[Solved] Unable to access one of two VLANs from outside
-
Hi,
after having banged my head against various surfaces over the past few hours, I am hoping to find help here... my problem is that I can connect just fine between three of my internal networks but not to or from the fourth. Specifically, in trying to limit one of the VLAN networks ("IPCAMS") to be accessible from my local networks but hosts on that network only able to access hosts on the same network, I seem to have broken things a bit. Basically, while the latter works (hosts are happily communicating within IPCAMS), I cannot access any of the hosts from my other networks.
I have a pfSense device with four physical ports: WAN, LAN, OPT1, and OPT2. OPT1 is connected to a wireless router, and LAN and OPT2 are connected to a 16-port layer 2 switch at ports 15 and 16 respectively with the following VLAN configuration:
Ports 9, 10, and 16 are tagged, all others are untagged.
On the firewall, OPT2 has 2 VLAN interfaces configured: IPCAMS (40) and VOIP (50). The firewall rules for WLAN, IPCAMS, and VOIP are below:
On the pfSense device, the routing tables look like this:
Routing tables

Internet:
Destination        Gateway        Flags   Netif   Expire
default            77.77.77.1     UGS     em0
4.4.4.4            77.77.77.1     UGHS    em0
8.8.8.8            77.77.77.1     UGHS    em0
10.0.2.0/24        link#2         U       em1
10.0.2.1           link#2         UHS     lo0
10.0.3.0/24        link#3         U       em2
10.0.3.1           link#3         UHS     lo0
10.0.4.0/24        link#10        U       em3.40
10.0.4.1           link#10        UHS     lo0
10.0.5.0/24        link#11        U       em3.50
10.0.5.1           link#11        UHS     lo0
10.8.0.5           link#12        UH      ovpnc1
10.8.0.6           link#12        UHS     lo0
10.10.10.1         link#2         UHS     lo0
10.10.10.1/32      link#2         U       em1
55.55.55.18        77.77.77.1     UGHS    em0
77.77.77.0/20      link#1         U       em0
66.66.66.65        link#1         UHS     lo0
127.0.0.1          link#6         UH      lo0
I should add that I can also not ping the IPCAMS hosts from the pfSense device.
TL;DR: I can reach hosts from my non-VLAN networks (LAN and WLAN) on the VOIP VLAN, but not on the IPCAMS VLAN.
Any input, advice, or pointers would be greatly appreciated!
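The routing table posted above already shows both VLAN subnets bound to their 802.1Q subinterfaces (10.0.4.0/24 on em3.40, 10.0.5.0/24 on em3.50), so the kernel routes themselves are not the first place to look. As an added illustration that is not part of the thread, the following Python snippet parses that netstat -rn style output and checks that each VLAN subnet has a directly connected route on a subinterface whose tag matches the configured VLAN; the ROUTING_TABLE constant is the poster's table trimmed to the internal networks, and the EXPECTED map is taken from the post's description.

```python
# Routing table as posted in the thread (FreeBSD `netstat -rn` layout), trimmed
# to the default route and the connected routes for the internal networks.
ROUTING_TABLE = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            77.77.77.1         UGS         em0
10.0.2.0/24        link#2             U           em1
10.0.2.1           link#2             UHS         lo0
10.0.3.0/24        link#3             U           em2
10.0.3.1           link#3             UHS         lo0
10.0.4.0/24        link#10            U        em3.40
10.0.4.1           link#10            UHS         lo0
10.0.5.0/24        link#11            U        em3.50
10.0.5.1           link#11            UHS         lo0
"""

# VLAN tag that should carry each subnet, from the poster's description.
EXPECTED = {"10.0.4.0/24": 40, "10.0.5.0/24": 50}


def parse_routes(text):
    """Return {destination: (gateway, flags, netif)} for each route line."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # banner, blank or header line
        dest, gw, flags, netif = parts[:4]
        routes[dest] = (gw, flags, netif)
    return routes


def check_vlan_routes(text, expected=EXPECTED):
    """Confirm each subnet has a connected route on a subinterface tagged as expected."""
    findings = {}
    routes = parse_routes(text)
    for subnet, tag in expected.items():
        entry = routes.get(subnet)
        if entry is None:
            findings[subnet] = "no route at all"
            continue
        gw, flags, netif = entry
        vid = netif.partition(".")[2]  # 'em3.40' -> '40'; 'em1' -> ''
        if not gw.startswith("link#") or "U" not in flags:
            findings[subnet] = f"not directly connected ({gw} {flags})"
        elif not vid.isdigit() or int(vid) != tag:
            findings[subnet] = f"on {netif}, expected VLAN {tag}"
        else:
            findings[subnet] = "ok"
    return findings
```

Both VLAN subnets come back "ok" for the posted table, which is consistent with the replies below looking at the switch PVIDs and the interface itself rather than at routing.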
-
It's almost certainly a problem with the switch configuration. No rules should prevent pfSense being able to ping devices in the ipcams subnet.
I assume you're using static IPs in the IPCAMS subnet? If not, are those clients pulling an IP via DHCP correctly? From pfSense? Best guess would be you don't have the PVID set to 40 on ports 1-6.
Steve
-
@stephenw10 PVID of 1 through 6 was already set to 40... couldn't really have them be only on VLAN 40 without that.
The cams on ports 1-6 pull their IP (10.0.4.10x) from the DHCP server on the pfSense IPCAMS' address (10.0.4.1). There is also an ESXi-hosted NVR VM behind ports 9 & 10 (trunked, PVID set to 1) that has a static IP (10.0.4.2) on a secondary virtual NIC. I cannot ping anything outside the 10.0.4.1/24 network from that NIC, as expected and desired.
Previously, I only tried
ping 10.0.4.100
(for example) from the firewall, but digging deeper, I also cannot ping when specifying the source IP:

[2.4.4-RELEASE][root@firewall]/root: ping -S 10.0.4.1 10.0.4.100
PING 10.0.4.100 (10.0.4.100) from 10.0.4.1: 56 data bytes
ping: sendto: Invalid argument
One of my ill-advised attempts at getting this all to work was to give IPCAMS its own gateway, which messed up everything (this was before I tested access to VOIP, which is working fine). Could be, I didn't properly clean up that mess!?
-
Try using * as destination in your IPCAMS rule and disable the block * at bottom - see if this works. Once it is then add rules to determine where the problem is.
I have also found that sometimes pfsense doesn't recognize rules that are changed lots when experimenting with different rules, and solution is to delete and recreate them again and it works. Maybe reloading filters also would fix this but I am sure I had that problem on more than one occasion where a rule gets messed up and not interpreted correctly.
-
@brians I had tried that before but just tried again. I disabled all rules and added a new rule to allow everything from everywhere. I reloaded the filters and tried pinging from outside in, but still no luck. Since I also could not ping from IPCAMS to the outside, I suspect you are on to something here!
-
What are your LAN rules?
-
@brians I didn't post those because they are a bit more complex. I was doing all the troubleshooting from a WLAN client.
That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works.
-
@helgew said in [Solved] Unable to access one of two VLANs from outside:
@brians I didn't post those because they are a bit more complex. I was doing all the troubleshooting from a WLAN client.
That said, I nuked the IPCAMS VLAN and interface, re-added both as well as the DHCP server and now everything works.
Good that you got it working.