Why don't I have any connection to the pfSense interface/internet?
-
Our current firewall is deprecated and we decided to replace it with a pfSense server. In my test setup I configured the interfaces as follows:
- igb0 = WAN
  - enabled
- igb1 = LAN (should be VLAN trunk port in future)
  - enabled
  - Interface IP: 192.168.1.1
- VLAN 104
  - enabled
  - parent interface: igb1
  - VLAN tag: 104
After this I assigned VLAN 104 on igb1 to a LAN interface via "Interface Assignments" and gave the VLAN the IP 192.168.104.1/24.
I configured our (Lancom ES-2126) switch like this:
- Tag-based group -> VID = 104
  - members -> port 1, port 2
  - untagged -> port 2
- Port 1 (should be VLAN trunk port)
  - connected to pfSense LAN
  - PVID: 104
- Port 2
  - connected to desktop
  - PVID: 104
I configured the VLAN firewall rule(s) like this (allow all for test purposes):
and the LAN like this:
When I connect my desktop directly to the pfSense LAN port and give it a static 192.168.1.x/24 IP, I can perfectly surf and access the pfSense interface. When I connect my PC via the switch to pfSense (as previously described) and change my static IP to 192.168.104.x/24 (or leave it in 192.168.1.x/24), I can access neither the web interface nor the internet.
What am I doing wrong? I have the idea that pfSense does nothing with the VLAN at all.
Maybe this helps in answering the question, a (stripped) config.xml export:
<pfsense> <version>19.1</version> <lastchange></lastchange> <system> <optimization>normal</optimization> <hostname>bm_pfsense_axxwall01</hostname> <domain>localdomain</domain> <dnsserver>8.8.8.8</dnsserver> <dnsserver>8.8.4.4</dnsserver> <dnsallowoverride>on</dnsallowoverride> <group> <name>all</name> <description><![CDATA[All Users]]></description> <scope>system</scope> <gid>1998</gid> <member>0</member> </group> <group> <name>admins</name> <description><![CDATA[System Administrators]]></description> <scope>system</scope> <gid>1999</gid> <member>0</member> <priv>page-all</priv> </group> <user> <name>admin</name> <descr><![CDATA[System Administrator]]></descr> <scope>system</scope> <groupname>admins</groupname> <bcrypt-hash>$2y$10$jQvXNFjlnw3xT3g3MCQP3uBqSIHeu8sTiG1F5H1hk/M.qTM72S1A2</bcrypt-hash> <uid>0</uid> <priv>user-shell-access</priv> </user> <nextuid>2000</nextuid> <nextgid>2000</nextgid> <timeservers>2.pfsense.pool.ntp.org</timeservers> <webgui> <protocol>https</protocol> <loginautocomplete></loginautocomplete> <ssl-certref>5ea6ebc012194</ssl-certref> <dashboardcolumns>2</dashboardcolumns> <port></port> <max_procs>2</max_procs> </webgui> <disablenatreflection>yes</disablenatreflection> <disablesegmentationoffloading></disablesegmentationoffloading> <disablelargereceiveoffloading></disablelargereceiveoffloading> <ipv6allow></ipv6allow> <maximumtableentries>400000</maximumtableentries> <powerd_ac_mode>hadp</powerd_ac_mode> <powerd_battery_mode>hadp</powerd_battery_mode> <powerd_normal_mode>hadp</powerd_normal_mode> <bogons> <interval>monthly</interval> </bogons> <already_run_config_upgrade></already_run_config_upgrade> <timezone>Europe/Amsterdam</timezone> <ssh> <enable>enabled</enable> </ssh> <serialspeed>115200</serialspeed> <primaryconsole>serial</primaryconsole> <sshguard_threshold></sshguard_threshold> <sshguard_blocktime></sshguard_blocktime> <sshguard_detection_time></sshguard_detection_time> <sshguard_whitelist></sshguard_whitelist> </system> 
<interfaces> <wan> <enable></enable> <if>igb0</if> <blockpriv></blockpriv> <blockbogons></blockbogons> <descr><![CDATA[WAN1]]></descr> <ipaddr>dhcp</ipaddr> <dhcphostname>bm_pfsense_axxwall01</dhcphostname> <alias-address></alias-address> <alias-subnet>32</alias-subnet> <dhcprejectfrom></dhcprejectfrom> <adv_dhcp_pt_timeout></adv_dhcp_pt_timeout> <adv_dhcp_pt_retry></adv_dhcp_pt_retry> <adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout> <adv_dhcp_pt_reboot></adv_dhcp_pt_reboot> <adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff> <adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval> <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values> <adv_dhcp_send_options></adv_dhcp_send_options> <adv_dhcp_request_options></adv_dhcp_request_options> <adv_dhcp_required_options></adv_dhcp_required_options> <adv_dhcp_option_modifiers></adv_dhcp_option_modifiers> <adv_dhcp_config_advanced></adv_dhcp_config_advanced> <adv_dhcp_config_file_override></adv_dhcp_config_file_override> <adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path> <ipaddrv6>dhcp6</ipaddrv6> <dhcp6-duid></dhcp6-duid> <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len> <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface> <spoofmac></spoofmac> </wan> <lan> <enable></enable> <if>igb1</if> <descr><![CDATA[LAN1]]></descr> <spoofmac></spoofmac> <ipaddr>192.168.1.1</ipaddr> <subnet>24</subnet> </lan> <opt1> <descr><![CDATA[WAN2]]></descr> <if>igb2</if> <blockpriv></blockpriv> <blockbogons></blockbogons> <spoofmac></spoofmac> <enable></enable> </opt1> <opt2> <descr><![CDATA[LAN2]]></descr> <if>igb3</if> <spoofmac></spoofmac> <enable></enable> <ipaddr>192.168.200.1</ipaddr> <subnet>24</subnet> </opt2> <opt3> <descr><![CDATA[VLAN_104]]></descr> <if>igb1.104</if> <enable></enable> <spoofmac></spoofmac> <ipaddr>192.168.104.1</ipaddr> <subnet>24</subnet> </opt3> </interfaces> <staticroutes></staticroutes> <dhcpd> <lan> <range> <from>192.168.1.10</from> <to>192.168.1.245</to> </range> 
<failover_peerip></failover_peerip> <dhcpleaseinlocaltime></dhcpleaseinlocaltime> <defaultleasetime></defaultleasetime> <maxleasetime></maxleasetime> <netmask></netmask> <gateway></gateway> <domain></domain> <domainsearchlist></domainsearchlist> <ddnsdomain></ddnsdomain> <ddnsdomainprimary></ddnsdomainprimary> <ddnsdomainkeyname></ddnsdomainkeyname> <ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm> <ddnsdomainkey></ddnsdomainkey> <mac_allow></mac_allow> <mac_deny></mac_deny> <ddnsclientupdates>allow</ddnsclientupdates> <tftp></tftp> <ldap></ldap> <nextserver></nextserver> <filename></filename> <filename32></filename32> <filename64></filename64> <rootpath></rootpath> <numberoptions></numberoptions> </lan> <opt3> <range> <from>192.168.104.10</from> <to>192.168.104.200</to> </range> <enable></enable> <failover_peerip></failover_peerip> <defaultleasetime></defaultleasetime> <maxleasetime></maxleasetime> <netmask></netmask> <gateway>192.168.104.1</gateway> <domain></domain> <domainsearchlist></domainsearchlist> <ddnsdomain></ddnsdomain> <ddnsdomainprimary></ddnsdomainprimary> <ddnsdomainkeyname></ddnsdomainkeyname> <ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm> <ddnsdomainkey></ddnsdomainkey> <mac_allow></mac_allow> <mac_deny></mac_deny> <ddnsclientupdates>allow</ddnsclientupdates> <tftp></tftp> <ldap></ldap> <nextserver></nextserver> <filename></filename> <filename32></filename32> <filename64></filename64> <rootpath></rootpath> <numberoptions></numberoptions> </opt3> </dhcpd> <nat> <outbound> <mode>advanced</mode> <rule> <source> <network>192.168.200.0/24</network> </source> <sourceport></sourceport> <descr></descr> <target></target> <targetip></targetip> <targetip_subnet></targetip_subnet> <interface>wan</interface> <poolopts></poolopts> <source_hash_key></source_hash_key> <destination> <any></any> </destination> <created> <time>1588068438</time> <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username> </created> <updated> 
<time>1588068451</time> <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username> </updated> </rule> <rule> <interface>wan</interface> <source> <network>127.0.0.0/8</network> </source> <dstport>500</dstport> <target></target> <destination> <any></any> </destination> <staticnatport></staticnatport> <descr><![CDATA[Auto created rule for ISAKMP - localhost to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>127.0.0.0/8</network> </source> <sourceport></sourceport> <target></target> <destination> <any></any> </destination> <natport></natport> <descr><![CDATA[Auto created rule - localhost to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>::1/128</network> </source> <dstport>500</dstport> <target></target> <destination> <any></any> </destination> <staticnatport></staticnatport> <descr><![CDATA[Auto created rule for ISAKMP - localhost to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>::1/128</network> </source> <sourceport></sourceport> <target></target> <destination> <any></any> </destination> <natport></natport> <descr><![CDATA[Auto created rule - localhost to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>192.168.1.0/24</network> </source> <dstport>500</dstport> <target></target> <destination> <any></any> </destination> <staticnatport></staticnatport> <descr><![CDATA[Auto created rule for ISAKMP - LAN1 to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> 
<rule> <interface>wan</interface> <source> <network>192.168.1.0/24</network> </source> <sourceport></sourceport> <target></target> <destination> <any></any> </destination> <natport></natport> <descr><![CDATA[Auto created rule - LAN1 to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>192.168.104.0/24</network> </source> <dstport>500</dstport> <target></target> <destination> <any></any> </destination> <staticnatport></staticnatport> <descr><![CDATA[Auto created rule for ISAKMP - VLAN_104 to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> <rule> <interface>wan</interface> <source> <network>192.168.104.0/24</network> </source> <sourceport></sourceport> <target></target> <destination> <any></any> </destination> <natport></natport> <descr><![CDATA[Auto created rule - VLAN_104 to WAN1]]></descr> <created> <time>1588064403</time> <username><![CDATA[Manual Outbound NAT Switch]]></username> </created> </rule> </outbound> </nat> <filter> <rule> <id></id> <tracker>1588067865</tracker> <type>pass</type> <interface>lan</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <address>192.168.104.0/24</address> </source> <destination> <any></any> </destination> <descr></descr> <updated> <time>1588067865</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </updated> <created> <time>1588067865</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </created> <disabled></disabled> </rule> <rule> <type>pass</type> <ipprotocol>inet</ipprotocol> <descr><![CDATA[Default allow LAN to any rule]]></descr> 
<interface>lan</interface> <tracker>0100000101</tracker> <source> <network>lan</network> </source> <destination> <any></any> </destination> </rule> <rule> <type>pass</type> <ipprotocol>inet6</ipprotocol> <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr> <interface>lan</interface> <tracker>0100000102</tracker> <source> <network>lan</network> </source> <destination> <any></any> </destination> </rule> <rule> <id></id> <tracker>1588069360</tracker> <type>pass</type> <interface>lan_interfaces</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <any></any> </source> <destination> <any></any> </destination> <descr></descr> <updated> <time>1588069360</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </updated> <created> <time>1588069360</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </created> </rule> <rule> <id></id> <tracker>1588065927</tracker> <type>pass</type> <interface>opt2</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <network>opt2</network> </source> <destination> <any></any> </destination> <descr></descr> <created> <time>1588065927</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </created> <updated> <time>1588065945</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </updated> </rule> <rule> <id></id> <tracker>1588064726</tracker> <type>pass</type> <interface>opt3</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> 
<max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <network>opt3</network> </source> <destination> <any></any> </destination> <descr></descr> <created> <time>1588064726</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </created> <updated> <time>1588065382</time> <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username> </updated> </rule> <separator> <lan_interfaces></lan_interfaces> <opt3></opt3> <opt2></opt2> <lan></lan> </separator> </filter> <rrd> <enable></enable> </rrd> <revision> <time>1588142281</time> <description><![CDATA[admin@192.168.200.11 (Local Database): /system_advanced_admin.php made unknown change]]></description> <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username> </revision> <gateways></gateways> <ifgroups> <ifgroupentry> <members>lan opt2 opt3</members> <descr><![CDATA[Internal lan interfaces]]></descr> <ifname>lan_interfaces</ifname> </ifgroupentry> <ifgroupentry> <members>wan opt1</members> <descr><![CDATA[WAN interfaces]]></descr> <ifname>wan_interfaces</ifname> </ifgroupentry> </ifgroups> <vlans> <vlan> <if>igb1</if> <tag>104</tag> <pcp></pcp> <descr><![CDATA[axx_intra]]></descr> <vlanif>igb1.104</vlanif> </vlan> <vlan> <if>igb1</if> <tag>100</tag> <pcp></pcp> <descr><![CDATA[AxxCloud test network]]></descr> <vlanif>igb1.100</vlanif> </vlan> </vlans> </pfsense>
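Before blaming the wiring it is worth checking whether the exported config actually does what the question assumes. The script below is an added example, not code from the question or the answer: it parses a pfSense config.xml and, for every entry under `<vlans>`, checks that the vlanif is assigned to an enabled interface with a static IPv4 address, that the interface has at least one enabled pass rule (rules on an interface group such as `lan_interfaces` are expanded to their members, and a rule with `<disabled></disabled>` does not count), that DHCP is enabled on it, and that manual outbound NAT has a rule covering its subnet. It also lists credential-bearing elements that should be stripped before an export is posted, since the export above still contains the admin `<bcrypt-hash>`. The embedded sample is a constructed, abridged copy of the export in the question with the hash replaced by a placeholder; the list of sensitive tag names is an assumption to extend for the packages you run.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the config.xml in the question: only the
# elements the audit reads are kept and the admin hash is a placeholder.
SAMPLE_CONFIG = """<pfsense>
<system><user><name>admin</name><bcrypt-hash>$2y$10$placeholder</bcrypt-hash></user></system>
<interfaces>
 <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
 <opt3><if>igb1.104</if><enable></enable><ipaddr>192.168.104.1</ipaddr><subnet>24</subnet></opt3>
</interfaces>
<dhcpd><opt3><enable></enable></opt3></dhcpd>
<nat><outbound><mode>advanced</mode>
 <rule><source><network>192.168.104.0/24</network></source></rule>
</outbound></nat>
<filter>
 <rule><type>pass</type><interface>lan</interface><disabled></disabled></rule>
 <rule><type>pass</type><interface>lan_interfaces</interface></rule>
 <rule><type>pass</type><interface>opt3</interface></rule>
</filter>
<ifgroups><ifgroupentry><members>lan opt2 opt3</members><ifname>lan_interfaces</ifname></ifgroupentry></ifgroups>
<vlans>
 <vlan><if>igb1</if><tag>104</tag><vlanif>igb1.104</vlanif></vlan>
 <vlan><if>igb1</if><tag>100</tag><vlanif>igb1.100</vlanif></vlan>
</vlans>
</pfsense>"""

# Element names that carry credentials in pfSense exports (assumed list).
SENSITIVE_TAGS = {"bcrypt-hash", "md5-hash", "password", "shared_key", "prv"}


def _present(elem, tag):
    # pfSense stores booleans as an empty element, e.g. <enable></enable>.
    return elem is not None and elem.find(tag) is not None


def _text(elem, tag, default=""):
    node = elem.find(tag) if elem is not None else None
    return (node.text or "").strip() if node is not None else default


def _pass_rule_interfaces(root):
    """Interfaces with at least one enabled pass rule, expanding interface groups."""
    groups = {_text(g, "ifname"): _text(g, "members").split()
              for g in root.iterfind("ifgroups/ifgroupentry")}
    covered = set()
    for rule in root.iterfind("filter/rule"):
        if _text(rule, "type") == "pass" and not _present(rule, "disabled"):
            target = _text(rule, "interface")
            covered.update(groups.get(target, [target]))
    return covered


def _outbound_nat(root):
    """Return (mode, source networks of outbound NAT rules); <any> and aliases are skipped."""
    outbound = root.find("nat/outbound")
    nets = []
    for rule in (outbound.iterfind("rule") if outbound is not None else []):
        try:
            nets.append(ipaddress.ip_network(_text(rule.find("source"), "network")))
        except ValueError:
            continue
    return _text(outbound, "mode", "automatic"), nets


def audit(xml_text):
    """Return {vlanif: {"assigned_as": name or None, "issues": [...]}} for each VLAN."""
    root = ET.fromstring(xml_text)
    ifaces = {n.tag: {"if": _text(n, "if"), "enabled": _present(n, "enable"),
                      "ipaddr": _text(n, "ipaddr"), "subnet": _text(n, "subnet")}
              for n in root.iterfind("interfaces/*")}
    by_device = {cfg["if"]: name for name, cfg in ifaces.items()}
    passing = _pass_rule_interfaces(root)
    nat_mode, nat_nets = _outbound_nat(root)
    dhcp_on = {n.tag for n in root.iterfind("dhcpd/*") if _present(n, "enable")}
    findings = {}
    for vlan in root.iterfind("vlans/vlan"):
        vlanif = _text(vlan, "vlanif")
        name = by_device.get(vlanif)
        issues = []
        if name is None:
            issues.append("defined under <vlans> but not assigned to any interface")
        else:
            cfg = ifaces[name]
            if not cfg["enabled"]:
                issues.append(f"assigned as {name} but the interface is disabled")
            if name not in passing:
                issues.append(f"no enabled pass rule on {name}; pfSense drops everything by default")
            if name not in dhcp_on:
                issues.append(f"DHCP server not enabled on {name}; clients need static addresses")
            try:
                subnet = ipaddress.ip_network(f"{cfg['ipaddr']}/{cfg['subnet']}", strict=False)
            except ValueError:
                subnet = None  # no address, or dhcp/pppoe on the VLAN interface
            if subnet is None:
                issues.append(f"{name} has no static IPv4 address")
            elif nat_mode == "advanced" and not any(
                    n.version == subnet.version and subnet.subnet_of(n) for n in nat_nets):
                issues.append(f"manual outbound NAT has no rule covering {subnet}")
        findings[vlanif] = {"assigned_as": name, "issues": issues}
    return findings


def leaked_secrets(xml_text):
    """Credential-bearing elements with a value: strip these before posting an export."""
    root = ET.fromstring(xml_text)
    return sorted({n.tag for n in root.iter() if n.tag in SENSITIVE_TAGS and (n.text or "").strip()})


if __name__ == "__main__":
    for vlanif, result in audit(SAMPLE_CONFIG).items():
        print(vlanif, "->", result["assigned_as"], "; ".join(result["issues"]) or "ok")
    print("strip before posting:", leaked_secrets(SAMPLE_CONFIG))
```

On the sample, igb1.104 passes every check and igb1.100 is reported as defined but unassigned, which matches the export in the question: the VLAN side of the config is sound. A clean audit with no traffic points at layer 1/2 rather than at pfSense, and the quickest confirmation is `tcpdump -eni igb1 vlan 104` on the pfSense console while the desktop pings 192.168.104.1: if no tagged frames arrive, the fault is the cable, the switch port or the tagging, not the firewall rules.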
-
After 3 days of testing and experimenting I found out that one of the cables is not 100%. After putting a new cable between pfSense and the switch, everything works with the configuration as described in my question. This means the problem is solved!