VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots
-
Hi everyone! Hope you find this post well. Im having difficulties setting up a 2nd wireless network on my home lab. Here's my environment.
Connected to WAN as PPPoE
Router: pfSense 2.4.4
Switch: EdgeSwitch8XP
AP: UniFi AC LR.I've already setup the basic vlan configuration on pfsense and switch but still no luck. I've opened up the firewalls just to rule out any misconfigs.
LAN is 192.168.0.1
VLAN: 30 (set up in my devices)
VLAN 30 is 192.168.30.1
DHCP is enabled on both LAN and VLAN 30
Clients on VLAN 30 somehow gets the right IP but unable to connect to the internet.Below is screenshots that I hope would help rule out any misconfigs I've done.
VLAN 30 Configuration:
pfSense Interface
VLAN 30 Interface
VLAN 30 DHCP Server settings
pfSense LAN Firewall Rules
pfSense VLAN 30 Firewall Rules
EdgeSwitch VLAN tagging
UniFi Network adding VLAN 30
Unifi Wireless Network adding VLAN 30
Client getting IP but no internet
LAN WiFi is perfectly working. I'm getting the IP range set by DHCP, but on VLAN30 Wiresless network, it's getting the IP range but no internet.
-
Your using a VPN, probably setup by following some crap guide that tells you to switch outbound NAT to manual? If yes, check your outbound NAT rules and add one for your new VLAN.
-
Hi Grimson! I did setup VPN and followed a guide. :(
Anyway, I've put a screenshot on my outbound rules. Correct me if Im wrong but it is still set on auto right? If not, should I add my VLAN 30 on Mappings?
here's a screenshot.
-
Show the actual outbound NAT rules then. Edit: also do some basic connectivity tests:
https://docs.netgate.com/pfsense/en/latest/routing/connectivity-troubleshooting.html#client-tests -
Hi Grimson, apologies if Im doing some mistake here but is this what you're asking for?
-
Outbound rules look OK. Although I'm wondering why 192.168.11.0/24 shows twice, are you using the same IP space for two different OpenVPN tunnels?
And the results of the connectivity test?
-
@grimson said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
Outbound rules look OK. Although I'm wondering why 192.168.11.0/24 shows twice, are you using the same IP space for two different OpenVPN tunnels?
And the results of the connectivity test?
Client (my iphone)
IP:192.168.30.10
Subnet mask: 255.255.255.0
Router/Gateway: 192.168.30.1
DNS: 192.168.30.1I'm only using one OpenVPN tunnel right now. It could be that when I was following a guide, I double send some data and ignored it when it worked the 2nd time. Could retrace where the mess i left. :(
Connectivty test for client's ip address to LAN, VLAN30 and WAN.
Only VLAN30 has a reply when pinged.
-
I linked you to the client tests, so test from a client on VLAN30.
-
@grimson said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
I linked you to the client tests, so test from a client on VLAN30.
My bad.
Connected my laptop on my wireless VLAN30 which provided me these credentials
IPv4 Address. . . . . . . . . . . : 192.168.30.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.30.1Pinged my LAN IP, RTO
Pinged WAN IP, RTO
Pinged WAN Gateway, RTO
Pinged 8.8.8.8, RTO
and lastly pinged www.google.com, RTO.I can only ping 192.168.30.1 which also redirects me to pfSense.
I appreciate the time and help you're doing Grimson. Thank you for the patience. :D -
Any floating rules? Any errors during the filter reload progress? Output of Diagnostics -> Routes?
-
@grimson said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
Any floating rules? Any errors during the filter reload progress? Output of Diagnostics -> Routes?
No floating rules. It's taking some time to load though.
-
Which ports on the switch are connected to what?
I expect to see two ports tagged with VLAN30 there. Packets are tagged to pfSense and tagged to the AP. I'm not really sure how DHCP is working there without that.
Steve
-
Why are you showing port 1 on your switch as T for vlan 1?
Why are things showing as grayed out on port 1?
