NAT assistance with VLAN requested
I've been using pfSense for years and have enjoyed it thoroughly; however, this latest problem has been driving me nuts. Up until recently, I have had my pfSense embedded running happily; however, as time went on, I realized that I would need to establish a second network for testing devices I don't want on my "primary" home network.
My pfSense version is 1.2.3-RELEASE and is running on NanoBSD. It's running on a small embedded device that has two NICs. So far I have managed to create the VLAN (tag 2) and have been able to successfully pull a DHCP lease provided by the pfSense box through my switch, so I know the switch config is good. The issue is that while I can pull a DHCP lease, I can't ping out to anything, DNS resolution fails (both with and without using the DNS relay), and in general no device on the VLAN gets any Internet access.
Here's what I've done so far:
- I created a VLAN interface (vlan0) using VLAN tag 2 off of my LAN network adapter (xl0).
- I have validated that post-configuration, the "default" VLAN (untagged traffic) still works properly and is unaffected.
- I have validated, using tcpdump on a home IDS device, that VLAN traffic is hitting the pfSense box and that the pfSense box only responds to DHCP queries for some reason. The pfSense box does not respond to ICMP requests of any type, and all ports on the vlan0 interface show up as filtered. (Please note, the IDS device should not be considered part of the configuration. It is a passive sensor only.)
- I have created the "default" rule for the OPT1 interface to match that of the LAN interface to ensure that I am allowed to talk to the vlan0 IP and the public Internet.
My configuration is as follows:
fxp0 - WAN interface - Static IP address assigned and working.
xl0 - LAN interface "default VLAN". 192.168.0.1/24
vlan0/OPT1 - VLAN interface from xl0, tagged with vlan 2. 192.168.1.1/24
The default rule in OPT1 is to allow from OPT1 subnet to any, any protocol, any destination, and any destination port.
As stated before, I know that until I added the vlan0/OPT1 interface, this worked perfectly; however, adding a VLAN does not seem to work. I'm pretty sure it's something stupid that I'm overlooking, but I've racked my brain and can't figure it out. Can anyone offer assistance that may get it working? I've done multi-LAN setups before on other pfSense installations; however, this is the first time I've tried this with VLANs using the same LAN interface. Due to the embedded device's only PCI slot being occupied by the LAN interface, I cannot add another NIC to the box.
I appreciate any suggestions you may have. Please feel free to ask questions if I didn't explain something right. Thank you.
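The tcpdump check on the passive IDS sensor described in the post is the most useful piece of evidence in the thread: it shows the tagged frames reaching the box and the box answering only DHCP. The script below is an added example (not part of the original post or of pfSense) that turns that check into a repeatable triage step. It parses `tcpdump -e -nn` output, keeps only frames on a chosen 802.1Q VLAN (or untagged frames), and for each service counts requests addressed to the gateway against replies sent by it, so that "DHCP answered, everything else silent" is stated as a table rather than eyeballed. The capture lines, MAC addresses and client addresses are constructed for the example; the gateway addresses 192.168.1.1 (vlan0/OPT1) and 192.168.0.1 (LAN) are the ones the post gives.

```python
import re

GATEWAY = "192.168.1.1"  # vlan0/OPT1 address from the post

# Constructed sample of `tcpdump -e -nn` output as a passive sensor on the LAN
# side would see it. Not a real capture; MACs, client IPs and timestamps are invented.
SAMPLE = """\
12:00:01.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:01.100000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
12:00:02.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.1.50 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.1.50 > 192.168.1.1: ICMP echo request, id 1, seq 2, length 64
12:00:04.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 75: vlan 2, p 0, ethertype IPv4, 192.168.1.50.51000 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:05.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 78: vlan 2, p 0, ethertype IPv4, 192.168.1.50.51001 > 192.168.1.1.80: Flags [S], seq 1, win 65535, length 0
12:00:06.000000 00:11:22:33:44:66 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 192.168.0.50 > 192.168.0.1: ICMP echo request, id 2, seq 1, length 64
12:00:06.050000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.50: ICMP echo reply, id 2, seq 1, length 64
"""

# One tcpdump -e -nn line: link header, optional 802.1Q header, then "src > dst: rest".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>\S+) > (?P<dmac>[^,]+), ethertype (?P<eth>\S+) \(0x[0-9a-f]+\), length \d+: "
    r"(?:vlan (?P<vlan>\d+), p \d+, ethertype IPv4, )?"
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)


def split_addr(token):
    """tcpdump -nn prints 'a.b.c.d.port' for UDP/TCP and 'a.b.c.d' for ICMP; split accordingly."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_line(line):
    """Return a dict with vlan (None if untagged), src/dst IPs, ports and the payload summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_addr(m["src"])
    dst, dport = split_addr(m["dst"])
    vlan = int(m["vlan"]) if m["vlan"] else None
    return {"vlan": vlan, "src": src, "sport": sport, "dst": dst, "dport": dport, "rest": m["rest"]}


def classify(pkt):
    """Map a packet to (service, is_reply); None for traffic this triage does not score."""
    rest = pkt["rest"]
    if rest.startswith("BOOTP/DHCP"):
        return "dhcp", "Reply" in rest
    if rest.startswith("ICMP echo"):
        return "icmp-echo", rest.startswith("ICMP echo reply")
    if pkt["dport"] == 53:
        return "dns", False
    if pkt["sport"] == 53:
        return "dns", True
    if "Flags [S]" in rest:                       # TCP SYN towards a service
        return f"tcp/{pkt['dport']}", False
    if "Flags [S.]" in rest or "Flags [R.]" in rest:  # SYN-ACK or RST: the host answered
        return f"tcp/{pkt['sport']}", True
    return None


def reply_matrix(capture, gateway, vlan=None):
    """Per service: requests addressed to the gateway vs replies it sent, on one VLAN (None = untagged)."""
    counts = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["vlan"] != vlan:
            continue
        c = classify(pkt)
        if c is None:
            continue
        service, is_reply = c
        # DHCP discovers are broadcast, so accept the broadcast address as "to the gateway".
        if not is_reply and pkt["dst"] not in (gateway, "255.255.255.255"):
            continue
        if is_reply and pkt["src"] != gateway:
            continue
        entry = counts.setdefault(service, {"requests": 0, "replies": 0})
        entry["replies" if is_reply else "requests"] += 1
    return counts


def unanswered(counts):
    """Services that were asked for on the wire but never answered by the gateway."""
    return sorted(s for s, c in counts.items() if c["requests"] and not c["replies"])


if __name__ == "__main__":
    for label, gw, tag in (("vlan 2", GATEWAY, 2), ("untagged LAN", "192.168.0.1", None)):
        matrix = reply_matrix(SAMPLE, gw, vlan=tag)
        print(f"{label}: {matrix}")
        print(f"  unanswered: {unanswered(matrix) or 'none'}")
```

Run against the sample it reports DHCP as answered and ICMP echo, DNS and TCP/80 as unanswered on VLAN 2, while the untagged LAN echo is answered, which is exactly the split the post describes. The limit of a passive capture is that it cannot tell whether an unanswered request was dropped by the firewall or never processed by the interface at all; that is the point at which to look at the pfSense side (interface state and firewall logs) rather than at the switch.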
It appears as if the 3com switch I had was not playing nice with the VLAN configuration from pfSense. I purchased a Cisco device and will retest.
This issue has a workaround: http://forum.pfsense.org/index.php/topic,42971.0.html
It was due to a MAC address issue on the LAN interface. Click the link above for a workaround.
Note: Posted for historical reasons, in case someone has the same issue I did.