VLAN won't communicate with LAN

DjJoakim

@bingo600 Hmm, strange.
I did an edit on my last post, i tried to "reduce" the issue so i tried the same thing on my other vlan, WIFI. And when i did that, the problem is on the other way. From WIFI i can reach FAST, but from FAST i can't reach WIFI, something is really strange here.

To answer you'r question, from my PC (LAN) i can only ping 192.168.1.1, it dosen't respond on anything else. (While on my WIFI, i can ping 172.18.0.1, 172.19.0.1, 192.168.1.1, and the same on FAST)
Sorry, i am not trying to confuse the situation by starting to talk about the WIFI vlan, i just think it's strange that the problem is on the other way around there.

Anyways, here is my RFC1918

DjJoakim

Hmm okey, well - forget about that WIFI connection, i used my brain and figured out that it probably had something with windows firewall to do, said and done - when i turn off the firewall on that WIFI device, i can reach it from FAST - so clearly it was something wrong at that side.
So, since everything works with the firewall settings in that VLAN, it seems like there is something really wrong with my LAN, and maybe not PFsense fault...

bingo600

@djjoakim

That RFC1918 rule is outright "Sick" .....

RFC1918 should be defined like this.

Dammm

DjJoakim

@bingo600 I followed this "guide" https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
Isn't it how i should do it?

DjJoakim

@bingo600 Ooops.. Well, fixed now

bingo600

@djjoakim

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 I followed this "guide" https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
Isn't it how i should do it?

Yes but do as they write

Can i see your RFC1819 rule now please

DjJoakim

@bingo600 Yeah sorry, i am new to this.. one step at a time

bingo600

@djjoakim

Would work ...

But please don't call it RFC1918

Call it LOCAL_LANS or something

RFC1918 is

DjJoakim

@bingo600 Yep, changed it... I saw RFC1918 was on the "WAN" rule, so i didn't wan't to confuse it, so now it's called Local_lan.

bingo600

@djjoakim

The guy making this RFC1918 Alias should be .......

I'm 90% sure that every "professional" in here would expect a RFC1918 alias to contain :

bingo600

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 Yep, changed it... I saw RFC1918 was on the "WAN" rule, so i didn't wan't to confuse it, so now it's called Local_lan.

If it's used on the WAN
Did you remember to change it back to the hosts it contained , not the networks you made.

bingo600

@bingo600

How is your pfSense behaving now , with pings etc ....
Should behave as expected now ....

DjJoakim

@bingo600 When i mean't i saw it on WAN, i mean't this. This is nothing i have put there.

Yes, well.. something else is wrong in my setup, i just realised, it's not related to PFsense. Bc now with my WIFI unit, i can reach FAST, and from FAST i can reach my WIFI.
But, from FAST i can reach LAN and from LAN i can't reach FAST, so the problem lays in my PC, i just need to figure out where it is...

bingo600

@djjoakim
Ah ... That alias is a pfSense internal , no worries.
But the home made RFC1918 Alias , not being the full range ....

I'd try to reboot the firewall first , before ripping the PC apart.
Real reboot , not just clear states.

bingo600

@bingo600

A Tip of Experience....
Move your lan away from 192.168.1.0/24
Move your WiFi away from 10.0.0.0/24

They are always used , and might "Bite your ..." if/when you have to run a VPN to a buddy , that also uses those two

And why have you used a network from each of the 3 RFC1918 ranges ??
Why haven't you used all your internal nets in the same range ...

Ie.

10.42.0.0/16 = Home Lan

10.42.1.0/24 = Lan
10.42.64.0/24 = WiFi
10.42.128.0/24 = Fast
10.42.129.0/24 = EJFast

etc ......

Er du norsk ?

DjJoakim

@bingo600 Alright, thanks.

Yeah well since i am very new to this, i have watched alot of youtube guides, and a friend of mine who is somehow better at this then me, has helped alot aswell.
But yeah, i understand how you mean - that do sound better.. I will figure out why my PC won't communicate with the other subnets and then i will re-do my ip adresses in my firewall.
I think the problem maybe something wrong in my switch..

Since you seem to be alot better at this then me, can you just confirm this settings(?) I think i have done it like netgate site says it should be done, i have set Do not create rules when gateway is down in the settings. My goal here is that if my vpn client goes down, the devices connected to it can't leak into my regular WAN.

Inte norsk, men väldigt nära granne... ;)

bingo600

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 Alright, thanks.

