Wake on LAN to different VLAN's

Cletus

Hello!

I'm new to pfSense but i like it already! Created different VLAN's on a trunk port etc, all works fine. Some VLAN's do not route, some VLANS can see eachother. Now i have the following issue. I'm using Kodi as media player on some PC's and this can be turned on by Wake on LAN on my remote controlled app on my phone, this worked fine when the machine was in the same subnet as the phone but now i've splitted my WiFi and Ethernet into different VLAN's. Now the WOL packed doens't arrive at my machines, probably because pfSense doesn't route the packet to the correct VLAN. Is there a way to enable this? I've tried searching for Firewall rules but WOL resides in layer 2 right? (not sure if the Firewall only does layer 3) also tried to check if multicast or IGMP proxy is something i can use but not sure if this is the solution.

Google doesnt give me much ansers… Only that UDP helpers or something would help, or that there is an setting called: Subnet Directed Broadcasts is this something pfSense supports or can somebody help me with this issue?

Thanks!

Cletus

Maybe some background information would be handy, :)

I've got 3 NIC's in my pfSense machine,

1 WAN nic on DHCP
1 LAN nic which holds my old legacy LAN (192.168.1.0/24)
1 VLAN nic which hold my new network build

All are Intel NIC's and are VLAN compatible,

Created the following VLANS

VLAN2 192.168.2.0/24
VLAN3 192.168.3.0/24
VLAN4 192.168.4.0/24
VLAN5 192.168.5.0/24
VLAN6 192.168.6.0/24

Where i use VLAN2 for my clients and machine i want to wakeup is in that VLAN
VLAN5 is Wi-Fi VLAN and the device that sends the "magic packet" is in that VLAN

Both VLAN's are routeable to eachother and have communication and internet on them, phone remote control works fine when machine is power on from VLAN5 to VLAN2.

I also tried in the WEBgui of pfSense to boot the device on the WOL option in there but it does not wake up, also other devices are not waking up, only devices which are still connected to my old legacy LAN adapter will wake up.

The only thing i can't get to work is that damn WOL :(

NOYB

WoL Magic Packet is an ethernet (mac address) broadcast.

Also ARP table entries typically have very short time to live and thus expire quickly for systems that are off/stby.

Two significant factors that need to be taken into consideration when implementing a WoL scheme.

Static ARP entries can be added in Services: DHCP Server: Edit Static Mapping by selecting the "ARP Table Static Entry" checkbox.
"Create an ARP Table Static Entry for this MAC & IP Address pair."

NOYB

If you create a static ARP enter on each of the VLAN interfaces such as follows, and then send the WoL Magic Packet to the one for the subnet the target system resides on it may work.

192.168.2.254 ff:ff:ff:ff:ff:ff
192.168.3.254 ff:ff:ff:ff:ff:ff
192.168.4.254 ff:ff:ff:ff:ff:ff
192.168.5.254 ff:ff:ff:ff:ff:ff
192.168.6.254 ff:ff:ff:ff:ff:ff

When you tried with the pfSense WebGUI WoL service, did the target system have both the correct interface specified and MAC?

Cletus

Hi NOYB,

Thanks for your quick reply. I will test this out in the evening.

2 questions. Do i need static IP's on the boxes i want to wake?

Does the 192.168.2.254 imply the gateway or the IP of the box?

With this ARP static table does that mean that the WOL package on VLAN5 is automatically forwarded to VLAN2 (or whatever you say it will be?)

Strange thing is that when installing wireshark in that same VLAN i can't find a broadcast WOL package when trying this.

Will let you know.

Regards,

Cletus

So, tried out lot's of things this evening but i seem unsuccesful :(

Tried adding below addresses but do not know how to forward this then to the correct VLAN.

Also tried creating firewall rules where i forward the UDP package on port 9 to the other network but don't know if the rule is correctly setup. Also tried forwarding that package from the 255 broadcast address but also unsuccesful, PFSense is generating the WOL packets as wireshark will detect them on the same VLAN but not on others… :(

I also see them coming in on the firewall logs as destination 192.168.*.255:9 but can't seem to forward it. I'm out of idea's, googled and googles but can't get it to work. Isn't there some kind of proxy? Basically i only need to forward the WOL packets from 192.168.5.0/24 to 192.168.2.0/24

I see stuff called Multicasting or Subnet Directed Broadcast but i also read that FreeBSD doesnt support that on purpose due to security / DDoS reasons?

Any help would be greatly appreciated! :)

2chemlud

eeehm. there is a bug in 2.2 (32bit), WoL not working. You have to apply a patch manually, than it worked for me again…

https://redmine.pfsense.org/issues/4318

Cletus

Hi 2chemlud, Yes i saw that but i use the 64 bits version and that doens't have the bug :)

But i've solved it, not that hard in the end and potential security breach but it's internal home LAN anyway :)

I've created a brige between the 2 VLAN's and now the package is forwarded and it works fine! :)

doktornotor

@Cletus:

I've created a brige between the 2 VLAN's and now the package is forwarded and it works fine! :)

Sigh… no, that is certainly not a solution.

