[Solved] Unable to access one of two VLANs from outside

helgew

Hi,

after having banged my head against various surfaces over the past few hours, I am hoping to find help here... my problem is that I can connect just fine between three of my internal networks but not to or from the fourth. Specifically, in trying to limit one of the VLAN networks ("IPCAMS") to be accessible from my local networks but hosts on that network only able to access hosts on the same network, I seem to have broken things a bit. Basically, while the latter works (hosts are happily communicating within IPCAMS), I cannot access any of the hosts from my other networks.

I have a pfSense device with four physical ports: WAN, LAN, OPT1, and OPT2. OPT1 is connected to a wireless router and LAN and OPT2 are connected to a 16 port layer 2 switch at ports 15 and 16 respectively with the following VLAN configuration:

Ports 9, 10, and 16 are tagged, all others are untagged.

On the firewall, OPT2 has 2 VLAN interfaces configured: IPCAMS (40) and VOIP (50). The firewall rules for WLAN, IPCAMS, and VOIP are below:

On the pfSense device, the routing tables look like this:

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            77.77.77.1         UGS         em0
4.4.4.4            77.77.77.1         UGHS        em0
8.8.8.8            77.77.77.1         UGHS        em0
10.0.2.0/24        link#2             U           em1
10.0.2.1           link#2             UHS         lo0
10.0.3.0/24        link#3             U           em2
10.0.3.1           link#3             UHS         lo0
10.0.4.0/24        link#10            U        em3.40
10.0.4.1           link#10            UHS         lo0
10.0.5.0/24        link#11            U        em3.50
10.0.5.1           link#11            UHS         lo0
10.8.0.5           link#12            UH       ovpnc1
10.8.0.6           link#12            UHS         lo0
10.10.10.1         link#2             UHS         lo0
10.10.10.1/32      link#2             U           em1
55.55.55.18        77.77.77.1         UGHS        em0
77.77.77.0/20      link#1             U           em0
66.66.66.65        link#1             UHS         lo0
127.0.0.1          link#6             UH          lo0

I should add that I can also not ping the IPCAMS hosts from the pfSense device.

TL;DR: I can reach hosts from my non-VLAN networks (LAN and WLAN) on the VOIP VLAN, but not on the IPCAMS VLAN.

Any input, advice, or pointers would be greatly appreciated!

stephenw10

It's almost certainly a problem with the switch configuration. No rules should prevent pfSense being able to ping devices in the ipcams subnet.
I assume you're using static IPs in the IPCAMS subnet? If not are those clients pulling an IP via DHCP correctly? From pfSense?

Best guess would be you don't have the PVID set to 40 on ports 1-6.

Steve

helgew

@stephenw10 PVID of 1 through 6 was already set to 40... couldn't really have them be only on VLAN 40 without that.

The cams on ports 1-6 pull their IP (10.0.4.10x) from the DHCP server on the pfSense IPCAMS' address (10.0.4.1). There is also an ESXi-hosted NVR VM behind ports 9 & 10 (trunked, PVID set to 1) that has a static IP (10.0.4.2) on a secondary virtual NIC. I cannot ping anything outside the 10.0.4.1/24 network from that NIC, as expected and desired.

Previously, I only tried ping 10.0.4.100 (for example) from the firewall, but digging deeper, I also cannot ping when specifying the source IP:

[2.4.4-RELEASE][root@firewall]/root: ping -S 10.0.4.1 10.0.4.100
PING 10.0.4.100 (10.0.4.100) from 10.0.4.1: 56 data bytes
ping: sendto: Invalid argument

One of my ill-advised attempts at getting this all to work was to give IPCAMS its own gateway, which messed up everything (this was before I tested access to VOIP, which is working fine). Could be, I didn't properly clean up that mess!?

brians

Try using * as destination in your IPCAMS rule and disable the block * at bottom - see if this works. Once it is then add rules to determine where the problem is.

I have also found that sometimes pfsense doesn't recognize rules that are changed lots when experimenting with different rules, and solution is to delete and recreate them again and it works. Maybe reloading filters also would fix this but I am sure I had that problem on more than one occasion where a rule gets messed up and not interpreted correctly.

helgew

@brians I had tried that before but just tried again. I disabled all rules and added a new rule to allow everything from everywhere. I reloaded the filters and tried pinging from outside in, but still no luck. Since I also could not ping from IPCAMS to the outside, I suspect you are on to something here!

brians

What are your LAN rules?

helgew

@brians I didn't post those because they are a bit more complex. I was doing all the trouble shooting from a WLAN client.

That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works.

brians

@helgew said in [Solved] Unable to access one of two VLANs from outside:

@brians I didn't post those because they are a bit more complex. I was doing all the trouble shooting from a WLAN client.

That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works.

Good that you got it working.