pfSense not accessible through VLAN?



  • Hi,

    I have a problem getting pfSense working with VLANs, which has been driving me crazy for the last 2 days :(

    Network topology looks like this:

    
                   ( Internet )
                        |
                        |
              __________|_________
             [ Perimeter-firewall ]
             [____________________]
                        |
                        |
                        |port 1
                  ______|_______
                 [              ] port 13                   re0 [ pfsense1 only 1 ethernet card! ]
                 [ DMZ-2 Switch ] trunk VLAN1+VLAN101           [ connect on port 13 dmz2 switch ]
                 [              ]-------------------------------[ LAN tagged on VLAN id 101      ]
                 [______________]--port 15(trunk VLAN1+VLAN101  [ WAN on default VLAN id 1       ]
                        | port 12                               [ LAN ip=172.17.7.254            ]
                        | trunk VLAN1+VLAN101
                        | 
                        |
                        | eth1 (IP=public IP range)
                        | vlan101 (IP=172.17.7.2) virtual network on eth1 with vlan id 101
                ________|_______
               [ choke-firewall ]
               [________________]
                        | eth0 (gw 10.24.8.254)
                        |
                        |
                  ______|_______
                 [ Internal LAN ]
                 [ 10.0.0.0/8   ]
                 [  LAN Switch  ]
                 [______________]
                        |
                        |
                        |________ [ test-laptop ]
                                  [ 10.8.0.100  ]
    
    

    So what I did was create a virtual adapter (vlan101) on the choke-firewall with VLAN id 101.
    The choke-firewall is a Debian Linux server, so I added the following to my /etc/network/interfaces to accomplish this:

    auto vlan101
    iface vlan101 inet static
            address 172.17.7.2
            netmask 255.255.255.0
            network 172.17.7.0
            broadcast 172.17.7.255
            vlan-raw-device eth1

    and used 'ifup vlan101' to bring it online.
    The eth1 network card from the choke-firewall is connected to my dmz2 switch on port 12 which is a trunked port with VLAN id 101 added (and the default VLAN1 for access to the internet via perimeter firewall).

    Then I added a route on the choke-firewall to allow the 172.17.7.0/24 range to be routed through the vlan101 interface (ip=172.17.7.2).

    Here's the problem: I want to manage the pfsense1 server from my internal LAN (test-laptop 10.8.0.100), but I can not access the pfSense web interface on https://172.17.7.254. Pinging 172.17.7.254 also doesn't work.
    However, I can ping successfully from the choke-firewall to the pfsense1 on 172.17.7.254, and also a 'telnet 172.17.7.254 443' from the choke-firewall
    connects without problems (the choke-firewall is a stripped Linux server with only console access).
    Also, I can ping the vlan101 interface on ip=172.17.7.2 from my test-laptop on 10.8.0.100.
    So it looks like traffic from my internal LAN (10.0.0.0/8) to the pfsense1 LAN side (172.17.7.254) does not get forwarded.
    But any other traffic from my 10.0.0.0/8 LAN gets through the choke-firewall just fine, so routing on the choke-firewall is working.
    I suspect something with the VLAN but can not figure it out :(

    I also tried connecting my test-laptop directly to the dmz2 switch (port 15), gave my test-laptop an IP=172.17.7.10/24
    and tried to access the web interface of pfsense1 (172.17.7.254), but that didn't work either.

    What am I missing … ?
    Hope someone here can help me out!

    The final goal is to set up an IPsec tunnel from the pfSense to our hosted servers outside.
    But for now I can't even reach the pfsense1 server from within our internal LAN.

    Thanks,

    PS: the pfSense install is the latest version, 2.1.4.


  • Netgate Administrator

    Is your choke firewall NATing? If not then traffic arriving from your test laptop will have a source address that's outside the LAN subnet. Do your firewall rules allow that? Check the firewall logs to see if incoming traffic is being blocked.

    Steve



  • Hi Steve,

    Thank you for your reply.

    My choke fw is not NATing; it simply routes all traffic from my LAN (10.0.0.0/8) to the vlan101 (IP=172.17.7.2) virtual network on eth1.
    And I have set up fw rules in the pfSense fw to allow all traffic from the 10.0.0.0/8 network (for testing I allowed any traffic).
    But I do not see anything blocked in the pfSense fw logs from the 10.0.0.0/8 network.

    Also nothing in the choke fw logs …



  • You need the "route back":

    Then i added a route on the choke-firewall to allow the 172.17.7.0/24 range to be routed through the vlan101 interface (ip=172.17.7.2).

    Now you have to make your PF know how to reach the 10.8.x.y subnet! Your PF needs a route to it!

    Another important thing: Cisco and HP switches work better with PF by using the General mode instead of the Trunk mode. Plus, triple check that you tag EACH VLAN on your phys interface (i.e. you do NOT have any 'untagged' VLAN set on your PF phys interface).
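
    The "route back" problem in this thread, as an added example that is not part of any post here: a small longest-prefix-match simulation of the choke-firewall's and pfSense's routing tables built from the addresses in the thread (the perimeter-firewall gateway is an assumed placeholder). It shows that without a 10.0.0.0/8 route pfSense sends its replies out the WAN instead of back through vlan101, and that one static route via 172.17.7.2 makes the path symmetric.

```python
import ipaddress

# Constructed routing tables mirroring the thread's topology.
# "PERIMETER-GW" is a placeholder for the perimeter firewall's address.
CHOKE_ROUTES = [
    ("10.0.0.0/8", "eth0", None),          # internal LAN
    ("172.17.7.0/24", "vlan101", None),    # route the poster added
    ("0.0.0.0/0", "eth1", "PERIMETER-GW"), # default via perimeter
]

# pfSense as described in the thread: only LAN subnet + default via WAN.
PFSENSE_BEFORE = [
    ("172.17.7.0/24", "LAN(vlan101)", None),
    ("0.0.0.0/0", "WAN", "PERIMETER-GW"),
]

# The fix suggested above: a static "route back" to the internal LAN
# via the choke-firewall's vlan101 address. On pfSense this is done
# by defining a LAN gateway 172.17.7.2 and a static route for 10.0.0.0/8.
PFSENSE_AFTER = PFSENSE_BEFORE + [("10.0.0.0/8", "LAN(vlan101)", "172.17.7.2")]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return (best[1], best[2]) if best else None


def round_trip(src, dst, pf_routes):
    """Trace the request from the laptop through the choke-firewall and
    the reply from pfSense back toward the laptop. The path is symmetric
    only when the reply leaves pfSense on the LAN (vlan101) side."""
    fwd_iface, _ = lookup(CHOKE_ROUTES, dst)
    rep_iface, rep_hop = lookup(pf_routes, src)
    symmetric = fwd_iface == "vlan101" and rep_iface.startswith("LAN")
    return {"forward_via": fwd_iface, "reply_via": rep_iface,
            "reply_next_hop": rep_hop, "symmetric": symmetric}


if __name__ == "__main__":
    for name, table in (("before", PFSENSE_BEFORE), ("after", PFSENSE_AFTER)):
        print(name, round_trip("10.8.0.100", "172.17.7.254", table))
```

A reply that leaves via WAN is the classic asymmetric-routing symptom: the packet sniffer on pfSense's LAN shows the SYN arriving, nothing is logged as blocked, yet the client never sees the SYN-ACK.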



  • Thx for your reply AIMS-Informatique!

    Stupid of me, I forgot to add the 'route back' on the PF firewall  :-[
    Haven't had the time yet to check because I was sick at home for a couple of days, but will surely try this as soon as I get back to the office!

    I had already used the general mode for the trunk on the HP/3Com switch.
    Not 100% sure about the 'untagged' VLAN tags. I thought I did, but good point to (triple) check! Thx.

    Hope to try this asap when I am back at the office next week.


  • Netgate Administrator

    If you haven't already added a route (or used some routing protocol) that will definitely stop any replies reaching you. Looks like you may have found your problem.  :)

    Steve