None of my firewall rules are working on VLANs
-
I have a rule that passes all TCP/UDP traffic on my NetMgmt interface from source: AdminLaptop to destination *
(The only devices on my LAN segment [10.1.1.x] are network management devices so I named the interface NetMgmt. All other devices are on one of 5 VLANs.)When my laptop has a static IP of 10.1.1.6, I can access anything on the NetMgmt segment as well as all internet destinations. But when I assign it an IP of 10.1.10.33 (BizVLAN), I can access my Proxmox server (10.1.10.10) but nothing on the NET_MGMT segment and nothing on the web - even though I have the same rule (with the new source IP, of course) setup on the BizVLAN interface.
I also have a (BizVLAN interface) rule that passes source: * to destination: WAN subnets (any port) - which should give my Proxmox server internet access so I can download LXC containers - but that doesn't work, either. I even tried a rule to allow all traffic from my Proxmox server's IP address to destination: * - but that still doesn't work.
Where might the problem be?
-
@ErniePantuso said in None of my firewall rules are working on VLANs:
I also have a (BizVLAN interface) rule that passes source: * to destination: WAN subnets (any port)
This only allows "WAN subnets" as it indicates, which might probably be 10.1.10.0 - 10.1.10.255, nothing else.
If you want to allow access to the internet you need to set "any" for the destination.
To block access to local subnets, in case is this is your concern, add a block rule for theses destinations above of the pass rule. Best to add an RFC 1918 alias with all the private network ranges and state this for the destination in the block rule. -
@viragomann Thanks for the help. I changed the pass rule to allow all (* / *) but still nothing works. I think it's a DNS issue. When I try to download an LXC container template, this is the error that's returned in Proxmox:
Resolving mirror.turnkeylinux.org (mirror.turnkeylinux.org)... failed: Temporary failure in name resolution. TASK ERROR: download failed: wget: unable to resolve host address 'mirror.turnkeylinux.org'Are there separate DNS rules for VLANs? If so, where?
-
@ErniePantuso it would be much easier to help you if you actually just posted a screen shots of your rules.
But when I assign it an IP of 10.1.10.33 (BizVLAN), I can access my Proxmox server (10.1.10.10) but nothing on the NET_MGMT segment and nothing on the web
The wording of how you changed over to different IP, gets me thinking your not actually running vlans, but just multiple networks on the same L2?
Are you doing any policy routing out a vpn? Or different gateway.. A couple screenshots would save a lot of time.. Do you have any rules in floating, can we see the screen shots of the rules on your vlans that you say can not talk to anything or the internet?
And dns is pretty simple to diagnose.. Can you ping 8.8.8.8, can you do a dns query to www.google.com - use your fav tool, nslookup, dig, host, doggo, etc. etc.
-
@johnpoz said in None of my firewall rules are working on VLANs:
@ErniePantuso it would be much easier to help you if you actually just posted a screen shots of your rules.
Sorry, I should have thought of that. I'll post screenshots of both the NetMgmt segment (which is working fine) and the BizVLAN segment (which doesn't work at all.)
But when I assign it an IP of 10.1.10.33 (BizVLAN), I can access my Proxmox server (10.1.10.10) but nothing on the NET_MGMT segment and nothing on the web
The wording of how you changed over to different IP, gets me thinking your not actually running vlans, but just multiple networks on the same L2?
I don't know the answer to that.
Are you doing any policy routing out a vpn?
No. (Don't even know what that is.)
Or different gateway
No
Do you have any rules in floating
None
And dns is pretty simple to diagnose.. Can you ping 8.8.8.8, can you do a dns query to www.google.com - use your fav tool, nslookup, dig, host, doggo, etc. etc.
With a 10.1.1.6 (NetMgmt) IP, I can ping whatever with no problems. With a 10.1.10.33 (BizVLAN) IP, I can't ping anything. I also tried it from the shell on my Proxmox server. It can't ping anything, either.
I do understand about DNS and pinging; I just have no clue how I give my VLAN different DNS settings.
-
@ErniePantuso
Is your outbound NAT running in automatic mode?
And if so, is there a rule in place for this subnet? -
@viragomann I haven't made any changes to NAT so no, it's not in automatic mode.
-
Another piece of the puzzle? I have a TP-Link Omada controller running in a container. I gave it a static IP of 10.1.1.10 to keep it on the NetMgmt segment but of course, it exists within Proxmox which lives on a box with a BizVLAN IP. I tried to ping from the shell of this container and it can't ping anything.
