NetGate 2100 Vlans
-
Hi all
I just got my Netgate 2100 and I am really excited about it :)
I am hoping to set up the following
Lan port 1 - Work net ( 192.168.1.1/24 )
Lan port 2 - Wifi AP ( 10.10.0.1/24 )
Lan port 3 - Gamer PCs ( 192.168.2.1/24 ) (not set up yet)
Lan port 4 - Test / play ( not configured yet )
I am currently using an old Asus router as AP ( in AP mode ). I can connect to the wifi and get an IP but no internet access.
I followed this guide: Configuring the Switch Ports
to set up Lan port 2 as a VLAN (VLAN id = 4082).
My Lan port 1 network works fine - and if I reset the AP and set it up for this network I can connect over wifi and get internet access.
Can anyone give me a hint on what/where I need to look in order to get internet access on Lan port 2 with the AP? I can see in the DHCP Leases that IPs are handed out on the 10.10.0.1/24 network.
I made a Firewall Alias for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 and applied it to the VLAN:
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
Is that the reason?
Thanks
-
@John_McNoob said in NetGate 2100 Vlans:
I made a Firewall Alias for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 and applied it to the VLAN:
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
You didn't mention which interface you called "GuestNetworks", so it's not clear if the rule should work.
Anyway, the DHCP might give the interface IP for DNS. So you need to allow access to it.
For testing and to get it up, just allow any to any, also any protocol, and restrict the access later.
-
@John_McNoob Similar answer, DNS uses UDP in addition to TCP, and pinging is ICMP so ensure you’ve allowed what you want. The default for a rule is TCP.
What isn’t working specifically? DNS? Ping by IP? Traceroute?
-
"GuestNetworks" is the wifi on Lan port 2, sorry, my bad for not mentioning it.
I am new to this, and I assume the 2100 only has 2 interfaces, right? WAN & LAN? If so it's on the LAN interface.
I made a rule
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = Any - Destination = Any
and placed that below
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
And now the network has internet access :)
Thanks for the help
-
@John_McNoob
Remember that the rules are probed from top to bottom. If one matches, the others are ignored.
So you're advised to turn the alias rule into a block rule (uncheck invert match) and then move it up to the top.
However, this will block DNS requests to pfSense again.
So you need a pass rule for DNS (protocol TCP/UDP, port 53) to "Firewall itself" at the top of the rule set.
DHCP doesn't need a rule. If a server or proxy is enabled on an interface, pfSense lets it pass automatically.
-
Thank you for the heads up.
However, I moved the alias rule to the top, so now it's
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = Any - Destination = Any
and I still have Internet access.
As I understand it, I should block the guest network from the LAN networks with the alias rule,
and then the allow rule lets the rest out to the internet? Is that correct?
-
@John_McNoob said in NetGate 2100 Vlans:
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
This one should be a block rule.
If a rule doesn't match, as in this case, the next one is probed.
-
I thought that the alias rule
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
meant that everything from GuestNetworks not going to the Alias ( 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ) will be allowed because of the Invert match.
So all traffic to the LAN should be blocked?
Now my rules look like this:
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = TCP/UDP - Source = GuestNetworks subnets - Destination = GuestNetworks address - Destination Port Range = DNS (53) / DNS (53)
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
-
BTW thanks a lot for all the help .. really appreciate it :)
-
@John_McNoob said in NetGate 2100 Vlans:
Now my rules look like this:
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = TCP/UDP - Source = GuestNetworks subnets - Destination = GuestNetworks address - Destination Port Range = DNS (53) / DNS (53)
Action = pass - Interface = GuestNetworks - Address Family = IPv4 - Protocol = Any - Source = GuestNetworks subnets - Destination = Invert match = Address or Alias = Alias-name
Yes, that's fine.
I think I messed some "inverts" up...
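To make the top-to-bottom, first-match evaluation and the "invert match" semantics discussed in this thread concrete, here is a small added Python model (not code from the thread or from pfSense). It compares the earlier ruleset (pass-with-invert followed by pass any/any) with the final two-rule set; the guest subnet, alias networks and the sample packets are constructed values, and stateful tracking, NAT and port ranges are deliberately left out.

```python
# Toy first-match evaluator for pfSense-style interface rules (added example).
import ipaddress

# Alias from the thread: the three RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_SUBNET = [ipaddress.ip_network("10.10.0.0/24")]      # "GuestNetworks subnets"
GUEST_ADDRESS = [ipaddress.ip_network("10.10.0.1/32")]     # "GuestNetworks address"

def in_nets(addr, nets):
    return any(addr in n for n in nets)

def rule(action, src=None, dst=None, dst_port=None, proto=None, invert_dst=False):
    """One rule, mirroring the GUI fields used in the thread (None = any)."""
    return dict(action=action, src=src, dst=dst, dst_port=dst_port,
                proto=proto, invert_dst=invert_dst)

def matches(r, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if r["proto"] and pkt["proto"] not in r["proto"]:
        return False
    if r["src"] and not in_nets(src, r["src"]):
        return False
    if r["dst"]:
        hit = in_nets(dst, r["dst"])
        if hit == r["invert_dst"]:   # "Invert match" flips the destination test
            return False
    if r["dst_port"] and pkt.get("dport") != r["dst_port"]:
        return False
    return True

def verdict(rules, pkt):
    """Rules are probed top to bottom; first match wins; default is block."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "block"

# Earlier ruleset: the invert rule never blocks anything, the any/any rule passes all.
EARLY = [rule("pass", src=GUEST_SUBNET, dst=PRIVATE_NETS, invert_dst=True),
         rule("pass")]
# Final ruleset: DNS to the interface address, then pass only non-private destinations.
FINAL = [rule("pass", proto=("tcp", "udp"), src=GUEST_SUBNET, dst=GUEST_ADDRESS, dst_port=53),
         rule("pass", src=GUEST_SUBNET, dst=PRIVATE_NETS, invert_dst=True)]

# Constructed sample packets from a guest client.
TO_WORK_LAN = {"src": "10.10.0.50", "dst": "192.168.1.20", "proto": "tcp", "dport": 445}
TO_INTERNET = {"src": "10.10.0.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
TO_DNS = {"src": "10.10.0.50", "dst": "10.10.0.1", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for name, rs in (("early", EARLY), ("final", FINAL)):
        for label, p in (("work LAN", TO_WORK_LAN), ("internet", TO_INTERNET), ("DNS", TO_DNS)):
            print(f"{name:5} ruleset, guest -> {label:8}: {verdict(rs, p)}")
```

With the early ruleset every packet ends up in the any/any rule, so the work LAN stays reachable; with the final ruleset the work LAN falls through to the implicit default block while DNS and internet traffic pass.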