Here is how it works.. Vlan 1 should be untagged since that is your management port for your AP right.. your LAN..
So pfsense -- 1U,30T -- switch -- 1U,30T -- AP
You would have 2 trunked ports here.. 1 that goes to pfsense, and another that goes to AP.. Per thread on unifi.. Might be old but setting trunked allows all vlans and vlan 1 would be untagged. etc
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.01 | Lab VMs CE 2.6, 2.7 -
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
Why are you showing port 1 on your switch as T for vlan 1?
Why are things showing as grayed out on port 1?
He has set port 1 as a trunk port with native VLAN on ID 1, so that should be OK.
Port 8 has VLAN ID 1 as untagged and 30 as tagged, so as long as he has pfSense and the AP each on one of these two ports it should work.
Though I haven't worked much with Unifi switches, so I could be wrong there.
But as he can ping from his VLAN to pfSense and back, and can reach the WebUI from a client on that VLAN it looks good to me.
Sadly he hasn't really answered two of the three questions I asked him last.
-
Yeah but sure looks like it shows T on the vlan 1... And U for 30 on port 1.. Which sure wouldn't be right.. If that is where pfsense or AP is connected too.. We just had this discussion - not very normal to tag vlan 1.
Once you click trunked maybe doesn't matter - but its kind of BS info its giving you then.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.01 | Lab VMs CE 2.6, 2.7 -
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
Once you click trunked maybe doesn't matter - but its kind of BS info its giving you then.
Guess why I keep away from Unifi switches
-
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
@grimson said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
Any floating rules? Any errors during the filter reload progress? Output of Diagnostics -> Routes?
No floating rules. It's taking some time to load though.
Port 1 is the trunk port and is grayed out so no matter what the letter stands for as long as it is on trunk port it doesnt matter. But beats the purpose of changing it. Very confusing.
@Grimson I appreciate the help sir. Here's the screenshot of Diagnostics > Route. I blacked out my public IP.
@johnpoz I though that putting Untagged on port 8 VLAN ID 1 and tagging VLAN ID 30 on port 8 should do the trick, it does. It gives the correct IP but no internet connection. Yeah, confusing about the grayed port when it is enabled as a trunk port. Changes are not valid if it is grayed. i tried doing it away (even the grayed tagging) still doesnt work.
Im so lost why it is not working. :(
I am so sorry for the late reply because I had to deal with some medical issues. I appreciate everyone for taking in the time for helping.
-
Here's some graph that happening now.
my iPhone is currently connect to VLAN 30 and has the right IP but no internet.
laptop is connected to LAN WIFI which is working as expected.Created a new vlan with a different AP (old dlink ap) and it worked. But is it on a different vlan and untagging that port works.
So the issue may come to when I have 2 vlans on a single port (port 8). Which I dont know if the switch is to blame which gave the right IP.
-
So do your non vlan have internet? And its just the vlan that doesnt?
-
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
I can only ping 192.168.30.1 which also redirects me to pfSense.
What does this mean exactly - redirects you to pfsense?
Are you running proxy? Any other packages?
-
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
So do your non vlan have internet? And its just the vlan that doesnt?
Non VLAN has internet, just that this VLAN 30 doesn't have internet.
Made a new test where I created a new vlan with a different AP (old dlink ap) and it worked. But is it on a different vlan and untagging that port (different port) works.
So the issue may come to when I have 2 vlans on a single port (port 8). Which I dont know if the switch is to blame which gave the right IP anyway.
-
I don't have unifi switch... But I have their AP and been using them for long time...
Simple enough test to check on pfsense via tcpdump if your seeing the tags or not.. If you can say you can ping the vlan IP of pfsense then it should be working.
And you say you can not even ping teh lan IP? You sure there is not something stepping on your vlan IP? 30.1
-
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
I don't have unifi switch... But I have their AP and been using them for long time...
Simple enough test to check on pfsense via tcpdump if your seeing the tags or not.. If you can say you can ping the vlan IP of pfsense then it should be working.
