Netgate Discussion Forum

    No Internet access with VLAN via OPT1

    • jogovogo

      Hello everyone!

      It just doesn't want to go online... ;-((

      The following configuration (HyperV-VM, VLAN-Trunking)

      VLAN-ID 22 to OPT1 with the subnet 192.168.151.0/24

      The two machines connected to VLAN 22 also receive the correct addresses from the IP pool via DHCP. However, both have no internet access. The ping on the address 192.168.151.1 also fails.

      Maybe one of you has an idea or solution.

      cheers
      ron

      [screenshots]

      • Gertjan @jogovogo

        @jogovogo

        The rules look fine :

        [screenshot]

        Looking closer :

        [screenshot]

        shows that no traffic whatsoever ever reached this OPT1 interface.

        My suggestion : Review your VLAN setup.

        Btw : Only allowing port 53 = DNS traffic to reach the pfSense Interface = 192.168.151.1 and block all other DNS traffic, AND handing over by DHCP the 8.8.8.8 DNS IP is ... counterproductive.
        The device will probably use 8.8.8.8 for its DNS needs and your pfSense will not allow (block) this.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
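
An added example, not part of the thread: a first-match walk over an OPT1 rule set shaped like the one described in the post above, checking whether the resolver handed out by DHCP is reachable. The rule list is constructed from the description (the real rules are only in the screenshots), the final allow-all rule is an assumption, and `Rule`, `evaluate` and `check_dhcp_dns` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp", "icmp" or "any"
    dst: str              # CIDR string, or "any"
    dport: Optional[int]  # None means any port


# Constructed rule set (assumption): ICMP allowed, DNS allowed only to the
# pfSense OPT1 address, all other DNS blocked, everything else passed.
OPT1_RULES = [
    Rule("pass", "icmp", "any", None),
    Rule("pass", "udp", "192.168.151.1/32", 53),
    Rule("pass", "tcp", "192.168.151.1/32", 53),
    Rule("block", "udp", "any", 53),
    Rule("block", "tcp", "any", 53),
    Rule("pass", "any", "any", None),
]


def matches(rule, proto, dst_ip, dport):
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst != "any":
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
            return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, proto, dst_ip, dport=None):
    """Interface rules are read top-down; the first matching rule decides."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action
    return "block"  # nothing matched: default deny


def check_dhcp_dns(rules, dns_servers):
    """Return the DHCP-advertised resolvers that the rule set blocks."""
    return [
        server for server in dns_servers
        if any(evaluate(rules, p, server, 53) != "pass" for p in ("udp", "tcp"))
    ]


if __name__ == "__main__":
    print(check_dhcp_dns(OPT1_RULES, ["8.8.8.8"]))        # blocked resolver
    print(check_dhcp_dns(OPT1_RULES, ["192.168.151.1"]))  # nothing blocked
```
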

        • jogovogo @Gertjan

          @Gertjan

          Alright, many thanks for the tip. The only thing that comes to mind is that the pfSense must be restarted after the "Trunking" has been permitted.

          cheers
          ron

          • jogovogo @Gertjan

            @Gertjan

            PS: However, this isn't really possible because the client receives the correct IP address from the DHCP circle for the VLAN.

            • Gertjan @jogovogo

              @jogovogo

              VLANs : can't tell, sorry, I'm lazy and old school. When I need more LANs, as my pfSense (4100) already has 6 interfaces, I wire them up. I stay away from VLANs as this needs VLAN capable 'smart' switches, and an exact matching config between pfSense and this switch, etc.

              • SteveITS Rebel Alliance @jogovogo

                @jogovogo

                ping on the address 192.168.151.1 also fails

                This means the connection between the client and pfSense isn't working since ICMP is allowed by firewall rule.

                Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                Upvote 👍 helpful posts!

                • jogovogo @SteveITS

                  @SteveITS

                  But why do I get an IP address from the dhcp for Opt1?

                  cheers
                  ron

                  • SteveITS Rebel Alliance @jogovogo

                    @jogovogo is the mask correct on the client/in DHCP settings?

                    • Gertjan @jogovogo

                      @jogovogo said in No Internet access with VLAN via OPT1:

                      But why do I get an IP address from the dhcp for Opt1?

                      I'll add that behavior to the "VLAN switch isn't setup correctly" list.
                      The initial client initiated DHCP traffic is "broadcast" (probably not related).
                      You have activated the DHCP server on OPT1 ?
                      On the OPT1 connected device shown above, you can
                      (windows example) :

                      ipconfig /release
                      

                      and

                      ipconfig /renew
                      

                      ?

                      • jogovogo @Gertjan

                        @Gertjan

                        Hello, that works automatically. I've already made it so that it receives an address from the DHCP area right away after the release.

                        This is the case with two different machines.

                        • Gertjan @jogovogo

                          @jogovogo said in No Internet access with VLAN via OPT1:

                          Hello, that works automatically ....

                          That's what you want to happen.
                          Never ever believe the "system". As the network admin, at all times, fact check everything 😊

                          For example, red flags were already shown : The IP (192.168.151.11) looks ok. Mask and gateway also. But the 8.8.8.8 DNS is a fail.
                          So, my thoughts : someone set them up statically ? Or entered 'strange' settings in the DHCP server ?

                          • jogovogo @Gertjan

                            @Gertjan

                            The 8.8.8.8 is only for testing; even if I use the machine to set the IP and as a DNS and gate, the 192.168.151.1 does not work.

                            • jogovogo @jogovogo

                              My first surprise is that I'm now on the firewall, but why?

                              But still no access to the Internet...

                              [screenshots]

                              • jogovogo

                                Hello again!

                                The issue has been resolved, simply, by restarting the DNS resolver.

                                I just had another one, though; perhaps you could also respond to it?

                                NAT and VLAN

                                The port 2413 should be seen on 192.168.151.10. The corresponding rule is created automatically. Unfortunately, it does not function.

                                The "LAN" operates it without any intervention.

                                [screenshots]

                                • SteveITS Rebel Alliance @jogovogo

                                  @jogovogo said in No Internet access with VLAN via OPT1:

                                  restarting the DNS resolver

                                  but:

                                  ping on the address 192.168.151.1 also fails

                                  ...is not related to DNS.

                                  In any case restarting DNS is necessary if a new interface has been added, because unbound didn't know about that IP when it started.

                                  re: NAT, often the firewall on the server isn't set to allow traffic from any IP, only the local subnet or RFC1918.
                                  https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html may help.

                                  • jogovogo @SteveITS

                                    @SteveITS

                                    Hello, many thanks for your prompt response!

                                    Indeed, ping has nothing to do with DNS.
                                    I didn't notice it because I didn't even attempt it on one machine.

                                    This is working now as well. We used pfBlockerNG, and the opt1 still needed to be defined in the Outbound Firewall Rules. Then once update via cron and now it works!

                                    cheers
                                    ron

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.