Single NIC on pfSense using VLANs - not working. EDIT: FIXED
-
For some reason (probably ineptitude) I can't seem to get a single NIC / VLAN configuration to work. Setup:
pfSense 2.0-RELEASE, i386, currently on Hamakua box…trying single NIC as proof of concept with idea of moving to smaller box, perhaps a Mac Mini.
Using em3 for VLANS : em3_vlan10 - LAN, em3_vlan20 - Wireless LAN, em3_vlan900 - WAN.
Switch is Trendnet TEG-160WS v. 2.02.
Ports 1-8, VLAN 10, untagged, client access ports.
Ports 9, 11, 13, VLAN 20, untagged, client access ports.
Port 15, VLAN 900, untagged (WAN connection).
Port 16, trunked, VLANs 10, 20, 900 all tagged, to port em3 on the pfSense box.Clients on the LAN and WAN ports can see each other but not the pfSense box.
With a normal multi-NIC configuration, VPNs on the switch work fine, isolating WLAN from LAN.
It seems as though trunking is not working but I'm not sure why. Any help would be much appreciated. -
I am guessing that you have a managed switch. If your clients can see each other, then you either did something wrong in the config or you modified the config and didn't apply it.
-
Config as in the OP has been verified by switch settings GUI. Clients of VLANs can see each other (within, not between, VLANs); clients cannot see the pfSense router.
Router, FWIW, was rebooted after VLAN configuration per comment in pfSense book that some NICs require a restart for VLAN operation.
-
I presume each of your pfSense VLAN interfaces belongs to a different IP subnet.
What sort of access to pfSense are you attempting and what is reported when you attempt it?
I suggest you pick one of the VLANs (say 10) and a computer on that VLAN and on the selected computer issue a ping to the IP address of the pfSense interface for that VLAN. What response do you see?
-
I presume each of your pfSense VLAN interfaces belongs to a different IP subnet.
Correct.
What sort of access to pfSense are you attempting and what is reported when you attempt it?
Ping, HTTPS to the web interface. Pings time out, as does the web access.
I suggest you pick one of the VLANs (say 10) and a computer on that VLAN and on the selected computer issue a ping to the IP address of the pfSense interface for that VLAN. What response do you see?
As noted above, pings time out.
-
Lets work with VLAN 10 and a particular client on VLAN 10 for now. Is that client configured to get its IP address by DHCP? What is its IP address?
-
Well, thanks for the hint on DHCP; this is getting interesting.
VLAN 10 client can acquire a DHCP address from pfSense. So can a VLAN 20 client. Both are correct (they're reserved by MAC address).
I can, through the console, force pfSense to acquire a DHCP address from my edge router (Verizon FiOS).However: No client has WAN (internet) access. Nor can I ping the edge router or the pfSense box. Nor can I reach the web GUI of pfSense on either VLAN 10 or 20.
-
Sounds like you're missing firewall rules on those VLAN interfaces so everything's getting blocked.
-
You have previously stated that VLAN 10 is assigned as the pfSense LAN interface. The default firewall rules for the pfSense LAN interface allow access anywhere. Therefore on systems connected to the pfSense LAN interface (VLAN 10) it should be possible to access the pfSense GUI and get a ping response from the IP address of the pfSense LAN interface.
Given that you say a VLAN 10 client got its IP address by DHCP from pfSense it is now hard to see why a VLAN 10 client doesn't get a response to a ping to pfSense LAN IP address.
Has the switch ever been a DHCP server? Does the pfSense DHCP log (Status -> System Logs, click on the DHCP tab) confirm that the pfSense box answered a DHCP request from the VLAN 10 client?
What firewall rules does pfSense have on the LAN interface? Have you ever changed the default firewall rules on the pfSense LAN interface? Please start a ping on the VLAN 10 client and then take a packet capture (say 20 packets) on the client and on the pfSense physical interface supporting VLAN 10 and post the captures here. -
@cmb:
Sounds like you're missing firewall rules on those VLAN interfaces so everything's getting blocked.
You have previously stated that VLAN 10 is assigned as the pfSense LAN interface. The default firewall rules for the pfSense LAN interface allow access anywhere. Therefore on systems connected to the pfSense LAN interface (VLAN 10) it should be possible to access the pfSense GUI and get a ping response from the IP address of the pfSense LAN interface.
A bit more by way of explanation: I have only one pfSense machine configured. I am switching between what I will call "normal" configuration (separate NICs for WAN, LAN, and WLAN) and the VLAN configuration described in the OP. This is done in the console by using option 1 to reassign interfaces. I am not changing firewall rules at all, and the rules do not appear to be affected by the interface reassignment between VLANs and separate physical NICs. This makes it difficult for me to understand why the pfSense box responds differently between configurations.
Given that you say a VLAN 10 client got its IP address by DHCP from pfSense it is now hard to see why a VLAN 10 client doesn't get a response to a ping to pfSense LAN IP address.
Has the switch ever been a DHCP server? Does the pfSense DHCP log (Status -> System Logs, click on the DHCP tab) confirm that the pfSense box answered a DHCP request from the VLAN 10 client?
