Hello. I’m a guy that broke the internet.
-
Newly acquired shiny sg2100 was up and running (modem —> netgate —> consumer ap) after spending an embarrassing amount of time only to realize I had to call ISP to activate modem, also by which point I had to clear up the boot loop that I had created on the netgate from too many restarts.
Added pfblocker and suricata (suricata lan side only). After a day since no one was using my home network I turned on suricata blocking. Played around with different devices in the house to see what if anything would no longer be functional. Sky didn’t fall. Seemed like it wouldn’t be too bad as far as TVs and whatnot were concerned. I was just happy to see that running it didn’t seem to be too taxing on the 2100 (17-30% gpu). Figured if it was too taxing I would remove pfblocker and go back to pihole.
To give you an idea of my level of network competence I then added a second ap (linksys) to port 2 (lan—>lan) thinking that was the same thing as a vlan. After realizing my folly and creating a vlan and designating it to port 2 I decided that since it was 2am I’d be done for the day. Checked a couple websites and about 10 minutes later I had no internet. I assumed it was suricata, or the newly added ap, so I unplugged the ap and turned off blocking on suricata.
I still didn’t have internet access but I could see wan/lan activity in pfsense. I could run dns lookup successfully. Also my VPN would connect but then drop, suggesting that it did have short internet access. I assumed dhcp with the new ap was interfering so I turned off laptop and I went to bed.
Woke up and made a bad situation worse. I now can no longer access pfsense via local network or the internet. Here’s what I did:
Attempted to change “tracking ipv6” on the vlan to “none”. Was presented with a warning that “advertising dhcpv6” would need to be disabled first. Wasn’t sure what that meant but I then disabled the dhcpv6 for the wan interface. I also disabled the vlan interface. I’m not sure which order I performed the above two tasks but the result is that I can no longer access pfsense or internet.
I have powered off all devices and left ap’s off. I can’t seem to access netgate device via ssh, though I believed I had added it. I’m connected directly via Ethernet. Do I need to do a factory reset? I thought I had turned on a “no lockout” feature. Does that mean I’m officially a hacker?
Thanks for reading my life story and I appreciate any and all insights provided. Feel free to chastise if it comes along with an ability to learn. This is just a home network, and this is my first attempt at any of this.
-
Did you add a gateway on the new VLAN interface?
It shouldn't have one but if you did it may have become the default route.
Make sure the WAN gateway is set as default in System > Routing > Gateways.
If you only have console access run
netstat -rn4
to see the routing table. Make sure there is a default route and it's the WAN gateway.
Steve
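The check Steve describes, as an added example that is not from the thread: a small POSIX shell script that reads `netstat -rn4` output and confirms the IPv4 default route exits via the WAN interface. The WAN interface name (mvneta0, the SG-2100 WAN port) and the two sample routing tables are assumptions constructed for the example; the VLAN interface name mvneta1.69 mirrors the OPT1 interface mentioned later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_IF is assumed to be mvneta0
# (the SG-2100 WAN port); override it for other hardware.
WAN_IF="${WAN_IF:-mvneta0}"

# Constructed sample of `netstat -rn4` on a healthy box: default route via WAN.
SAMPLE_GOOD='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS     mvneta0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U       mvneta1
192.168.69.0/24    link#3             U    mvneta1.69'

# Constructed sample where a gateway added on the VLAN interface has become
# the default route, which is the failure mode described above.
SAMPLE_BAD='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.69.1       UGS    mvneta1.69
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U       mvneta1
192.168.69.0/24    link#3             U    mvneta1.69'

# Print "<gateway> <netif>" for the default route, or nothing if there is none.
default_route() {
  printf '%s\n' "$1" | awk '$1 == "default" { print $2, $4; exit }'
}

# Return 0 if a default route exists and uses WAN_IF, 1 otherwise.
check_default_route() {
  set -- $(default_route "$1")
  if [ $# -ne 2 ]; then
    echo "no default route: set the WAN gateway as default in System > Routing > Gateways"
    return 1
  fi
  if [ "$2" = "$WAN_IF" ]; then
    echo "OK: default via $1 on $2"
    return 0
  fi
  echo "WRONG: default via $1 on $2 (expected $WAN_IF); check System > Routing > Gateways"
  return 1
}

# Demo on the constructed samples. On a live pfSense console run:
#   check_default_route "$(netstat -rn4)"
check_default_route "$SAMPLE_GOOD"
check_default_route "$SAMPLE_BAD" || true
```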
-
[quote]
@stephenw10 Did you add a gateway on the new VLAN interface?
Make sure the WAN gateway is set as default in System > Routing > Gateways.
If you only have console access run
netstat -rn4
to see the routing table. Make sure there is a default route and it's the WAN gateway.
Steve
[/quote]
Thank you! That must have been it but I’d like to learn how I messed that up. The vlan didn’t have a gateway designated, to the best of my knowledge. Running the above command showed WAN-mveta0, LAN-mveta1, OPT1-mveta1.69. I reconfigured interface and auto wouldn’t work but manually setting WAN and LAN and deleting OPT1 got me back in business.
Could it have been because I retroactively assigned port 2 as vlan while it was already functioning as a switch for my lan?
-
It could have been if the switch/vlan wasn't properly separating the ports for example.
Hard to say without checking the config at the time.
Steve
-
That's what it was, and still seems to be. I missed changing the vlan tag and members. Suricata was also putting my vpn in time out. So I changed that back to alert only. For now just separating the network is enough to take on.
I'm still confused about whether both members should be tagged or just the root or "5" in the case of the sg2100. I've got 5 tagged and the port listed without the tag as per the netgate guide, but I've seen other guides saying to tag both.
I added a vlan (members 4,5t), wired ethernet via lan port to wan port on a linksys router and set the linksys in bridge mode. Trying to ssh into a pi on that network and only after resetting ssh and burning a new image have I realized that my issue has been my network and not the pi. I could see and ping the pi so I assumed I was on the same network while logged into the wifi on that router. However, today I plugged laptop into lan port on linksys and it tells me I'm on my other ap that I thought should be separate from this network. They share "5", but 4 is removed from the default group and in the vlan members.
Ultimately I just want 3 networks 2 of which are isolated and the other that can access them all.
-
@fnord said in Hello. I’m a guy that broke the internet.:
I've got 5 tagged and the port listed without the tag as per the netgate guide
That's correct if you don't want the VLAN traffic to be tagged outside the SG-2100.
You might have both tagged if you were using another switch to connect other devices onto the VLAN. Or if you had an access point that supports multiple SSIDs via VLANs directly.
Post some screenshots of the switch and VLAN config and we can review them.
Steve
-
-
That's the same shot twice
We need to see the Interfaces > VLANs tab.
And the Interfaces > Switches > Ports and VLANs tabs.
-
Of course it would be. Almost posted it a third time too. I appreciate the assistance, btw.
-
Those both look correct. As long as you have VLAN 57 assigned as an interface in Interfaces > Assignment you should be able to use that as port 4 separately.
-
I think this is mostly ironed out after a restart. My connectivity was oddly intermittent prior to that. When I plug in laptop via ethernet directly to my vlan AP it still says I'm on my lan network, but assigns correct IP and I can connect to my pi.
Thanks again for your help!