Port 80 open on VLAN

I finally broke down and got a TP-Link SG108E Smart Switch that allows me to create VLANs, and I managed to fumble my way into successfully creating a VLAN on my network. I did this primarily to put all my IoT devices on, but what I’m trying to first resolve is the inability to reach a webserver that I set on my VLAN, which runs on a Raspberry Pi.

Currently, I have a Private LAN of 192.168.1.1. The VLAN I created is 192.168.69.1 with pfSense configured as the DHCP with an IP Range of 192.168.69.100 to 192.168.69.200.

Below are my Firewall Rules:

Below is my TP-Link VLAN Port Settings:

When I connect the Raspberry Pi into Port 7 on the TP-Link SG108E it successfully gives it the 192.168.69.100 ip address and I’m able to ping it from my Private LAN.

When I try to access my webserver, it doesn’t load the page at all. I’m really unsure how to troubleshoot this and suspect that maybe my issue lies in Port 80 needing to be open, but am not entirely sure. Any help would be greatly appreciated!

Your first firewall rule to allow DNS to the PFSense needs to be UDP not TCP.

After this, enable logging for your third rule (Edit Rule, and then check the box for Log under Extra Options), and then watch the logs (Status > System Logs > Firewall) as you try to connect to it. If you don’t see it in the log then also enable logging of the default drop rule (gear icon to the upper right of the firewall logs, then enable “Log packets matched from the default block rules in the ruleset”). If you still don’t see it, then it isn’t being blocked by the firewall (or maybe is being blocked by some rule you haven’t shared a screenshot of), which generally means you are doing something else wrong that isn’t related to firewall rules.
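To make the "watch the logs" step concrete, here is an added example (not from this thread, and not pfSense's own code) that parses pfSense firewall log lines and pulls out the entries that blocked traffic to the webserver's address and port. The field order follows pfSense's documented filterlog CSV layout (common header, then IPv4 or IPv6 fields, then TCP/UDP ports); the three log lines, the interface names and the rule/tracker numbers are constructed for illustration.

```python
"""Find pfSense filterlog entries that block traffic to a given host:port.

Field positions follow the pfSense filterlog CSV format; the sample lines
are constructed and do not come from the thread's screenshots.
"""
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: a blocked TCP SYN from LAN to the Pi's port 80, an
# allowed ICMP echo request, and a blocked UDP DNS query from the IoT VLAN.
SAMPLE_LOG = """\
Mar 11 10:15:02 pfSense filterlog[68123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,13371,0,DF,6,tcp,60,192.168.1.50,192.168.69.100,51234,80,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 11 10:15:03 pfSense filterlog[68123]: 73,,,1584000001,igb1,match,pass,in,4,0x0,,64,13372,0,none,1,icmp,84,192.168.1.50,192.168.69.100,request,1,23
Mar 11 10:15:04 pfSense filterlog[68123]: 5,,,1000000103,igb1.69,match,block,in,4,0x0,,64,13373,0,none,17,udp,61,192.168.69.100,8.8.8.8,41002,53,41
"""

# The syslog prefix varies; everything after "filterlog[pid]: " is the CSV body.
PREFIX = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


@dataclass
class Entry:
    rule: str
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for lines that are not filterlog records."""
    m = PREFIX.search(line)
    if not m:
        return None
    f = next(csv.reader([m.group("csv")]))
    # Common header: rule, sub-rule, anchor, tracker, interface, reason,
    # action, direction, ip-version
    if len(f) < 9:
        return None
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    if ipver == "4":
        # IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":
        # IPv6: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    sport = dport = None
    # TCP and UDP records continue with source-port, destination-port, ...
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    return Entry(rule, tracker, iface, action, direction, proto, src, dst, sport, dport)


def parse_filterlog(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def blocked_to(entries: List[Entry], dst: str, port: int) -> List[Entry]:
    """Entries where the firewall blocked traffic to dst:port."""
    return [e for e in entries if e.action == "block" and e.dst == dst and e.dport == port]


def explain(e: Entry) -> str:
    """One-line summary; the tracker id is what the firewall rule editor shows."""
    return (f"rule {e.rule} (tracker {e.tracker}) {e.action}ed {e.proto} "
            f"{e.src}:{e.sport} -> {e.dst}:{e.dport} {e.direction} on {e.iface}")


if __name__ == "__main__":
    for e in blocked_to(parse_filterlog(SAMPLE_LOG), "192.168.69.100", 80):
        print(explain(e))
```

If this prints nothing for your own log export while the page still fails to load, the firewall is not what is dropping the request, which is exactly the conclusion the reply above draws; the interface and tracker fields tell you which rule and which VLAN interface matched when it is.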

Thank you for replying!

I changed the first rule to allow DNS to UDP from TCP as suggested.

I also enabled logging for the third rule and attempted to reach the webserver and didn’t see anything in the Status > System Logs > Firewall (Albeit, I have literally no idea what to look for here). I went in to enable the “Log packets matched from the default block rules in the ruleset” but it was already enabled.

One thing I did notice when I connected my Laptop to the VLAN network was I couldn’t reach any websites at all. I’m not sure what’s going on there and think it very well may be related.

With your laptop in the VLAN, do these tests, and report the result:

  1. “ping 8.8.8.8”
  2. “nslookup google.com” - copy the entire output
  3. “ping google.com”

A bit tricky to troubleshoot your setup, but it looks like you need to have fewer rules rather than more; it’s exactly how I started out, and then it wasn’t easy to work out what was going wrong. The approach I finally ended up with was to define several VLANs by their subnet (ISP-192.168.20.0, IoT-192.168.60.0, etc.) and put these in an alias. Then in the rules I refer to the alias and either allow or reject. Once you have the VLANs set up, just add devices and make sure you can ping between networks. If that works, then apply rules to manipulate the traffic as required. Just take it step by step.

Here are the results for all of those commands.

“ping 8.8.8.8”:
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 43ms, Average = 35ms

“nslookup google.com”:
Server: UnKnown
Address: 192.168.69.1

Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:4009:80e::200e
172.217.9.78

“ping google.com”:
Ping statistics for 172.217.9.78:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 36ms, Average = 34ms

I did now notice that I can reach websites while connected to the VLAN, I’m stumped as to why it wasn’t working in my initial testing.

I just wanted to also add the fact that I have port 80 forwarded for the Raspberry Pi Webserver. Not entirely sure it’s needed but I am trying to make this Webserver accessible on my network and on the internet.

Here is a glimpse at the rule for this Port Forward:

Alright, possibly before your computer was trying to use a different DNS server which you had blocked. Windows sometimes doesn’t seem to get a new IP via DHCP, I think it happens because it recognizes the gateway’s MAC hasn’t changed when moving between networks and therefore thinks what it has is fine. Even though that’s wrong in a case where moving to a different VLAN means everything changed except the gateway’s MAC.

Anyway, do you still have your other issue of not being able to reach the webserver? If so, please tell us more about the situation. The webserver is in the new VLAN? Can you access it from within the VLAN using its local IP? Can you access it from your LAN using its local IP? Do you have a port forward set up for it?

I managed to figure it out! While investigating some things you said I found that the Raspberry Pi was getting an IP address of 192.168.69.101, despite the range supposedly starting out at 192.168.69.100 to 192.168.69.200. So I’m thinking it’s me not understanding how an IP range works (i.e. if I wanted the first device connected to get the .100, I should have started the range @ 192.168.69.99 on the switch) or this switch is doing its own thing, and with me being a complete noob at all this, I’d say it’s the former :slight_smile:

I really appreciate your help brwainer! Thank you so much!

The point of the DHCP range is it should only be used for devices where you don’t really care what IP they have, you just want them to have internet. For something like a webserver you should either create a static/reserved lease, which ties a MAC to an IP, or program the device to use a static IP which means it won’t use DHCP at all. Static lease is done via PFSense, static IP is done on the device itself. Either way it should be outside of the DHCP range.
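As an added example (not from this thread, and not pfSense code), the following check enforces the rule in the last reply: every static reservation for the VLAN must sit inside the subnet but outside the dynamic pool, must not collide with the gateway, network or broadcast address, and no two reservations may share an IP or a MAC. The subnet is assumed to be 192.168.69.0/24 with the thread's pool of .100 to .200; the hostnames and MAC addresses are constructed placeholders.

```python
"""Sanity-check a VLAN's DHCP pool against its static reservations.

Subnet/pool values mirror the thread (192.168.69.0/24 assumed, pool .100-.200);
hostnames and MACs are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Reservation:
    hostname: str
    mac: str
    ip: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbcc...; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_dhcp_config(subnet: str, gateway: str, pool_start: str, pool_end: str,
                      reservations: List[Reservation]) -> List[str]:
    """Return a list of problems; an empty list means the layout is consistent."""
    net = ipaddress.ip_network(subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems: List[str] = []

    # The pool itself must be a valid range inside the subnet, not covering the gateway.
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    if start not in net or end not in net:
        problems.append(f"pool {pool_start}-{pool_end} is not inside {net}")
    if start > end:
        problems.append(f"pool start {pool_start} is after pool end {pool_end}")
    if start <= gw <= end:
        problems.append(f"gateway {gateway} lies inside the dynamic pool")

    seen_ip, seen_mac = {}, {}
    for r in reservations:
        ip = ipaddress.ip_address(r.ip)
        mac = normalize_mac(r.mac)
        if ip not in net:
            problems.append(f"{r.hostname}: reserved {r.ip} is not inside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{r.hostname}: {r.ip} is the network or broadcast address")
        elif ip == gw:
            problems.append(f"{r.hostname}: {r.ip} is the gateway address")
        elif start <= ip <= end:
            # This is the case from the thread: a "static" host that the pool can also hand out.
            problems.append(f"{r.hostname}: reserved {r.ip} is inside the dynamic pool "
                            f"{pool_start}-{pool_end}")
        if ip in seen_ip:
            problems.append(f"{r.hostname}: duplicate IP {r.ip} (also {seen_ip[ip]})")
        if mac in seen_mac:
            problems.append(f"{r.hostname}: duplicate MAC {mac} (also {seen_mac[mac]})")
        seen_ip.setdefault(ip, r.hostname)
        seen_mac.setdefault(mac, r.hostname)
    return problems


if __name__ == "__main__":
    # Constructed layout: the webserver reserved below the pool, a second host inside it.
    found = check_dhcp_config("192.168.69.0/24", "192.168.69.1",
                              "192.168.69.100", "192.168.69.200",
                              [Reservation("pi-web", "B8:27:EB:00:00:01", "192.168.69.10"),
                               Reservation("sensor", "b8-27-eb-00-00-02", "192.168.69.150")])
    for p in found:
        print("PROBLEM:", p)
```

Run it against the reservations you have entered under Services > DHCP Server; anything it reports as "inside the dynamic pool" is a host whose address the pool can also lease to someone else, which is the mismatch the thread ran into.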