PfSense & Netgear Smart Switch - VLAN Problems



  • I'm attempting to setup a isolated VLAN to separate my work equipment and my personal equipment.  For the life of me, I cannot get my Netgear GS724T v3 smart switch and pfSense setup to get any sort of VLAN traffic to work.

    The VLAN tag I created is 10, but I get no DHCP lease or anything once it's all said and done.  Can anyone see where something in the screenshots below might be the cause?

    VLAN interface setup

    Interface Setup

    Firewall Rule

    DHCP Server setup

    Switch Access Port Assignment

    Switch PVID Assignment



  • I see you created the vlan, and configured the opt1.
    2 questions:

    • Did you assign opt1 correctly? (pse show me screenshot of interfaces -> (assign) )

    • Other than that, in the switch you only seem to have configured 1 interface (23) as vlan 10 member, and it's untagged?

    Not trying to be rude (open question here); what are you trying to accomplish? One interface on pfSense with multiple vlans, or just some vlans on your switch and equally as much physical connections on your pfSense?



  • @bennyc:

    I see you created the vlan, and configured the opt1.
    2 questions:

    • Did you assign opt1 correctly? (pse show me screenshot of interfaces -> (assign) )

    • Other than that, in the switch you only seem to have configured 1 interface (23) as vlan 10 member, and it's untagged?

    Not trying to be rude (open question here); what are you trying to accomplish? One interface on pfSense with multiple vlans, or just some vlans on your switch and equally as much physical connections on your pfSense?

    Hi Benny,

    Here's the assignment screeny showing i've assigned it to my physical LAN em0 interface.

    In terms of what my end game is with this, my employer has provided me with a Cisco CVO router that maintains a direct VPN connection to work for my Cisco IP Phone and laptop.  It is plugged into port 23 of my Netgear smart switch and the only port i need vlan tagging on.  I ultimately want the Cisco CVO appliance to be on a isolated network from the rest of my home network, yet connect in/outbound on my WAN interface.

    If I blow away the configurations I screenshotted above, it works great, as it has for months since using the CVO appliance.


  • Netgate Administrator

    Don't you need the pfSense connected port (trunk) to be assigned as tagged for VLAN10 in the switch?

    Steve



  • @stephenw10:

    Don't you need the pfSense connected port (trunk) to be assigned as tagged for VLAN10 in the switch?

    Steve

    I'll try that.  Below are the screenshots of how VLAN 1 (mgmt) is, and has remained since day 1.  Is it OK that on VLAN1 that every port is untagged?

    Here is how I have VLAN10 setup, based on how I think you suggested. Unfortunately, no luck still :(



  • EDIT:

    It looks like setting the port the pfSense router is plugged into the switch as to Trunk let it get a .10.x DHCP IP!


  • Netgate Administrator

    If you're still not seeing full success you may want to alter your firewall rule on OPT1 to include UDP (or all protocols) so that DNS can function.

    Steve



  • OK, getting the setup now (I think  ;))
    You took off well (approach). To directly answer your question on vlan1: yes, it is ok to have all members untagged.
    This means vlan1 will be your native vlan (the vlan without tagging (a dot1q field inserted))

    Port 23, where the cisco router is plugged in, should only belong untagged to vlan 10. (you should remove it from vlan1. Traffic entering this port (ingress) will be marked with the tag so it belongs to vlan 10, traffic leaving this port (egress) will get the tag removed (because your router doesn't need/understand the tag))

    Port 16, connected to em0, should be configured as untagged member for vlan1, and tagged member for vlan10 (already the case). Basicly what you have done by doing so, is creating a dot1q trunk on which traffic from vlan1 will go in and out un-altered, and traffic from vlan10 will be marked with that tag.

    For the config from pfSense, I could recommend you to open the proto(col) in the rules to IPv4 TCP/UDP, and allow all (*) for now. Most likely the cisco is configured for ipsec, and that requires upd (as does dhcp, what Steve already mentioned)
    Once everything is working, you can narrow down the rules if needed…

    Hope this helps...


  • Netgate Administrator

    Good call, I forgot about removing port 23 from the default VLAN.

    You probably want to allow only the required protocols if your purpose is to islate the Cisco device. Once you have it working you may want to tighten the firewall rules further to restrict the IPs that can connect to it.
    DHCP requests are always allowed into an interface that is running a DHCP server but DNS is not.