-
@ErniePantuso
It's in automatic mode by default.And if you go to the outbound NAT page, you can see the automatically added rules at the bottom. Please check, if all your subnets are shown up there.
-
-
@ErniePantuso You need to read up on rules. They need to be on the interface the traffic originates on. You have a rule on bizvlan with a destination of bizvlan. Not gonna work.
You have an any/any rule with other pass rules below it. Not gonna work.
If you want to block (or allow) the bizvlan access to LAN, the rule goes on bizvlan.You have no traffic shown on the bizvlan rules. Are you sure you're even connecting to it? Does it get a DHCP address if you connect to it?
-
@ErniePantuso Why are blocking bogon on your lan side interfaces? How would bogon ever be on your lan side as a source? You understand rfc1918 is bogon.. That anything at all can work is pfsense pulls rfc1918 out of the bogon rule.. There is no point to putting bogon on any of your lan side interfaces.
-
@ErniePantuso
This one:
Firewall > NAT > Outbound -
-
@johnpoz said in None of my firewall rules are working on VLANs:
@ErniePantuso Why are blocking bogon on your lan side interfaces?
That was the default so I left it.
There is no point to putting bogon on any of your lan side interfaces.
Got it. Fixed. Thanks!
-
@ErniePantuso said in None of my firewall rules are working on VLANs:
That was the default so I left it.
No it is not that is for sure.. It is default on the WAN, not any other interface.
-
@johnpoz said in None of my firewall rules are working on VLANs:
@ErniePantuso said in None of my firewall rules are working on VLANs:
That was the default so I left it.
No it is not that is for sure.. It is default on the WAN, not any other interface.
OK. I guess I don't remember when or why that got changed. I've really struggled to learn all this stuff; I've asked for and received help from a lot of different sources. Either I got some bad information or (more likely) I misunderstood the info I got.
-
@ErniePantuso It has never been the default, ever - because it make no logical sense at all.. I have been running pfsense pretty much since it has come out.. And never has block bogon been a thing on the lan side.. It only makes sense on the wan. And even then its not very useful or needed..
If you mean when you changed it ok ;) its not a thing anyone would ever have need to do.. And if pfsense didn't pull out rfc1918 from the bogon list you would of broken your network.. Would of remembered then when you changed it ;) hehehe
They enable you to be able to check it - because maybe its a transit network, and you have no idea what the source would be, or maybe its an actual wan and you would want to enable it.
-
@johnpoz said in None of my firewall rules are working on VLANs:
@ErniePantuso . . . And if pfsense didn't pull out rfc1918 from the bogon list you would of broken your network.. Would of remembered then when you changed it ;) hehehe
Not necessarily. In the first place, I've never really had the network setup. It's been in an alpha state for months as I slog my way through learning this stuff. And within that framework, I've broken my network and restored pfSense from backed up configurations numerous times - so it could have been any of those and I don't know which! hahaha
-
@Jarhead said in None of my firewall rules are working on VLANs:
@ErniePantuso You need to read up on rules. They need to be on the interface the traffic originates on. You have a rule on bizvlan with a destination of bizvlan. Not gonna work.
You have an any/any rule with other pass rules below it. Not gonna work.
If you want to block (or allow) the bizvlan access to LAN, the rule goes on bizvlan.You have no traffic shown on the bizvlan rules. Are you sure you're even connecting to it? Does it get a DHCP address if you connect to it?
I'm not a complete idiot. ;D I do have a basic understanding of rules. I understand that any pass rules after the any/any rule are superfluous. I put the any/any rule there as a troubleshooting measure. And I understand that rules for BizVLAN have to go on BizVLAN. My rule on BizVLAN with a destination of BizVLAN subnets was intended to allow nodes on that VLAN to be able to talk to each other. I thought it was blocked otherwise. But I now know that's not correct because I tried disabling ALL the rules on BizVLAN and (with a static IP in that subnet), I can still access my Proxmox server. That confuses the heck out of me!
How/where do you see that I have no traffic shown on the bizvlan rules? Am I connected to it? Well, again, with a static IP in that subnet, I can access my Proxmox server - and when I go back to a NetMgmt IP, I can't. That would seem to indicate that I'm connected, wouldn't it? I wasn't worrying yet about DHCP but now that you asked, when I switch my laptop to DHCP, it does not pull an IP address.
So what does all that tell me? I keep trying to download an LXC container template from my Proxmox server and it continues to give me a DNS error - even when the only rule on BizVLAN is the pass any/any. If it's allowed to pass any/any, shouldn't that include DNS server(s)?
