Netgate Discussion Forum

    Wake on LAN to different VLAN's

    General pfSense Questions
    21 Posts 4 Posters 9.7k Views
    • Cletus

      Hello!

      I'm new to pfSense but I like it already! Created different VLANs on a trunk port etc., all works fine. Some VLANs do not route, some VLANs can see each other. Now I have the following issue. I'm using Kodi as media player on some PCs and this can be turned on by Wake on LAN from the remote control app on my phone. This worked fine when the machine was in the same subnet as the phone, but now I've split my WiFi and Ethernet into different VLANs. Now the WOL packet doesn't arrive at my machines, probably because pfSense doesn't route the packet to the correct VLAN. Is there a way to enable this? I've tried searching for firewall rules, but WOL resides in layer 2, right? (Not sure if the firewall only does layer 3.) I also tried to check if multicast or IGMP proxy is something I can use, but I'm not sure if this is the solution.

      Google doesn't give me many answers… Only that UDP helpers or something would help, or that there is a setting called Subnet Directed Broadcasts. Is this something pfSense supports, or can somebody help me with this issue?

      Thanks!

      • Cletus

        Maybe some background information would be handy :)

        I've got 3 NICs in my pfSense machine:

        1 WAN NIC on DHCP
        1 LAN NIC which holds my old legacy LAN (192.168.1.0/24)
        1 VLAN NIC which holds my new network build

        All are Intel NICs and are VLAN compatible.

        Created the following VLANs:

        VLAN2 192.168.2.0/24
        VLAN3 192.168.3.0/24
        VLAN4 192.168.4.0/24
        VLAN5 192.168.5.0/24
        VLAN6 192.168.6.0/24

        I use VLAN2 for my clients, and the machine I want to wake up is in that VLAN.
        VLAN5 is the Wi-Fi VLAN, and the device that sends the "magic packet" is in that VLAN.

        Both VLANs are routable to each other and have communication and internet on them; the phone remote control works fine from VLAN5 to VLAN2 when the machine is powered on.

        I also tried to boot the device with the WOL option in the pfSense web GUI, but it does not wake up. Other devices are not waking up either; only devices which are still connected to my old legacy LAN adapter will wake up.

        The only thing I can't get to work is that damn WOL :(

        • NOYB

          WoL Magic Packet is an Ethernet (MAC address) broadcast.

          Also, ARP table entries typically have a very short time to live and thus expire quickly for systems that are off/standby.

          Two significant factors that need to be taken into consideration when implementing a WoL scheme.

          Static ARP entries can be added in Services: DHCP Server: Edit Static Mapping by selecting the "ARP Table Static Entry" checkbox.
          "Create an ARP Table Static Entry for this MAC & IP Address pair."

          • NOYB

            If you create a static ARP entry on each of the VLAN interfaces as follows, and then send the WoL Magic Packet to the one for the subnet the target system resides on, it may work.

            192.168.2.254 ff:ff:ff:ff:ff:ff
            192.168.3.254 ff:ff:ff:ff:ff:ff
            192.168.4.254 ff:ff:ff:ff:ff:ff
            192.168.5.254 ff:ff:ff:ff:ff:ff
            192.168.6.254 ff:ff:ff:ff:ff:ff

            When you tried with the pfSense WebGUI WoL service, did the target system have both the correct interface specified and MAC?

            • Cletus

              Hi NOYB,

              Thanks for your quick reply. I will test this out in the evening.

              2 questions. Do I need static IPs on the boxes I want to wake?

              Does the 192.168.2.254 imply the gateway or the IP of the box?

              With this ARP static table, does that mean that the WOL packet on VLAN5 is automatically forwarded to VLAN2 (or whatever you say it will be)?

              Strange thing is that when installing Wireshark in that same VLAN I can't find a broadcast WOL packet when trying this.

              Will let you know.

              Regards,

              • Cletus

                So, tried out lots of things this evening but I seem unsuccessful :(

                Tried adding the addresses below but do not know how to forward this then to the correct VLAN.

                Also tried creating firewall rules where I forward the UDP packet on port 9 to the other network, but I don't know if the rule is correctly set up. Also tried forwarding that packet from the 255 broadcast address, but also unsuccessful. pfSense is generating the WOL packets, as Wireshark will detect them on the same VLAN but not on others… :(

                I also see them coming in on the firewall logs as destination 192.168.*.255:9 but can't seem to forward it. I'm out of ideas; googled and googled but can't get it to work. Isn't there some kind of proxy? Basically I only need to forward the WOL packets from 192.168.5.0/24 to 192.168.2.0/24.

                I see stuff called Multicasting or Subnet Directed Broadcast, but I also read that FreeBSD doesn't support that on purpose due to security / DDoS reasons?

                Any help would be greatly appreciated! :)

                • 2chemlud Banned

                  Eeehm, there is a bug in 2.2 (32-bit), WoL not working. You have to apply a patch manually, then it worked for me again…

                  https://redmine.pfsense.org/issues/4318

                  • Cletus

                    Hi 2chemlud, yes I saw that, but I use the 64-bit version and that doesn't have the bug :)

                    But I've solved it; not that hard in the end, and a potential security breach, but it's an internal home LAN anyway :)

                    I've created a bridge between the 2 VLANs and now the packet is forwarded and it works fine! :)

                    • doktornotor Banned

                      @Cletus:

                      I've created a bridge between the 2 VLANs and now the packet is forwarded and it works fine! :)

                      Sigh… no, that is certainly not a solution.

                      • NOYB

                        @Cletus:

                        Do I need static IPs on the boxes I want to wake?

                        No.

                        @Cletus:

                        Does the 192.168.2.254 imply the gateway or the IP of the box?

                        Neither. Think of it as a software Ethernet broadcast agent. Anything sent to those IP addresses becomes an Ethernet broadcast (MAC address ff:ff:ff:ff:ff:ff).

                        @Cletus:

                        With this ARP static table, does that mean that the WOL packet on VLAN5 is automatically forwarded to VLAN2 (or whatever you say it will be)?

                        No. An ARP table entry, which maps IP to MAC, is typically maintained for each machine that is connected to the network and on. Once the machine is disconnected from the network, such as by being turned off or in standby mode, the ARP table entry for that machine will expire very shortly. A minute or so is not uncommon. The static ARP entry keeps the IP to MAC association even when the machine is off or in standby mode waiting for the WoL Magic Packet.

                        The special static ARP addresses assigned in each of the VLANs I mentioned earlier are what should get the WoL Magic Packet to its respective VLAN. Think of them as broadcast agents for their respective subnet. Anything sent to those IP addresses is then sent to MAC ff:ff:ff:ff:ff:ff within that Ethernet segment, which is an Ethernet broadcast.

                        • NOYB

                          When trying to use the pfSense Wake on LAN utility, are the correct interface and MAC address specified for the target machine? The interface setting must be the one for the network that the target system is on.

                          I would suggest focusing on getting it to work with the pfSense WebGUI utility first. Then once that is working, return to getting your external utility working.

                          • Cletus

                            @doktornotor:

                            @Cletus:

                            I've created a bridge between the 2 VLANs and now the packet is forwarded and it works fine! :)

                            Sigh… no, that is certainly not a solution.

                            Can you tell me why this is not a solution?

                            Thanks!

                            • Cletus

                              @NOYB:

                              I had Wireshark running in my different VLANs, and each VLAN receives a broadcast packet in that VLAN from the WOL utility in pfSense when using the correct VLAN. I also tried to use static mappings, and tried the commands from the command line: arp -s 192.168.2.254 ff:ff:ff:ff:ff:ff (and all other subnets), but when the packet is coming into VLAN5 it doesn't forward itself to the other subnets, so I'm lost here… :( Also not sure why I can't use bridging between VLANs that are internal and for my use only...

                              • doktornotor Banned

                                @Cletus:

                                Also not sure why I can't use bridging between VLANs that are internal and for my use only…

                                You can. Considering the entire purpose of VLANs is to separate traffic, you render the VLANs just utterly pointless. Just stick both segments on the same VLAN and be done with it.

                                • NOYB

                                  @Cletus:

                                  I had Wireshark running in my different VLANs, and each VLAN receives a broadcast packet in that VLAN from the WOL utility in pfSense when using the correct VLAN. I also tried to use static mappings, and tried the commands from the command line: arp -s 192.168.2.254 ff:ff:ff:ff:ff:ff (and all other subnets), but when the packet is coming into VLAN5 it doesn't forward itself to the other subnets, so I'm lost here… :( Also not sure why I can't use bridging between VLANs that are internal and for my use only...

                                  What is the output of the command: arp -a 192.168.2.254
                                  It should be assigned to the VLAN2 interface. Not the physical interface.

                                  From VLAN5, to what address are you sending the WoL Magic Packet?
                                  You should be sending the WoL Magic Packet to 192.168.2.254.

                                  Re: bridge as solution. What doktornotor said.

                                  • 2chemlud Banned

                                    Bridging VLANs is like unencrypted IPsec tunnels… :-D

                                    • Cletus

                                      @NOYB:

                                      Okay, I understand the part about the bridge, but I'm only learning as I'm new to setting up VLANs. I'm an IT manager and want to understand these things when people ask me about it :) Also, it's a simple internal LAN only, so it doesn't matter in this particular case if the bridge is unsafe, but I'd rather not use the bridge and do this the proper way.

                                      So what I tried is I placed it in the ARP table via the GUI on the DHCP server (on VLAN2), or should I place it in VLAN5 (the static ARP of 192.168.2.254 - ff:ff:ff:ff:ff:ff) on the DHCP server, because it's now on VLAN2?

                                      When I issue the command arp -a 192.168.2.254 it gives:

                                      [2.2-RELEASE][root@pfsense]/root: arp -a 192.168.2.254
                                      usage: arp [-n] [-i interface] hostname
                                             arp [-n] [-i interface] -a
                                             arp -d hostname [pub]
                                             arp -d [-i interface] -a
                                             arp -s hostname ether_addr [temp] [reject | blackhole] [pub [only]]
                                             arp -S hostname ether_addr [temp] [reject | blackhole] [pub [only]]
                                             arp -f filename
                                      [2.2-RELEASE][root@pfsense]/root:
                                      

                                      When I check arp -a

                                      amongst the lines, the line below is also there.

                                      ? (192.168.2.254) at ff:ff:ff:ff:ff:ff on em2_vlan2 permanent [vlan]
                                      

                                      And when I check the ARP table in the GUI it's also in there.

                                      I'm sending the WOL packet to the MAC address of the box I want to wake up, not to ff:ff:ff:ff:ff:ff or an IP, but WOL is not connected to IP, right? It's MAC based only?

                                      • NOYB

                                        @Cletus:

                                        When I check arp -a

                                        amongst the lines, the line below is also there.

                                        ? (192.168.2.254) at ff:ff:ff:ff:ff:ff on em2_vlan2 permanent [vlan]

                                        And when I check the ARP table in the GUI it's also in there.

                                        Okay, the ARP entry looks good on VLAN2. Sorry about the bad arp -a hostname syntax. I must have gotten confused with Linux.

                                        @Cletus:

                                        I'm sending the WOL packet to the MAC address of the box I want to wake up, not to ff:ff:ff:ff:ff:ff or an IP, but WOL is not connected to IP, right? It's MAC based only?

                                        This is where the problem appears to be. Because the WoL Magic Packet is MAC based (layer 2, Ethernet) it cannot be routed from VLAN5 to VLAN2. However, this is the purpose of the special static ARP entry. If you send the WoL Magic Packet to that special IP address it should be routed to that VLAN, and since that IP address's MAC address is all f's it ends up being put out onto that subnet as an Ethernet broadcast. Clear as mud?

                                        So.  Provide the MAC address of the machine that is to be awakened to the tool, but tell the tool to send it to the special IP address (192.168.2.254).

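The approach described in the post above (give the tool the target's MAC, but address the UDP datagram to the per-VLAN IP that has the static ff:ff:ff:ff:ff:ff ARP entry), as an added example that is not code from the thread or from pfSense. The function names and the sample MAC are constructed for illustration; 192.168.2.254, the /24 subnet and UDP port 9 are the values mentioned in the thread. `extract_target_mac` can be used to check a captured payload for a magic packet.

```python
"""Added example: WoL magic packet sent via a per-VLAN "broadcast agent" IP."""
import ipaddress
import re
import socket
from typing import Optional

WOL_PORT = 9                      # UDP port 9, as seen in the thread's firewall logs
SAMPLE_MAC = "00:11:22:33:44:55"  # constructed sample MAC, not from the thread


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return 6 raw bytes."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex("".join(parts))


def build_magic_packet(mac: str) -> bytes:
    """Magic packet payload: 6 bytes of 0xFF, then the target MAC 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def extract_target_mac(payload: bytes) -> Optional[str]:
    """Find a magic packet anywhere in a captured payload; return its MAC."""
    sync = b"\xff" * 6
    start = payload.find(sync)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(sync, start + 1)
    return None


def agent_address(subnet: str, host: int = 254) -> str:
    """IP that holds the static ARP entry ff:ff:ff:ff:ff:ff in `subnet`."""
    net = ipaddress.ip_network(subnet)
    addr = net.network_address + host
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"host {host} is not a usable address in {subnet}")
    return str(addr)


def send_wol(mac: str, subnet: str, port: int = WOL_PORT) -> str:
    """Send the packet as ordinary routed unicast UDP to the agent IP."""
    dest = agent_address(subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_magic_packet(mac), (dest, port))
    return dest


if __name__ == "__main__":
    pkt = build_magic_packet(SAMPLE_MAC)
    print(len(pkt), "byte payload for", extract_target_mac(pkt))
    print("would be sent to", agent_address("192.168.2.0/24"), "port", WOL_PORT)
```

The sender only produces a normal unicast datagram; it turns into an Ethernet broadcast on the target VLAN only if the router has the static ARP entry on that VLAN's interface, as the `arp -a` output in the thread shows for em2_vlan2.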
                                        • NOYB

                                          @Cletus:

                                          I'm an IT manager and want to understand these things when people ask me about it

                                          Wikipedia has some good WoL info. Probably some good VLAN info too.
                                          http://en.wikipedia.org/wiki/Wake-on-LAN

                                          • Cletus

                                            @NOYB:

                                            Ah, it's starting to make sense to me now :)

                                            Because it's been sent to that special IP it will go to ff:ff:ff:ff:ff:ff and therefore it will be broadcast to the correct subnet, right? The tool I'm using only uses MACs and I cannot put an IP in on that remote control. But see the screenshot below. In this case I need to send it to subnet 192.168.2.255 or 192.168.2.254.

                                            This weekend I'm loaded with other obligations; I will test it out ASAP. Thanks for the dummy explanation :)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.