But yeah, i understand how you mean - that do sound better.. I will figure out why my PC won't communicate with the other subnets and then i will re-do my ip adresses in my firewall.

You will be happier later on.
And now is the time to do it , before you have to move tonzz of devices.

I think the problem maybe something wrong in my switch..

Your switch is a L2 (Layer 2) device, i would expect.
Brand/Model ?

If it works one way and not the other , it's usually not on L2.
Unless you have short circuited some vlans.

Since you seem to be alot better at this then me, can you just confirm this settings(?) I think i have done it like netgate site says it should be done, i have set Do not create rules when gateway is down in the settings. My goal here is that if my vpn client goes down, the devices connected to it can't leak into my regular WAN.

I would change the first LOKALA til FAST net.

That line would cause anything having a FAST net IP , to be "dropped/denyed" if destination is one of the ip's matching the nets in LOKALA.

Now get the logging enabled on those DENY lines ...
You will make your life so much easier.

If they log kazillions of lines , you can consider removing them , but else you will be happy to see what is being blocked.

Inte norsk, men väldigt nära granne... ;)

Heh ... Har et Torp näre Laholm.

Vet du der er et Svensk forum her

DjJoakim

@bingo600 Yeah, i just wan't the LAN to communicate with VLAN first.. then i will swap ip's ;) one problem at a time...

I have a TP-Link TL-SG105E Switch, but i tried to change my LAN in a different port (witch i thought was the problem) but the problem is still there, i also disabled my windows firewall.. And yep, still not working.

Alright, now i have done that (Changed lokala to FAST net) Yes, i will turn on logging for that - there is no so many devices so it's true, it would be really nice to see the log what's blocking and what's not.. You are right about that.

Ah! En kompis har en stuga i Gördalen, precis bredvid norska gränsen. Brukar vara där på vintrarna.. :)
Hade faktiskt ingen aning de fanns ett svensk forum, ska kolla in det :) Tack!

bingo600

@djjoakim said in VLAN won't communicate with LAN:

@bingo600 Yeah, i just wan't the LAN to communicate with VLAN first.. then i will swap ip's ;) one problem at a time...

Good strategy

I have a TP-Link TL-SG105E Switch,

That's probably the worst switch to own. 105/108
It is known for leaking VLAN1 on every port ..
See
https://forum.netgate.com/topic/68488/tp-link-smart-switches-anyone

What hardware version do you have , do you have the latest firmware ?
https://www.tp-link.com/us/support/download/tl-sg105e/#Firmware

I think they might have fixed something in HW version 3 or higher.
But i don't trust them. I have a 108E that i don't use because of those issues.
TP-Link switches are "Cheap & Bad"

Suggest a Dlink DGS-1100-08v2
https://www.pricerunner.se/pl/167-3200059049/Switchar/D-Link-DGS-1100-08-v2-priser

but i tried to change my LAN in a different port (witch i thought was the problem) but the problem is still there, i also disabled my windows firewall.. And yep, still not working.

Lousy switch

But there is no 100% guarantee that a DGS-1100-08 would solve your issue.
But it will solve the VLAN Leaking security issue.

Alright, now i have done that (Changed lokala to FAST net) Yes, i will turn on logging for that - there is no so many devices so it's true, it would be really nice to see the log what's blocking and what's not.. You are right about that.

Ah! En kompis har en stuga i Gördalen, precis bredvid norska gränsen. Brukar vara där på vintrarna.. :)

Er dansk , så Halland (Laholm) er jo näre (og gammelt dansk)

Hade faktiskt ingen aning de fanns ett svensk forum, ska kolla in det :) Tack!

DjJoakim

@bingo600 Yeah i heard some people was having problem with the switch, but people was also complaing on D-link.. I was getting another switch first, but that was sold out and was expected in november, so then i bought this model..

Oh, that dosen't sound good.. Well, i have VLAN1 deactivated in the switch, so hopfully it will work.. but it dosen't feel so good, since it's only my PC that can't reach the other subnets, but all the other devices can..

Yep, the switch is only 1 month old, so it's the latest.

If i can't get the problem solved, i will defently check other switches.. but i hope the problem isn't in the switches, since i just paid 1000SEK for them..

Ah såklart! Jag förknippade Danmark med Norge... ber om ursäkt för det :) Men då är vi grannar trots allt.. Jag är ju dock bosatt på andra sidan Sverige.. "baksidan" som dom flesta kallar det..