[Solved] One-way traffic?
-
I currently have a situation which I don't fully understand - it's my first VLAN setup so I may well have done something wrong...
My setup is what I assume to be a pretty simple VLAN trunk - I have LAN (10.1.1.0/24) and VLAN (10.2.1.0/24) interfaces set up in pfSense and with LAN (carrying the VLAN) going to a Zyxel gs1200 web managed switch - that detags the VLAN and pushes that to an unmanaged switch for the clients.
VLAN clients get their DHCP assignments correctly but can only ping other clients on the VLAN. Not pfSense, or anything outside the VLAN.
LAN clients can ping the VLAN, and access HTTP and SSH servers on that side.
pfSense can also ping the VLAN quite happily.
I'm just about to go grab some network traces to see if they will shed any more light on it.
Is trying to mix the tagged & untagged traffic going to be what's causing me strife?
-
Well, what rules did you put on the vlan you created... New interfaces created in pfsense will have zero rules on them, so no, you wouldn't even be able to ping the pfsense IP in that vlan..
But sure clients would get dhcp just fine, when you enable a dhcp server on an interface - hidden rules get created to allow for dhcp to work on that network.
LAN would be able to start conversations into that vlan because LAN rules allow it, and the answer is allowed back via the state that is created even when your vlan has zero rules.
-
Have you added a firewall rule to the VLAN interface to allow traffic to or across pfSense?
-
I did create rules allowing VLAN-LAN access - but I did notice something when I went to screenshot them to share them...
What protocols have I been testing? ICMP/UDP
What is the default protocol for new rules? TCP
I've set the protocol to Any and I'm just about to test it now - I have a feeling it is going to work. If it does I'm off to redmine to see if there's a request to change the defaults there to NONE with an error on save, or All. It's bound to trip someone else up at some point!
-
There is little use to putting in a redmine for the default protocol on a rule.. It's always going to be the admin's responsibility to set the correct protocol for their rules... What it defaults to means nothing; the VAST majority of the time the rule would be for tcp, so it makes most sense to have it default to the protocol that is going to be most of the rules created.
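The two behaviours this thread turns on, a pass rule saved with the default protocol (TCP) silently not matching ICMP or UDP, and a stateful filter letting LAN-initiated traffic's replies back through a VLAN interface that has zero rules, can be seen in a small model. The following Python is an added example written for this thread; it is not pfSense code and does not model pf's real state tracking (ICMP ids, TCP flags, timeouts). The networks 10.1.1.0/24 and 10.2.1.0/24 are from the thread; the pfSense VLAN address 10.2.1.1 and the host addresses are assumptions constructed for the example.

```python
"""Toy stateful, default-deny packet filter in the spirit of pf (added example).

Models two things from the thread:
  * a pass rule with protocol "tcp" matches neither ICMP nor UDP, so a VLAN
    client cannot ping pfSense even though a "VLAN -> anywhere" rule exists;
  * a flow started from LAN creates a state entry, and the VLAN host's reply
    is passed by that state although the VLAN interface has no rules at all.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = "10.1.1.0/24"        # from the thread
VLAN_NET = "10.2.1.0/24"       # from the thread
PFSENSE_VLAN_IP = "10.2.1.1"   # assumed pfSense address on the VLAN interface
LAN_HOST = "10.1.1.10"         # constructed
VLAN_HOST = "10.2.1.50"        # constructed


def in_net(ip, net):
    """'any' matches every address; otherwise a plain CIDR membership test."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet enters the firewall on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str          # pass rule evaluated for traffic entering this interface
    proto: str          # "any" matches every protocol, otherwise exact match
    src_net: str
    dst_net: str
    dport: int = 0      # 0 = any destination port


class Firewall:
    def __init__(self, rules, dhcp_ifaces=()):
        self.rules = list(rules)
        # pfSense adds hidden pass rules for DHCP on interfaces running a DHCP server
        for iface in dhcp_ifaces:
            self.rules.insert(0, Rule(iface, "udp", "any", "any", dport=67))
        self.states = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt):
        # the same 5-tuple with endpoints swapped: what the reply of this packet's flow looks like
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """True if the packet passes: it belongs to an existing state (either
        direction of a flow already allowed) or the first matching pass rule on
        its ingress interface accepts it and creates a state. Default is deny."""
        if self._key(pkt) in self.states or self._reply_key(pkt) in self.states:
            return True
        for r in self.rules:
            if (r.iface == pkt.iface
                    and (r.proto == "any" or r.proto == pkt.proto)
                    and (r.dport == 0 or r.dport == pkt.dport)
                    and in_net(pkt.src, r.src_net)
                    and in_net(pkt.dst, r.dst_net)):
                self.states.add(self._key(pkt))
                return True
        return False


def _vlan_client_probes(fw):
    """The tests the original poster ran from a VLAN client: DHCP, ping, SSH, UDP."""
    return {
        "dhcp_discover": fw.filter(Packet("VLAN", "udp", "0.0.0.0", "255.255.255.255", 68, 67)),
        "ping_pfsense": fw.filter(Packet("VLAN", "icmp", VLAN_HOST, PFSENSE_VLAN_IP)),
        "ssh_to_lan": fw.filter(Packet("VLAN", "tcp", VLAN_HOST, LAN_HOST, 40000, 22)),
        "dns_udp_to_pfsense": fw.filter(Packet("VLAN", "udp", VLAN_HOST, PFSENSE_VLAN_IP, 40001, 53)),
    }


def vlan_rule_left_at_tcp():
    """The thread's bug: the VLAN pass rule was saved with the default protocol, TCP."""
    fw = Firewall([Rule("VLAN", "tcp", VLAN_NET, "any")], dhcp_ifaces=("VLAN",))
    return _vlan_client_probes(fw)


def vlan_rule_set_to_any():
    """The fix: the same rule with protocol set to Any."""
    fw = Firewall([Rule("VLAN", "any", VLAN_NET, "any")], dhcp_ifaces=("VLAN",))
    return _vlan_client_probes(fw)


def lan_initiated_with_no_vlan_rules():
    """LAN can start a conversation into the VLAN and the answer rides back on
    state, but the VLAN cannot start its own flows when it has zero rules."""
    fw = Firewall([Rule("LAN", "any", LAN_NET, "any")])
    request = fw.filter(Packet("LAN", "icmp", LAN_HOST, VLAN_HOST))
    reply = fw.filter(Packet("VLAN", "icmp", VLAN_HOST, LAN_HOST))
    unsolicited = fw.filter(Packet("VLAN", "icmp", VLAN_HOST, "10.1.1.20"))
    return {"lan_ping_out": request, "vlan_echo_reply": reply, "vlan_new_ping": unsolicited}


if __name__ == "__main__":
    for scenario in (vlan_rule_left_at_tcp, vlan_rule_set_to_any, lan_initiated_with_no_vlan_rules):
        print(scenario.__name__, scenario())
```

With the rule left at TCP, the DHCP request and the SSH session pass while ping and UDP are dropped, which is exactly the "one-way" symptom: LAN-initiated pings still work because their replies match state rather than rules. When checking a setup like this, the rule's protocol column is the first thing to read, and a packet capture on the VLAN interface will show the requests arriving with no reply leaving.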
-
@motific said in One-way traffic?:
Is trying to mix the tagged & untagged traffic going to be what's causing me strife?
No. That is quite common. Your problem is either routing or filters. Do the packet captures and see what they say.
One thing to remember about VLANs, the only significant difference between tagged and untagged frames is the contents of the Ethertype/Length field. There is nothing magic about VLANs that causes problems.
-
It was just the rules that were wrong - all sorted now.
Thanks everyone for the quick responses!