Need help setting up VLAN [SOLVED]
-
Everything in the screenshots appears correct to me. Perhaps there is a problem in your firewall rules or NAT config. Can you ping internet sites from pfsense and get a response? Can you ping a LAN host? Do you have a "Pass from all to all" rule on the LAN? Is Advanced Outbound NAT disabled?
-
Here are my answers and some more screenshots.
- No I cannot ping any internet sites from the pfsense web interface
- The default pass for all rule on the LAN is still active
- Advanced outbound NAT is disabled.
Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.
-
The only other detail I omitted here is that I need to spoof the MAC address of my WAN side because FIOS expects it. Without it, I couldn't even pull the WAN ip. But I thought this is no big deal since I can actually establish a WAN connection, just no internet access. ;)
-
Everything you posted looks in order to me. Can you get a ping response from your WAN gateway? From the DNS servers? Immediately after pinging these try this on the console:
arp -an -i em0_vlan10The above assumes that your WAN interface is named em0_vlan10, which it would be in 2.0beta, but it might be different in 1.2.3.
Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.
Your LAN rule doesn't have logging enabled, so you won't see any logged traffic there. The only firewall logging that is done by default is for the default block rule on the WAN, so unless you disabled that, I would expect to see some blocks in the log after a short time of being connected.
-
Ok, here is what happened.
- No ping response from the WAN gateway. 100% packet loss.
- No ping response from DNS servers. 100% packet loss.
- arp -an -i -em0_vlan10 yields:
? (173.57.84.1) at (incomplete) on em0_vlan10 expires in 19 seconds [vlan]
? (68.238.96.12) at (incomplete) on em0_vlan10 expired [vlan]
? (68.238.64.12) at (incomplete) on em0_vlan10 expired [vlan]
? (173.57.84.60) at <obfuscated wan="" mac="">on em0_vlan10 permanent [vlan]</obfuscated> -
You're getting no arp resolution on the WAN, and yet you have an IP address. I don't think dhcp will work without arp resolution, so unless I'm wrong, you had it long enough to get an address, and then you lost it.
Are you able to get internet access from the FIOS using any other device, like a computer connected directly instead of pfsense?
You may also need to stop blocking bogons on the WAN. I seem to recall reading on dslreports that some FIOS users had bogon-listed addresses upstream of them.
-
Hmmm….That may be so but pfsense installed on the dual core power hungry pc I am trying to replace with the laptop and a smart switch works just fine with my FIOS connection. I just have the issue I have outlined here on the smart switch and laptop.
Also, the aforementioned dual core pc works just fine with the "block bogon networks" setting checked so it has to be specific to the new config. So, if you have any other suggestions, I am willing to try those out too.
-
I would suggest trying the following.
1. Copy the config from the working pfsense to the laptop pfsense. You will have to manually change the vlan and interface information to reflect the difference in hardware.
2. Double-check the MAC address info on the WAN to make sure that you are using a valid MAC.
3. On the pfsense shell do 'tcpdump -i em0_vlan10 -n' and watch packets come and go on the WAN to see what is working and what isn't. Try renewing the dhcp lease while doing this, ping the gateway, etc. Paste the output here if you want us to have a look at it.
-
Hi, finally got a chance to try the shell command you mentioned above…...with interesting results!
With the command running in the shell constantly capturing and logging packets, I get internet access. With it not running, back to no traffic with the same symptoms as described in my previous posts e.g. not being able to ping DNS server from WAN interface etc. Somehow just logging the traffic on the shell with the command somehow fixes the issue. Does that tell you guys anything at all about what the issue might be?
I am not sure how to copy the output of the command since I am running it in the shell. If you could tell me a few steps about copying the output and pasting it here, I could do that.
I suppose I don't have any issues running the tcpdump command running in the shell indefinitely if there would be no adverse effects but would really like to solve it if possible.
-
Interesting. Maybe your NIC just needs more attention.
You can copy from the shell by accessing the shell via ssh (putty if you're in Windows). You'll have to enable the ssh server in pfsense first.
-
Could you try removing Port 2 from VLAN 1?
-
To dreamslacker:
I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?
To clarknova:
Any specific sections or output of tcpdump -i vlan0 -n for anything specific? I have pasted a small sample below.
04:43:56.833417 IP 173.57.84.60.28747 > 208.83.244.123.1194: UDP, length 49
04:43:56.837783 IP 208.83.244.123.1194 > 173.57.84.60.28747: UDP, length 49
04:43:59.802912 IP 173.57.84.60.21579 > 208.83.244.21.123: NTPv4, Client, length 48
04:43:59.857742 IP 208.83.244.21.123 > 173.57.84.60.21579: NTPv4, Server, length 48
04:44:00.765513 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
04:44:00.766951 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
04:44:01.373543 IP 173.57.84.60.24484 > 67.18.187.111.123: NTPv4, Client, length 48
04:44:01.380244 IP 67.18.187.111.123 > 173.57.84.60.24484: NTPv4, Server, length 48 -
To dreamslacker:
I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?
Mark vlan 1 membership for port 2 as blank.
-
I did but it did not work. Screenshot attached. Just ignore the pot 8 marked as U. I have tried it all blanks for Port 2 - 8, U for 1 - 8, Port 1 T and rest U, Port 1 T and rest blanks etc. and few other combinations to no avail. For vlan1, the switch does not allow me to make port 1 as blank but I have tried with both T and U.
-
I meant blanking ONLY port 2.
-
So, you meant blanking port 2 but leave the rest 1 and 3-8 as T or U? I suppose I can try both.
I am pretty sure I have done this combination as well but I will verify again. After doing this, does each step require a reboot or restart of the laptop or switch or the pc accessing it?
-
If you're just making changes on the switch then no need to reboot anything. The changes will be effected as soon as you hit the Apply or Save button (within a few seconds, anyway). In some cases you may need to reconfigure the interfaces on the connected hosts, like renewing an IP address.
-
On second thoughts, blank both ports 1 & 2 on VLAN 1 ONLY and leave the rest as Untagged.
No reboot is required on the switch, if it needs to, it will notify you and power cycle on its own. -
The switch does not allow me to blank Port 1. I get a message "Can't remove port 1 from this vlan, its PVID not changed". The only allowed setting for port 1 is either U or T. The rest don't matter and I could have them blank, U or T.
-
You can't black port 1 from vlan 1 because the PVID of that port is set to 1. Change the pvid to 10 or 20, then you will be able to blank it.