Some devices not working in new VLAN config

Laplacian

Hello all,
I recently set up a bunch of VLANs (thanks to good advice from folks here, and some good online tutorials). Each VLAN is on a static /24 IP space and DHCP server is enabled for each.

I set up some rudimentary rules (e.g. block VLAN from rest of local network, allow internet, etc.). Some of my devices are connecting and working properly and some are not (even on the same VLAN). For example, one my largest VLANs has the following rule:

(I disabled the "reject local" to troubleshoot my issues--I will enable later.)

For example, my Nest thermostats on this VLAN are online, are grabbing the right IP addresses, and work as expected. However, my Nest doorbell (same VLAN) does not even get an IP address from DHCP. (I tried adding a static IP mapping and still nothing.) These devices don't need local access and just talk to cloud/internet servers.

Am I missing something else when I configure them?

Bob.Dig

@laplacian DHCP should always work, the rules for that are hidden, so has nothing to do with your rules. We talking IPv4 right?
Do you use external DNS?

Laplacian

@bob-dig Yes, IPv4 only on my local networks.

I use clouldflare's DNS 1.1.1.1 for DNS server for internet access--is that what you mean?

I didn't change pfsense DNS forwarder or resolver default settings. DNS forwarder is not enabled. DNS resolver is enabled with the check box for DHCP static mappings.

Bob.Dig

@laplacian If your first rule would be active, it would also block the DNS server (Resolver) on pfSense. And without DNS there should be problems.

Laplacian

@bob-dig said in Some device not working in new VLAN config:

@laplacian If your first rule would be active, it would also block the DNS server (Resolver) on pfSense. And without DNS there should be problems.

Okay, understood. I need to allow access to DNS, NTP, and some other basic stuff to "this firewall", right? Something like this?

However, I've disabled the "reject" rule above and my devices still aren't working. (I know my first rule does nothing currently.) What else should I look at?

Jarhead

@laplacian Is the Doorbell wired or wireless?
If wireless, do you have the vlan going to your AP?

Laplacian

Does anyone have any ideas what else I should check? At this point, my VLANs seem like they are configured the same as my default LAN rules (just allowing any/any). My devices worked properly when on my LAN

...but some (not all) don't work properly (don't even get IP from DHCP) when in the VLAN

Any ideas of what could be wrong?

Laplacian

@jarhead said in Some devices not working in new VLAN config:

@laplacian Is the Doorbell wired or wireless?
If wireless, do you have the vlan going to your AP?

Yes, my non-working doorbell (not getting IP) is wireless. So are my working thermostats--wireless on the same VLAN.

Yes, I am doing MAC-based VLANing through my switch. Most of my devices are getting on the right VLAN through the exact same AP, same SSID.

Laplacian

Okay, I got my doorbell to work. I pulled it off the wall and did a hard reboot. It was able to get the right IP and is back online.

However, I have a WiFi lock that was spotty, but now is not working at all. Also, my game consoles are not working either.

WiFi lock: I see it getting an IP sometimes (could be due to power savings that it doesn't stay connected all the time?), but I cannot access any functionality via the manufacturer's app
game consoles: getting IP on the correct VLAN, but don't have internet connectivity outbound.

I must have some conflict or am missing something. If anyone has any tips on what to check for misconfiguration, etc., I'd love to hear it! Thanks again.