I’ve set up two VLANs on pfSense: VLAN 1 (LAN) and VLAN 2 (DHCP Clients).

We’ve been just running on VLAN 1, but now as part of our renovations and expansion we’re moving all of our client machines to VLAN 2.

The pfSense box is also acting as our DHCP server for both VLANs. VLAN 1 works without issue. The port it’s connected to has VLAN 1 as its untagged (native) VLAN, so this isn’t a surprise.

On VLAN 2, however, the clients can get IP addresses but cannot access the internet. The VLAN is tagged (trunked) on the port, so I was assuming that may be the issue.

I attempted to switch the port to a trunk with the management VLAN untagged and the two data VLANs tagged, but that blocked all traffic through the firewall (for all of the four pings it took me to reverse it). Here’s the VLAN config on the switch:

The DHCP scope on the pfSense box will give out addresses, and the clients can ping on the network, but they cannot get out to the internet. So my next thought was that it was a firewall rule for that interface, so I essentially allowed any:any:

Here is also the DHCP scope setup:

I’m still thinking it’s a problem on the switch side, as I can ping the VLAN 1 IP address from the switch but not the VLAN 2 address, though the network is in the routing table.

Ideas?

4 Spice ups

Can your DHCP clients ping the default gateway, just not the Internet? Are they getting the correct default gateway from the DHCP server? Maybe make sure the routing is correct in pfSense and there are no incorrect routing settings: System > Routing.

I have an impression that in pfSense, if you don’t use the default LAN as your LAN, then you have to add more rules in the firewall (maybe NAT too) to make your LAN able to access the internet.

I cannot remember exactly what I did before. But in the firewall rules for WAN and LAN, maybe NAT, you have to add some rules.

@Dan – yes, the clients can ping anywhere in the VLAN 1 (192.168.10.0/24) network. There are no static routes set up on the firewall at all, just the gateways.

@caigelui The LAN is technically the default VLAN; however, since the network was originally set up on that VLAN, I created a management VLAN 99 for the switches to use. Are you suggesting that should be the default VLAN for the LAN interface? I would think that I would need to do a great deal more work to get that functioning…

1 Spice up

FWIW, I followed this tutorial with a basic HP switch config (untagged plus multiple tagged VLANs) and it worked a treat. Shouldn’t matter, but I only had 1 WAN connection. If you want to post your switch config I’d be happy to take a look.

I believe you need a static route from each subnet to the Internet. That is why VLAN1 works, because it was your original VLAN (subnet) and had access to the Internet.

Check out these docs:

1 Spice up

I have a few VLANs set up on my pfSense box. I cannot confirm that a static route is needed for every VLAN to the internet.

- Internet: packets should be forwarded to the default gateway if no matching route exists.
- To internal networks: packets should be forwarded based on the route that is auto-generated when you give the interface its IP address. Locally attached networks are “known” to pfSense.

Therefore you should only need additional routes if you need to send packets to a network pfSense does not know about and that is not reachable via the default gateway.

I noticed 3 things that might be a problem:

- Your firewall rule for VLAN 2 has allow any TCP set. You might want to allow ANY protocol for testing.

- I never mix untagged and tagged frames on one interface in my setup. All connected internal networks are tag-based in my setup. So in your example it would be on the switch: VLAN 1: tagged, VLAN 2: tagged. It could be that using an interface as untagged and adding tagged VLANs to it in pfSense breaks some functionality. I don’t know for certain, just a wild guess.

- I don’t know about your type of switch (I only use ProCurve stuff). But I spotted “IP routing”. Is your switch maybe doing things with IP packets it should not?

Sidenote:
If you use ProCurve switches, “trunking” does NOT mean the same as in Cisco speak. ProCurve “trunking” refers to bundling interfaces together. You just need to tag and untag ports and disable “trunking” on them if you don’t plan on bundling interfaces together.

As far as I recall I didn’t have to do anything fancy; it “just worked” after setting up the tagged interfaces (including IP address assignment) and firewall rules.

@DerBachmannRocker The switch is an HP 5406zl; I use the “trunking” language because I am by default more of a Cisco guy. The port involved has VLAN 2 tagged and VLAN 1 untagged.

The “ip routing” you see in the screen capture is because I used the command `show running-config | begin ip routing`. Since there’s nothing in the routing section of the configuration, the VLAN configuration is listed next, which is essentially an easy way of displaying what I want without all the extras.

All the networks that I’m sending and receiving traffic for on the pfSense box are “local”, and yes, there are auto-generated routes, and traffic is flowing between the firewall and switch, so I’m not really certain that it’s a routing issue per se.

I attempted to have both VLAN 1 and 2 tagged but that caused all traffic to the firewall to stop.

There is a default route on the switch for all traffic going to the internet to go to the firewall through its VLAN 1 IP address (0.0.0.0/0 192.168.10.250). I think the suggestion about the firewall rule is a good one; I was testing with ICMP packets and that rule likely dropped them…

So I have to admit my stupidity… I now realize that the problem was exactly what DerBachmannRocker said: the rule was too restrictive. It wasn’t that I couldn’t see the internet, it was that DNS is UDP, and thus all DNS requests were being dropped. It wasn’t that I couldn’t see the switch from the client, it was that the ICMP packets were being dropped…

It is now working, thank you all for your assistance.

1 Spice up
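As an added illustration of the root cause found above (not code from any poster in this thread): a small first-match, default-deny rule evaluator modelled on how pfSense processes interface rules, showing that a “pass any TCP” rule on the VLAN 2 interface passes web traffic but silently drops DNS (UDP/53) and ICMP, while a “pass any protocol” rule passes all three. The VLAN 2 subnet 192.168.20.0/24 and the 203.0.113.x destinations are constructed sample values; only 192.168.10.250 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dport: Optional[int] = None   # None = any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # ICMP has no port

def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules: list, pkt: Packet) -> str:
    """Rules are checked top to bottom; the first match wins.
    With no match, the interface's implicit default block applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"

VLAN2_NET = "192.168.20.0/24"        # constructed; the thread never gives VLAN 2's subnet

# The overly restrictive rule from the thread versus the fix suggested in it.
TCP_ONLY = [Rule("pass", "tcp", VLAN2_NET, "any")]
ANY_PROTO = [Rule("pass", "any", VLAN2_NET, "any")]

SAMPLE = {   # constructed traffic a VLAN 2 client would generate while "browsing"
    "dns":   Packet("udp",  "192.168.20.25", "203.0.113.53", 53),
    "icmp":  Packet("icmp", "192.168.20.25", "192.168.10.250"),  # ping the firewall
    "https": Packet("tcp",  "192.168.20.25", "203.0.113.80", 443),
}

def verdicts(rules: list) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}
```

With `TCP_ONLY`, only the HTTPS packet passes, so name resolution fails before any TCP connection is even attempted, which is what looked like “no internet” from the client.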

We have the same problem. Maybe you can help me :) I allow ANY protocol and still my PC connected to the VLAN cannot ping the internet.