And you say you can not even ping teh lan IP? You sure there is not something stepping on your vlan IP? 30.1
can't ping the IP LAN. I'm on the investigation to check if there's any installed packages that is stepping on my VLAN 30. Because there's a few like avahi, suricata, squid which I didn't put in the first place. (home lab with some guys testing it as well).
-
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
suricata, squid
Dude!! You need to mention this from the get go... Turn these off!! For troubleshooting.
You should be able to ping the lan IP.. Your saying you can access pfsense web gui from the vlan?
-
Yeah that is very confusing having those ports still marked tagged and untagged but not applying that setting. Weird. Guess I learned something today.
Anyway the fact you are getting an IP in the correct subnet and can ping the pfSense interface tells me the VLAN is configured correctly.Can you ping 192.168.0.1 from a client on the guest VLAN?
Steve
-
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
suricata, squid
Dude!! You need to mention this from the get go... Turn these off!! For troubleshooting.
You should be able to ping the lan IP.. Your saying you can access pfsense web gui from the vlan?
I am so sorry I didn't mention that, extended apologies to everyone who's still on board.
Yes, I can access pfsense web gui on from the VLAN but no pings elsewhere.
@stephenw10, got the wrong switch apparently :(
VLAN30 guest cant ping LAN IP. so frustrating. -
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
VLAN30 guest cant ping LAN IP
You made this vlan a GUEST in unifi?
-
@johnpoz said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
@sethelyon said in VLAN getting IP but no internet (pfSense, EdgeSwitch8XP, UniFi AC LR) with screenshots:
VLAN30 guest cant ping LAN IP
You made this vlan a GUEST in unifi?
Heavens no, I was planning to but no it is not that's why @stephenw10 mentioned that if it was a guest vlan and I was subconsciously thought that it's supposed to be a guest vlan.
but for this issue, no it is not a guest vlan. I have opened the firewall rules to see any-any.
-
Well then you should be able to ping the lan IP of pfsense..
Do a sniff on pfsense interface.. Do you see the tag when you ping?
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump -i igb2 -e
09:49:25.972570 00:08:a2:0c:e6:20 (oui Unknown) > 68:54:fd:47:87:32 (oui Unknown), ethertype 802.1Q (0x8100), length 99: vlan 4, p 0, ethertype IPv4, 52.46.136.77.https > Alexa.local.lan.47812: Flags [P.], seq 1:42, ack 41, win 1076, length 41 09:49:25.977447 68:54:fd:47:87:32 (oui Unknown) > 00:08:a2:0c:e6:20 (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 4, p 0, ethertype IPv4, Alexa.local.lan.47812 > 52.46.136.77.https: Flags [.], ack 42, win 1734, length 0 09:49:26.581007 68:54:fd:47:87:32 (oui Unknown) > 00:08:a2:0c:e6:20 (oui Unknown), ethertype 802.1Q (0x8100), length 103: vlan 4, p 0, ethertype IPv4, Alexa.local.lan.39887 > ec2-34-200-196-96.compute-1.amazonaws.com.https: Flags [P.], seq 2206533354:2206533387, ack 2533339789, win 1686, options [nop,nop,TS val 153474635 ecr 1486154430], length 33Where igb2 is my physical interface that vlans are sitting on... See the traffic marked with vlan 4
You sure your rule on vlan 30 is any any, its not say set to TCP? Yeah just looked back and looks fine... Please disable your IPS and proxy to test..
Your not seeing anything blocked in the firewall? Enable logging on your allow rule on vlan 30
-
Do you see blocked traffic in the pfSense firewall log?
It seems like your client has the wrong default route or no default route. It looks to have the right gateway though. Hmm...
-
@sethelyon
I just worked through something similar--the tutorial I was following forgot to add the DNS on the new VLAN interface, which resulted in clients showing no internet. I got clued (after a solid 2 hrs of peaking through settings in unifi and pfsense) in when I typed 1.1.1.1 into my browser to stimulate traffic to sniff and it worked. I felt super smart.
If you can't laugh at yourself...J
