VLAN, LAN can ping trunk, cannot ping any devices

brianjmc1

I have a 2.6 PFsense setup...
WAN(xxx.xxx.xxx.xxx)
LAN (192.168.10.0/24)
VLAN(192.168.20.0/24)

The VLAN has one rule(same as LAN) so it can get to the internet and its working...

From LAN, I can ping VLAN trunk(192.168.20.1), but no ping to any devices on the VLAN.
This is for security cameras. I put a laptop on VLAN and turned off firewall, to make sure OS wasnt dropping pings, still no good....

Thanks for any help and yes, I have been researching for hours....before I decided to post...

Jarhead

@brianjmc1 If you put a laptop on the vlan and still can't ping devices on that vlan, this has nothing to do with any router (pfSense in this case). Only thing pfSense would do here is DHCP if it's your server. Are the devices getting addresses?
You have a Layer 2 problem at that point.
How are these devices connected? Have to assume you have a switch connecting all of them, is the switch good?

brianjmc1

@Jarhead No, laptop can ping the other device on the VLAN, so thats working fine. LAN can only ping VLAN trunk. LAN cannot ping laptop or NVR(security camera).

Thanks for your help!

Jarhead

@brianjmc1 So then look at your devices, are they getting addresses by DHCP?
What is their gateway?
Show the rules on the interfaces. I know you say it's the same rule but there's many cases where the user says it's the same, but it isn't.
Can you ping from vlan to lan?
To test, put an ANY/ANY rule on the vlan interface. It should be able to get to the LAN devices that way.

brianjmc1

@Jarhead

Yes, VLAN devices are getting DHCP from PFsense
gateway: 192.168.20.1
mask 255.255.255.0

No, no pinging from VLAN to LAN only LAN to VLAN trunk responding to pings 192.168.20.1

will test ANY\ANY later today

Thanks,
brian

brianjmc1

Rules, requested...thanks!

brianjmc1

Newbie screwed up terminology - sorry about that!!!!
No VLAN, I have WAN, LAN and LAN2, on three of the interfaces... Two physical different LANS

I want LAN to be able to pass traffic to LAN2. I do not want LAN2 to be able to pass traffic to LAN.

again, setting up security cameras on LAN2 and want to keep any traffic out of LAN. I do want to be able to access the cameras, that's why I want LAN to be able to pass traffic to LAN2.

Currently LAN can ping LAN2 trunk only(no devices on LAN2).
Lan2 can ping LAN only trunk(no devices on LAN).

Jarhead

@brianjmc1 Ok. So this is not the firewalls problem. From what you say, it screams of a gateway issue on the devices.
Just to recap, all devices on LAN can access each other and the internet.
All devices on LAN2 can access each other and the internet.
Nothing on LAN can access LAN2.
Nothing on LAN2 can access LAN.
Is that correct?

I would hook up a laptop (turn off software firewalls on it) on LAN2 and use that for testing, stay away from the cams for now. Make sure it gets a DHCP address, then ping the gateway (by the way, it's not a trunk, it's a gateway. just for clarification). Make sure you can access the internet. Then ping something on the LAN. All that should pass by the rules you have.
Then try to ping the LAN2 laptop from a device on the LAN. Should also pass by rules.

If all that is good, look at the cams. Again, sounds like a gateway problem.

brianjmc1

@Jarhead

1. Yes, all devices on LAN can access each other and the internet
2. Yes, all devices on LAN2 can access each other and the internet
   LAN devices can only ping Gateway 192.168.20.1 on LAN2
   LAN2 devices can only ping Gateway 192.168.10.1 on LAN

Already have laptop on LAN2, that I can remote to so i can play in LAN2 for testing. Its getting DHCP and again, can ping LAN gateway(192.168.10.1), but no other devices.

So again, LAN cannot access anything on LAN2 and LAN2 cannot access anything on LAN - as of right now...

thanks,
Brian

Jarhead

@brianjmc1 And any software firewalls are off? Windows defender for example.
Nothing in pfSense is blocking traffic between the 2 so you have to look at the devices.

brianjmc1

No firewall on laptop, only for me to get at the other side for testing. Maybe it needs a reboot...

Thanks,
brian

Jarhead

@brianjmc1 Start using the packet capture in that case.
Filter it to pings from the laptops IP, start it on the LAN interface and do a ping from the laptop to LAN. See if the requests are getting to the LAN and the device is replying. Then start it on the LAN2 side and see if the replies are getting through.

brianjmc1

OK, in my home lab, I built a brand new PFsense 2.6
configured WAN, LAN, OPT1

Out of the box, LAN has internet , OPT1 does not...
added rule for Opt1, now it has internet.

No pinging from LAN to OPT1 devices or OPT1 to LAN devices
added a rule on LAN to pass traffic to OPT1
added a rule on OPT1 to pass traffic to LAN

It works and can access either direction......

must be something wrong with original PFsense that i have been trying...
that's my only conclusion.... extremely frustrating....

only other difference is on original not working right, I have openVPN and IPSEC tunnels..

I need a drink!!!!!!

Jarhead

@brianjmc1 Oh, Maybe you have overlapping subnets on the VPN's?
How about any policy routing?
Did you try the packet capture?

A Former User

@brianjmc1

If you do not have VLANs, you have no need for a trunk. You should use access ports on your switch instead.

brianjmc1

no VLANS, 2x LANS, two different physical networks off of 2x interfaces....

Wan, LAN, OPT1

thanks,
Brian

A Former User

@brianjmc1

Yeah, that's how I understood that. But, how do you connect pfSense to your network? The issue seems to be with that connection, not pfSense. How's your switch configured?

brianjmc1

@kjk54 sorry, my misunderstanding!!!!

I have two physical not connected, dumb LANS - best way i can say it...

Switch one connects to LAN and connects most devices
Switch two connects to OPT1 and then connects a security camera system

Trying to keep all traffic of OPT1 from getting to LAN...

My PFsense has 4 physical ports WAN, LAN, OPT1, OPT2(not used)

A Former User

@brianjmc1

2 unmanaged switches?

brianjmc1

Yes, sir