Can't use webConfigurator through VLAN



  • I'm trying to set up a few VLANs on my LAN interface. When I do this, I am no longer able to access the pfSense web GUI.

    Physical Interfaces:
    em0 - WAN (DHCP)
    em1 - LAN (192.168.1.111, which is the IP for my webConfigurator)
    fxp0 - DMZ (192.168.50.x)

    em1 contains the following VLANs:
    VLAN ID 10 - Wired Clients (192.168.2.x)
    VLAN ID 20 - Wireless Clients (192.168.3.x)
    VLAN ID 30 - Server Traffic (192.168.1.x)

    I have set up the VLANs on parent interface em1, and created the virtual interfaces for each VLAN.

    Each virtual interface then has a static IP address in its subnet, where the 'x' is just 1, i.e. 192.168.1.1 for the static IP of the VLAN 30 virtual interface. And I have set up a DHCP server for each of the virtual interfaces to assign IPs in the range of .100-.200.

    (During this whole time of configuration, I've been using the web GUI, directly plugged into the LAN port, NOT through my switch, so I'm basically untagged at this point.)

    So now, when I plug my trunk port into the LAN interface, I can verify on the different switch ports that I'm getting the correct IP addresses for the VLANs. However, when I plug into VLAN 30 (server traffic) and try to reach either 192.168.1.1 (the IP of the virtual interface hosting VLAN 30) or 192.168.1.111 (the LAN IP address), I get a timeout or 404.

    So, how do I get the webConfigurator to pick up on my VLAN 30 traffic, so I can stop accessing it via an untagged port?



  • I suspect you might have to restart the web configurator from the console menu. You might also need firewall rules to allow access from the VLAN.



  • If you have, as wallabybob mentioned, a firewall rule in place allowing access from the VLAN to the pfSense, you should be able to access the GUI via pfSense's respective IP on this subnet,
    e.g. from VLAN20 on 192.168.3.1?, from VLAN10 on 192.168.2.1?

    You currently mix tagged and untagged traffic on em1. You shouldn't do that, since this leads to problems if your MAC is reachable via the untagged and the tagged subnet.

    You also have the same subnet untagged and on VLAN30. (192.168.1.x/24?)
    –> This will not work.



  • @GruensFroeschli:

    If you have, as wallabybob mentioned, a firewall rule in place allowing access from the VLAN to the pfSense, you should be able to access the GUI via pfSense's respective IP on this subnet,
    e.g. from VLAN20 on 192.168.3.1?, from VLAN10 on 192.168.2.1?

    You currently mix tagged and untagged traffic on em1. You shouldn't do that, since this leads to problems if your MAC is reachable via the untagged and the tagged subnet.

    You also have the same subnet untagged and on VLAN30. (192.168.1.x/24?)
    –> This will not work.

    I'd like to fix the tagged and untagged traffic that is on em1, so how would I do that? Eliminate the LAN interface on em1, while leaving the VLAN virtual interfaces that are using em1? I basically want pfSense as a member of my server network, and I didn't know how to get its IP onto VLAN30, hence the same subnet.

    I guess my root problem is how do I get the webConfigurator to listen on a different interface? That way I could remove the IP for the physical interface, and point webConfigurator to listen on the VLAN30 virtual interface.



  • You can assign a VLAN as LAN interface.
    The pfSense always listens on all interfaces.
    –> It's just a matter of creating a firewall rule on the interface to allow traffic.

    From your descriptions, what I would do:
    em0: DHCP --> WAN
    fxp0: 192.168.50.1/24 --> OPT1 (DMZ)
    VLAN10 on em1: 192.168.1.1/24 --> LAN
    VLAN20 on em1: 192.168.2.1/24 --> OPT2
    VLAN30 on em1: 192.168.3.1/24 --> OPT3

    To ensure that you still have access to the pfSense when doing these changes, I would access it via the OPT1 (DMZ) interface.
    Simply create a firewall rule on this interface, allowing traffic to the interface IP.

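    The two problems called out in the reply above (the same subnet on untagged em1 and on VLAN30, and em1 carrying both untagged and tagged traffic) can be checked mechanically before committing an interface plan. The script below is an added example, not pfSense code; the ORIGINAL and PROPOSED plans are constructed from the thread's own addresses, and the interface names are the ones used in the replies.

```python
"""Sanity-check a pfSense interface plan like the one in this thread.
Added example, not pfSense code: flags a subnet assigned to more than one
interface, and a parent NIC used both untagged and as a tagged VLAN trunk."""
import ipaddress
from typing import List, NamedTuple, Optional

class Iface(NamedTuple):
    name: str               # pfSense interface name (WAN, LAN, OPT1, ...)
    parent: str             # physical NIC (em0, em1, fxp0)
    vlan: Optional[int]     # 802.1Q tag, or None for untagged
    network: Optional[str]  # interface address in CIDR, None if DHCP-assigned

def check_plan(plan: List[Iface]) -> List[str]:
    """Return a list of problem strings; an empty list means the plan is clean."""
    problems = []
    # Overlapping subnets: replies for the shared range may leave via either
    # interface, which is why the GUI at 192.168.1.1 / .111 times out above.
    nets = [(i.name, ipaddress.ip_network(i.network, strict=False))
            for i in plan if i.network]
    for idx, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[idx + 1:]:
            if a_net.overlaps(b_net):
                problems.append(f"overlap: {a_name} {a_net} and {b_name} {b_net}")
    # A parent NIC carrying both an untagged address and tagged sub-interfaces.
    modes = {}
    for i in plan:
        modes.setdefault(i.parent, set()).add(i.vlan is None)
    for parent, seen in sorted(modes.items()):
        if seen == {True, False}:
            problems.append(f"mixed tagged/untagged on {parent}")
    return problems

# Constructed from the original poster's description.
ORIGINAL = [
    Iface("WAN", "em0", None, None),
    Iface("LAN", "em1", None, "192.168.1.111/24"),
    Iface("DMZ", "fxp0", None, "192.168.50.1/24"),
    Iface("VLAN10", "em1", 10, "192.168.2.1/24"),
    Iface("VLAN20", "em1", 20, "192.168.3.1/24"),
    Iface("VLAN30", "em1", 30, "192.168.1.1/24"),
]
# The layout proposed in the reply above: em1 carries tagged traffic only.
PROPOSED = [
    Iface("WAN", "em0", None, None),
    Iface("OPT1", "fxp0", None, "192.168.50.1/24"),
    Iface("LAN", "em1", 10, "192.168.1.1/24"),
    Iface("OPT2", "em1", 20, "192.168.2.1/24"),
    Iface("OPT3", "em1", 30, "192.168.3.1/24"),
]
```

    check_plan(ORIGINAL) reports the 192.168.1.0/24 overlap between LAN and VLAN30 and the mixed tagged/untagged use of em1; check_plan(PROPOSED) returns an empty list.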


  • @GruensFroeschli:

    You can assign a VLAN as LAN interface.
    The pfSense always listens on all interfaces.
    –> It's just a matter of creating a firewall rule on the interface to allow traffic.

    From your descriptions, what I would do:
    em0: DHCP --> WAN
    fxp0: 192.168.50.1/24 --> OPT1 (DMZ)
    VLAN10 on em1: 192.168.1.1/24 --> LAN
    VLAN20 on em1: 192.168.2.1/24 --> OPT2
    VLAN30 on em1: 192.168.3.1/24 --> OPT3

    To ensure that you still have access to the pfSense when doing these changes, I would access it via the OPT1 (DMZ) interface.
    Simply create a firewall rule on this interface, allowing traffic to the interface IP.

    Perfect, I understand much better now. I guess with the LAN port being set up by default through the wizard, it automatically creates those rules to access the interface, which I never realized was happening.



  • Ok, I thought I had this figured out, but I must be missing something small here, and I can't quite pinpoint it. I can access the web GUI from the DMZ now, and have firewall rules to permit it. I also have my VLANs set up now too, with rules to permit the CBC_SERVER VLAN access so I can use the web GUI from it, but I can't access the GUI from the CBC_SERVER VLAN. My managed switch is working fine, because I can plug into the different ports, and I get an IP address in the assigned ranges below.

    My Current Setup:

    VLANs:
    CBC_SECURE on interface em1 (VLAN 10)
    CBC_GUEST on interface em1 (VLAN 20)
    CBC_SERVER on interface em1 (VLAN 30)

    Interfaces:
    WAN (assigned by DHCP)
    DMZ (192.168.50.1, DHCP setup to serve .100-.200)
    CBC_SECURE (192.168.2.1, DHCP setup to serve .100-.200)
    CBC_GUEST (192.168.3.1, DHCP setup to serve .100-.200)
    CBC_SERVER (192.168.1.1, DHCP setup to serve .100-.200)

    Firewall Rules:
    DMZ
    Proto     Source    Port  Destination  Port  Gateway  Queue
    TCP/UDP   *         *     DMZ address  80    *        none
    TCP/UDP   *         *     DMZ address  22    *        none
    *         DMZ net   *     *            *     *        none

    I have repeated the above rules for the CBC_SERVER VLAN, replacing DMZ with CBC_SERVER.



  • To debug this:
    Create an allow any protocol from anything to anything on the interface.
    Can you ping the pfSense?
    Which IP are you connecting to?