NOYB

@Cletus:

Do i need static IP's on the boxes i want to wake?

No.

@Cletus:

Does the 192.168.2.254 imply the gateway or the IP of the box?

Neither.  Think of it as a software Ethernet broadcast agent.  Anything sent to those IP addresses becomes an Ethernet broadcast (mac address ff:ff:ff:ff:ff:ff)

@Cletus:

With this ARP static table does that mean that the WOL package on VLAN5 is automatically forwarded to VLAN2 (or whatever you say it will be?)

No.  An ARP table entry, that maps IP to MAC, is typically maintained for each machine that is connected to the network and on.  Once the machine is disconnected from the network, such as by being turned off or in standby mode, the ARP table entry for that machine will expire very shortly.  Minute or so is not uncommon.  The static ARP entry keeps the IP to MAC association even when the machine is off or in stand-by mode waiting for WoL Magic Packet.

The special static ARP addresses assigned in each of the VLAN's I mentioned earlier are what should get the WoL Magic Packet to its respective VLAN.  Think of them as broadcast agents for their respective subnet.  Any thing sent to those IP addresses is then sent to MAC ff:ff:ff:ff:ff:ff within that Ethernet segment.  Which is an Ethernet broadcast.

NOYB

When trying to use the pfSense Wake on LAN utility, is the correct interface and MAC address specified for the target machine.  The interface setting must be the one for the network that the target system is on.

I would suggest focusing on getting it to work with the pfSense WegGUI utility first.  Then once that is working return to getting your external utility working.

Cletus

@doktornotor:

@Cletus:

I've created a brige between the 2 VLAN's and now the package is forwarded and it works fine! :)

Sigh… no, that is certainly not a solution.

Can you tell me why this is not a solution?

Thanks!

Cletus

@NOYB:

@Cletus:

Do i need static IP's on the boxes i want to wake?

No.

@Cletus:

Does the 192.168.2.254 imply the gateway or the IP of the box?

Neither.  Think of it as a software Ethernet broadcast agent.  Anything sent to those IP addresses becomes an Ethernet broadcast (mac address ff:ff:ff:ff:ff:ff)

@Cletus:

With this ARP static table does that mean that the WOL package on VLAN5 is automatically forwarded to VLAN2 (or whatever you say it will be?)

No.  An ARP table entry, that maps IP to MAC, is typically maintained for each machine that is connected to the network and on.  Once the machine is disconnected from the network, such as by being turned off or in standby mode, the ARP table entry for that machine will expire very shortly.  Minute or so is not uncommon.  The static ARP entry keeps the IP to MAC association even when the machine is off or in stand-by mode waiting for WoL Magic Packet.

The special static ARP addresses assigned in each of the VLAN's I mentioned earlier are what should get the WoL Magic Packet to its respective VLAN.  Think of them as broadcast agents for their respective subnet.  Any thing sent to those IP addresses is then sent to MAC ff:ff:ff:ff:ff:ff within that Ethernet segment.  Which is an Ethernet broadcast.

I had Wireshark running in my different VLAN's and each VLAN receives an broadcast package in that VLAN with the WOL utility in pfSense when using the correct VLAN. I also tried to use static mappings, tried the commands from the command line : arp -s 192.168.2.254 ff:ff:ff:ff:ff:ff (and all other subnets) but when the package is coming in into VLAN5 it doesnt forward itself to the other subnets, so i'm lost here… :( Also not sure why i cant use bridgeing between VLANS that are internal and for my use only...

doktornotor

@Cletus:

Also not sure why i cant use bridgeing between VLANS that are internal and for my use only…

You can. Considering the entire purpose of VLANs is to separate traffic, you render the VLANs just utterly pointless. Just stick both segments on the same VLAN and be done with it.

NOYB

@Cletus:

I had Wireshark running in my different VLAN's and each VLAN receives an broadcast package in that VLAN with the WOL utility in pfSense when using the correct VLAN. I also tried to use static mappings, tried the commands from the command line : arp -s 192.168.2.254 ff:ff:ff:ff:ff:ff (and all other subnets) but when the package is coming in into VLAN5 it doesnt forward itself to the other subnets, so i'm lost here… :( Also not sure why i cant use bridgeing between VLANS that are internal and for my use only...

What is output of command : arp -a 192.168.2.254
It should be assigned to the VLAN2 interface.  Not the physical interface.

From VLAN5, to what address are you sending the WoL Magic Packet?
Should be sending the WoL Magic Packet to 192.168.2.254

Re: bridge as solution.  What doktormotor said.

2chemlud

Bridging VLANs is like unencrypted IPsec tunnels… :-D

Cletus

@NOYB:

@Cletus:

I had Wireshark running in my different VLAN's and each VLAN receives an broadcast package in that VLAN with the WOL utility in pfSense when using the correct VLAN. I also tried to use static mappings, tried the commands from the command line : arp -s 192.168.2.254 ff:ff:ff:ff:ff:ff (and all other subnets) but when the package is coming in into VLAN5 it doesnt forward itself to the other subnets, so i'm lost here… :( Also not sure why i cant use bridgeing between VLANS that are internal and for my use only...

