• Hi.

    I need help with communication between VLAN and LAN in pfSense 2.3.4-RELEASE-p1.
    I did a lot of research and did several tests, but I still haven't been able to resolve this last issue.

    The scenario is as follows:

    1 LAN 10.0.x.y / 16
    1 VLAN 10.100.100.1/16
    Some AP: 10.100.50.x / 16
    DHCP: 10.100.200.x ~ 10.100.202.y / 16

    Testing from pfSense, I can ping anything (local network, Access Points in the range 10.100.50, devices with IP by DHCP, without any problem).

But, I need a Zabbix to ping the APs, so its gateway is the LAN IP of pfSense. It can ping VLAN 10.100.100.1 and also any client that receives via DHCP, for example. But if I try to ping any device with a fixed IP on the VLAN, it does not respond. I realized that if the IP is fixed, it does not respond. If it is DHCP, it responds perfectly. I couldn't understand why.

The firewall rules are all open for testing and I still couldn't. I also tried to create them in Floating, without success too.

    If you can help with any ideas, I am very grateful.
    Thanks!


  • @snows-0
    Two /16 subnets? You have quite a large network!

    @snows-0 said in I need help with VLAN:

    It can ping VLAN 10.100.100.1 and also any client that receives via DHCP, for example. But if I try to ping any device with fixed IP on the VLAN, it does not respond.

    Possibly the network mask is not set correctly on the device.
    Or its firewall blocks access from out of its own subnet.


  • @viragomann Thanks for answering.

    The masks are correct, yes. I've checked it out several times. I also came to think of it.

    As for the firewall, do you mean pfSense itself? If so, everything is free. I have also done it many times to check it out.
    And if it is not there, for example, Access Points have no restrictions in this regard.

It doesn't really make much sense. If pfSense can ping everything, and the LAN can ping the VLAN, I don't understand the reason why I can't ping anything else on the VLAN; the only difference is that it has a fixed IP and not DHCP.


  • @snows-0

Yes, I was talking about the device's firewall.

The gateway setting is another possible issue. It is set by DHCP, so check if it is set correctly.

    Another check you can do is to try a ping from the pfSense Diagnostic menu, then change the source to the other subnet and try again.
If the gateway is set correctly and the device's firewall allows the pings from outside, you should get responses on both attempts.


  • @viragomann In this case, I need Zabbix to ping and it is not using DHCP.

    He is on the 10.0.x.y network and I configured his gateway as the LAN IP of pfSense. With this, Zabbix can ping the IP of VLAN 10.100.x.y normally.

I did the test you said, and the ping really only responds when I change the source to VLAN100. In other words, I would then have to change the entire structure of Zabbix to have the gateway as the one for this VLAN, correct? But then I would have other problems, because I would no longer have the connectivity that I already have today, with it being able to ping the servers that are on the same network as it.

What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP, which in theory are also in the same IP range as the AP. That is, it should also respond. That is what I have not been able to understand until now. Or is it not responding because it does not "know" 10.100.50.x, unlike the other IPs it provides and is supposed to know and trust? I don't know ... bizarre.


  • @snows-0 said in I need help with VLAN:

    1 VLAN 10.100.100.1/16
    Some AP: 10.100.50.x / 16
    DHCP: 10.100.200.x ~ 10.100.202.y / 16

    Those 3 are overlapping. Are they supposed to be on the same subnet?


  • @snows-0 said in I need help with VLAN:

    In this case, I need Zabbix to ping and it is not using DHCP.

    I was talking about the destination devices.

    @snows-0 said in I need help with VLAN:

    What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP

    As I mentioned, possibly the network settings on the destination devices are wrong. Check all settings, network mask and gateway.

    Does this problem only affect the APs or also other devices which pull IPs from DHCP?


  • Most likely...one (or more) of the devices have the wrong gateway and/or mask set.

    My suggestion... simplify your network:

    • Leave the parent LAN interface unassigned
    • Move your current LAN subnet to a VLAN
    • Refine all your subnets down to /24's.

    Once that's done, make the appropriate adjustments on your switch. You are using a managed switch right?

    Then I'd re-verify that your access ports are configured for the appropriate VLAN(s), and re-verify the masks and gw's of all your devices.


  • @viragomann said in I need help with VLAN:

    @snows-0 said in I need help with VLAN:

    In this case, I need Zabbix to ping and it is not using DHCP.

    I was talking about the destination devices.

    In this case, Access Points are not via DHCP. They have fixed IP.
    Example:
    10.100.50.50/16, GW: 10.100.100.1 (VLAN IP)

If I try to ping from a PC that is in the VLAN, receiving its IP via DHCP from pfSense, it can ping everything. But if I try the same from a PC with a fixed IP (Zabbix, for example, which is using the pfSense LAN IP as a gateway), it can only ping the IP of VLAN 10.100.100.1 and any device that has received an IP via DHCP from pfSense. If I try to ping an AP (which has a fixed IP, but is on the VLAN and with GW 10.100.100.1), there is no connectivity.

    It makes no sense.

    @snows-0 said in I need help with VLAN:

    What I still can't understand is why I can ping the IP of the VLAN normally and also the IPs that pfSense provides via DHCP

    As I mentioned, possibly the network settings on the destination devices are wrong. Check all settings, network mask and gateway.

    Does this problem only affect the APs or also other devices which pull IPs from DHCP?

    It only affects those with fixed IP. If it's like DHCP, it works.
    I've checked and re-checked several times and in different APs to make sure.

    I also checked the logs and apparently, everything is normal, see:

[image: log screenshot, Zabbix > AP]


  • @marvosa said in I need help with VLAN:

    Most likely...one (or more) of the devices have the wrong gateway and/or mask set.

    My suggestion... simplify your network:

    • Leave the parent LAN interface unassigned
    • Move your current LAN subnet to a VLAN
    • Refine all your subnets down to /24's.

    Once that's done, make the appropriate adjustments on your switch. You are using a managed switch right?

    Then I'd re-verify that your access ports are configured for the appropriate VLAN(s), and re-verify the masks and gw's of all your devices.

I confess that I thought of something similar, because keeping the LAN running is strange, I don't know... whether this whole issue would be resolved if I worked only with VLANs. I'll try.
    Tks


  • It only affects those with fixed IP. If it's like DHCP, it works.
    I've checked and re-checked several times and in different APs to make sure.

    I also checked the logs and apparently, everything is normal, see:

[image: log screenshot, Zabbix > AP]

My first thoughts would be... do the APs have a gateway set? If not, that's your issue. If so, please share their IP, Mask, and GW.
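An added check (my own Python, not from the thread or from pfSense) that models the diagnosis viragomann and marvosa give: a fixed-IP device answers a pinger on another subnet only if its own mask and gateway are right, while a DHCP client gets both from pfSense. Addresses are constructed to match the thread; the pfSense LAN address 10.0.0.1 and the Zabbix address 10.0.10.20 are assumptions.

```python
import ipaddress

# Constructed sample: pfSense interface addresses. The VLAN address is from the
# thread; the LAN address 10.0.0.1 is an assumption (the thread only says 10.0.x.y).
PFSENSE_IFACES = {
    "LAN": ipaddress.ip_interface("10.0.0.1/16"),
    "VLAN100": ipaddress.ip_interface("10.100.100.1/16"),
}
ZABBIX = "10.0.10.20"  # assumed Zabbix address on the LAN side

def real_subnet(ip):
    # The pfSense interface network that actually contains ip, or None.
    for i in PFSENSE_IFACES.values():
        if ip in i.network:
            return i.network
    return None

def check_host(name, addr, gateway, pinger):
    """Reasons why a device configured as addr ('ip/prefix') with this gateway
    would fail to answer an ICMP echo from pinger. Empty list means it should reply."""
    problems = []
    iface = ipaddress.ip_interface(addr)
    src = ipaddress.ip_address(pinger)
    net = real_subnet(iface.ip)
    if net is None:
        return [f"{name}: {iface.ip} is not inside any pfSense interface subnet"]
    if iface.network != net:
        problems.append(f"{name}: mask gives {iface.network}, but the interface subnet is {net}")
    if src in net:
        return problems  # pinger is on-link: the device ARPs directly and never uses its gateway
    if src in iface.network:
        # Mask too wide: the device thinks the pinger is on-link, ARPs for it, never replies.
        return problems + [f"{name}: mask makes {src} look on-link, reply is never routed"]
    if gateway is None:
        return problems + [f"{name}: no gateway set, cannot reply to off-subnet {src}"]
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"{name}: gateway {gw} is outside {net}")
    elif gw not in {i.ip for i in PFSENSE_IFACES.values()}:
        problems.append(f"{name}: gateway {gw} is not a pfSense interface address")
    return problems

# Constructed device configs mirroring the thread: a DHCP client as pfSense hands it
# out, the AP as posted (10.100.50.50/16, GW 10.100.100.1), and three fixed-IP mistakes.
DEVICES = [
    ("dhcp-client", "10.100.200.10/16", "10.100.100.1"),
    ("ap-as-posted", "10.100.50.50/16", "10.100.100.1"),
    ("ap-no-gw", "10.100.50.51/16", None),
    ("ap-bad-mask", "10.100.50.52/8", "10.100.100.1"),
    ("ap-bad-gw", "10.100.50.53/16", "10.100.50.1"),
]

def audit(devices=DEVICES, pinger=ZABBIX):
    # Map each device name to its list of problems for pings coming from pinger.
    return {name: check_host(name, addr, gw, pinger) for name, addr, gw in devices}
```

The AP config as posted passes, which is why the check only helps once the real per-device IP, mask and gateway are known; a ping sourced from the VLAN itself (as in viragomann's Diagnostics test) passes even for the broken configs, because the gateway is never used on-link.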