Netgate Discussion Forum

    I'm having a vlan problem with my setup

    Routing and Multi WAN
    13 Posts 2 Posters 1.8k Views
    Trel

      Let me start with right now the only rule on my vlan interface is an allow any out.

      My setup is LAN is a bridge of port 0 and 1.
      I created a vlan (101) on port 0 and assigned it to OPT7

      I enabled DHCP and connected a machine to the port on my switch for that vlan.
      I got the correct IP which means it's hitting the firewall on the right vlan.

      However, I can ping the firewall, and I can ping IPs on LAN, but I can't seem to resolve any DNS.
      I'm not sure where to look.  All other interfaces seem to be working.

      Anyone have any ideas what might be the issue?  I'm using a Dell powerconnect switch, and since I'm getting the proper IP and can ping correctly, I don't think this is an issue with the switch.

      Derelict (Netgate)

        If you have a switch why a bridge?

        Anyway, for the port you're connecting to the switch, port 0, you want to remove the native port 0 (en0, re0, rl0, whatever) from the bridge.

        Add the VLAN interface that was created when you added VLAN 101 to port 0, OPT7, to the bridge.

        You want the switch port connected to port 0 to be tagged VLAN 101.

        You will then have the bridge untagged out of port 1, tagged with 101 out port 0, and VLAN 101 present on the switch.

        On the firewall rules, you want pass any any on the bridge member interfaces with firewall rules on BRIDGE0 just like you would on LAN.  Assign your LAN IP address to BRIDGE0.

        Again, why the bridge if you have a switch?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Trel

          @Derelict:


          I'm not sure I follow here.  If I do what you're suggesting, I'm losing the untagged coming in and bridging the vlan 101 to my LAN which is the exact opposite of what I want.

          I need port 0 and 1 bridged.
          0 is my Switch for ALL wired connections
          1 is my access point for ALL wireless connections  (and I do NOT want this AP attached to the switch)

          If I'm reading this right though you're telling me to include opt7 (the vlan) in the bridge which would then mean that's a single interface.

          Derelict (Netgate)

            Then you don't want a bridge.  If you bridge port 0 and port 1 then everything connected to port 0 is also connected (bridged) with port 1.

            Again, why the bridge?

            Derelict (Netgate)

              Maybe it would be better if you made a diagram.  I might be misunderstanding and you want untagged traffic on port 0 and port 1 to be bridged and have port0_vlan101 tagged through to the switch.

              You can do that too, and sounds like you have.

              What are your firewall rules on OPT7?

              Trel

                @Derelict:


                That is what I want, untagged to be bridged, and port0_vlan101 separate.
                That's what I thought I did now, and the firewall rule on opt7 is a single allow any with source opt7 net.

                But I'm having the issue I described in the first post.  Since the only rule is the allow any, I do not think it's a firewalling issue which is why I posted in this forum.

                Derelict (Netgate)

                  If you can't resolve DNS, then we'll need to know what you're trying to do.  The DNS forwarder?  External DNS? What DNS are you giving to your clients via DHCP?  Are there static DNS servers in the client? Could be a hundred different things.

                  Trel

                    @Derelict:


                    (Note, this works fine on every interface I have other than the vlan one)

                    1. DNS is set to forwarder
                    2. DHCP gives firewall IP as DNS
                    3. Client shows correct DNS servers
                    4. nslookup with firewall IP manually specified also times out
                    5. no log is generated (which it shouldn't as there's an allow any)
                    6. I put in a block rule for a specific IP and tried pinging that, it showed up in the log

                    Anything else I should test/any other info I should include?

                    Derelict (Netgate)

                      > 2. DHCP gives firewall IP as DNS
                      > 3. Client shows correct DNS servers

                      Is it the firewall IP or is it "servers"??

                      Instead of saying "Everything is correct" tell us what's really set.  It's obviously not correct or it would be working.  ;)

                      Screenshots, output from dig on the client, ipconfig /all, etc.

                      Trel

                        @Derelict:


                        Ok, I can't get screenshots right now but

                        1. Firewall info

                        10.209.209.1/24
                        DHCP Range: 10.209.209.20 - 10.209.209.30

                        Rules on interface

                        1. block+log with destination being 10.9.0.50
                        2. allow any

                        2. Client info
                        IP: 10.209.209.20
                        Subnet Mask: 255.255.255.0
                        Gateway: 10.209.209.1
                        DNS: 10.209.209.1

                        3. What I've done on client
                        a. ping 10.209.209.1 - success
                        b. ping 10.9.0.51 - success
                        c. ping 10.9.0.50 - fail with log generated (rule is there just so I can be sure it's actually hitting the firewall)
                        d. ping anything by name - host not found
                        e. nslookup (any name) - timed out (no log)
                        f. nslookup (any name) 10.209.209.1 - timed out (no log)
                        g. nslookup (any name) 4.2.2.1 - timed out (no log)

                        Is there any information I'm missing?

                        I want to reiterate that I have multiple interfaces on this firewall (the vlan is opt7) and every one of those works fine.  This is the only one with a problem.  Other than what the specific IPs and rules are, the settings are pretty much uniform.  DNS works on all other interfaces.

                        Derelict (Netgate)

                          Sorry.  Still need to see the screenshot of the rules on the interface that's not working.  Are you sure the pass rule is for IPv4 Protocol any?

                          The only other thing I can think of that would do this would be you've selected specific interfaces in Services->DNS Forwarder instead of "All" and omitted OPT7.

                          Trel

                            @Derelict:


                            I can give you screenshots of pfSense, it's just the client I can't get to right now.

                            [attachments: pfopt7_rules.jpg, pfopt7_dns.jpg]

                            Trel

                              Aaaaand never mind.

                              This was a case of too many cooks.

                              Someone who shall remain nameless had changed DNS from all interfaces and made it on just the required interfaces.
                              They added opt7, get this, yesterday.

                              If I posted two days ago, I would've seen opt7 not selected on that list.
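
A worked version of the client-side checks in this thread (steps e, f and g of Trel's test list), added here as an example; it is not pfSense or dnsmasq code and not something either poster ran. It builds a raw UDP DNS query, sends it to one resolver address and classifies the outcome, so that "ping the VLAN gateway works, DNS to the same address times out" can be reproduced on any host without relying on nslookup's error text. The server address 10.209.209.1, the name example.com and the SAMPLE_RESPONSE bytes are constructed for illustration. With a pass-any rule on the interface, a timeout from the firewall's own VLAN address (rather than an answer, NXDOMAIN or REFUSED) is consistent with nothing listening on that address, which is what the thread's resolution turned out to be: the DNS Forwarder had been restricted to specific interfaces and OPT7 was not among them.

```python
"""Bare-bones UDP DNS probe for checking whether a resolver actually answers
on a specific interface address.

Added example for the forum thread above, not pfSense or dnsmasq code.
The default server 10.209.209.1 and SAMPLE_RESPONSE are constructed
for illustration; run it against your own firewall's VLAN address.
"""
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id so replies can be matched deterministically


def build_query(name, txid=TXID, qtype=1):
    """Return a wire-format recursive query (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid=TXID):
    """Extract rcode, answer count and A-record addresses from a response."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": an, "addresses": addrs}


def classify(data, expected_txid=TXID):
    """Map a parsed response to a short verdict string."""
    r = parse_response(data, expected_txid)
    if r["rcode"] == 0 and r["addresses"]:
        return "answered"
    if r["rcode"] == 3:
        return "nxdomain"         # resolver reachable and working; name does not exist
    if r["rcode"] == 5:
        return "refused"          # resolver reachable, but its policy denies the query
    return "rcode-%d" % r["rcode"]


def probe(server, name, timeout=2.0):
    """Send one query to server:53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))   # connected UDP so ICMP errors surface as exceptions
            s.send(build_query(name))
            data = s.recv(512)
        except socket.timeout:
            # Nothing listening on that address, or query/reply silently dropped.
            return "timeout"
        except (ConnectionRefusedError, ConnectionResetError):
            # ICMP port unreachable reached us: host is up, no listener on :53.
            return "port-unreachable"
        except OSError as e:
            return "error: %s" % e  # e.g. no route to that network at all
    return classify(data)


# Constructed response: txid 0x1234, flags 0x8180 (QR, RD, RA), one question
# (example.com A IN), one answer whose name is a pointer back to the question
# (0xC00C), TTL 3600, A 10.9.0.51.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x09\x00\x33"
)

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.209.209.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(server, name, probe(server, name))
```

Run it once against the firewall's VLAN address and once against an address that is known to work (a LAN-side resolver, or the firewall's LAN IP) from the same client; differing verdicts with the same pass-any rule in place put the problem on the listener side rather than in pf. On the firewall itself, `sockstat -4 -l` lists which local addresses dnsmasq has bound on port 53, so you can confirm whether the VLAN interface address is among them before touching any rules.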

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.