
I have a firewall (pfSense). I have a managed switch (TP-Link TL-SG108E). I have a wireless access point (TP-Link TL-WA801ND).

The firewall (Pfsense) has 1 Ethernet port with four sub interfaces.

  1. em0.10 disabled - will be DHCP client after testing
  2. em0.20 192.168.0.1/25 (Network 192.168.0.0/25 [126 host addresses])
  3. em0.30 192.168.0.129/25 (Network 192.168.0.128/25 [126 host addresses])
  4. em0.40 disabled - will be 10.0.0.1/30 (Network 10.0.0.0/30 [2 host addresses]) after testing

The managed switch (TL-SG108E) is configured to operate on 4 corresponding 802.1Q VLANs:

  1. VLAN 10 (INTERNET)
  2. VLAN 20 (PRIVATE)
  3. VLAN 30 (GUEST)
  4. VLAN 40 (PUBLIC)

The wireless access point (TL-WA801ND) is set to Multi-SSID mode with VLANs enabled. There are two SSIDs configured:

  1. SSID-Private - VLAN 20
  2. SSID-Guest - VLAN 30

Here is a list of hardware plugged into the 8 port managed switch (TL-SG108E):

  1. unplugged - will plug in modem after testing
  2. Firewall (Pfsense)
  3. Wireless access point (TL-WA801ND)
  4. Router with successful internet connection.
  5. PRIVATE vlan hosts
  6. PRIVATE vlan hosts
  7. PRIVATE vlan hosts
  8. unplugged - will plug in web server after testing

Here are the VLAN settings for each of the ports on the managed switch (TL-SG108E):

  1. PVID 10 | VLANs: [10-untagged]
  2. TRUNK - PVID 1 | VLANs: [10-tagged], [20-tagged], [30-tagged], [40-tagged]
  3. TRUNK - PVID 1 | VLANs: [20-tagged, 30-tagged]
  4. PVID 20 | VLANs: [20-untagged]
  5. PVID 20 | VLANs: [20-untagged]
  6. PVID 20 | VLANs: [20-untagged]
  7. PVID 20 | VLANs: [20-untagged]
  8. PVID 40 | VLANs: [10-untagged]

Firewall rules have been set to allow all traffic among all interfaces for testing. I'll lock it down after I figure out how to enable Internet access to my guest SSID.

The hosts on the private network (VLAN 20 192.168.0.0/25) have Internet access and hosts on the guest network (VLAN 30 192.168.0.128/25) do not. The Internet facing router is providing DHCP addresses ending in 50-99 to the private subnet and the firewall (Pfsense) is providing DHCP addresses ending in 150-199 to the guest subnet.

I guess it could be NAT, firewall rules, DNS, or something else but I'm thinking it's probably a misconfiguration on my managed switch - but I'm not sure.

Are there any experts in the house?

  • What does it give you under (status > interfaces) for the virtual interface em0.30? Does it show it as up and moving traffic? Also, only the first interface designated as LAN gets default rules. You may just need to set up a default guest access rule under firewall > rules > whatever you named em0.30. Commented Mar 2, 2018 at 3:18
  • em0.30 is showing in/out packets as 3325/1077. I have the same firewall rule set on both em0.20 and em0.30, which is Proto=IPv4, Source=*, SPort=*, Destination=*, DPort=*, Gateway=*, Queue=none, Schedule=(none), Description=(none). Commented Mar 2, 2018 at 5:56
  • Which device is configured to act as the NAT for the Guest network? What is the private (LAN-side) IP address of that NAT gateway? When the firewall serves DHCP to the Guest network, what default gateway IP address is it telling those guest devices to use? – Spiff Commented Mar 2, 2018 at 19:56
  • I have a router (Buffalo AirStation N300 with DD-WRT) 192.168.0.2 plugged into the switch at port 4 (VLAN 20). I assumed it did NAT for all the traffic, but maybe it's only providing NAT for the 192.168.0.0/25 subnet. I guess I should also check the pfSense firewall to see if it has any NAT going on as well. Would it be best to set up NAT for all the internal networks on the DD-WRT router, or just add NAT settings for the guest network on the firewall? I don't have much experience setting up NAT rules, especially for multiple VLANs. Commented Mar 2, 2018 at 21:13
  • You would let pfSense (the h/w firewall) handle NAT. On DD-WRT you go to setup > basic setup > connection type: disable, and security > SPI firewall: disable. This will turn it into true AP mode (no routing). I'm not 100% on TP-Link's definition of a PVID. I looked at a setup guide for that switch using VLANs and PVIDs and it looked like it was for default port/VLAN mapping, and it looked like they were matching PVID with VLAN. I'm using a very similar setup with my pfSense installations. I used Cisco Small Business switches though, and just plain port-VLAN mappings. Commented Mar 2, 2018 at 21:36

2 Answers

Answer 1 (score 1)

OK, no diagram needed. The answer to your question is in your last comments.

The reason the second subnet has no access is because pfSense doesn't actually have Internet access. You have your DD-WRT ISP connection plugged into VLAN 20, which means that DD-WRT is most likely serving DHCP and putting itself as the gateway to all clients.

According to pfSense there is no Internet connection. This is because VLAN 20 is a LAN interface, not a designated WAN interface. Clients need to have DHCP from pfSense pointing to pfSense as their gateway (because it will be doing both routing and NAT for all virtual LAN interfaces).

So here is what you need to do:

Choose two new subnets for VLANs 20 & 30.

I personally use Class A private ranges that match the VLAN they are associated with.

The reason you may want to do this will be apparent after the example.

Example:

VLAN-10 = WAN (untagged on port-10) [em0.10 DHCP WAN will be in the 192.168.0.0 /25]
(Later it will be the public IP from your ISP)

VLAN-20 = 10.10.20.0 /24 (Private LAN) [em0.20 IP=10.10.20.1 /24]

VLAN-30 = 10.10.30.0 /24 (Guest LAN) [em0.30 IP=10.10.30.1 /24]

VLAN-40 = 10.10.40.0 /24 (Extra LAN) [em0.40 IP=10.10.40.1 /24]

I usually do this for simplicity; sometimes it's easier to troubleshoot IP/VLAN issues on the LAN if you can look at the IP and immediately know what VLAN it belongs to. But if you already have drive shares and other things set up, I would understand leaving your current scheme as is.

Plug your LAN-side Ethernet from the DD-WRT router into port 1 (VLAN 10), go to your web interface and enable em0.10, give it a sec, then check under status > interfaces and see if the WAN connection has retrieved an IP address.

All LAN interfaces at this point should have access to the ISP, as long as you have default rules set up.

Now set up DHCP pools for the pfSense virtual LAN interfaces. I would recommend at this stage taking a computer set up for DHCP and plugging it into each individual VLAN on the switch except for 10. Make sure you're getting DHCP from pfSense on each interface and make sure they each now have a connection to the Internet.

When you are ready to ditch the DD-WRT router, just remove it and put an Ethernet cable from the ISP going straight to the switch on port 1, refresh the WAN interface DHCP lease and you should be good to go.

Let me know if you have issues.

Answer 2 (score 0)

Thanks for all the ideas Tim. But what I ended up doing was this:

On Pfsense, I created a Gateway 192.168.0.2 (DD-WRT's LAN port address) and assigned it as the default gateway for the private interface.

I enabled automatic NAT (which I guess just translates the loopback and guest subnet addresses to the firewall's private interface address 192.168.0.1).

I thought that I could utilize pfSense's DNS servers (system > general setup > DNS server settings) for the guest subnet by enabling either the DNS forwarder service or DNS resolver service, and setting up pfSense's DHCP server service to assign pfSense's guest subnet IP address 192.168.0.129 as the DNS server for guest network hosts.

But because either (1) I misconfigured something again or (2) I didn't wait long enough for the settings to apply, I disabled both the DNS forwarder and DNS resolver services and just set up the DHCP service to explicitly assign my private DNS servers to the guest subnet.
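Both answers come down to what pfSense's routing table and outbound NAT do with a guest packet, so here is an added example (not code from either answer or from the pfSense project) that resolves a packet the way the FreeBSD kernel under pfSense does, longest-prefix match followed by outbound NAT on the egress interface, against the three configurations on this page: the question's state (two connected LAN subnets and no WAN, hence no default route), the first answer's layout (DD-WRT moved to VLAN 10, em0.10 as WAN, LANs renumbered to 10.10.<vlan>.0/24) and the second answer's layout (default gateway 192.168.0.2 configured on the LAN interface em0.20). Assumptions: the em0.10 lease is taken to be 192.168.0.60 from DD-WRT's 50-99 pool, the route entries are modelled as plain dictionaries, and NAT is reduced to "rewrite the source to the egress interface's address". It also reports overlapping prefixes, which is why the first answer renumbers the LANs before putting a 192.168.0.0/25 lease on em0.10.

```python
import ipaddress


def route(prefix, iface, gateway=None):
    """One routing-table entry: destination prefix, egress interface, optional next hop."""
    return {"prefix": ipaddress.ip_network(prefix), "iface": iface,
            "gateway": ipaddress.ip_address(gateway) if gateway else None}


def lookup(table, dst):
    """Longest-prefix match: the most specific entry containing dst wins, default route last."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def forward(table, nat, src, dst):
    """Where pfSense would send a packet and what source address it would leave with.
    `nat` maps an egress interface to the address outbound NAT rewrites the source to."""
    r = lookup(table, dst)
    if r is None:
        return {"result": "no route"}          # nothing matches: packet is dropped
    return {"result": "forwarded", "iface": r["iface"],
            "next_hop": str(r["gateway"] or dst),
            "src_after_nat": nat.get(r["iface"], src)}


def overlaps(prefixes):
    """Pairs of prefixes that overlap; two interfaces in overlapping subnets cannot be routed sanely."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# 1. The question's state: only connected routes, no WAN interface, so no default route at all.
QUESTION = [route("192.168.0.0/25", "em0.20"), route("192.168.0.128/25", "em0.30")]

# 2. First answer: DD-WRT's LAN cable on VLAN 10, em0.10 leased by DD-WRT (assumed 192.168.0.60)
#    with 192.168.0.2 as its gateway; LAN VLANs renumbered to 10.10.<vlan>.0/24.
ANSWER1 = [route("0.0.0.0/0", "em0.10", gateway="192.168.0.2"),
           route("192.168.0.0/25", "em0.10"),
           route("10.10.20.0/24", "em0.20"),
           route("10.10.30.0/24", "em0.30"),
           route("10.10.40.0/24", "em0.40")]
ANSWER1_NAT = {"em0.10": "192.168.0.60"}     # assumed WAN lease, outbound NAT on the WAN only

# 3. Second answer: default gateway 192.168.0.2 on the LAN interface em0.20, so automatic
#    outbound NAT rewrites guest sources to em0.20's own address 192.168.0.1.
ANSWER2 = [route("0.0.0.0/0", "em0.20", gateway="192.168.0.2")] + QUESTION
ANSWER2_NAT = {"em0.20": "192.168.0.1"}


if __name__ == "__main__":
    print("question:", forward(QUESTION, {}, "192.168.0.150", "8.8.8.8"))
    print("answer 1:", forward(ANSWER1, ANSWER1_NAT, "10.10.30.150", "8.8.8.8"))
    print("answer 2:", forward(ANSWER2, ANSWER2_NAT, "192.168.0.150", "8.8.8.8"))
    print("overlap if em0.10 kept 192.168.0.0/25 next to em0.20:",
          overlaps(["192.168.0.0/25", "192.168.0.0/25"]))
```

In the question's state the guest packet has no route, which is the first answer's diagnosis. In the second answer's layout it is forwarded, but it leaves through em0.20 rewritten to 192.168.0.1, so guest traffic re-enters the private VLAN with pfSense's own address on it; that is the behaviour the comments below object to, because the private hosts never see it as guest traffic and the VLAN separation buys nothing. In the first answer's layout the same packet leaves through em0.10 towards 192.168.0.2 with the WAN address as source, while inter-VLAN traffic such as 10.10.20.5 to 10.10.30.7 is routed without NAT and can be filtered per interface.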

  • And they tell you in many pfSense forums not to use gateways on private networks. Pffffft, amateurs! Commented Mar 3, 2018 at 16:55
  • You have pfSense routing nothing then, and I now have no idea what you are trying to do. It's neither a firewall nor a router in this configuration. The reason they tell you not to do things like this is because you seem to be trying to use a security appliance as some sort of bridge; it's a router. And without it acting as such there will be NO security: no traffic rules for the VLANs, and really no benefit to using VLANs. Most likely you will have trouble with it later, and possibly expose your clients to the wild. Commented Mar 3, 2018 at 17:46
  • I figured I'd learn how to get an Internet connection working on the WiFi-only guest VLAN. Then I'll know how to allow Internet for the other VLANs. DD-WRT is routing between the Internet and the private network, and pfSense will be routing among the 4 VLANs when the router is replaced. Now I plan to enable VLANs 10 & 40 and set up firewall rules: 1) allow one-way outbound Internet access from VLANs 20 and 30; 2) allow 2-way Internet access on VLAN 40 for the web server, only port 80 or 443 inbound; 3) block anybody from VLAN 20; 4) block everybody except private hosts from the guest network. Commented Mar 3, 2018 at 18:15
  • The only reason I posted this question was to get help enabling Internet access to the guest network. I figured I could do the rest if I could just get help with this piece of the puzzle. You gave me some really good suggestions and actually helped a lot, so thank you. Commented Mar 3, 2018 at 18:18
  • The way you get it working properly is in the instructions I wrote last night. When you have your connection going to VLAN 10 and pfSense routing the VLANs, it's as simple as going to that interface in firewall > rules. And if you don't want connections to the other VLANs right now, just leave a block-all rule on that virtual interface. This really shouldn't be difficult. But you definitely DON'T want pfSense bridging VLANs; that's more of a hack and it won't leave you with traffic control. Commented Mar 3, 2018 at 18:21
