pfSense 2.5.2 VLANs with Cisco 2960X not working..Please help.
-
@mcnile off the top why are you setting the native (untagged) vlan as 3 on your switch.. Your lan network from your interfaces is untagged. And vlan 3 is tagged since it rides on re3 (lan)
Your trunk port connected to re3 on pfsense should be untagged (native for the vlan you're using for lan on your switch) and 3 and 4 should be tagged.
Looks like from your switch it's just the default vlan 1 for your normal lan traffic.
-
@johnpoz When I set it to default(Vlan 1) nothing works.
-
@mcnile said in pfSense 2.5.2 VLANs with Cisco 2960X not working..Please help.:
When I set it to default(Vlan 1) nothing works.
Well how are you setting it? It sure is not going to work for lan with native set to 3 and lan being just on re3 (no vlan)..
And don't see how it would work for vlan 3 either since that should be tagged.
I took Int 47 and made it a Trunk port and allowed VLANs 1-3
What specific port on the switch is connected to re3 on pfsense?
How many ports do you have on pfsense? How many free on the switch - you know you don't actually have to trunk anything or setup vlans on pfsense if you have the ports to use.. Your switch ports could all be access if you wanted to, if you have the ports..
Do your APs support vlans? I would test that your vlans are working by plugging a device (laptop or pc) into the port and making sure it gets dhcp from the correct vlan.. Or can ping pfsense IP on that vlan if you're not using dhcp once you setup the IP/mask on the device..
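As an added example (not posted by either participant), this is what the switch side johnpoz describes would look like on a Cisco 2960X: port 47 as the 802.1Q trunk to pfSense re3 with VLAN 1 native/untagged and VLANs 3 and 4 tagged, plus port 29 as a plain access port in VLAN 3 for the laptop test. The interface names Gi1/0/47 and Gi1/0/29 and the VLAN names Staff and Patrons are assumptions; the VLAN IDs and port numbers come from the thread.

```cisco
! Added example, not from the thread. Interface naming (Gi1/0/x) and the
! VLAN names are assumptions; VLAN IDs 1, 3, 4 and ports 47/29 are from the thread.
vlan 3
 name Staff
vlan 4
 name Patrons
!
! Port 47: 802.1Q trunk to pfSense re3 (LAN).
! VLAN 1 stays native (untagged), matching pfSense's plain LAN on re3.
! VLANs 3 and 4 cross the link tagged and match the pfSense VLAN
! interfaces whose parent is re3.
interface GigabitEthernet1/0/47
 description Trunk to pfSense re3
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3,4
 spanning-tree portfast trunk
!
! Port 29: untagged access port for the test laptop, placed in VLAN 3.
! A device plugged in here should pull DHCP from the pfSense VLAN 3 interface
! and be able to ping that interface's IP.
interface GigabitEthernet1/0/29
 description Test laptop in VLAN 3
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
! Checks after applying:
!   show interfaces trunk   -> Gi1/0/47 native vlan 1, allowed 1,3,4
!   show vlan brief         -> Gi1/0/29 listed under VLAN 3
```

If `show interfaces trunk` shows the native VLAN as anything other than 1 on Gi1/0/47, untagged LAN frames from pfSense land in the wrong VLAN, which is the symptom described at the top of the thread.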
-
@johnpoz I have pfSense's LAN connected to port 47 of the switch. My pfSense setup has a 4 port NIC. I have 12 free ports left on the switch. I did plug a laptop into port 29 on the switch and the DHCP is working. I am getting 192.168.2.77 as my IP and the gateway of 192.168.2.1 is showing up. Just not getting any internet. I did ping the pfSense machine from the laptop and got 25% loss, 3 out of 4 went through.
Not sure what to do from here. I think the whole VLAN tagging between the switch and pfSense is getting me stuck for sure.
-
@mcnile said in pfSense 2.5.2 VLANs with Cisco 2960X not working..Please help.:
got 25% loss, 3 out of 4 went through.
Well something not right there for sure..
If tags were not working you would not get proper dhcp, and you wouldn't get any pings.. You got something else wrong.
But from what I saw on your switch, vlan 1 should be native, while 3 and 4 would be tagged.
But yeah if you're seeing 25% loss you have a problem that could affect internet.
If your nat outbound rules are auto, it would have auto set to nat your new vlan network to your wan IP. You might want to check that. If manual, then no, internet would not work until you added your new network to the outbound nat.
I could see your als_free wifi going to have a problem unless you're pointing clients to something other than pfsense for dns.
-
@johnpoz Here are the NAT rules
-
@johnpoz Also here is what happens when I change the native vlan
-
@mcnile where do you have a duplicate IP - that would cause issues for sure that 3.1 address
-
@johnpoz I'm not sure as that is new as of today trying to troubleshoot this headache.
-
@mcnile that could also explain your ping issues.. You don't have an SVI set on the switch with that IP do you?
I take it 3.1 is pfsense IP on the 3 vlan.. Quick fix might be to just change pfsense IP to something different 3.254 or 3.253.. I like to use .253 for my interfaces since common default for devices is .1 or .254..
-
@johnpoz I changed the IPs. I'll try them tomorrow as I have appointments today that take me out of the office.
-
@johnpoz I'm half tempted to do a backup and start from scratch. Would you have any info on setting pfSense from scratch? The WAN is connected to our DMZ, the LAN to the Switch, needing two VLANs for the Staff and Patrons. With no crossing from Patron to Staff.
Would you recommend this?
-
@mcnile I don't see any reason to start from scratch.
But it's simple enough to do.. If that is what you want - it's really just follow the bouncing ball. And you have a working nat firewall router with a wan and lan.. As long as your wan is not overlapping the network you use on the lan you should have no issues at all just clicking through the wizard as you set it up.. If it takes 5 minutes I would be surprised..
Setting up 2 vlans and preventing 1 of those from talking to either the other vlan or lan is a simple rule..
-
@johnpoz Cool! Thank you for your input. I have been coming in on days off and staying late trying to figure out where I went wrong... LOL I did just try a ping from the laptop again, 100% all packets went through but no internet.
-
@mcnile said in pfSense 2.5.2 VLANs with Cisco 2960X not working..Please help.:
but no internet.
No internet in that you can not resolve? DNS? Or can not ping? Can you ping the IP address of pfsense wan gateway? 8.8.8.8 as another test. Pfsense wan IP even?
Quite often users say internet isn't working, when really the problem is they are having an issue with dns resolving where they are trying to go..
-
@johnpoz I can Ping the pfSense gateway IP address of GuestWiFi
-
@mcnile said in pfSense 2.5.2 VLANs with Cisco 2960X not working..Please help.:
Ping the pfSense gateway IP address of GuestWiFi
Not what I meant... Pfsense wan IP, can you ping that? Can you ping the IP of whatever pfsense wan gateway is? Can you ping 8.8.8.8?
While pinging pfsense IP in whatever network you're on is good.. And talking to pfsense IP on the network you're on is a requirement to get to the internet..
-
@johnpoz Nope, can't ping the WAN IP of pfSense or the 8.8.8.8.
-
@mcnile Well if you can not ping the wan IP of pfsense, but you can ping the lan IP of pfsense - is the client's gateway set to the IP of pfsense lan interface?
What are the specific rules on this interface? You're not forcing traffic out a specific gateway? Any floating rules?
If the rules are any any on the interface, and you can ping pfsense IP on that interface - but not the wan IP of pfsense. This points to the client not having a gateway that points to pfsense as its default.. Do a traceroute from this client to the wan IP of pfsense.. It should be hitting the pfsense IP in that network as its first hop..
Or the IP you're pinging is not actually pfsense? ie your duplicate IP error you saw sort of problem..
On your client validate that its gateway is the pfsense IP, validate that the mac address it shows for this IP is the correct pfsense mac address.
-
@johnpoz Well, I think I found the problem. I completely wiped the switch to a factory reset and updated the IOS. I now have the main LAN working again. I did find before the reset that the settings of Vlan 1 were buggy (done before I took over here). It was set to shut down and some other odd settings. There were also other issues in the IOS too, that is why I wiped it and loaded the new image. Going to start fresh with pfSense too.
@johnpoz Thank you so much for your help and thoughts. It helps to have others give input for ideas and places to look.