Only Single VLAN is Working Properly
-
Hello Everyone,
I'm pretty new to pfSense, so please forgive any operational ignorance.
I have 2 VLANS setup - ADMIN and WORK
WORK VLAN functions as expected. DHCP functioning and have internet access on all devices on that VLAN.
ADMIN VLAN does not function as expected. DHCP doesn't seem to be functioning - as I'm not getting an IP address issued. And even if I set manually, I'm unable to reach the internet or ping the gateway.
Both VLANS are functionally set up identically. Currently the only FW rules in place for both are ANY - ANYs (just for testing).
Outbound NAT rules are set automatically, and show both VLAN subnets.
I've tested this with multiple switches, so I believe the issue lies within the pfSense config somewhere. I'm just seemingly not able to find it.
I'd be very appreciative if someone was able to point me in the right direction on this.
Please let me know if you need any additional information from me.
Thanks,
KC
-
@kindacorn
Post a network map of your topology. What type of switch are you using? How is the switch configured? Post the firewall rules from both interfaces. Are both VLANs configured on the same parent interface?
-
Hey! Thanks for the quick reply!
Here's a rudimentary topology map (forgive my poor mspaint skills):
I've tested with two different switches. A cheap little TPLink (TL-SG108E) and a Dell x1018. Both switches replicate the same issue.
They are both set for 802.1Q. Port 1 is my trunk, port 2 is HOME VLAN, port 3 is WORK VLAN. Here's a screenshot from the Dell:
WORK Firewall Rule:
HOME Firewall Rule:
Both VLANs are set to the parent interface igb1 (LAN):
I appreciate the assistance!!!
-
@kindacorn
In the OP, you mentioned having issues with the "ADMIN" VLAN. I'm assuming Home = ADMIN? If so, it looks like nothing's hitting pfSense, so the issue is likely at the switch. I'm not familiar with Dell switches, but if you haven't already... I'd research the VLAN options on the Dell x1080 platform and validate that the options you've chosen are doing what you think they're doing. (E.g. a trunk on an HP switch is the equivalent of a port channel on Cisco.)
VLAN 2 and 3 need to be tagged on G1/0/1, so if "trunk" on a Dell switch means the same as a trunk on Cisco, you should be good there, but I would verify... otherwise, you'll need to specify tag 2 and 3 on the uplink.
I'm not sure what a "general" port is to Dell, but in theory, G1/0/2 and G1/0/3 should be access ports... assuming Dell is using the term the same way I know an access port to be on Cisco.
Lastly, re-verify that the DHCP server is enabled and configured correctly on the Home interface.
-
Thanks for the response!
Apologies, yes the HOME and ADMIN VLANS are the same thing. I've just gone through some renaming while tearing down and rebuilding.
From what I can tell, Dell is analogous to Cisco / HP. Furthermore, when testing on my TP link switch - I get the same issue where only the WORK VLAN is operational.
Here's some screenshots of the TPLINK for reference:
I have switched between the "general" and "access" options on the Dell, and get the same results - fully functional WORK VLAN and non-functional HOME-VLAN.
Here's a screengrab of both the HOME and WORK DHCP server settings:
WORK:
HOME:
Thanks again for the help!
-
@kindacorn
How is the parent interface configured on PFsense? -
Apologies if this isn't what you're looking for, but here's the configuration of the LAN (igb1):
-
@kindacorn
The TP-Link screenshots are interesting. The few posts I've looked at regarding configuring 802.1Q VLAN tagging on the TL-SG108E show all the ports untagged on VLAN 1 (1-8). Although, yours shows 1-5, 7-8. Interestingly enough... port 6 with PVID 3 is the only one that's working. TP-Link's setup is strange to me, but I wonder if not having that consistency is sending it into a tailspin somehow. Go to VLAN 1 and add port 6 as untagged and see if that kicks things into gear. If that doesn't work, the next thing I would try would be removing ports 5 and 6 from VLAN 1 to see if port 5 will now perform like port 6.
-
Share your interface assignments, that's where the Interface - VLAN assignment is located.
-
Their setup / interface is a bit unintuitive. I removed all VLAN 1 (1-8) members, and the issue remained the same. I then did the opposite and added them all back as untagged (1-8), which also had no effect. I was still only able to operate on the WORK VLAN.
I did notice that I was pulling an APIPA address 169xxx on the workstation tied to HOME VLAN. This made me think that it was a DHCP issue, but I re-verified my settings match WORK VLAN.
I'm really scratching my head on this one. Thanks again for the help!
-
Thanks for the response!
Here's a screencap of the interface assignments:
Please let me know if I can post anything else that would be helpful!
-
BTW, if needed. Here is my outbound NAT automatically created rules:
-
Ok, the pfSense side looks good.
The switch part is the other side that must match the pfSense VLAN tagging.
Ok, on that uplink you use VLAN 1 untagged and all other VLANs tagged. The PVID is another problem: if it doesn't match, you get a warning in the switch log, but no error.
If the VLANs are up and running, then you have to go for the PVID and finish the configuration.
-
Unintuitive interface aside, while the TP-Link config looks like it "should" work, there are far too many posts on here stating TP-Link switches do not handle VLANs properly, so I wouldn't trust that TP-Link as far as I could throw it.
I'll reserve judgment on the Dell since I haven't seen enough of the settings to determine if it's configured properly or not.
Bottom line though, assuming your HOME interface is configured with 10.0.2.1/24, the interface is enabled and has an any/any rule on it... if you statically set a device in the 10.0.2.0/24 subnet and plug it into an access port configured with a PVID of 2... you should be able to ping 10.0.2.1. If you can't, I'm still heavily leaning towards the switch being the issue.
You can do a capture on the HOME interface to verify that traffic is even making it to pfSense (I have a strong suspicion that it isn't). You could also run a capture on the switch to verify that the frame is tagged with the correct VLAN.
If you've made several pfSense changes along the way troubleshooting this, one thing that I've seen magically fix things that don't make sense on occasion is... rebooting pfSense. I don't think your issue is on the pfSense side, but it's worth a shot at this point.
-
Hey,
I used the TP-Link switch as well and yes, it has some irritating stuff to offer. But it will work with VLANs, and from what you posted, it seems all right. What is your setting on pfsense > dhcp server > Static ARP??
Is that one active?
-
But then again:
just looked at your tp link screenshot again...
it shows, that you have VLAN6 tagged on your trunk/upload/default VLAN1.
BUT you do NOT have your HOME VLAN5 tagged on VLAN1
(it says so anyways) Change that and have a try! Should be the reason why WORK VLAN6 is working and HOME VLAN5 isn't...
:)
-
I have two of those switches..
All you need is:
Switch:
Port1: (connected to pfsense's LAN interface)
Tagged VLAN2,3
Untagged VLAN1
Port5:
Untagged VLAN2
Port6:
Untagged VLAN3
-
@mcury
You are absolutely right. And that's why I think it's not working, because only one VLAN is tagged on Port 1 in the poster's screenshot...
I messed up the VLANs in my prior post:
Only VLAN3 WORK is tagged on VLAN1... (only Port 6). Port 5 carrying VLAN2 HOME is listed as untagged on VLAN1.
-
@the-other Indeed.. the switch is not carrying all the VLANs tags through the trunk..
-
@marvosa @mcury @NOCling @the-other
Thanks for the help!
The issue has been resolved. I'm still not totally sure what the setting was, but something was off with my pfBlockerNG settings. I was playing around with some settings in there, screwed up, and had to run the wizard again. All of a sudden my HOME VLAN began working properly. Tested on both the Dell and TPLink switches.
Thanks again everyone!