Cannot reach my firewall through VLan

goorooj

I cannot reach my netgate from Vlan, connected machine even directly....

I configured my netgate SG-2100 from the manual...

I assigned VLAN 4084 to Switch port 4 to see it as Interface.
I assigned the IP address 192.168.150.1 to this port.
I assigned VLan 210 to port 4

the trunk from the switch ( as configured to my juniper too ) contains 210

But when i try to reach 192.168.150.1 nothing happens.

I even went back so far that i connected directly, without VLan 210, from a machine in the 192.168.150.0/24 range to port 4 on the firewall, it says destination host cannot be reached...

moreover, i dont see anything in the firewall- or routing logs that it even connects. i only see a link up on port 4 when i plug it in, thats it.

I fight with this since a day now and i am at the end of my wisdom... I really dont know anymore where to look

Gertjan

@goorooj

Does your device receives a DHCP lease (IP gateway DNS) ?
If it does, this should correspond with the DHCP server logs.
What firewall rules did you place on the VLAN interface ?

When you remove all the VLAN stuff, everything works, right ?

goorooj

@gertjan i do not use dhcp, the client has a fixed address. I have Infratsructure servers in each LAN segment that do DNS, DHCP....
These are of course in the production environment, this is not productive yet but i have a duplicate of the 48-Port Main switch, Vlan configs on the switch, etc....

I opened the Vlan interface completely any-any for testing before securing it down, all protocols, all ports.

its 192.168.150.11/24 on the client, 192.168.150.1 on the Vlan interface OPT1
My Vlan Config is 100 for Office, 210 For Testnet ( this one ), 211 for HardwareLoRa, 220 For Wlan, 230 for Phone and so on.

But even when i connect the cable from the client directly without switch, without Vlan ( except the 4084 needed for the OPT1 interface ) there is no reaction, so i think i may have a problem with the OPT1 Interface?

Gertjan

@goorooj said in Cannot reach my firewall through VLan:

think i may have a problem with the OPT1 Interface?

Stop thinking.
Just a rapid fact check.

=> save your config.
=> restore to default.
=> OPT1 is working
====> If yes, your config is wrong.
=>>>> If no, device has a bad OPT1 port.

goorooj

@gertjan

The Netgate SG_2100 has a Wan-Port and an integrated Switch as Ports 1-4
There is no OPT1 in Default but you make an OPT1, OPT2 etc. Ports by assigning a VLAN to these ports and making them Interfaces
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html

So going back to default would not help at all.

Gertjan

@goorooj said in Cannot reach my firewall through VLan:

So going back to default would not help at all.

You are correct.
I don't have a 2100 at hand, so can't try out something myself

goorooj

@gertjan

i found it. after days. works now.
this here https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
is not suitable for my config, because i need the 210 VLAN to terminate, so i dont need a dedicated Switch port, just a VLAN interface.

this is the right tutorial: https://mitky.com/pfsense-virtual-lan-setup-vlans/

there it works.

now the other VLANs should be working as well like this one.