Need help with access across VLANS
-
Hi.
Router: Netgate SG-1100
Switch: Mikrotik CRS326-24G-2S+IN(switch diagram below)
Switch Port 1 (TR) is a trunk port connected to SG-1100 and carries all of the VLANS (10, 20, 30, 40, 50, 99)
Switch Port 2 (TW) is a trunk port connected to a WiFi Access point and carries all of the VLANS (10, 20, 30, 40, 50, 99)
IP assignments:
Switch = 10.10.99.250
Wifi Access Point = 10.10.99.251
If I connect a laptop to port 3 (VLAN 99) I can access and ping both the switch (10.10.99.250) and Wifi Access Point (10.10.99.251).
If I connect a laptop to port 17-23 (VLAN 10) I can NOT ping or access the switch (10.10.99.250) and Wifi Access Point (10.10.99.251). I have a firewall rule (see below) on VLAN 10 that passes any IPv4 protocol to any destination, so I thought this would work. What have I done wrong or what configurations am I missing to get this to work?
Thank you.
-
@pV5 said in Need help with access across VLANS:
What have I done wrong or what configurations am I missing to get this to work?
Hard to tell because we only see one rule.
-
@pV5
Possibly the switch blocks access from outside of the management subnet.
Another reason could be that the switch has an L2 leak.
Sniff the packets on pfSense with the Packet Capture utility on the VLAN 10 and 99 interfaces to see if packets are sent to the gateway properly and if they are forwarded on 99.
-
I used Packet Capture and could see the request going to the AP and switch but nothing was coming back. I could see pfSense sending them ARP too but no response. I then changed the AP and switch to use DHCP instead of assigning them with static IP addresses. I then made static reservations in pfSense for them. Now it works. Not sure exactly why but I suspect it's because the router wasn't recognizing the IP address with the first config. I'm learning more and more every day. So much fun!
-
@pV5 said in Need help with access across VLANS:
I used Packet Capture and could see the request going to the AP and switch but nothing was coming back. I could see pfSense sending them ARP too but no response.
This means the pfSense is not getting a response to find where that IP might be, so it is not passing them. Usually this is caused by
- A missing device -- does not exist and thus cannot be found
- A mis-configured VLAN -- when you know the device is there but it's not getting an ARP validation then the likelihood is a VLAN issue. Could be on the pf, could be on the switch.
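The diagnostic described in the last two posts (pfSense sends ARP for the switch or AP and gets no reply) can be checked mechanically over a saved capture. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style ARP lines prefixed with the interface they were captured on and reports every (interface, IP) pair whose ARP requests were never answered. The interface names mvneta0.10 and mvneta0.99 and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture lines in tcpdump style, each prefixed with the
# pfSense interface the capture ran on. mvneta0.10 / mvneta0.99 are assumed
# names for the VLAN 10 and VLAN 99 interfaces; they do not come from the thread.
SAMPLE_CAPTURE = """\
mvneta0.10 12:00:01.000100 ARP, Request who-has 10.10.10.1 tell 10.10.10.50, length 46
mvneta0.10 12:00:01.000300 ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:55, length 28
mvneta0.99 12:00:01.002000 ARP, Request who-has 10.10.99.250 tell 10.10.99.1, length 28
mvneta0.99 12:00:02.002000 ARP, Request who-has 10.10.99.250 tell 10.10.99.1, length 28
mvneta0.99 12:00:02.500000 ARP, Request who-has 10.10.99.251 tell 10.10.99.1, length 28
mvneta0.99 12:00:02.500400 ARP, Reply 10.10.99.251 is-at 66:77:88:99:aa:bb, length 28
"""

# One ARP request or reply line: "<iface> <timestamp> ARP, Request who-has X tell Y, length N"
# or "<iface> <timestamp> ARP, Reply X is-at MAC, length N".
ARP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+ARP, "
    r"(?:Request who-has (?P<target>\S+) tell (?P<sender>\S+)"
    r"|Reply (?P<answered>\S+) is-at (?P<mac>\S+)), length \d+$"
)


def parse_arp_line(line):
    """Return the named fields of one ARP capture line, or None if it is not ARP."""
    m = ARP_LINE.match(line.strip())
    return m.groupdict() if m else None


def unanswered_arp(capture_text):
    """Map (interface, target_ip) -> number of ARP requests that never got a reply.

    A reply for an IP on an interface clears every earlier request for it there;
    whatever remains is a host pfSense could not resolve on that VLAN, which per
    the thread points at a missing device or a VLAN mismatch on pfSense or the switch.
    """
    pending = defaultdict(int)
    for line in capture_text.splitlines():
        rec = parse_arp_line(line)
        if rec is None:
            continue  # non-ARP traffic (ICMP echo etc.) is irrelevant here
        if rec["target"] is not None:
            pending[(rec["iface"], rec["target"])] += 1
        else:
            pending.pop((rec["iface"], rec["answered"]), None)
    return {key: count for key, count in pending.items() if count}


if __name__ == "__main__":
    for (iface, ip), n in sorted(unanswered_arp(SAMPLE_CAPTURE).items()):
        print(f"{iface}: {n} ARP request(s) for {ip} unanswered; check the host and its VLAN membership")
```

On the sample data only 10.10.99.250 on the VLAN 99 interface is reported, which matches the symptom in the thread: the gateway is asking for the switch's management address and nothing answers.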