What is output of command : arp -a 192.168.2.254
It should be assigned to the VLAN2 interface.  Not the physical interface.

From VLAN5, to what address are you sending the WoL Magic Packet?
Should be sending the WoL Magic Packet to 192.168.2.254

Re: bridge as solution.  What doktormotor said.

Okay, i understand the part about the bridge, but i'm only learning as i'm new with setting up VLANs. I'm an IT manager and want to understand these things when people ask me about it :) also it's simple internal LAN only so doesnt matter in this particular case if brigde is unsafe, but i rather not use the bridge and do this the proper way

So what i tried is i placed it in the ARP table via the GUI on the DHCP server (on VLAN2) or should i place it in VLAN5 (the static ARP of 192.168.2.254 - ff:ff:ff:ff:ff:ff) on the DHCP server because it's now on VLAN2.

When i issue the command ARP -a 192.168.2.254 it gives:

[2.2-RELEASE][root@pfsense]/root: arp -a 192.168.2.254
usage: arp [-n] [-i interface] hostname
       arp [-n] [-i interface] -a
       arp -d hostname [pub]
       arp -d [-i interface] -a
       arp -s hostname ether_addr [temp] [reject | blackhole] [pub [only]]
       arp -S hostname ether_addr [temp] [reject | blackhole] [pub [only]]
       arp -f filename
[2.2-RELEASE][root@pfsense]/root:

When i check arp -a

amongst the lines below line is also there.

? (192.168.2.254) at ff:ff:ff:ff:ff:ff on em2_vlan2 permanent [vlan]

and when i check the ARP table in the GUI it's also in there.

I'm sending the WOL package to the MAC address of the box i want to wakeup, not on ff:ff:ff:ff:ff:ff or IP, but WOL is not connected to IP right? It's MAC based only?

NOYB

@Cletus:

When i check arp -a

amongst the lines below line is also there.

? (192.168.2.254) at ff:ff:ff:ff:ff:ff on em2_vlan2 permanent [vlan]

and when i check the ARP table in the GUI it's also in there.

Okay ARP entry looks good on VLAN2.  Sorry about the bad arp -a hostname syntax.  I must have gotten confused with Linux.

@Cletus:

I'm sending the WOL package to the MAC address of the box i want to wakeup, not on ff:ff:ff:ff:ff:ff or IP, but WOL is not connected to IP right? It's MAC based only?

This is where the problem appears to be.  Because WoL Magic Packet is MAC based (layer 2, Ethernet) it cannot be routed from VLAN5 to VLAN2.  However this is the purpose of the special static ARP entry.  If you send the WoL Magic Packet to that special IP address it should be routed to that VLAN and since that IP addresses' MAC address is all f's it ends up being put out on to that subnet as an Ethernet broadcast.  Clear as mud?

So.  Provide the MAC address of the machine that is to be awakened to the tool, but tell the tool to send it to the special IP address (192.168.2.254).

NOYB

@Cletus:

I'm an IT manager and want to understand these things when people ask me about it

Wikipedia has some good WoL info.  Probably some good VLAN info. too.
http://en.wikipedia.org/wiki/Wake-on-LAN

Cletus

@NOYB:

@Cletus:

When i check arp -a

amongst the lines below line is also there.

? (192.168.2.254) at ff:ff:ff:ff:ff:ff on em2_vlan2 permanent [vlan]

and when i check the ARP table in the GUI it's also in there.

Okay ARP entry looks good on VLAN2.  Sorry about the bad arp -a hostname syntax.  I must have gotten confused with Linux.

@Cletus:

I'm sending the WOL package to the MAC address of the box i want to wakeup, not on ff:ff:ff:ff:ff:ff or IP, but WOL is not connected to IP right? It's MAC based only?

This is where the problem appears to be.  Because WoL Magic Packet is MAC based (layer 2, Ethernet) it cannot be routed from VLAN5 to VLAN2.  However this is the purpose of the special static ARP entry.  If you send the WoL Magic Packet to that special IP address it should be routed to that VLAN and since that IP addresses' MAC address is all f's it ends up being put out on to that subnet as an Ethernet broadcast.  Clear as mud?

So.  Provide the MAC address of the machine that is to be awakened to the tool, but tell the tool to send it to the special IP address (192.168.2.254).

Ah it's starting to make sense to me now :)

Because it's been sent to that special IP it will go to the ff:ff:ff:ff:ff:ff and therefore it will be broadcasted to the correct subnet right? The tool i'm using is only using MAC's and i cannot put in an IP in on that remote control. But see below screenshot. In this case i need to send it to subnet 192.168.2.255 or 192.168.2.254.

This weekend i'm loaded with other obligations, i will test out asap. Thanks for the dummy explaination :)