works. 😵

                    Good that you got it working.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.