Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Once again: no internet access for VLAN

    NAT
    5
    22
    8934
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Art Mooney
      last edited by

      Hi!
      I am trying to set up a guest wifi using ubiquiti lite access point, hp 1920s switch and pfsense on an APU2C4. The VLAN is 99 and I included it on the relevant ports of the switch as "tagged". Enabled DHCP on the pfsense (192.168.99.0/24). My laptop gets an IP from the DHCP server and I am able to ping pfsense. However, I cannot access the internet.

      I read in many threads in this forum that outbound NAT rules are not generated automatically for VLANs. But obviously my pfsense did generate the same NAT rules for the VLAN as for the "native" LAN interface (see screenshot).

      0_1547329545816_screenshot.jpg

      I am running 2.4.4-RELEASE (amd64). I use a Draytek Vigor 130 modem that works fine for my LAN. Setup is:

      ubiuiti AP --> hp 1920s switch --> pfsense --> vigor 130 modem

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • GrimsonG
        Grimson Banned
        last edited by

        So what rules do you have on your VLAN interface?

        1 Reply Last reply Reply Quote 0
        • A
          Art Mooney
          last edited by

          Thanks for your question. It is part of the answer. There are no firewall rules for the VLAN. Obviously, this cannot work. The screenshot shows the rules for the "native" LAN that works. Is there an easy way to apply these three rules to the VLAN? Do I need all of them for the VLAN to get it to work?

          0_1547330247735_screenshot.jpg

          GrimsonG 1 Reply Last reply Reply Quote 0
          • GrimsonG
            Grimson Banned @Art Mooney
            last edited by Grimson

            @art-mooney said in Once again: no internet access for VLAN:

            Is there an easy way to apply these three rules to the VLAN? Do I need all of them for the VLAN to get it to work?

            You don't need the Anti-Lockout Rule, actually devices on your guest network shouldn't be able to connect to the pfSense WebUI or SSH.

            As for the other two, just add them by hand to your OPT1 interface (adjust the source accordingly) for testing. After that you should lock that network down if you want it to be a guest network.

            Also: https://www.netgate.com/docs/pfsense/book/ read it thoroughly.

            1 Reply Last reply Reply Quote 0
            • A
              Art Mooney
              last edited by

              It works. Thank you.

              1 Reply Last reply Reply Quote 0
              • A
                akuma1x
                last edited by akuma1x

                Looks like you got it working.

                For anybody that follows this thread, here's a good overview of steps for an isolated guest network setup:

                https://forum.netgate.com/topic/122067/wifi-ap-not-on-lan-guest-network-isolation/2

                Jeff

                1 Reply Last reply Reply Quote 0
                • A
                  Art Mooney
                  last edited by

                  Thank you, Jeff! Your link will be helpful for my next steps.

                  1 Reply Last reply Reply Quote 0
                  • A
                    Art Mooney
                    last edited by

                    I am just trying to follow the rules posted by @akuma1x above. It was easy to block access from OPT1 to LAN and OPT1 to the firewall. I am not sure about allowing ping and dns though.

                    For ping I allowed the ICMP echo request from OPT1 address to LAN address, and for DNS allowed UDP on port 53. Screenshot attached.

                    I am not sure why I should allow ping from OPT1 to LAN. 0_1547502258171_screenshot.jpg

                    Thanks!

                    1 Reply Last reply Reply Quote 0
                    • A
                      Art Mooney
                      last edited by

                      Forgot to mention that ping from OPT1 to LAN does not work. Do I need to allow ping?

                      A 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Your only allowing echoreq to the LAN address, not anything on the LAN net.. Also devices on the lan net might have firewalls that block ping.

                        Also what is the point of allowing dns to lan address. Why would you not just allow it to opt1 address - which is where dns should also be listening. And you should allow tcp as well as udp for dns. Since large queries can switch over to tcp.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                        1 Reply Last reply Reply Quote 0
                        • A
                          akuma1x @Art Mooney
                          last edited by

                          @art-mooney said in Once again: no internet access for VLAN:

                          Forgot to mention that ping from OPT1 to LAN does not work. Do I need to allow ping?

                          No, you don't have to. It is a good way, however, to setup a known test path (route) between 2 working networks, all without leaving the firewall itself.

                          Jeff

                          1 Reply Last reply Reply Quote 0
                          • A
                            Art Mooney
                            last edited by

                            I am confused now. I tried to follow the steps given in the link posted above. Why do I have to allow DNS to the OPT1 address in the OPT1 firewall rules? I thought the firewall would only block traffic between subnets, but OPT1 is the VLAN of the guest network. I changed this and included TCP. But please explain why this is necessary as a firewall rule.

