    Need help setting up VLAN [SOLVED]

    37 Posts 8 Posters 34.7k Views
clarknova:

      Everything in the screenshots appears correct to me. Perhaps there is a problem in your firewall rules or NAT config. Can you ping internet sites from pfsense and get a response? Can you ping a LAN host? Do you have a "Pass from all to all" rule on the LAN? Is Advanced Outbound NAT disabled?

      db

hmishra:

        Here are my answers and some more screenshots.

        • No I cannot ping any internet sites from the pfsense web interface
        • The default pass for all rule on the LAN is still active
        • Advanced outbound NAT is disabled.

        Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.

        [Attached screenshots: pfSense-LAN-NAT.GIF, pfSense-WAN-NAT.GIF, pfSense-Outbound-NAT.GIF, pfSense-firewall-Logs.GIF]

hmishra:

          The only other detail I omitted here is that I need to spoof the MAC address of my WAN side because FIOS expects it. Without it, I couldn't even pull the WAN ip. But I thought this is no big deal since I can actually establish a WAN connection, just no internet access.  ;)

clarknova:

            Everything you posted looks in order to me. Can you get a ping response from your WAN gateway? From the DNS servers? Immediately after pinging these try this on the console:

                arp -an -i em0_vlan10

            The above assumes that your WAN interface is named em0_vlan10, which it would be in 2.0beta, but it might be different in 1.2.3.

            @hmishra:

            Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.

            Your LAN rule doesn't have logging enabled, so you won't see any logged traffic there. The only firewall logging that is done by default is for the default block rule on the WAN, so unless you disabled that, I would expect to see some blocks in the log after a short time of being connected.

            db

hmishra:

              Ok, here is what happened.

              • No ping response from the WAN gateway. 100% packet loss.
              • No ping response from DNS servers. 100% packet loss.
              • arp -an -i em0_vlan10 yields:

              ? (173.57.84.1) at (incomplete) on em0_vlan10 expires in 19 seconds [vlan]
              ? (68.238.96.12) at (incomplete) on em0_vlan10 expired [vlan]
              ? (68.238.64.12) at (incomplete) on em0_vlan10 expired [vlan]
              ? (173.57.84.60) at <obfuscated WAN MAC> on em0_vlan10 permanent [vlan]

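The ARP check clarknova asked for can be scripted so the result is unambiguous. The helper below is an added example, not code from the thread or from pfSense; it parses `arp -an` output with the POSIX awk available on the pfSense console and classifies the entry for one address as resolved, incomplete or missing. The sample input is hmishra's output above with the obfuscated MAC replaced by a constructed placeholder; the `arp_state` and `wan_arp_check` function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a WAN neighbour's ARP entry from `arp -an` output.
# SAMPLE_ARP is copied from the thread; the MAC on the last line is a
# constructed placeholder, not the poster's real address.
SAMPLE_ARP='? (173.57.84.1) at (incomplete) on em0_vlan10 expires in 19 seconds [vlan]
? (68.238.96.12) at (incomplete) on em0_vlan10 expired [vlan]
? (68.238.64.12) at (incomplete) on em0_vlan10 expired [vlan]
? (173.57.84.60) at 00:11:22:33:44:55 on em0_vlan10 permanent [vlan]'

# arp_state OUTPUT IP -> prints "resolved", "incomplete" or "missing".
# On BSD `arp -an` the address is field 2 in parentheses and the MAC (or the
# literal "(incomplete)") is field 4.
arp_state() {
    printf '%s\n' "$1" | awk -v ip="($2)" '
        $2 == ip {
            if ($4 == "(incomplete)") print "incomplete"; else print "resolved"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# wan_arp_check OUTPUT GATEWAY -> exit 0 only when the gateway has a MAC.
# "incomplete" means our ARP requests went out but no reply was accepted,
# which is a layer-2 problem (VLAN tagging, MAC filtering, spoofed MAC),
# not a firewall-rule or NAT problem.
wan_arp_check() {
    state=$(arp_state "$1" "$2")
    case "$state" in
        resolved)
            echo "gateway $2 resolved: layer 2 to the upstream is working"
            return 0 ;;
        incomplete)
            echo "gateway $2 incomplete: ARP requests sent, no reply received"
            return 1 ;;
        *)
            echo "gateway $2 not in the ARP table: nothing has tried to reach it yet"
            return 2 ;;
    esac
}

# Live use on the pfSense console, right after pinging the gateway:
#   wan_arp_check "$(arp -an -i em0_vlan10)" 173.57.84.1
wan_arp_check "$SAMPLE_ARP" 173.57.84.1 || :
```

Run it immediately after a ping, as clarknova says, because incomplete entries expire within seconds; an "incomplete" verdict against the gateway while the interface still holds a DHCP address points at the link layer rather than at the rules or NAT shown in the screenshots.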
clarknova:

                You're getting no arp resolution on the WAN, and yet you have an IP address. I don't think dhcp will work without arp resolution, so unless I'm wrong, you had it long enough to get an address, and then you lost it.

                Are you able to get internet access from the FIOS using any other device, like a computer connected directly instead of pfsense?

                You may also need to stop blocking bogons on the WAN. I seem to recall reading on dslreports that some FIOS users had bogon-listed addresses upstream of them.

                db

hmishra:

                  Hmmm… That may be so, but pfsense installed on the dual core power hungry pc I am trying to replace with the laptop and a smart switch works just fine with my FIOS connection. I just have the issue I have outlined here on the smart switch and laptop.

                  Also, the aforementioned dual core pc works just fine with the "block bogon networks" setting checked so it has to be specific to the new config. So, if you have any other suggestions, I am willing to try those out too.

clarknova:

                    I would suggest trying the following.

                    1. Copy the config from the working pfsense to the laptop pfsense. You will have to manually change the vlan and interface information to reflect the difference in hardware.

                    2. Double-check the MAC address info on the WAN to make sure that you are using a valid MAC.

                    3. On the pfsense shell do 'tcpdump -i em0_vlan10 -n' and watch packets come and go on the WAN to see what is working and what isn't. Try renewing the dhcp lease while doing this, ping the gateway, etc. Paste the output here if you want us to have a look at it.

                    db

hmishra:

                      Hi, finally got a chance to try the shell command you mentioned above… with interesting results!

                      With the command running in the shell constantly capturing and logging packets, I get internet access. With it not running, back to no traffic with the same symptoms as described in my previous posts e.g. not being able to ping DNS server from WAN interface etc. Somehow just logging the traffic on the shell with the command somehow fixes the issue. Does that tell you guys anything at all about what the issue might be?

                      I am not sure how to copy the output of the command since I am running it in the shell. If you could tell me a few steps about copying the output and pasting it here, I could do that.

                      I suppose I don't have any issues running the tcpdump command running in the shell indefinitely if there would be no adverse effects but would really like to solve it if possible.

clarknova:

                        Interesting. Maybe your NIC just needs more attention.

                        You can copy from the shell by accessing the shell via ssh (putty if you're in Windows). You'll have to enable the ssh server in pfsense first.

                        db

dreamslacker:

                          Could you try removing Port 2 from VLAN 1?

hmishra:

                            To dreamslacker:

                            I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?

                            To clarknova:

                            Any specific sections or output of tcpdump -i vlan0 -n for anything specific? I have pasted a small sample below.

                            04:43:56.833417 IP 173.57.84.60.28747 > 208.83.244.123.1194: UDP, length 49
                            04:43:56.837783 IP 208.83.244.123.1194 > 173.57.84.60.28747: UDP, length 49
                            04:43:59.802912 IP 173.57.84.60.21579 > 208.83.244.21.123: NTPv4, Client, length 48
                            04:43:59.857742 IP 208.83.244.21.123 > 173.57.84.60.21579: NTPv4, Server, length 48
                            04:44:00.765513 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
                            04:44:00.766951 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
                            04:44:01.373543 IP 173.57.84.60.24484 > 67.18.187.111.123: NTPv4, Client, length 48
                            04:44:01.380244 IP 67.18.187.111.123 > 173.57.84.60.24484: NTPv4, Server, length 48

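Two things are worth taking from the tcpdump sample hmishra pasted. First, the capture itself shows replies arriving on the WAN (NTP and UDP/1194 answers come back to 173.57.84.60), so while tcpdump runs the link really is healthy. Second, tcpdump without `-p` puts the interface into promiscuous mode, which is one explanation consistent with "it only works while the capture runs" on a NIC that is not accepting frames for its spoofed MAC; repeating the capture as `tcpdump -p -i em0_vlan10 -n` and seeing whether the symptom returns would separate that from other causes. The helper below is an added example, not code from the thread or from pfSense: it summarises `tcpdump -n` lines by direction relative to the WAN address and lists peers that were sent packets but never answered. The `tcpdump_summary` name is this example's own, and the sample lines are copied from the post above.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -n` output relative to one WAN address.
# SAMPLE_TCPDUMP is hmishra's pasted capture (a constructed, fixed input here).
SAMPLE_TCPDUMP='04:43:56.833417 IP 173.57.84.60.28747 > 208.83.244.123.1194: UDP, length 49
04:43:56.837783 IP 208.83.244.123.1194 > 173.57.84.60.28747: UDP, length 49
04:43:59.802912 IP 173.57.84.60.21579 > 208.83.244.21.123: NTPv4, Client, length 48
04:43:59.857742 IP 208.83.244.21.123 > 173.57.84.60.21579: NTPv4, Server, length 48
04:44:00.765513 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
04:44:00.766951 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
04:44:01.373543 IP 173.57.84.60.24484 > 67.18.187.111.123: NTPv4, Client, length 48
04:44:01.380244 IP 67.18.187.111.123 > 173.57.84.60.24484: NTPv4, Server, length 48'

# tcpdump_summary LINES WAN_IP
#   line 1: "out=N in=M" (packets sent from / delivered to WAN_IP)
#   then one "no reply from <peer>" line per peer that never answered.
# tcpdump -n prints "<time> IP <src>.<sport> > <dst>.<dport>: <proto> ...",
# so the source is field 3 and the destination is field 5 with a trailing colon.
tcpdump_summary() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $2 == "IP" {
            src = $3; dst = $5
            sub(/\.[0-9]+$/, "", src)     # strip source port
            sub(/\.[0-9]+:$/, "", dst)    # strip destination port and colon
            if (src == wan)      { out++; peers_out[dst]++ }
            else if (dst == wan) { inb++; peers_in[src]++ }
        }
        END {
            printf "out=%d in=%d\n", out, inb
            for (p in peers_out)
                if (!(p in peers_in)) printf "no reply from %s\n", p
        }'
}

# Live use on the pfSense console (capture a fixed number of packets first):
#   tcpdump_summary "$(tcpdump -i em0_vlan10 -n -c 200 2>/dev/null)" 173.57.84.60
tcpdump_summary "$SAMPLE_TCPDUMP" 173.57.84.60
```

On the pasted sample this reports five packets out and three in, and flags 192.168.0.100 as the only unanswered peer; that address is a private LAN host being sent UDP from the WAN address, which is unrelated to the FIOS problem but is the kind of oddity a quick summary makes visible. A capture where "in" stays at zero while the gateway is pinged is the same verdict as an incomplete ARP entry: frames are leaving, nothing is being accepted back.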
dreamslacker:

                              @hmishra:

                              To dreamslacker:

                              I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?

                              Mark vlan 1 membership for port 2 as blank.

hmishra:

                                I did, but it did not work. Screenshot attached. Just ignore the port 8 marked as U. I have tried it all blanks for Port 2 - 8, U for 1 - 8, Port 1 T and rest U, Port 1 T and rest blanks etc. and a few other combinations to no avail. For vlan1, the switch does not allow me to make port 1 as blank but I have tried with both T and U.

                                [Attached screenshot: VLAN-Membership1.GIF]

dreamslacker:

                                  I meant blanking ONLY port 2.

hmishra:

                                    So, you meant blanking port 2 but leave the rest 1 and 3-8 as T or U? I suppose I can try both.

                                    I am pretty sure I have done this combination as well but I will verify again. After doing this, does each step require a reboot or restart of the laptop or switch or the pc accessing it?

clarknova:

                                      If you're just making changes on the switch then no need to reboot anything. The changes will be effected as soon as you hit the Apply or Save button (within a few seconds, anyway). In some cases you may need to reconfigure the interfaces on the connected hosts, like renewing an IP address.

                                      db

dreamslacker:

                                        On second thoughts, blank both ports 1 & 2 on VLAN 1 ONLY and leave the rest as Untagged.
                                        No reboot is required on the switch; if it needs to, it will notify you and power cycle on its own.

hmishra:

                                          The switch does not allow me to blank Port 1. I get a message "Can't remove port 1 from this vlan, its PVID not changed". The only allowed setting for port 1 is either U or T. The rest don't matter and I could have them blank, U or T.

clarknova:

                                            You can't blank port 1 from vlan 1 because the PVID of that port is set to 1. Change the PVID to 10 or 20, then you will be able to blank it.

                                            db

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.