Custom VLAN setup - help needed!
-
Reading through this there seems to be quite a bit of confusion. ;)
You shouldn't need to switch to manual outbound NAT in my opinion.
It's important to make the distinction between Network Ports which are either physical ethernet interfaces (em0, em1 etc) or virtual interfaces (vlan1, pppoe1 etc) and pfSense Interfaces (WAN, LAN, OPT1 etc).
There's nothing special about any of pfSense's interfaces, they are just names, and they can be assigned any of the network ports. pfSense distinguishes only between interfaces that have a gateway (usually external) and those that don't (usually internal).
Hmm, not sure I'm reducing the confusion. ::)
Steve
-
Hi steve,
Without disabling outbound nat, all traffic between vlans will have pfsense ip as source.
This may not be a good choice in my opinion.
-
Without disabling outbound nat, all traffic between vlans will have pfsense ip as source.
That's not true, only if you have a gateway chosen under Interfaces>(VLAN interface name) page will the source be NATed. That should only be done on Internet connections, so it will never happen on VLANs unless they're configured as an Internet connection.
-
This may be something that started on 2.0 too, because on 1.2.3 I always had to disable automatic NAT when using VLANs.
One more note for me.
Sorry for that.
-
1.2.3 was exactly the same there, if you don't have a gateway specified on an interface, it does not NAT out of that interface. If you do have a gateway, or it's set to a dynamic interface type (DHCP, PPPoE, etc.) it does NAT out of that interface since almost always that's going to be an Internet connection, where NAT is required.
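To make the rule cmb describes concrete, here is a small model of automatic outbound NAT, written for this thread (it is not pfSense's own code or config). It assumes a made-up interface layout: a PPPoE WAN on pppoe0 and three gateway-less interfaces on em1/VLANs with constructed subnets. Only interfaces that have a gateway, explicitly chosen or implied by a dynamic type such as DHCP or PPPoE, ever get a translation rule, so VLAN-to-VLAN traffic keeps its real source address even with NAT left on automatic.

```python
from dataclasses import dataclass
from typing import List, Optional

# Interface types that obtain their gateway dynamically; pfSense treats them
# like explicit-gateway interfaces for outbound NAT (assumption modelled on
# cmb's description above, not taken from pfSense source).
DYNAMIC_TYPES = {"dhcp", "pppoe", "pptp"}


@dataclass
class Iface:
    name: str                      # pfSense interface name: WAN, LAN, OPT1 ...
    port: str                      # underlying network port: em0, vlan10, pppoe0 ...
    ipconfig: str                  # "static", "dhcp", "pppoe", ...
    subnet: Optional[str] = None   # local subnet (CIDR) for static interfaces
    gateway: Optional[str] = None  # gateway chosen on the Interfaces page, if any


def has_gateway(iface: Iface) -> bool:
    """True when the interface has a gateway, explicit or dynamic: these are
    the only interfaces automatic outbound NAT translates out of."""
    return iface.gateway is not None or iface.ipconfig in DYNAMIC_TYPES


def automatic_outbound_rules(ifaces: List[Iface]) -> List[str]:
    """Generate pf-style rules the way automatic outbound NAT does: every
    internal subnet is translated on every gateway interface, and no rule is
    produced for traffic leaving an internal (gateway-less) interface."""
    gateway_ifaces = [i for i in ifaces if has_gateway(i)]
    internal = [i for i in ifaces if not has_gateway(i) and i.subnet]
    rules = []
    for out in gateway_ifaces:
        for src in internal:
            rules.append(f"nat on {out.port} from {src.subnet} to any -> ({out.port})")
    return rules


def nat_applies(ifaces: List[Iface], out_name: str) -> bool:
    """Is traffic leaving pfSense via interface `out_name` source-NATed?"""
    by_name = {i.name: i for i in ifaces}
    return has_gateway(by_name[out_name])


def example_interfaces() -> List[Iface]:
    """Constructed layout resembling the thread: PPPoE WAN plus a LAN and two
    VLAN interfaces (addresses are made up for the example)."""
    return [
        Iface("WAN", "pppoe0", "pppoe"),
        Iface("LAN", "em1", "static", subnet="192.168.0.0/24"),
        Iface("VLAN10", "vlan10", "static", subnet="192.168.10.0/24"),
        Iface("VLAN20", "vlan20", "static", subnet="192.168.20.0/24"),
    ]


if __name__ == "__main__":
    ifs = example_interfaces()
    for rule in automatic_outbound_rules(ifs):
        print(rule)
    for name in ("WAN", "VLAN10", "VLAN20"):
        state = "applies" if nat_applies(ifs, name) else "does not apply"
        print(f"{name}: source NAT {state}")
```

Running it prints three `nat on pppoe0 ...` rules, one per internal subnet, and reports that NAT does not apply on VLAN10 or VLAN20. Adding a gateway to a VLAN interface (the mistake the thread warns about) flips `has_gateway` for it and is the only way that interface would start translating.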
-
Aah, ok! I have had some success now thanks to you marcelloc (but I'm not finished with you yet ;)
I also see others have jumped in - thank you so much for sharing!
I think the whole em1 -> vlan1 192.168.0.1 was key here - thank you for explaining that in a different way for me.
I went ahead and moved everything into its respective VLAN's, setup the trunk, and added the rules and this time I've got it working :)
My next question is: Now that everything is working, I want to change the IP address of the LAN interface on pfsense to be 192.168.5.1 instead of 192.168.0.1 - this way I can start to set up OpenVPN without worrying about duplicating IPs. Can I just go into the interface, change the IP and be good to go? Or will it totally trash my setup if I try to change it? I'm not using the default VLAN on the switch for anything anymore (I changed the mgmt VLAN to VLAN 30 so only one of my wired mgmt PCs can get to it), so I think that changing pfsense's LAN IP to 192.168.5.1 should work, as pfsense is literally the only thing left with an IP in the 192.168.0.x subnet, a subnet which really doesn't even exist anymore - thoughts?
Another question: It looks like this may still be up for debate, but I left the outbound NAT at default, and everything is working. You had suggested disabling it and creating rules instead- I just have rules right now that allow everything, but outbound NAT is still default - can I just turn NAT to manual and everything will still work (and I can slowly lock everything down with better rules)? Or will I need to re-create specific rules that would mimic what the default outbound NAT does?
From what I see below, I did not specify a gateway under the interface, so I'm guessing that because my WAN connection is PPPoE any traffic that hits it (i.e. any outbound traffic) will get NAT'ed to the WAN IP - thoughts?
Thanks again for all of your help so far, you guys rock.
-
My next question is: Now that everything is working, I want to change the IP address of the LAN interface on pfsense to be 192.168.5.1 instead of 192.168.0.1 - this way I can start to set up OpenVPN without worrying about duplicating IPs. Can I just go into the interface, change the IP and be good to go? Or will it totally trash my setup if I try to change it? I'm not using the default VLAN on the switch for anything anymore (I changed the mgmt VLAN to VLAN 30 so only one of my wired mgmt PCs can get to it), so I think that changing pfsense's LAN IP to 192.168.5.1 should work, as pfsense is literally the only thing left with an IP in the 192.168.0.x subnet, a subnet which really doesn't even exist anymore - thoughts?
If you are on the right vlan, you can use any network range you want. :)
Another question: It looks like this may still be up for debate, but I left the outbound NAT at default, and everything is working. You had suggested disabling it and creating rules instead- I just have rules right now that allow everything, but outbound NAT is still default - can I just turn NAT to manual and everything will still work (and I can slowly lock everything down with better rules)? Or will I need to re-create specific rules that would mimic what the default outbound NAT does?
From what I see below, I did not specify a gateway under the interface, so I'm guessing that because my WAN connection is PPPoE any traffic that hits it (i.e. any outbound traffic) will get NAT'ed to the WAN IP - thoughts?
Keep NAT on automatic just like cmb said. It will work.
-
Thanks again marcelloc.
Ok, I've accomplished everything I've set out to with pfsense so far, but I have one last question/issue (it changes gears a bit).
Everything on my network is now good to go, except that I separated my wireless into a VLAN and my media into a VLAN - the one issue that caused is that my wife has an app on her iPhone that streams movies via UPnP/DLNA from my NAS to her iPhone - the NAS is now in a separate VLAN from her iPhone (NAS in the media VLAN and iPhone in the wireless VLAN), so the app cannot discover the NAS anymore. I need to get this one last thing working for her before I can declare this deployment complete - from a starting phase at least :)
What would be the best way to get the iPhone to discover the NAS as if it were in the same L2 network (even though it isn't)? Could I set up a port-forwarding rule that forwards any traffic coming in on the wireless VLAN on the UPnP/DLNA ports to the media VLAN? Thoughts?
Thanks!
-
This last answer I do not have. :(
Take a look on services->UPnP & NAT-PMP Settings to see if it helps.
-
So while waiting I tried a couple of things - below is a screenshot of the port forwarding rule I created, but of course it does not work (and I'm sure there is an obvious reason why, as this is my first time):
Can you take a look and help me out? I'm trying to go from "iPhone in VLAN10 -> NAS in VLAN20", trying to port forward the UPnP ports (1900 UDP, 2869 TCP - is this even right?) from the iPhone to the NAS, so that when the iPhone app does a discovery the UPnP traffic gets forwarded to the media VLAN (specifically the NAS box - 192.168.20.54) and the iPhone can see the NAS box and stream UPnP from it. Thoughts?
-
try to change source port to any on this nat rule.
-
changed the source port to any - still no luck.
I tried a couple of other things with no luck as well.
Google isn't being very helpful in the matter either (everything is about how to hook up an xbox to pfsense, and it is setup differently than this would be).
Any other ideas? Should I start another thread on this topic of upnp forwarding?
Thanks!
-
This is an interesting problem. :)
If you imagine this working as a traditional WAN-LAN port forward you should have the destination address as 'VLAN10 address'. However if you do that with so many ports a lot of stuff might stop working.
You could perhaps add a virtual IP address to the VLAN10 interface and forward ports with that as destination.
Hmmm. Can you not simply set the address of the server in the iPhone app?
Steve
Edit: I think you have selected a range of ports 1900 to 2869, whereas UPnP uses only two ports, 1900 and 2869.
It's hard to know how this might work. You would usually have NAT running between WAN and LAN but that isn't the case in your situation.
Port forwarding 1900 and 2869 on the VLAN10 interface would prevent UPnP working to open NAT holes to WAN for other services. Maybe not a problem.
-
Hi Steve-
I like the virtual IP idea - I will have to try to wrap my head around that concept.
The app doesn't let me set the address of the server, it just discovers whatever it can see, but its one of the only upnp/dnla apps that actually works well with the NAS box.
P.S.- I started a new thread on the upnp port forwarding - I hope to see you there!
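An added illustration of the discovery step the thread is stuck on, written for this page and not code from any poster or from pfSense. SSDP discovery (the M-SEARCH the app sends when it "discovers whatever it can see") is sent to the multicast group 239.255.255.250 on UDP 1900, never to the router's VLAN10 address, so a port-forward rule keyed on the VLAN10 interface address (as in the screenshot rule) never matches the discovery packet; only the later unicast exchange could. The packet contents, host addresses (192.168.10.23 for the phone, 192.168.10.1 for the VLAN10 interface) and the rule model are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = 1900                                      # UPnP discovery port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class PortForward:
    """Minimal model of a port-forward rule: destination address, destination
    port range, and the host the traffic is redirected to (an assumption, not
    pfSense's rule format)."""
    dst_ip: str
    port_lo: int
    port_hi: int
    target: str


def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP datagram (HTTP-over-UDP) into its start line and headers."""
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def classify(pkt: Packet) -> str:
    """Is this the multicast discovery itself or a unicast answer to it?"""
    if ipaddress.ip_address(pkt.dst) == SSDP_GROUP and pkt.dport == SSDP_PORT:
        return "multicast-discovery"      # M-SEARCH / NOTIFY sent to the group
    msg = parse_ssdp(pkt.payload)
    if msg["start_line"].startswith("HTTP/1.1 200"):
        return "unicast-response"         # server answering the searcher directly
    return "other"


def rule_matches(rule: PortForward, pkt: Packet) -> bool:
    """Would a forward keyed on destination address and port see this packet?"""
    return pkt.dst == rule.dst_ip and rule.port_lo <= pkt.dport <= rule.port_hi


# Constructed sample traffic (not captured from the poster's network).
IPHONE, VLAN10_IF, NAS = "192.168.10.23", "192.168.10.1", "192.168.20.54"

M_SEARCH = Packet(IPHONE, str(SSDP_GROUP), SSDP_PORT, (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"))

SEARCH_REPLY = Packet(NAS, IPHONE, 54321, (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.20.54:2869/description.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"))

# The rule from the thread: forward port 1900 arriving at the VLAN10 address to the NAS.
FORWARD_1900 = PortForward(VLAN10_IF, 1900, 1900, NAS)


if __name__ == "__main__":
    for pkt in (M_SEARCH, SEARCH_REPLY):
        print(classify(pkt), "- matched by forward:", rule_matches(FORWARD_1900, pkt))
```

The output shows the M-SEARCH classified as multicast discovery and not matched by the forward, which is why the rule in the screenshot cannot help: the discovery never arrives at the address the rule is watching. This is also the check to run first when a discovery-based app fails across VLANs, before touching NAT or firewall rules.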
-
Sorry I edited while you were typing!
I'll read your other thread.
Steve