How to set the same VLANs between the switch and PfSense
-
OK, the gateway was all about it, what a BS... :D
Now I have another problem, which makes every troubleshooting or setup I do tiresome...
Real world example:
Management interface:
- IP set as 192.168.2.1
- mask 255.255.255.0 or /24
- no DHCP whatsoever
- The connection from my laptop works
Management interface change
I changed the interface IP to 192.168.20.1, mask 255.255.255.0 or /24 (I can't connect anymore, I'm using the same port and I reconfigured my laptop in this way):
- laptop IP 192.168.20.2
- gateway 192.168.20.1 (nothing else than the interface IP)
- no DHCP whatsoever
Revert the change
I reverted the change directly from the machine, basically assigning the IP 192.168.2.1 to the same interface, no DHCP again, nothing specific.
Yes, I tried to hit 192.168.2.1 :D from the WebGUI. I can't connect anymore; normally I would expect my laptop to be the problem, specifically in this case.
With "ifconfig" I see that the IP is correctly assigned, but I can't see the gateway and it's normal so far...
I checked the respective network config file under /etc/sysconfig/network/scripts/ , well, it's not there... Actually many of them are missing there... The only thing I noticed is that there are a few wireless and wired connections, so not only one of this type, but that's it, what I need is not there. Even after I re-created the network config in the laptop UI, the config is not in that directory...
Also, this file is empty: /etc/sysconfig/network , and it shouldn't be. Looking at this doc, these 2 things mentioned above should be there... https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/ch-Network_Interfaces.html
The doc is a bit old but I don't think they made changes on how this component works... In the end, I found the config file under /etc/NetworkManager/system-connections/ , it contains all the correct details, even though I found this line strange:
[ipv4]
address1=192.168.2.1/24,192.168.2.1
As you can see, the gateway is on the same line as the machine IP address... I think it's weird but looking at other files it seems correct.
PfSense system reboot it didn't help...
I'll configure a new interface, but this looks a bit crazy.
I exhausted my ideas, let me know what you think :D
-
@jt40 what rules did you put on the pfSense "management" interface you created?
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
The rule on the management interface you're creating should probably be source "management net". This way when you change the management IP on pfSense, the alias for "management net" would change to reflect the new network.
When troubleshooting local connectivity, like a laptop plugged directly into a pfSense port, or even via a switch with devices on the same network, the first thing to validate is that you can ARP for the IP you're trying to talk to on the same network.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 what rules did you put on the pfSense "management" interface you created?
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
The rule on the management interface you're creating should probably be source "management net". This way when you change the management IP on pfSense, the alias for "management net" would change to reflect the new network.
When troubleshooting local connectivity, like a laptop plugged directly into a pfSense port, or even via a switch with devices on the same network, the first thing to validate is that you can ARP for the IP you're trying to talk to on the same network.
@jt40 what rules did you put on the pfSense "management" interface you created?
I didn't set any rule, if what you mean is a firewall rule, there is no FW rule at the moment.
If you had set the source to 192.168.20/24 or something similar at first and then changed the IP, this rule would not have changed.
Due to my previous answer, I think that there is nothing to worry about here.
The rule on the management interface you're creating should probably be source "management net". This way when you change the management IP on pfSense, the alias for "management net" would change to reflect the new network.
Thanks for the tip, but I still didn't create any rule, so my case is much simpler.
When troubleshooting local connectivity, like a laptop plugged directly into a pfSense port, or even via a switch with devices on the same network, the first thing to validate is that you can ARP for the IP you're trying to talk to on the same network.
I can see the ARP table from the laptop, it's something like this:
<FIRST_PART_MISSING_OF_THE_NETWORK_INTERFACE_NAME>_gateway 192.168.2.1 at <MAC that is correct> [ether] on enp2s0
The beginning means that I miss whatever is before _gateway. In any case it seems strange, that is actually the gateway name, the one that in PfSense is 192.168.0.1 (my modem/router).
Btw, I'm still able to ping google from the shell, so the UPLINK interface is working...
It doesn't show which interface it used, but I guess that it used the UPLINK, not the MANAGEMENT interface, I don't have a gateway assigned on the MANAGEMENT interface.
I'll reboot also my laptop, that's the last thing that remains for my knowledge...
Anyway, thanks a lot so far to everyone :)
-
I also did the following:
- Rebooted the laptop
- Assigned a new IPV4 IP to a new interface, never used with this setup. I did the same simple setup and assigned 192.168.5.1/24, no gateway assigned
- Reconfigured the laptop network and assigned the IP 192.168.5.200 or 192.168.5.2
- ARP table looks good
- Rebooted the WebConfigurator in PfSense
After all that, I can't connect to the WebGUI of PfSense... The page keeps loading until it times out, but it's not a gateway timeout or something very well defined, it's just a timeout due to the browser config...
I also did:
- I checked the interface config in PfSense, it looks ok
- The traffic between UPLINK and modem/router (gateway) is all good, but it was already visible from a simple ping test.
- No other error messages, unless there is some sort of dmesg for such scenarios in BSD, something easy to read all in one place, I have experience with Linux but not BSD, so I'll need to dig almost from scratch.
What an experience, a bit speechless :D , fun but never had so many obstacles :D
-
I listed all the possible bugs here: https://forum.netgate.com/topic/168438/bunch-of-weird-things-happening-here/2
I also met this situation:
Configured the interface with HTTP from the backend, now it doesn't ask me anymore to set it up with HTTPS... So it remains in HTTP, this is definitely a bug.
Anyway, it doesn't make a difference for my case.
-
I also tried enabling DHCP, I successfully received the IP address in the range I specified, but I can't connect...
Interface IP: 192.168.2.1
Mask /24
DHCP range 192.168.2.2 <--> 192.168.2.254
IP received: 192.168.2.2
Looks good but I can't connect to the WebUI, HTTP or HTTPS same thing, but currently it's stuck with HTTP.
As mentioned previously, I can't change the protocol anymore... I'm done for today, see you next week, LOL :D
Thanks everyone.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
No rules, very simple setup.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Looks good but I can't connect to the WebUI,
And what are the rules you put on the interface?
There are no rules on a new interface - you have to create them.
To be honest I can't specify any rule there, if by "rules" you mean firewall rules.
The shell is quite limited in terms of setup, I recall interface IPv4, IPv6, gateway (if any), DHCP, HTTP or HTTPS, and that's it.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the GUI! It will not work without rules! Because the default rule is DENY! So no rules - nothing works! If you locked yourself out of the GUI, disable the firewall for a minute, access the GUI and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
No rules, very simple setup.
How is it going to work with NO rules? You have to add the rules in the GUI! It will not work without rules! Because the default rule is DENY! So no rules - nothing works! If you locked yourself out of the GUI, disable the firewall for a minute, access the GUI and adjust the rules on this interface.
This is why if you're going to do an admin interface, it should be the default LAN, which has the anti-lockout rule on it. And create other interfaces for your other networks.
I'll test it, but how did I login before???
In the backend, it asked me the same info as in the WebGui...
So every time I change the IP of the interface, it denies the WebGUI from every network interface?
What about the rest of the communications? I'd be quite scared if every time I need to reconfigure everything... Especially because the rollback didn't allow me to connect, or it was not enough, say it as you wish.
Where is this rule located?? Do you mean a firewall rule?
On the other side, it's possible that I won't change the interface IPs, or at least I should not change it if my assumptions are correct :D
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is located this rule?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, I have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall. This should be the default lan interface. Since it has antilock out rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built in antilock rule.
Lets go back again to what I said in the beginning.. Set pfsense up out of the box, with 1 network default lan.. Get it working... Then move on to creating other networks - using your default lan as your admin network.. You can change the IP range to be whatever you want, etc.
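The two things johnpoz keeps coming back to in this thread (an interface with no rules denies everything because pfSense's default is deny, only the default LAN carries the anti-lockout rule, and a rule with a hard-coded source subnet stops matching after the interface is re-addressed while one written against the "interface net" alias keeps working) are easy to see in a small model. The Python below is an added example written for this page, not pfSense code: it models first-match rule evaluation on a per-interface basis, with an implicit anti-lockout rule on the default LAN and an alias of the form "<interface> net" that is resolved at evaluation time. The interface names, addresses and the port set are constructed, and the exact semantics are an approximation of what the posts above describe.

```python
"""Model of pfSense-style per-interface rule evaluation (added example, not pfSense code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import List, Optional, Union

WEBGUI_PORTS = frozenset({80, 443})   # constructed: the webGUI ports the thread mentions


@dataclass
class Rule:
    action: str                             # "pass" or "block"
    source: Union[IPv4Network, str]         # a fixed subnet, or the alias "<iface> net"
    dst_ports: Optional[frozenset] = None   # None means any destination port


@dataclass
class Interface:
    name: str
    address: IPv4Interface                  # interface IP with prefix, e.g. 192.168.2.1/24
    is_default_lan: bool = False            # only the default LAN has the anti-lockout rule
    rules: List[Rule] = field(default_factory=list)   # ordered; first match wins


def resolve_source(rule: Rule, iface: Interface) -> IPv4Network:
    """Resolve the rule's source at evaluation time, so an alias tracks the current subnet.

    Assumption: this mirrors the "<interface> net" alias behaviour described in the thread.
    """
    if isinstance(rule.source, str):
        if rule.source == f"{iface.name} net":
            return iface.address.network
        raise ValueError(f"unknown alias {rule.source!r}")
    return rule.source


def evaluate(iface: Interface, src: str, dst: str, dport: int) -> str:
    """Return "pass" or "block" for a packet arriving on iface (first match wins, default deny)."""
    s, d = ip_address(src), ip_address(dst)
    # Implicit anti-lockout rule: webGUI on the LAN address is always reachable from LAN.
    if iface.is_default_lan and d == iface.address.ip and dport in WEBGUI_PORTS:
        return "pass"
    for rule in iface.rules:
        if s in resolve_source(rule, iface) and (rule.dst_ports is None or dport in rule.dst_ports):
            return rule.action
    return "block"   # no matching rule, including the case of no rules at all


def scenario() -> dict:
    """Walk through the situations from the thread and collect the verdicts."""
    results = {}
    # 1. Fresh MGMT interface with no rules: the laptop cannot reach the webGUI.
    mgmt = Interface("MGMT", ip_interface("192.168.2.1/24"))
    results["no_rules"] = evaluate(mgmt, "192.168.2.2", "192.168.2.1", 443)
    # 2. Default LAN, also with no explicit rules: the anti-lockout rule lets the webGUI through.
    lan = Interface("LAN", ip_interface("192.168.1.1/24"), is_default_lan=True)
    results["lan_antilockout"] = evaluate(lan, "192.168.1.50", "192.168.1.1", 443)
    # 3. Hard-coded source subnet works until the interface is re-addressed.
    mgmt.rules = [Rule("pass", ip_network("192.168.2.0/24"), WEBGUI_PORTS)]
    results["hardcoded_before"] = evaluate(mgmt, "192.168.2.2", "192.168.2.1", 443)
    mgmt.address = ip_interface("192.168.5.1/24")
    results["hardcoded_after"] = evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443)
    # 4. The same rule written against the interface-network alias follows the new subnet.
    mgmt.rules = [Rule("pass", "MGMT net", WEBGUI_PORTS)]
    results["alias_after"] = evaluate(mgmt, "192.168.5.2", "192.168.5.1", 443)
    # 5. The alias rule only opens the webGUI ports; other traffic is still denied by default.
    results["alias_other_port"] = evaluate(mgmt, "192.168.5.2", "192.168.5.1", 22)
    return results


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case}: {verdict}")
```

Running it prints one verdict per case: the rule-less MGMT interface and the re-addressed interface with a hard-coded source both come out as "block", which is the lockout this thread is about, while the LAN (anti-lockout) and the alias-based rule come out as "pass".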
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
Where is located this rule?? Do you mean firewall rule?
Yes the Firewall Rules!
How what worked - You are so all over the place, I have no idea.. But this is for sure.. If an interface has NO rules, nothing is allowed.. Default is DENY!
Maybe you had a floating rule that allowed it.
If you want an admin only network, or management port to use to manage the firewall. This should be the default lan interface. Since it has antilock out rule.. All your other networks would be created interfaces and have no rules on them. You would then create the firewall rules on those interfaces to allow the traffic you want. And they have no built in antilock rule.
Lets go back again to what I said in the beginning.. Set pfsense up out of the box, with 1 network default lan.. Get it working... Then move on to creating other networks - using your default lan as your admin network.. You can change the IP range to be whatever you want, etc.
Thank you, finally I understood what it was.
It's still a bit strange.
The anti lock out rule is now configured for the port 80 and 443 and it's enabled, but only if I disabled the firewall from the shell I'm able to use the WebGUI...
This looks like a bug to me.
I don't have any other rule on that interface, or any sort of alias yet.
As soon as I re-enable the firewall, it stops me from connecting to the WebGUI.
I used this guide: https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html
It doesn't mention other cases...
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disabled the firewall from the shell I'm able to use the WebGUI...
This looks like a bug to me.
NO it's not a bug - again default is DENY, if you have no rules to allow, traffic is DENIED! If no firewall is running nothing can be denied.
The antilock rule is only on the LAN interface, if you create some new interface there is NO rules!
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
but only if I disabled the firewall from the shell I'm able to use the WebGUI...
This looks like a bug to me.
NO it's not a bug - again default is DENY, if you have no rules to allow, traffic is DENIED! If no firewall is running nothing can be denied.
The antilock rule is only on the LAN interface, if you create some new interface there is NO rules!
I'll check what you said, but now I f...... in another way :D
I re-enabled HTTP, and I disabled the firewall, I did only a minor change before this, unfortunately I forgot what change.
For sure no rules.
Well, without FW I reach the web page but I can't login, even though in the backend I can see that the login is successful.
I put the credentials in and it stops there, I'll analyze the browser trace.
I never had so much fun with a system :D
-
ok it's an issue with the PHPSESSION, but in any case, I was able to access that page only with the firewall disabled...
At the moment my access is locked out, I received that message on the page, I need to wait a while
-
I tested the firewall for a long time, here are my observations:
- Even if I disable all the firewall rules on the interface to access the firewall UI, it's still necessary to disable the firewall in the backend in order to connect to the WebGUI...
How do you see this if not a bug?
@johnpoz told me that if I disable all the firewall rules, the default becomes "deny", I think for a good reason :D , but is it all about that?
Well, I created a new and simple firewall rule to allow the traffic from any to any, with any protocol as well, on that interface only.
Same behaviour, that was the only firewall rule enabled and I need to disable the firewall to get access...
I also tried network to network (same network basically), or IP to IP, nothing, same behaviour.
- Every firewall change (every time you click on save changes) reloads the firewall rules, so what I do is always disabling the firewall after every change to be able to browse the GUI again... It's in accordance with the previous point, but what a pain...
Until now I made only progress, but so many challenges mate :D
Again, thanks to everyone here who helps so deeply in my journey with PfSense.
-
@jt40 pfSense is not for everyone.
-
@bob-dig said in How to set the same VLANs between the switch and PfSense:
@jt40 pfSense is not for everyone.
Thanks for the feedback, but looking at the last message, tell me if I could have made some mistake.
That message was written before my test today, prepare yourself, you are gonna laugh hard.
All looks good today, the firewall was re-enabled automatically overnight, which I don't mind if there is an auto-enable after some time, I still need to figure out where such a setting is though.
The box has been working without reboot, magic happens during the night :D .
Basically, all I tried yesterday works well today, firewall rules work as expected, IP to IP, network to IP, or network to network (not in every case though, but that could be my negligence)...
This is what I did today, mostly successful:
- WebGUI connection always successful
- Firewall rules behaved as expected for the WebGUI, even changing IP to network etc.
- Firewall rules behaved as expected to reach the WAN from another interface, I couldn't believe it :D .
The only thing is that I specified the modem/router from my ISP as a gateway, I think there is no other way to do it.
Considering that I have 4 interfaces to use at the moment, I'll specify the same gateway in each interface, I hope it's safe enough in terms of security.
- Firefox behaved badly today, I've got an HTTP 200 GET --> NS_BINDING_ABORTED
This can happen for many reasons, I didn't investigate too much...
Chrome works though, so today I can't blame the firewall in front of this case. I need to specify that yesterday Chrome didn't work, I had to disable the firewall every time to login.
Yesterday I also rebooted the laptop and did a fresh test when the firewall was enabled, nothing changed.
What to say, today was productive again :) .
I'll check again tomorrow, just in case something changes overnight :D
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
I'll specify the same gateway in each interface
Normally only the interface that connects to the network would have a gateway.
Aside from that, each interface would need a gateway in its subnet, so it can communicate with said gateway.
Glad it's working for you today. Make a backup of the config. :)