I'm having a vlan problem with my setup



  • Let me start with right now the only rule on my vlan interface is an allow any out.

    My setup is LAN is a bridge of port 0 and 1.
    I created a vlan (101) on port 0 and assigned it to OPT7

    I enabled DHCP and connected a machine to the port on my switch for that vlan.
    I got the correct IP which means it's hitting the firewall on the right vlan.

    However, I can ping the firewall, and I can ping IPs on LAN, but I can't seem to resolve any DNS.
    I'm not sure where to look.  All other interfaces seem to be working.

Anyone have any ideas what might be the issue?  I'm using a Dell PowerConnect switch, and since I'm getting the proper IP and can ping correctly, I don't think this is an issue with the switch.


  • Netgate

    If you have a switch why a bridge?

    Anyway, for the port you're connecting to the switch, port 0, you want to remove the native port 0 (en0, re0, rl0, whatever) from the bridge.

    Add the VLAN interface that was created when you added VLAN 101 to port 0, OPT7, to the bridge.

    You want the switch port connected to port 0 to be tagged VLAN 101.

    You will then have the bridge untagged out of port 1, tagged with 101 out port 0, and VLAN 101 present on the switch.

    On the firewall rules, you want pass any any on the bridge member interfaces with firewall rules on BRIDGE0 just like you would on LAN.  Assign your LAN IP address to BRIDGE0.

    Again, why the bridge if you have a switch?



  • @Derelict:

    If you have a switch why a bridge?

    Anyway, for the port you're connecting to the switch, port 0, you want to remove the native port 0 (en0, re0, rl0, whatever) from the bridge.

    Add the VLAN interface that was created when you added VLAN 101 to port 0, OPT7, to the bridge.

    You want the switch port connected to port 0 to be tagged VLAN 101.

    You will then have the bridge untagged out of port 1, tagged with 101 out port 0, and VLAN 101 present on the switch.

    On the firewall rules, you want pass any any on the bridge member interfaces with firewall rules on BRIDGE0 just like you would on LAN.  Assign your LAN IP address to BRIDGE0.

    Again, why the bridge if you have a switch?

    I'm not sure I follow here.  If I do what you're suggesting, I'm losing the untagged coming in and bridging the vlan 101 to my LAN which is the exact opposite of what I want.

    I need port 0 and 1 bridged.
    0 is my Switch for ALL wired connections
    1 is my access point for ALL wireless connections  (and I do NOT want this AP attached to the switch)

    If I'm reading this right though you're telling me to include opt7 (the vlan) in the bridge which would then mean that's a single interface.


  • Netgate

    Then you don't want a bridge.  If you bridge port 0 and port 1 then everything connected to port 0 is also connected (bridged) with port 1.

    Again, why the bridge?


  • Netgate

    Maybe it would be better if you made a diagram.  I might be misunderstanding and you want untagged traffic on port 0 and port 1 to be bridged and have port0_vlan101 tagged through to the switch.

    You can do that too, and sounds like you have.

    What are your firewall rules on OPT7?



  • @Derelict:

    Maybe it would be better if you made a diagram.  I might be misunderstanding and you want untagged traffic on port 0 and port 1 to be bridged and have port0_vlan101 tagged through to the switch.

    You can do that too, and sounds like you have.

    What are your firewall rules on OPT7?

    That is what I want, untagged to be bridged, and port0_vlan101 separate.
    That's what I thought I did now, and the firewall rule on opt7 is a single allow any with source opt7 net.

    But I'm having the issue I described in the first post.  Since the only rule is the allow any, I do not think it's a firewalling issue which is why I posted in this forum.


  • Netgate

If you can't resolve DNS, then we'll need to know what you're trying to do.  The DNS forwarder?  External DNS? What DNS are you giving to your clients via DHCP?  Are there static DNS servers in the client? Could be a hundred different things.



  • @Derelict:

If you can't resolve DNS, then we'll need to know what you're trying to do.  The DNS forwarder?  External DNS? What DNS are you giving to your clients via DHCP?  Are there static DNS servers in the client? Could be a hundred different things.

    (Note, this works fine on every interface I have other than the vlan one)

    1. DNS is set to forwarder
    2. DHCP gives firewall IP as DNS
    3. Client shows correct DNS servers
    4. nslookup with firewall IP manually specified also times out
    5. no log is generated (which it shouldn't as there's an allow any)
    6. I put in a block rule for a specific IP and tried pinging that, it showed up in the log

    Anything else I should test/any other info I should include?


  • Netgate

    2. DHCP gives firewall IP as DNS
    3. Client shows correct DNS servers

    Is it the firewall IP or is it "servers"??

    Instead of saying "Everything is correct" tell us what's really set.  It's obviously not correct or it would be working.  ;)

    Screenshots, output from dig on the client, ipconfig /all, etc.



  • @Derelict:

    2. DHCP gives firewall IP as DNS
    3. Client shows correct DNS servers

    Is it the firewall IP or is it "servers"??

    Instead of saying "Everything is correct" tell us what's really set.  It's obviously not correct or it would be working.  ;)

    Screenshots, output from dig on the client, ipconfig /all, etc.

    Ok, I can't get screenshots right now but

    1. Firewall info

    10.209.209.1/24
    DHCP Range: 10.209.209.20 - 10.209.209.30

    Rules on interface

    1. block+log with destination being 10.9.0.50
    2. allow any

    2. Client info
    IP: 10.209.209.20
    Subnet Mask: 255.255.255.0
    Gateway: 10.209.209.1
    DNS: 10.209.209.1

    3. What I've done on client
    a. ping 10.209.209.1 - success
    b. ping 10.9.0.51 - success
    c. ping 10.9.0.50 - fail with log generated (rule is there just so I can be sure it's actually hitting the firewall)
    d. ping anything by name - host not found
    e. nslookup (any name) - timed out (no log)
    f. nslookup (any name) 10.209.209.1 - timed out (no log)
    g. nslookup (any name) 4.2.2.1 - timed out (no log)

    Is there any information I'm missing?

    I want to reiterate that I have multiple interfaces on this firewall (the vlan is opt7) and every one of those works fine.  This is the only one with a problem.  Other than what the specific IPs and rules are, the settings are pretty much uniform.  DNS works on all other interfaces.


  • Netgate

    Sorry.  Still need to see the screenshot of the rules on the interface that's not working.  Are you sure the pass rule is for IPv4 Protocol any?

    The only other thing I can think of that would do this would be you've selected specific interfaces in Services->DNS Forwarder instead of "All" and omitted OPT7.



  • @Derelict:

    Sorry.  Still need to see the screenshot of the rules on the interface that's not working.  Are you sure the pass rule is for IPv4 Protocol any?

    The only other thing I can think of that would do this would be you've selected specific interfaces in Services->DNS Forwarder instead of "All" and omitted OPT7.

I can give you screenshots of pfSense, it's just the client I can't get to right now.






  • Aaaaand never mind.

    This was a case of too many cooks.

    Someone who shall remain nameless had changed DNS from all interfaces and made it on just the required interfaces.
    They added opt7, get this, yesterday.

    If I posted two days ago, I would've seen opt7 not selected on that list.
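
Every failing step above came back as "timed out" from nslookup, which lumps together three different situations: the query was answered but with an error code, the firewall was reachable but nothing was listening on UDP/53 for that interface (the DNS Forwarder bound to a list of interfaces that omitted OPT7, as it turned out), or the packet was silently dropped. The probe below is an added example, not code from the thread or from pfSense; it sends one raw DNS query over a connected UDP socket so an ICMP port-unreachable surfaces as a distinct error, and it classifies the result. The server address, the hostname queried and the embedded sample response are all constructed for illustration.

```python
"""Raw UDP DNS probe that tells "answered", "refused" and "dropped" apart.

Added example for diagnosing a per-interface resolver outage; not from the
original post. Assumes a POSIX socket API. SAMPLE_RESPONSE is hand-built, not
captured from any firewall.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expected_id: int):
    """Return (rcode, [IPv4 strings from A records]) for a DNS response.

    Owner names are skipped (plain or compressed); only A rdata is decoded.
    Enough for a probe, not a general-purpose parser.
    """
    if len(data) < 12:
        raise ValueError("short DNS response")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("DNS ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F

    def skip_name(p: int) -> int:
        while True:
            length = data[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes total
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one query to server:53 and classify the outcome.

    Returns (status, detail):
      ("answer", "NOERROR ['93.184.216.34']")  resolver listening and replying
      ("refused", "ICMP port unreachable")     host up, nothing bound on UDP/53
      ("timeout", "no reply in 2.0s")          dropped, filtered, or ICMP suppressed
    """
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, 53))      # connected UDP: ICMP errors are reported to us
        sock.send(build_query(name, qid))
        data = sock.recv(4096)
    except ConnectionRefusedError:
        return "refused", "ICMP port unreachable"
    except socket.timeout:
        return "timeout", f"no reply in {timeout}s"
    finally:
        sock.close()
    rcode, addrs = parse_response(data, qid)
    return "answer", f"{RCODE_NAMES.get(rcode, rcode)} {addrs}"


# Constructed sample: a NOERROR reply to the example.com query with one A record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    # Run from the client on the VLAN; 10.209.209.1 is the firewall address from the thread.
    print(probe("10.209.209.1"))
```

A "refused" result against the firewall's own address on an interface where other interfaces resolve fine points straight at the resolver's interface binding rather than at firewall rules, since a rule block would show up as a timeout (and, with logging on, in the firewall log). A "timeout" against an external resolver such as 4.2.2.1 from the same client means the query never got a reply at all, which is a routing, NAT or rule question rather than a forwarder one.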