What firewall rules does pfSense have on the LAN interface? Have you ever changed the default firewall rules on the pfSense LAN interface? Please start a ping on the VLAN 10 client and then take a packet capture (say 20 packets) on the client and on the pfSense physical interface supporting VLAN 10 and post the captures here.The log shows that the DHCP request from the client was served by pfSense; it's the only DHCP server on the network and the switch does not have a DHCP server capability.
Firewall rules: As noted above, I am not changing the rules between VLAN and normal modes; in normal mode everything works (clients can reach the internet/WAN, permitted clients can reach the pfSense GUI, clients can ping pfSense.)
Packet capture shows that pings are originated by the client, received by pfSense, but not replied to by pfSense. Packet capture also shows normal DHCP handshaking. I can try to post a screen cap of the ping captures if needed, but they simply show origination and receipt, but no reply being sent from pfSense. (BTW, I'm doing the captures in pfSense using the GUI, by NOT configuring the WLAN to use VLAN trunking and leaving it on a separate NIC. I'm using Wireshark on the client.)
Thanks for your help…given that firewall rules aren't changing between configurations, and DHCP works but other services don't, I'm really at a loss as to what might be going on.
-
But do you have any firewall rules on vlan interface?
-
But do you have any firewall rules on vlan interface?
I've been discussing a VLAN interface that has been reported as being assigned LAN so firewall rules shouldn't be an issue but given that the configuration is a little unusual in being reset at boot time its worth checking that.
given that firewall rules aren't changing between configurations, and DHCP works but other services don't, I'm really at a loss as to what might be going on.
I'm puzzled too. Perhaps things will become clear when we get more specific details.
Have you ever rebooted after changing the configuration to use VLANs and then the system to the VLAN configuration you set on the previous startup? (This would mean the system started with the VLAN configuration.) Though I can't recall the specifics I have seen some problems when changing significant network parameters through the console. If such a reboot doesn't clear things up on VLAN 10 (LAN interface) I suggest you restart the client on VLAN 10 and start a ping to the pfSense LAN interface IP address THEN collect the following details (I assume you have access to the console):
-
the interface name on which DHCP requests from the client on VLAN 10 were received: the bold part in the output from the following pfSense shell command:
# date; clog /var/log/dhcpd.log | grep DHCPDISCOVER
Nov 20 15:24:15 dhcpd: DHCPDISCOVER from 00:30:18:b0:19:85 (pfsense2) via bridge0 -
The output from the pfSense shell command:
# date; clog /var/log/filter.log | tail -10
-
-
Have you ever rebooted after changing the configuration to use VLANs and then the system to the VLAN configuration you set on the previous startup? (This would mean the system started with the VLAN configuration.) Though I can't recall the specifics I have seen some problems when changing significant network parameters through the console.
In short, rebooting pfSense fixed everything; Thank you so much.
I had rebooted once before, due to a caution in the pfSense book that some NICs required it the first time a VLAN was set up. Not sure why that didn't do the trick. I had also noticed that (in the console) after assigning interfaces to the VLAN, I also needed to reset the interface IP addresses, even though they appeared correct in the console; that may have been a clue that things were not going exactly as they should have.
So this time, I assigned LAN to em3_vlan10 and WAN to em3_vlan900, changed the cabling to reflect that, and rebooted pfSense. When pfSense came up, the LAN and WAN were working properly through the VLAN trunk to pfSense. After verifying that LAN and WAN were connected properly, I used the pfSense GUI to add VLAN 20 to em3 and assign em3_vlan20 to the WLAN; changed cable for the WLAN and it came up without needing to reboot.
Thanks much again for your help. It seems that Occam's Razor is still valid. Perhaps this saga will be of help to others attempting similar configurations. Your point about significant changes through the console perhaps not taking effect properly and therefore possibly requiring a reboot is one that should be kept in mind when working with pfSense.
-
Great you have it working. Thanks for reporting back.
-
Hi, i have a setup here..
i tried setting UP 3 VLANS… VLAN10, VLAN20 and VLAN30
my lan IP is, 10.0.0.10/24
VLAN10 = 10.0.10.1/24
VLAN20 = 10.0.20.1/24
VLAN30 = 10.0.30.1/24All DHCP Enabled on all VLANS..
Manageable Switch (Netgear GS108T)
Port:
1 VLAN 1 - MacMini with PFsense VM.
2 VLAN10
3 VLAN10
4 VLAN20
5 VLAN20
6 VLAN30
7 VLAN30
8 VLAN30i tried transfering my mac mini to any of the ports with vlan10 and vlan20, cant get any IP from dhcp.
appreciate any help. thanks
-
i tried transfering my mac mini to any of the ports with vlan10 and vlan20, cant get any IP from dhcp.
It is probably not good form to add a problem to the end of a topic marked "FIXED".
There isn't anywhere enough information here to diagnose the problem. For starters, where is the DHCP server? What interfaces are on the pfSense VM? What vmware interfaces are the pfSense interfaces bound to?
-
That port where is pfsense connected should have vlan 10,20 & 30 tagged and vlan 1 untagged.
-
Opps. sorry @wallabybob.
@wallabybob : DHCP server is at VLAN10, 20,30 in PFSENSE which located at my Macmini VMware.. maybe i should make a new post for this. thanks..
@Metu69salemi: Thanks .. ill try that