Can’t access TrueNAS machine outside its own VLAN
I have a problem accessing a NAS machine, but this is not making much sense.
My global configuration is something like this:
LAN – 192.168.5.0
pfSense machine, switches, centralized controller
VLAN 10 – 192.168.10.0
TrueNAS machine, printer, user computers
VLAN 20 – 192.168.20.0
VLAN 30 – 192.168.30.0
OpenVPN Tunnel – 192.168.50.0
Basically, everything works fine except when we try to access the TrueNAS machine from outside its own VLAN.
I created all the rules to let the traffic pass between the VLANs and OpenVPN, but something must be wrong. To make sure that I’m not blocking traffic from / to a specific IP, I’m passing the whole range of IPs. In the pfSense logs, all traffic looks ok - nothing appears blocked. However, I can’t ping or access the TrueNAS machine from outside VLAN 10 (locally or using OpenVPN). But I can access the printer perfectly, which is in the same VLAN. The only way to access the TrueNAS is from a PC that is connected directly to the same VLAN.
Any idea about what could be wrong?
Many thanks for all your help.
OpenVPN Tunnel – 192.168.50.0
Is that a typo? Using a tunnel network that overlaps one of your own networks wouldn't be a correct setup.
The NAS's own firewall comes to mind. The NAS not having a gateway set to point back to pfSense is another. How are you trying to connect to the NAS? L2 discovery is not going to work across VLANs.
Many thanks for your answer.
Can you be a little more precise about what you are trying to explain to me?
Just to clarify, I don't have access (or even ping) to the NAS from the VPN, the LAN or any other VLAN that is not the one the TrueNAS belongs to. From a PC connected to the same VLAN, I have full access to the web interface, shares, etc.
What is really weird is that I have a network printer in the same VLAN as the TrueNAS and with it everything is running well (ping, printing from other VLANs or the VPN, etc.).
For now I'm using “open configs” to let all traffic and protocols pass from the whole IP range (xxxx/24), exactly to make sure that I have the same rule for all devices, but I can't understand why I have access to the printer and not the TrueNAS.
If it helps, when I try to ping the TrueNAS (from outside its own VLAN), the pfSense packet capture on the interface is the following:
10:03:56.033293 IP (tos 0x0, ttl 127, id 48780, offset 0, flags [none], proto ICMP (1), length 60)
192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 557, length 40
10:04:01.037589 IP (tos 0x0, ttl 127, id 48781, offset 0, flags [none], proto ICMP (1), length 60)
192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 558, length 40
So, it looks like something does reach the corresponding VLAN, right?
@agomendes dude my bad.. I saw your LAN as 192.168.50 and your tunnel as 192.168.50 - doh!
Yeah, you're pinging the device - if it has a firewall, which most NASes do - then it could be set to not answer anything unless it's on the same network. Validate that your NAS firewall allows the traffic you want to allow.
Another reason you might not be able to talk to the NAS: if no gateway is set on the NAS, it just doesn't know how to answer that IP, since there is no gateway - or a different gateway than the pfSense IP on your NAS VLAN.
Or another reason is you're tagging traffic out of your VLAN interface, and with how you set up your NAS it is never seeing the traffic, because it doesn't understand that it should be looking for that tagged traffic..
Normally with VLANs pfSense would send with a tag, the switch would say "oh, that is VLAN X traffic", send that to the stuff on that VLAN, but remove the tag for the device on the access port..
pfsense -- vlan X (tagged) --- switch --- vlan X (untagged) nas
But if you have it like this:
pfsense -- vlan X (tagged) -- Nas
then the NAS would have to be set up to know about the VLAN X tag.
Or with a dumb switch (not VLAN capable):
pfsense -- vlan X (tagged) -- dumb switch -- vlan X (tagged) Nas..
If you see pfSense sending the traffic to the NAS IP, and it's to the correct MAC address, but you get no answer, that screams firewall on that device. Or the device has no gateway, or a different gateway, and pfSense never sees the reply to send it back to the IP wanting to talk to the NAS. Or for whatever reason the NAS is never seeing the traffic in the first place to be able to answer..
But if you're seeing traffic sent to the NAS, and the NAS can actually access the internet through pfSense - get an IP from pfSense DHCP, etc. - then it screams NAS firewall just not set to allow that source IP to talk to it..
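As an added diagnostic illustration for the capture shown earlier in the thread and the reasoning in this post (this is not code from the thread), the script below pairs ICMP echo requests with echo replies in pfSense / tcpdump verbose output and, for each target that never answers, works out how that host could route a reply given its own IP configuration (on-link, via a gateway, no gateway, or a gateway outside its subnet). The two requests to 192.168.10.20 are copied from the posted capture; the exchange with 192.168.10.30 (standing in for the printer) and the gateway 192.168.10.1 (standing in for pfSense's VLAN 10 address) are constructed assumptions.

```python
"""Pair ICMP echo requests/replies from a tcpdump -v capture and explain
how an unanswered host would (or could not) route its reply.
Sample data is constructed; only the two requests to .10.20 are from the thread."""
import ipaddress
import re
from collections import defaultdict

# tcpdump -v prints the IP header on one line and the ICMP summary on the
# next; only the ICMP line is needed to match a request with its reply.
ICMP_LINE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture: one answered probe (assumed printer at .10.30)
# followed by the two unanswered probes to the NAS shown in the thread.
SAMPLE_CAPTURE = """\
10:03:50.100000 IP (tos 0x0, ttl 127, id 48770, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.30: ICMP echo request, id 1, seq 100, length 40
10:03:50.100900 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.30 > 192.168.50.2: ICMP echo reply, id 1, seq 100, length 40
10:03:56.033293 IP (tos 0x0, ttl 127, id 48780, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 557, length 40
10:04:01.037589 IP (tos 0x0, ttl 127, id 48781, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.50.2 > 192.168.10.20: ICMP echo request, id 1, seq 558, length 40
"""


def unanswered_requests(capture):
    """Return {target_ip: [seq, ...]} for echo requests that never got a reply."""
    requests = {}   # (pinger, target, id, seq) in capture order
    answered = set()
    for line in capture.splitlines():
        m = ICMP_LINE.match(line)
        if not m:
            continue
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], ident, seq)] = True
        else:
            # A reply's source is the original target and its destination
            # the pinger, so swap them to build the matching request key.
            answered.add((m["dst"], m["src"], ident, seq))
    missing = defaultdict(list)
    for pinger, target, ident, seq in requests:
        if (pinger, target, ident, seq) not in answered:
            missing[target].append(seq)
    return dict(missing)


def reply_path(host_ip, prefixlen, gateway, peer_ip):
    """Describe how a host with this address/mask/gateway would send a reply
    to peer_ip: same subnet needs no gateway, anything else needs a usable one."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    peer = ipaddress.ip_address(peer_ip)
    if peer in iface.network:
        return "on-link"
    if gateway is None:
        return "no gateway"
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        return f"gateway {gateway} is not on-link"
    return f"via gateway {gateway}"


if __name__ == "__main__":
    for target, seqs in unanswered_requests(SAMPLE_CAPTURE).items():
        print(f"{target}: no reply for seq {seqs}")
        # Assumed configurations to compare: none, pfSense's VLAN 10 address,
        # and a gateway on another subnet (all constructed values).
        for gw in (None, "192.168.10.1", "192.168.5.1"):
            path = reply_path(target, 24, gw, "192.168.50.2")
            print(f"  gateway={gw}: reply to 192.168.50.2 -> {path}")
```

If the capture on the VLAN interface shows only requests for a host that has a correct on-link gateway, the remaining candidates are the ones named above: a host firewall dropping off-subnet sources, or the host never receiving the frames (for example because of a tagging mismatch).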
Oh god! Indeed, I realise now that I didn’t define any VLAN on the TrueNAS. The interface is just configured with an IP in the VLAN range, but nothing else (that's why I don't have problems when I use another machine connected to the same VLAN).
It makes sense that this could be the cause of the issue.
Next Monday I’ll reconfigure everything and come back to report the result.
Meanwhile, many thanks for your support and clarifications.
I didn’t define any VLAN on the TrueNAS.
You normally would not want or need to do this, because your device would be connected to a VLAN capable switch that would handle the VLAN tags for you. Normally end-user devices are ignorant of what VLAN they are on.. Devices like routers, switches, APs, etc. are normally the only sort of devices that need to be set up to know what tag ID is what VLAN, etc.
And in my example like this:
pfsense -- vlan X (tagged) -- Nas
I'm not sure why you would tag that interface at all if only the NAS was connected to that pfSense interface.
The only scenario I can think of would be using a "dumb" non-VLAN-aware switch.. Or if you were wanting to run multiple VLANs for, say, VMs or Docker containers on your NAS. I do this for example.. One of the interfaces on the NAS carries tagged VLANs, and the other interface is used for native access to its normal "NAS" network..
Yep! You are right... Sometimes we don’t think as we should. It’s exactly the same situation that I have with the printer – just an IP assigned and everything is working.
As far as I know, TrueNAS (formerly FreeNAS) doesn't have any internal firewall, at least not one configurable from the GUI. I’ll investigate deeper.
Maybe it’s the gateway (I have some doubts that it is wrong), so I have to confirm.
For testing, I’ll also move the NAS to the LAN (the same net where I also have the pfSense) and check if anything changes.