                            Also, it seems that I misread the instructions in the link above. The allow ping rule was supposed to be to the OPT1 address as well. But then I have the same question, why do I have to allow traffic within OPT1 in the firewall rules. Sorry if these are dumb questions, I am just getting started with my network.

                            1 Reply Last reply Reply Quote 0
                            • A
                              Art Mooney
                              last edited by

                              new screenshot of OPT1 firewall rules attached.0_1547672199916_screenshot.jpg

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                @art-mooney said in Once again: no internet access for VLAN:

                                I thought the firewall would only block traffic between subnets

                                Where did you get that misinformation from? And if you thought you can talk to opt1, why would you need to allow dns to lan address.. Just ask opt1 address, which is what gets handed out by default by dhcp

                                Without rules the firewall blocks EVERYTHING... The only thing that gets allowed when you create a new interface is if you enable dhcp.. That gets allowed via hidden rules - because if it didn't users wouldn't have a cow, etc. ;)

                                edit: those rules look sane. But your icmp rule desc is wrong.. That rule doesn't allow ping to lan

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                                1 Reply Last reply Reply Quote 0
                                • A
                                  Art Mooney
                                  last edited by

                                  Thanks for your help. Don't know where the information came from. I think I read that one benefit of having VLANs with different subnets is that you can have a firewall in between to block traffic from guest to regular LAN.

                                  If I understood you correctly, it is possible to block traffic between hosts of the same subnet with a firewall. But it is probably easier to configure, if guest and regular LAN are on different VLANs/subnets?

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    No you can not block traffic between clients on the same network..

                                    Yes a benefit of firewall is firewall between vlans, but the firewall CAN block all traffic that goes to its interface... Even if going to its own address, any traffic that hits or goes through the interface can blocked or allowed.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      Art Mooney
                                      last edited by

                                      got it. Thank you!

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        Art Mooney
                                        last edited by

                                        I just checked the guest network again and realized that internet access does not work properly. At first I was able to open some websites, but now my PC tells me that there is no internet on the respective wifi. I cannot ping the interface address, but I do get an IP from DHCP.

                                        I use the same access point for my private network which works fine. Connection to pfsense seems to work (DHCP).

                                        Any ideas?

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          @art-mooney said in Once again: no internet access for VLAN:

                                          I use the same access point for my private network which works fine.

                                          Well can your wireless client ping the opt1 IP? Can did do dns? it is using pfsense opt1 IP for dns?

                                          Your not using a proxy are you? Because your blocking opt1 from talking to pfsense for everything other than dns, so proxy would not work with your current rules.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            Art Mooney
                                            last edited by

                                            I just looked at my rules again and realized that ping and dns were allowed only from OPT1 address to OPT1 address. Changed it to source OPT1 network. Now it works. Does that make sense?

                                            GertjanG 1 Reply Last reply Reply Quote 0
                                            • GertjanG
                                              Gertjan @Art Mooney
                                              last edited by Gertjan

                                              @art-mooney said in Once again: no internet access for VLAN:

                                              Does that make sense?

                                              Yep.

                                              Have a look at this : Docs » pfSense » Firewall » Firewall Rule Basics
                                              Read the definition of "LAN address".
                                              I'll make you a special version :

                                              The IP address configured on the OPT1 interface under Interfaces > OPT1

                                              Ok, so now you know what "OPT1 Address" means.
                                              Did you get that strange feeling ?

                                              Now, let throttle up that feeling : have a look at this :

                                              0_1547717694680_d4318e0c-477d-4eca-88f8-d62d012a5bd9-image.png

                                              W'll be looking else where while you slap yourself in the face.

                                              Btw : the counter in front of the rule, the green 0/0 indicate that the rule never applies. That is a big hint !!! 0/0 means : this rule does nothing. Use this info to test ! (always test !) : it should go up when you ping from the OPT1 LAN to somewhere outside OPT1 -> the rule was hit and/or 'used' (and passed the ICMP paquet).

                                              No "help me" PM's please. Use the forum, thanks.

                                              1 Reply Last reply Reply Quote 0
                                              • johnpozJ
                                                johnpoz LAYER 8 Global Moderator
                                                last edited by johnpoz

                                                Your right about the source being only opt1 good catch, I didn't catch that - sorry.

                                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                                If you get confused: Listen to the Music Play
                                                Please don't Chat/PM me for help, unless mod related
                                                SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                                                1 Reply Last reply Reply Quote 0
                                                • First post
                                                  Last post