    Steve

    Edit: typo



  • @bennyc:

    OK, getting the setup now (I think  ;))
    You took off well (approach). To directly answer your question on vlan1: yes, it is ok to have all members untagged.
    This means vlan1 will be your native vlan (the vlan without tagging (a dot1q field inserted))

    Port 23, where the cisco router is plugged in, should only belong untagged to vlan 10. (you should remove it from vlan1. Traffic entering this port (ingress) will be marked with the tag so it belongs to vlan 10, traffic leaving this port (egress) will get the tag removed (because your router doesn't need/understand the tag))

    Port 16, connected to em0, should be configured as untagged member for vlan1, and tagged member for vlan10 (already the case). Basicly what you have done by doing so, is creating a dot1q trunk on which traffic from vlan1 will go in and out un-altered, and traffic from vlan10 will be marked with that tag.

    For the config from pfSense, I could recommend you to open the proto(col) in the rules to IPv4 TCP/UDP, and allow all (*) for now. Most likely the cisco is configured for ipsec, and that requires upd (as does dhcp, what Steve already mentioned)
    Once everything is working, you can narrow down the rules if needed…

    Hope this helps...

    Thanks for the tips.  I still have port 23 untagged on VLAN1, so I'll remove that here in a little bit and just leave the VLAN membership as untagged on VLAN10.  You are spot on on the Cisco CVO router running ipsec, I think (see below).  When I was in the system logs looking at the firewall, it was dropping several UDP connection attempts.

    @stephenw10:

    Good call, I forgot about removing port 23 from the default VLAN.

    You probably want to allow only the required protocols if your purpose is to islate the Cisco device. Once you have it working you may want to tighten the firewall rules further to restrict the IPs that can connect to it.
    DHCP requests are always allowed into an interface that is running a DHCP server but DNS is not.

    Stevee

    The network admin gave me the ports as TCP 50, TCP 51, UDP 500, UDP 4500 and optionally IPSec over UDP/TCP - udp port 1000 and tcp port 10000.  However, the system logs > firewall was showing ports in the range of 55xxx as being dropped, so will have to do some digging on that front.

    Thanks, you two, for following up with me.



  • I must have something in the firewall rules not configured correctly.  My Cisco 7965 VoIP phone keeps trying to register, an indicator that the Cisco CVO router can't talk inbound or outbound (more likely, see below).  But, I plugged in one of my laptops into the VLAN10 switch port directly, got a correctly assigned DHCP lease, but no Internet connectivity.

    Can anyone help with what pass/block firewall rules I need so the Cisco CVO router can't see anything on my private 192.168.1.x LAN, only its own 192.168.10.x LAN, but can also have free reign in/out on the em1 WAN interface?

    EDIT:

    Also tried adding a pass rule from the WAN subnet to my VLAN10 subnet, but still can't ping google.com or browse Internet from the test laptop I have plugged in.  However, DNS seems to be working as nslookup google.com give non-authoritative IPs back.

    EDIT #2:

    I changed the default LAN rule from LAN net to * and instead * to *, but still no go.


  • Netgate Administrator

    Do you still have outbound NAT set to automatic? That's the default setting so it will be unless you've changed it.

    You can't ping because your firewall rule on OPT1 only allows TCP/UDP and ping uses ICMP.

    Steve



  • @stephenw10:

    Do you still have outbound NAT set to automatic? That's the default setting so it will be unless you've changed it.

    You can't ping because your firewall rule on OPT1 only allows TCP/UDP and ping uses ICMP.

    Steve

    Yep - AON is enabled.

    I'm giving the advice here a try: https://forum.pfsense.org/index.php?topic=78533.msg428398#msg428398 to see if that gets me anywhere.


  • Netgate Administrator

    I have a similar setup on home box to isolate the guest wifi interface. You will need to do that if you want to isolate the Cisco VoIP device. However your existing 'allow any' rule should give you internet access on that interface especially on a laptop connected to it.

    Check the firewall logs. Do you have more than one gateway listed in System: Routing:

    Steve



  • @stephenw10:

    I have a similar setup on home box to isolate the guest wifi interface. You will need to do that if you want to isolate the Cisco VoIP device. However your existing 'allow any' rule should give you internet access on that interface especially on a laptop connected to it.

    Check the firewall logs. Do you have more than one gateway listed in System: Routing:

    Steve

    Hi Steve,

    I think I finally got the correct firewall rules in place.  At least, the laptop I had plugged into that VLAN10 port could not ping any devices on 192.168.1.x, but could browse the Internet.

    I've got a higher precedence rule blocking everything on my 192.168.1.x subnet, with an allow all TCP/UDP under it.  Does this look alright for a long term solution for what I want to accomplish? I can still ping the 192.168.10.x devices from my 192.168.1.x network, but I guess that's alright.


  • Netgate Administrator

    Yes, that should work.
    You may want to lock it down further. For example devices on OPT1 will have access to the webgui (though it's password protected) and any other services running on the pfSense box.

    Steve


Log in to reply