Some devices no internet access (VLAN)

ricoooww

I've setup a pfsense firewall with 2 physical network apdaters.

1 = WAN
2 = LAN

On the LAN interface I have added three VLANs.
VLAN 2 = Home - without captiveportal (172.20.0.0 network)
VLAN 3 = Guest - with Captiveportal (172.21.0.0 network)
VLAN 99 = Test (172.0.0.0 network)

The Accesspoint has for each VLAN one wifi SSID.

When I connect with my Samsung Galaxy S6 device and computers/laptops to one of the three networks, everything works fine. Get the correct IP and the device is successfully connected to the internet. I can browse and ping.

When I connect with a Galaxy S3 mini or Galaxy S3 device to the Guest network of the AP, I get the correct IP but I didn't have internet connection. When I go to the webbrowser and try to browse to google.com, I get the error: this page is not available. Then I go browse to the IP-address of Google ( 8.8.8.8 ) the smartphone tries to refer the CaptivePortal, but it does not.

For the other networks the same problem on the Galaxy S3 (mini) device.

The Galaxy S3 cache is wiped and the phone is restored to the default factory settings.

The same problem with a vm in vmware with a bridged network card. The host works fine, but the vm doesn't. Get the correct IP but no captive portal or internet access.

Anyone a idea?

P.S. Sorry for bad English. I'm a dutch guy.

jahonix

Your VLANs are used in ofSense as separate interfaces, probably Lan, Opt1 and Opt2, right?
Do you have firewall rules allowing traffic for all those separate interfaces?

ricoooww

@jahonix:

Your VLANs are used in ofSense as separate interfaces, probably Lan, Opt1 and Opt2, right?
Do you have firewall rules allowing traffic for all those separate interfaces?

Thanks for your reply Chris.

All of the VLAns used a separate interface, see attach Separate interfaces.
For the VLAN's 2 and 3 I have addedd the following rules to the Firewall, see attaches Vlan2 and Vlan3.

As you can see, DNS, HTTP and HTTPS is forwarded on the Guest (Vlan 3) network. On the home (Vlan 2) network, all ports are forwarded.

![Firewall vlan3.png_thumb](/public/imported_attachments/1/Firewall vlan3.png_thumb)
![Firewall vlan3.png](/public/imported_attachments/1/Firewall vlan3.png)
![Firewall Vlan2.png_thumb](/public/imported_attachments/1/Firewall Vlan2.png_thumb)
![Firewall Vlan2.png](/public/imported_attachments/1/Firewall Vlan2.png)
![separate interfaces.png_thumb](/public/imported_attachments/1/separate interfaces.png_thumb)
![separate interfaces.png](/public/imported_attachments/1/separate interfaces.png)

jahonix

Avoid tagged and untagged traffic on the same interface (RE0_Family & RE0_VLAN2_Family).
Keep it simple, start with a wildcard rule first and make sure it works. Add rules as needed then.

On which pfSense version are you (looks like beta, right)?

@Rico:

I've setup a pfsense firewall with 2 physical network apdaters.

How do you manage RE0_Family and RE1_guest and WAN then?

ricoooww

pfSense version is: 2.2.6-RELEASE

The RE_1_Guest is not in working, no cable plugged.
WAN: For the firewall, I have a temporarily network, this network is default by the provider (192.168.3.0), in the future after tests I'll place the firewall on the front of the network.

How can I avoid tagged and untagged traffic on the same interface?

But it's weird that the Galaxy S6 works fine as well as computers and laptops.

The Galaxy S3 gets the right IP-address as well as DNS-address. In the DHCP leases, I see a lease for this device.

Sorry for my bad English too.

ricoooww

Reload the captive portals did the trick.
All of the cliënts has a network connection.

Thanks for your time.