Netgate Discussion Forum
    Not getting internet from vlan

    • Aswin

      Hello Guys,

      I have configured a Pfsense Watchguard in my network. Here is the configuration:

      WAN interface (sk0) 66.66.66.66/24
      LAN interface (msk0) 192.168.1.1/24
      VLAN1 interface (msk1) 10.0.0.254/24

      Now, I am not getting internet from vlan network for example:

      $ ping 192.168.1.1
      PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data

      --- 192.168.1.1 ping statistics ---
      3 packets transmitted, 0 received, 100% packet loss, time 2016ms

      $ ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
      ^C
      --- 8.8.8.8 ping statistics ---
      4 packets transmitted, 0 received, 100% packet loss, time 3024ms

      But, see I am getting ping till vlan static ip:

      $ ping 10.0.0.254
      PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
      64 bytes from 10.0.0.254: icmp_req=1 ttl=64 time=0.788 ms
      64 bytes from 10.0.0.254: icmp_req=2 ttl=64 time=0.360 ms
      64 bytes from 10.0.0.254: icmp_req=3 ttl=64 time=0.353 ms
      ^C
      --- 10.0.0.254 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 1999ms
      rtt min/avg/max/mdev = 0.353/0.500/0.788/0.204 ms

      I don't have any rules under the Floating tab. Also, I have attached 2 screenshots of the LAN and VLAN rules. I just want to get a connection between VLAN and LAN. Also, I need to access the internet from the VLAN.

      Please kindly help me on this.

      Thanks in advance
      ![lan-firewall- Rules.png](/public/imported_attachments/1/lan-firewall- Rules.png)
      ![vlan-firewall- Rules.png](/public/imported_attachments/1/vlan-firewall- Rules.png)

      • Cmellons

        **"Now, I am not getting internet from vlan network for example:

        $ ping 192.168.1.1
        PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data

        --- 192.168.1.1 ping statistics ---
        3 packets transmitted, 0 received, 100% packet loss, time 2016ms"**

        Where are you pinging this from? From your Vlan of 10.0.0.254/24 ?

        Just a question. Do you need 65536 subnets for your 10.0.0.254/24 network? Maybe that's none of my business sorry.

        I use this place to calculate subnets.

        http://www.subnet-calculator.com/subnet.php?net_class=A

        I'm just trying to understand you better.

        VLAN1 was obviously an OPT interface before, correct? See, the thing is that when I think of VLANs, I think of an interface that can be made into several interfaces to add extra LANs or multiple WANs. But then again, if it were multiple WANs, wouldn't it be called vWANs? It's always been a confusing subject for me.

        That kind of thing.  But I usually add them differently. If I was going to use an OPT interface most likely for my situation it would be a DMZ. However, quite a few of these pros here have several interfaces in the same orientation that you have because maybe they're running servers.

        So, this is the main objective for you.

        "I just want to get connection between vlan and lan. Also I need to access internet from Vlan."

        Well, it's time to take a step back and look at your network infrastructure. Maybe if you draw it out it will help you to answer the problem. A lot of problems come with the misconfiguration of hardware. I know that you're saying VLANs, but just make sure that all interfaces are doing the correct thing. In other words, make sure that your LAN and WAN interfaces are not swapped. Anything can happen.

        I believe that your VLAN may need its own DNS to have access to the internet, and also I believe that the VLAN would need to be given specific access to the 192.168.1.1/24 subnet. However, pfSense is really awesome at blocking ICMP requests unless you specifically allow them through.

        • Derelict LAYER 8 Netgate

          The way you have it set should work, so something else is wrong.

          Keep in mind that the second rule on LAN allows LAN to access VLAN.

          The second rule on VLAN is never processed because all IPv4 traffic is matched by the first rule, including traffic to LAN.

          Trying to ping something on LAN from VLAN could fail if the source or destination has the wrong default gateway, etc.  The wrong default gateway on the source machine on VLAN would also explain being able to ping the pfSense interfaces (which is on the same subnet) and not something through the router.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
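
An added example, not part of the post above: a small checker for the first-match shadowing Derelict describes, where a later rule can never be reached because an earlier rule already matches all of its traffic. The rules on the page exist only as screenshots, so the rulesets below are constructed; the `Rule` model is an assumption that ignores ports, aliases and floating rules.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    proto: str   # "any", "tcp", "udp" or "icmp"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form
    label: str

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` already matches `earlier`."""
    return (
        earlier.proto in ("any", later.proto)
        and ip_network(later.src).subnet_of(ip_network(earlier.src))
        and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
    )

def shadowed(rules):
    """List (dead_rule, winning_rule, action_differs) under first-match evaluation."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.label, earlier.label, earlier.action != later.action))
                break
    return findings

# Constructed rules standing in for the VLAN tab in the screenshots.
VLAN_AS_POSTED = [
    Rule("pass", "any", "0.0.0.0/0", "0.0.0.0/0", "allow all IPv4"),
    Rule("pass", "any", "10.0.0.0/24", "192.168.1.0/24", "VLAN net to LAN net"),
]
# Same ordering mistake with an isolation rule: the block never takes effect.
VLAN_DEAD_BLOCK = [
    Rule("pass", "any", "0.0.0.0/0", "0.0.0.0/0", "allow all IPv4"),
    Rule("block", "tcp", "10.0.0.0/24", "192.168.1.0/24", "block VLAN to LAN tcp"),
]
# Specific rule first: nothing is shadowed.
VLAN_REORDERED = list(reversed(VLAN_DEAD_BLOCK))

if __name__ == "__main__":
    for name, rules in [("as posted", VLAN_AS_POSTED), ("dead block", VLAN_DEAD_BLOCK),
                        ("reordered", VLAN_REORDERED)]:
        print(name, shadowed(rules))
```

A finding with `action_differs` set is the case worth reviewing first: the dead rule was meant to change the outcome and does not.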

          • Cmellons

            @Derelict:

            The way you have it set should work, so something else is wrong.

            Keep in mind that the second rule on LAN allows LAN to access VLAN.

            The second rule on VLAN is never processed because all IPv4 traffic is matched by the first rule, including traffic to LAN.

            Trying to ping something on LAN from VLAN could fail if the source or destination has the wrong default gateway, etc.  The wrong default gateway on the source machine on VLAN would also explain being able to ping the pfSense interfaces (which is on the same subnet) and not something through the router.

            Great explanation:) I actually could not see the pictures before but I do see them now.

            • Aswin

              Hello,

              Right now, I think you guys may need to know one more thing. I have OpenStack running under my network; the gateway of the instance is 10.0.0.1, which is why I am using 10.0.0.254/24 as the VLAN interface IP. Also, OpenStack is running on the VLAN, which means each instance will be on the 10.0.0.0 network only.

              Here is the routing table of openstack instance:

              route

              Kernel IP routing table
              Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
              default         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
              10.0.0.0        *               255.255.255.0   U     0      0        0 eth0

              As we know, the gateway is 10.0.0.1 in the OpenStack instance, which is why it is not able to communicate with 192.168.1.1.

              At this time, I am getting a connection from OpenStack instance 10.0.0.4 to 10.0.0.254, but not getting ping to 192.168.1.1 or WAN. But I am also getting internet from another physical machine which has the IP 10.0.0.246 and can ping LAN 192.168.1.1, but is not able to ping other IPs in the range 192.168.1.0/24.

              I have attached the screenshot of updated current rules under lan and vlan.

              Dear Derelict,

              I have deleted the second rule under the vlan. As you said everything is working except vlan to lan connection and communication issue from openstack network to lan and wan.

              ![lan-firewall- Rules.png](/public/imported_attachments/1/lan-firewall- Rules.png)
              ![vlan-firewall- Rules.png](/public/imported_attachments/1/vlan-firewall- Rules.png)
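
An added example, not part of the post above: it parses the `route` output posted for the OpenStack instance and works out the first hop for each destination pinged in this thread, showing which packets are handed to the pfSense VLAN interface at all. It assumes 10.0.0.254 is the pfSense address from the first post and that 10.0.0.1 is a different device.

```python
from ipaddress import ip_address, ip_network

# Routing table as posted for the OpenStack instance.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
"""
FIREWALL_IP = "10.0.0.254"  # pfSense VLAN interface from the first post

def parse_routes(text):
    """Return [(network, gateway_or_None)] from net-tools `route` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title and column header lines
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        gateway = None if f[1] in ("*", "0.0.0.0") else ip_address(f[1])
        routes.append((ip_network(f"{dest}/{f[2]}"), gateway))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match; an on-link route delivers straight to dst."""
    dst = ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return gateway if gateway is not None else dst

def reaches_firewall(routes, dst, firewall_ip=FIREWALL_IP):
    """True if the host hands packets for dst directly to the firewall."""
    return next_hop(routes, dst) == ip_address(firewall_ip)

if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    for target in ("10.0.0.254", "192.168.1.1", "8.8.8.8"):
        print(target, "via", next_hop(table, target),
              "firewall sees it:", reaches_firewall(table, target))
```

Traffic whose first hop is not the firewall never arrives on its VLAN interface, so the rules on that tab are not evaluated for it.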