VLAN Issue
-
Can you run wireshark or tcpdump on the machine you're trying to get traffic to to verify that it's not getting through? Or do you know for a fact that none of the traffic is touching it?
Sadly I can't, since every "machine" on the network on a regular basis I control is a Wi-Fi AP or a small smart switch. I could, next time I'm on site, put a machine on it running wireshark and attempt to VPN in from my iPad… there's an OVPN iPad client now. I'll do that next time I'm on site if I get a chance to.
-
I honestly can't find anything wrong with your firewall or routing tables. Could you post a simplified version of your topology when you get a chance? If you have an intermediary L3 device, I'm thinking your issue may be similar to what was going on with me, but I don't believe at this point that it's pf's fault.
-
Okay here's the basic text description:
WAN 1 is Montana Digital (mtdig.net) 72.250.187.21
WAN 2 is CenturyLink PPPoE
both feed into pfSense
Local side of pfSense is one port - three VLAN's. VLAN 69 - 172.21.12.1/22, VLAN 15 - 172.16.16.1/22, VLAN 763 - 192.168.41.1/24This feeds a MikroTik RB 250/GS 5-port switch.
One of these ports feeds a Raspberry Pi (and is a VLAN 69 access port) for RADIUS
The rest are trunk ports of which two are used (one free port):
One feeds a Trendnet PoE 8-port switch which feeds an EnGenius ENH-200, a Trendnet TEW-653AP and a Buffalo WHR-HP-G300NOne feeds another building which has a small 8-port ASUS Gigabit Unmanaged Switch which in turn feeds:
A EnGenius EAP-600
A Buffalo WHR-HP-G300N
An EnGenius ENH-202
An Ubiquiti Nanostation M5 in WDS-AP modeThe Nanostation M5 has three clients in WDS-STA mode, which feed:
Nanostation Loco M5 #1:
Another ASUS unmanaged switch connected to:
EnGenius ENH-202
EnGenius ENH-500
EnGenius EAP-300Nanostation Loco M5 #2:
Another MikroTik RB/250GS feeding:
Trunk: Trendnet PoE switch connected to an EnGenius EAP600 (more devices to come, LOL)
Access 763: Audio DSP (forgot the make/model)
Access 763: Buffalo WHR-HP-G300NNanostation Loco M5 #3:
Buffalo WHR-HP-G300NAll except the AP for the sound techs are on receiving all VLAN's and set to management on VLAN 69. This has all worked very well historically, I reinstalled pfSense and upgraded from a snap several months old when I needed to add a new NIC to support the second WAN connection. (which itself is a pain, I didn't know Squid didn't load balance so I'm trying to learn how to do that, but that's unrelated obviously)
-
No intermediary L3 devices, can't get traffic that originates on the VPN side through, I'm stumped. Unless your default gateway is wrong on your machines (I'm assuming it's the pfSense IP for each respective VLAN), I can't find a reason your configuration isn't working without knowing your network/config more in-depth. Good luck with it!
-
No intermediary L3 devices, can't get traffic that originates on the VPN side through, I'm stumped. Unless your default gateway is wrong on your machines (I'm assuming it's the pfSense IP for each respective VLAN), I can't find a reason your configuration isn't working without knowing your network/config more in-depth. Good luck with it!
Default gateway is the pfSense IP for VLAN_69 on everything. I think I've tracked down the problem as an OpenVPN issue though more than a firewall issue. All that testing was with the OpenVPN client for Windows which had been working and suddenly stopped with no config changes (couldn't get traffic to anything). I just installed the client for iPad and for Android. Lots of random disconnects, especially on the Android version, but both 95% work - definitely enough to be usable for my purposes. I changed NOTHING on the Windows client from when it was working though. I sure wish the OpenVPN setup on pfSense worked with Fedora (it doesn't even let you try because there's no certificate password).
So, it seems the only issue I'm having that's actually possibly VLAN caused (I still need to figure out load balancing Squid but that's obviously a topic for another thread) is need for the seemingly redundant allow from any rule on the LAN side (since as said, established states should just be allowed).
Thanks for the good wishes on sorting this out :) I really am trying to be as useful as I can be with this.
-
Can you make a network diagram? gliffy.com . Are you seeing the mac address of the default gateways on the various subnets? (arp -a in windows will show you your arp table) Not sure how to do it in FreeBSD. I'm thinking that you might have a switching loop on your network. Also are your trunk ports tagged vlan ports. Are you sending tagged traffic to a end device? Most computers and access points will drop tagged traffic unless they are configured to deal with the extra 4 bytes. I like a puzzle, looking forward to seeing your diagram.
-
Can you make a network diagram? gliffy.com . Are you seeing the mac address of the default gateways on the various subnets? (arp -a in windows will show you your arp table) Not sure how to do it in FreeBSD. I'm thinking that you might have a switching loop on your network. Also are your trunk ports tagged vlan ports. Are you sending tagged traffic to a end device? Most computers and access points will drop tagged traffic unless they are configured to deal with the extra 4 bytes. I like a puzzle, looking forward to seeing your diagram.
I'm adding a few AP's and a couple more little MikroTik switches to create access ports NEXT weekend but as of today, here's how it looks:
http://www.gliffy.com/go/publish/4535154/
The access points are configured to deal with tagged traffic as we run separate SSID's on each VLAN. Nobody is plugging into a trunk port directly (nobody gets to come in and plug into ANY port anymore for that matter since the switches that accomplished that broke)
P.S. As I noted this same basic setup used to work perfectly fine without any "extra" rules. Thanks a ton for your help! It seems to be mostly working now, I think all my OpenVPN issues are actually my internet connection where I live.
-
Okay if you said it's working then I will leave enough alone. I know you said it worked before but from your diagram you are using unmanaged switches with shouldn't pass tagged traffic. No if they are on access ports assigned to specific vlans then there should be no problem there. However if you send tagged traffic into a access port most unmanaged switches I would think would drop it. Just something to look at. Just wanted to offer my input, let me know if I could be of any further assistance? By the way I have a EnGenius EAP 600 Access Point in my house, that is a sweet piece of gear.
-
Okay if you said it's working then I will leave enough alone. I know you said it worked before but from your diagram you are using unmanaged switches with shouldn't pass tagged traffic. No if they are on access ports assigned to specific vlans then there should be no problem there. However if you send tagged traffic into a access port most unmanaged switches I would think would drop it. Just something to look at. Just wanted to offer my input, let me know if I could be of any further assistance? By the way I have a EnGenius EAP 600 Access Point in my house, that is a sweet piece of gear.
MOST unmanaged switches pass tagged traffic just fine. They don't do anything with the tags, nor do they need to in this application. Some will drop tagged frames, but they generally don't - and shouldn't. They aren't smart enough to know what the tags are, and if behaving properly they just ignore them.
It seems to be working okay now, though I had to roll back last night's pfSense snap - I made a new thread for that!
Yes, the EAP600 is very nice, I was a beta tester for them and they're fantastic for the price. They've got a removable-antenna version the ECB600 coming soon.
-
This affects this particular install so little, I haven't had time to worry about it - but I still can't get traffic between interfaces at all most of the time (sometimes it works, the extra rule had nothing to do with it, it's actually rather random, and hasn't worked in weeks). I'm on the latest snapshot tonight and… nothing. Firewall to any address is fine. Any address to another interface's firewall address is fine. Any LAN interface out to the Internet is fine. But pinging a machine on another LAN interface or connecting to it in any way? Just silently blocked (it doesn't show up in the firewall logs, it just doesn't work).
I'm at a total loss for why - my rules should definitely be allowing this traffic to the best of my understanding.