unable to connect vlan to vlan?
-
Hi, I have setup several vlans on my pfsense and on the unifi switch.
I now have connected a laptop on a port with vlan 220 and a poe phone on vlan 230.
But I am unable to ping from my laptop to the phone?I have added the rules, but still won't work. What am I missing here?
Oh, I cannot not ping/access the internet from vlan220 either?
-
@nick-loenders well for starts many of those rules are not needed.
For starts vlan220 net could never be source of traffic into vlan 230 interface, so such rules make no sense.
Also top rule there vlan230 to vlan230 are not well written, while this would allow access to the vlan230 interface of psfense. Clients on 230 do not talk to pfsense to talk to other clients on 230.
So this rule would be better written as dest vlan230 address if that is what your wanting to allow.
Also the rule on your 220 that allows access to wan net, that is not going to allow access to the internet.. That is only going to allow access to whatever the wan network is.. wan net does not = internet.. Any is what you need to allow internet access. For example internet address of google dns 8.8.8.8 sure is not part of your wan net - now is it ;)
So your rule vlan220 net allow to vlan230 net would allow access to a device IP on vlan 230.. I do not see any evaluations of that rule that 0/0 B on the states means nothing has pfsense requesting to go there.
But if you allow traffic to 230 from 220, no rules at allow would be need on the 230 interface to allow the return traffic.
Common issues users have when trying to talk to something in other vlan is, firewall on the dest device not allowing the traffic. The device not using pfsense as its gateway, or the mask on the device thinks the source traffic is local so never sends answer back to pfsense.
Also do you have any floating rules?
What I would suggest for testing your access to your 230 vlan device. Is sniff on the 230 interface on pfsense, now from 220 device start pinging the IP in the 230 vlan -- do you see pfsense sending on the traffic? If so that means something on the 230 device not answering..
-
@johnpoz said in unable to connect vlan to vlan?:
r be source of traffic into vlan 230 interface, so such rules
Hi,
I narrowed it down. First of all pinging to vlan230 works now. I forgot to add the switch with the vlan tags...
But then how do I allow it to go to the internet?
with that disabled rule I can ping google. Or do I need to make a group public ip's 1.1.1.1-9.254.254.254 , 11.0.0.1-191.254.254.254, .... and allow that?!?!?! -
@nick-loenders said in unable to connect vlan to vlan?:
But then how do I allow it to go to the internet?
You need a rule that allows destination ANY..
There is no way it would be realistic to try and create rules for ALL the possible IPs that might be the internet ;)
-
@johnpoz But then it is also allowed to the LAN and the other VLANS?
Or am I supposed to block traffic to the other vlans/lan ? So if you have 200 vlans, you need to make 200 rules, just to make sure the other vlans are block except 1 AND the internet?
-
@nick-loenders if you do not want vlan 220 to talk to vlan 230, then you put a rule above your any rule to block that.
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
as to create 200 rules? No - I would assume all your vlans are rfc1918 space right? Then create an alias that contains all the rfc1918 space. And use that as your rule to block access to your other vlans.
Example
-
This post is deleted! -
@nick-loenders again rules are evaluated top down..
rule to allow to 230
rule to block to rfc1918 alias
rule to anySo now 220 can talk to 230
but not any of your other vlans because they are all in the rfc1918 space
but if wants to talk to say 8.8.8.8 or 9.9.9.9 etc.. that is allowed by the any rule at the end.edit: here is a picture example
So I allow some required stuff, like ping pfsense to validate connectivity. Use dns and ntp on pfsense test address.
Then block all access to any other pfsense IPs on any interface, say the wan IP that is public and could change to prevent access to say the pfsense gui.
I then allow access to the guest network. But block all other access to any other rfc1918 address space, my other vlans. And then the last rule allows access to the internet (any)
-
@johnpoz
Ok so I got now:
But I cannot ping internet, nor surf.
Firewall even blocks on DNS:
Weird, nah?
-
@nick-loenders said in unable to connect vlan to vlan?:
Weird, nah?
Now your only allowing tcp, most dns is always udp.. Your dns rules should be for both tcp/udp since sometime tcp can be used.
Curious why you put in IP vs just vlan220 address alias? Is 20.253 not pfsense actual IP? Is it a vip or something?
If dns is not working you have a hard time resolving, and surfing anything. Can you say ping 8.8.8.8 ?
-
@johnpoz
Hi,
Those my DNS rules look okay? This is on the LAN interface.
Can I use the same rules on my other interfaces also?I have seen others using almost the same rules, but they use LAN Net as SOURCE.
-
@moonknight source should really always be the net the interface is connected to.. Only time it shouldn't be is if your using it as a transit network. But lan makes for a horrible transit because there should be no hosts on a transit network or you run into asymmetrical problems.
That first rule is attempting to redirect anything to loopback, which is fine - but then kind of makes the second rule pretty pointless. Is that tied to a port forward rule?
I would put the lan address rule above the rule from the port forward, just for easier reading
-
@johnpoz
Hi again, and thanks for your answer :)I was following docs at netgate.
1 rule:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html2 and 3 rule:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html2nd rule is not port forward. The 1st rule is NAT rule.
So I can remove 2nd rule then :)1st rule NAT
-
@moonknight said in unable to connect vlan to vlan?:
2nd rule is not port forward. The 1st rule is NAT rule.
huh? Not really its a "port forward" ;) look what section of nat rules you put it in hehehe
If your 1st rule there allows the port forward, so it would depend on the destination of your port forward if that 2nd rule is needed. Since you have it ! lan address, then you need it - but I would just put it above is all.. If you remove it you wouldn't be able to actual talk directly to the lan address for dns ;)
-
@johnpoz
Damn, you got me, hehe :)
Of course, it is a port forward.Something like this?
Should I also put "LAN Net" in the source? In all of them?
-
@moonknight its cleaner to have lan net there, makes it easy to know what interface your on, etc.
I mean when would there ever be anything other than lan net coming into that interface as source ;)
-
@johnpoz
I did it like this and that worked :)
The 10.233 is the WAN ip of my home setup modem..... Therefore it did not work when blocking the PrivateNetwork :)
-
@nick-loenders You mean you couldn't access its gui? Or the internet, since it would have nothing to do with internet access.
And your rules block it anyway - Remember, order top down. So trying to get to 192.168.10.233 is blocked by the private nets rule before it even gets to your allow rule.
What I don't get is why none of your rules are even showing being used... They are all 0/0 for states.. That means pfsense has not seen any traffic that matches any of those rules.
-
Well, at home, where it was as setup the internetmodem/router gives me 192.168.10.0/24 addresses. So the WAN ip of the pfsense was 10.233, but as 192.168.10 is blocked by the rule, I could not get passed the modem/router.
At the office now, I have:
And this works as it should.
-
@nick-loenders said in unable to connect vlan to vlan?:
I could not get passed the modem/router.
Again that rule you added wouldn't of worked, because it was below the block rfc1918 rule, unless you didn't have 192.168 listed in the alias? But if you didn't then you wouldn't of need a special rule to allow since your any at the bottom would of allowed.
Also even if you blocked access from your lan to the modem/router IP - that wouldn't of had anything to do with internet access. Since your clients behind pfsense would never be going to that IP other than trying to access its web gui.
