My first VLAN - No internet connectivity on the VLAN
-
Hey guys, thanks in advance. I've been running pfSense for about 6 months now without issue.
Problem:
I configured NordVPN on the pfSense so all outgoing traffic from the single LAN connection gets routed through the VPN. This works perfectly fine and I haven't had the need for a VLAN before. However, my work laptop won't connect to the internet with this setup, I assume because it runs its own VPN to connect to my work network, so I believe there might be a clash between the two VPNs. So to get around this, I decided to implement a VLAN (20) that bypasses the NordVPN setup on the current LAN interface.
To do this I bought a Unifi AP for wifi dedicated to VLAN 20, and a TP-Link Smart Switch where I have configured VLAN 20 on the port for the Unifi AP. The setup is in the below diagram, but in short:
- Unifi AP is configured for a VLAN 20 Wifi - IP Range 10.17.20.1
- Eero AP is standard internet over NordVPN - IP Range 10.17.17.1
- Switch Ports:
  - Port 1 - Unifi AP - VLAN 20 configured - Tagged port
  - Port 16 - Connection to the pfSense LAN input - Tagged port
  - Port 15 - All my other network devices which access the internet through the Eero AP - Untagged port
Network layout:
Configuration on the Switch:
I have set up VLAN 20 on pfSense after watching a number of YouTube videos. VLAN is configured, Network Interface is configured, firewall rule is configured - this is possibly where the problem lies.
I can get my phone for example to connect to the VLAN 20 network, it picks up a 10.17.20.x IP address but it doesn't have internet connectivity "Connected without Internet".
I ran a DHCP sniff on the VLAN20 interface when I connected my phone to the VLAN20 Wifi and got the below results:
PFSENSE:
VLAN20 - DHCP
13:25:06.432295 32:54:4f:ed:a7:de > ff:ff:ff:ff:ff:ff Null Unnumbered, xid, Flags [Response], length 42: 01 00
13:25:06.575731 IP6 :: > ff02::1:ffed:a7de: ICMP6, neighbor solicitation, who has fe80::3054:4fff:feed:a7de, length 32
13:25:06.604520 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 316
13:25:06.604692 ARP, Request who-has 10.17.20.20 tell 10.17.20.1, length 28
13:25:07.311617 IP6 fe80::3054:4fff:feed:a7de > ff02::2: ICMP6, router solicitation, length 16
13:25:07.547647 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 316
13:25:07.609264 IP 10.17.20.1.67 > 10.17.20.20.68: UDP, length 300
13:25:07.658940 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 326
13:25:07.660403 IP 10.17.20.1.67 > 10.17.20.20.68: UDP, length 300
13:25:07.732654 ARP, Request who-has 10.17.20.1 tell 10.17.20.20, length 42
13:25:07.732696 IP 10.17.20.1 > 10.17.20.20: ICMP echo request, id 61555, seq 0, length 28
13:25:07.732699 ARP, Reply 10.17.20.1 is-at 60:be:b4:06:bb:c9, length 28
13:25:07.805413 IP 10.17.20.20.5353 > 224.0.0.251.5353: UDP, length 110
13:25:07.805451 IP6 fe80::3054:4fff:feed:a7de.5353 > ff02::fb.5353: UDP, length 110
13:25:07.873559 IP 10.17.20.20.33070 > 8.8.8.8.853: tcp 0
13:25:07.873561 IP 10.17.20.20.33249 > 1.1.1.1.53: UDP, length 32
13:25:07.873601 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:07.873602 IP 10.17.20.20.10688 > 1.1.1.1.53: UDP, length 47
13:25:07.873615 IP 10.17.20.20.33378 > 1.1.1.1.853: tcp 0
13:25:07.873667 IP 10.17.20.20 > 10.17.20.1: ICMP echo reply, id 61555, seq 0, length 28
13:25:08.734020 IP 10.17.20.20.33378 > 1.1.1.1.853: tcp 0
13:25:08.734063 IP 10.17.20.20.33070 > 8.8.8.8.853: tcp 0
13:25:08.734344 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:08.812132 IP 10.17.20.20.5353 > 224.0.0.251.5353: UDP, length 110
13:25:08.812171 IP6 fe80::3054:4fff:feed:a7de.5353 > ff02::fb.5353: UDP, length 110
13:25:09.819974 IP6 fe80::3054:4fff:feed:a7de.5353 > ff02::fb.5353: UDP, length 110
13:25:09.820010 IP 10.17.20.20.5353 > 224.0.0.251.5353: UDP, length 110
13:25:10.817367 IP 10.17.20.20.33070 > 8.8.8.8.853: tcp 0
13:25:10.817414 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:10.817416 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:10.817424 IP 10.17.20.20.33378 > 1.1.1.1.853: tcp 0
13:25:11.468498 IP6 fe80::3054:4fff:feed:a7de > ff02::2: ICMP6, router solicitation, length 16
13:25:12.811535 IP 10.17.20.20.4621 > 8.8.8.8.53: UDP, length 47
13:25:12.811536 IP 10.17.20.20.12380 > 8.8.8.8.53: UDP, length 32
13:25:14.790838 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:14.790842 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:14.790960 IP 10.17.20.20.33378 > 1.1.1.1.853: tcp 0
13:25:14.790968 IP 10.17.20.20.33070 > 8.8.8.8.853: tcp 0
13:25:14.888519 IP 10.17.20.20.49944 > 1.1.1.1.53: UDP, length 32
13:25:14.890412 IP 10.17.20.20.50833 > 8.8.8.8.53: UDP, length 32
13:25:17.821698 IP 10.17.20.20.10688 > 1.1.1.1.53: UDP, length 47
13:25:17.821733 IP 10.17.20.20.33249 > 1.1.1.1.53: UDP, length 32
13:25:19.125018 IP6 fe80::3054:4fff:feed:a7de > ff02::2: ICMP6, router solicitation, length 16
Here are a few screenshots of my VLAN setup on pfSense:
Network Interface:
VLAN Config:
Firewall Rule:
The only thing I can think of is it's an issue in pfSense, possibly to do with IPv6 as I don't have that configured on the WAN as my ISP doesn't support it... or maybe I just haven't configured something to bypass the NordVPN... but either way, VLAN20 should push me through NordVPN if nothing else. Besides that, I'm not sure. Any help is appreciated.
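The capture above already contains the diagnostic signal: DHCP, ARP and the gateway's ping to 10.17.20.20 all complete inside the VLAN, while every flow the phone opens to 1.1.1.1 and 8.8.8.8 (DNS on 53, DoT on 853, QUIC on 443) gets no reply at all. That pattern points past the VLAN itself to routing or outbound NAT on the firewall. The script below, added here as an illustration and not part of the original thread, parses tcpdump lines in the format shown, keeps only IPv4 packets, and reports which flows from the VLAN subnet to the outside received a reverse-direction packet. The sample capture is a subset of the lines posted above; the extra "reply" line used in the test is constructed.

```python
"""Classify the flows in a tcpdump text capture: did outbound flows from a
VLAN host ever see a reply?  Only IPv4 lines ("... IP a.b.c.d.port > ...")
are parsed; ARP, IPv6 and LLC lines are ignored."""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Subset of the capture posted in the thread (VLAN 20, gateway 10.17.20.1).
SAMPLE_CAPTURE = """\
13:25:06.604520 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 316
13:25:07.609264 IP 10.17.20.1.67 > 10.17.20.20.68: UDP, length 300
13:25:07.732696 IP 10.17.20.1 > 10.17.20.20: ICMP echo request, id 61555, seq 0, length 28
13:25:07.805413 IP 10.17.20.20.5353 > 224.0.0.251.5353: UDP, length 110
13:25:07.873559 IP 10.17.20.20.33070 > 8.8.8.8.853: tcp 0
13:25:07.873561 IP 10.17.20.20.33249 > 1.1.1.1.53: UDP, length 32
13:25:07.873601 IP 10.17.20.20.41903 > 8.8.8.8.443: UDP, length 1200
13:25:07.873667 IP 10.17.20.20 > 10.17.20.1: ICMP echo reply, id 61555, seq 0, length 28
13:25:12.811535 IP 10.17.20.20.4621 > 8.8.8.8.53: UDP, length 47
13:25:14.888519 IP 10.17.20.20.49944 > 1.1.1.1.53: UDP, length 32
"""


def split_endpoint(endpoint):
    """'10.17.20.20.33249' -> ('10.17.20.20', 33249); '10.17.20.1' -> ('10.17.20.1', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None


def parse_capture(text):
    """Yield (ts, src, sport, dst, dport, description) for each IPv4 line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        packets.append((m["ts"], src, sport, dst, dport, m["rest"]))
    return packets


def external_flows(text, vlan_net):
    """Map (src, sport, dst, dport) -> True/False for every flow a host inside
    vlan_net opened towards a unicast address outside it; True means at least
    one packet travelled the reverse direction."""
    net = ipaddress.ip_network(vlan_net)
    seen = {(src, sport, dst, dport) for _, src, sport, dst, dport, _ in parse_capture(text)}
    flows = {}
    for src, sport, dst, dport in seen:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in net or d in net or d.is_multicast or d == BROADCAST:
            continue
        flows[(src, sport, dst, dport)] = (dst, dport, src, sport) in seen
    return flows


def diagnose(text, vlan_net):
    """One-line verdict: where along the path does traffic stop?"""
    net = ipaddress.ip_network(vlan_net)
    local = [p for p in parse_capture(text)
             if ipaddress.ip_address(p[1]) in net and ipaddress.ip_address(p[3]) in net]
    flows = external_flows(text, vlan_net)
    if not local:
        return "no traffic inside the VLAN: check tagging on the switch and AP"
    if not flows:
        return "VLAN works internally but the host sent nothing outbound"
    answered = sum(flows.values())
    if answered == 0:
        return ("VLAN works internally but no outbound flow was answered: "
                "check the VLAN's gateway and outbound NAT on the firewall")
    return f"{answered}/{len(flows)} outbound flows answered"


if __name__ == "__main__":
    for flow, ok in sorted(external_flows(SAMPLE_CAPTURE, "10.17.20.0/24").items()):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {'answered' if ok else 'NO REPLY'}")
    print(diagnose(SAMPLE_CAPTURE, "10.17.20.0/24"))
```

Run it against the full capture saved from `tcpdump -i <vlan interface> -n` (the interface name is whatever pfSense assigned to VLAN 20): if the verdict says internal traffic works but nothing outbound is answered, the firewall is receiving the packets and the problem is on the way out or the way back, not on the switch or AP.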
-
@Dom293 How have you set the gateway for that VLAN 20? I expected you to set the gateway in the NOVPN_OPT2 firewall rule.
Have you set NordVPN as the default gateway in System / Routing / Gateways?
-
@patient0 I just had the VLAN20 firewall rule set as 'Default' gateway. But I just switched it to the WAN_PPPOE and re-tested and still no internet on my phone.
And the standard WAN IPV4 is the Default Gateway:
-
I don't have that configured on the WAN as my ISP doesn't support it
Regarding IPv6: you have configured something on your WAN for IPv6 if you get WAN_DHCP6 gateway.
If your ISP doesn't support IPv6 then just set IPv6 in PPPoE to none. Can you ping pfSense or access the pfSense webGUI from a VLAN20 device?
-
@patient0 Thx, I just disabled the IPv6 gateway, all is good there.
Yep, I can access the pfSense GUI from VLAN20. Are there any other logs I should be checking in pfSense to see what's going on?
-
-
Got it sorted. For anyone reading, the main issue was I have manual outbound NAT rules set up. I had to set up a NAT rule for the VLAN IP address range with the WAN as the interface (thanks ChatGPT for correcting my mistake of putting the VLAN assignment as the interface). All is now working and bypassing NordVPN.
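With manual outbound NAT, every subnet that should reach the internet needs a rule whose interface is the one the traffic actually leaves on (here the WAN), because pf translates on egress; a rule bound to the VLAN interface never matches outbound packets. The check below, added as an illustration and not part of the original thread, parses the text that `pfctl -s nat` prints on pfSense and reports subnets that have a translation rule only on some other interface. The rule text is constructed to mirror the wrong and corrected setups described in this thread; interface names such as `pppoe0`, `vlan20` and `ovpnc1` are assumptions.

```python
"""Audit outbound NAT rules in pfctl -s nat format: is each internal subnet
translated on the interface it is meant to leave through?"""
import ipaddress
import re

NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any -> \((?P<to>[^)]+)\)"
)

# Constructed: the broken state (VLAN subnet NATed on the VLAN interface itself).
BROKEN_RULES = """\
no nat on pppoe0 inet from 10.17.17.0/24 to 10.17.20.0/24
nat on ovpnc1 inet from 10.17.17.0/24 to any -> (ovpnc1) port 1024:65535
nat on vlan20 inet from 10.17.20.0/24 to any -> (vlan20) port 1024:65535
"""

# Constructed: the corrected state (VLAN subnet NATed on the WAN).
FIXED_RULES = BROKEN_RULES.replace(
    "nat on vlan20 inet from 10.17.20.0/24 to any -> (vlan20)",
    "nat on pppoe0 inet from 10.17.20.0/24 to any -> (pppoe0)",
)


def parse_nat_rules(text):
    """Return [(iface, source network, target interface)] for 'nat on' rules;
    'no nat' exemptions and lines in other formats are skipped."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            rules.append((m["iface"], ipaddress.ip_network(m["src"]), m["to"]))
    return rules


def egress_interfaces(rules, subnet):
    """Interfaces on which any rule translates traffic from `subnet`."""
    net = ipaddress.ip_network(subnet)
    return sorted({iface for iface, src, _ in rules if net.subnet_of(src)})


def audit(text, expectations):
    """expectations: {subnet: interface the subnet should leave on}.
    Returns {subnet: problem string} for subnets that fail the check."""
    rules = parse_nat_rules(text)
    problems = {}
    for subnet, wanted in expectations.items():
        found = egress_interfaces(rules, subnet)
        if wanted in found:
            continue
        if not found:
            problems[subnet] = "no outbound NAT rule at all"
        else:
            problems[subnet] = (f"translated only on {', '.join(found)}; "
                                f"expected a rule on {wanted}")
    return problems


if __name__ == "__main__":
    want = {"10.17.17.0/24": "ovpnc1", "10.17.20.0/24": "pppoe0"}
    print("broken:", audit(BROKEN_RULES, want))
    print("fixed: ", audit(FIXED_RULES, want))
```

On a live box the input is `pfctl -s nat` run from the pfSense shell; feed its output to `audit()` with the mapping of subnet to intended egress interface (VPN client interface for the LAN that should use NordVPN, WAN for the VLAN that should bypass it). The same check catches the reverse mistake, a subnet that is supposed to stay behind the VPN but has acquired a WAN rule.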