Strange issue with specific Vlan internet connectivity

Wanted to post and see if anyone has experienced this.

I have a pfSense 2100 with a UniFi 48-port switch using a local Cloud Key. I have about 8 VLANs and they are all working. I had an issue today as I was updating new PCs for the client that I don't recall seeing. I had previously installed 2 new PCs on, let's say, VLAN2. I had no issues; they grabbed an IP and were able to get out to the internet. I was updating a few today and noticed that I could not get internet access. Same VLAN2. I could pull an IP from DHCP with the correct DNS entries but was never able to get Inet access. I tried connecting my laptop and had the same issue. I then tried connecting directly to the switch on the dedicated VLAN2 ports and had the same issue. Got an IP with correct DNS settings but no Inet. Tried with PC and laptop. I can traverse internally fine.

I believe I did an update to the switch after the initial 2 PC install but can't be certain.

So here is what I noticed.

On the switch, I can connect the PC to any other VLAN and it works. I can also change the VLAN2 ports on the switch to another VLAN and it works. Change back to VLAN2 and same issue. I can release the IP of an existing PC and renew on VLAN2, or remove/replace the cable, and it works fine. It seems any new device connecting to VLAN2 is not being allowed Inet access.

Firewall is set to allow VLAN2 traffic to all but !RFC_1918.

Router, switch and CK are all on the latest firmware.

Steps taken:

Rebooted router, switch, CK. Stopped/started the DHCP server. I am on the Kea DHCP but have had no issues. IP scope is a 26-bit mask, more than enough for my PCs. Disabled/enabled the VLAN interface. Reset TCP stacks on the PCs. NAT is set correctly, as the 2 new PCs and existing ones are working fine. VLANs are tagged correctly. Everything has been working fine. The only thing I have not done is delete the VLAN and set it back up. I also have not reverted back to the last CK backup.

Thoughts?

Thanks,
Wade

If you are blocking all RFC1918 traffic you need a rule above it to allow access to the gateway IP, as that is usually what provides DNS.

Tom,
Ty for the reply. I understand the logic of your response, but I can access the local gateway. If that were the case, none of my other networks should be able to get out either. I have the rule set as the last rule to pass and then invert on the RFC alias. I have the same rule applied to all networks but WAN/LAN and I haven't had any issues since first setup 2 years ago. It's just this one particular network all of a sudden. I will remove the alias on that network, open it up completely and see what happens. I'm leaning towards it being an issue with the interface. I can move between VLANs on the switch and have no issue, but when reconnecting back to the VLAN in question, I get the proper IP and settings, just not getting to Inet. Below is a SS of rule settings.

Thanks.
Wade

Tom,

Wanted to provide an update as I was able to locate the issue. It turned out to be NAT. I had made an update to that subnet a while back and moved from /27 to /26 on the interface. I also updated the scope in DHCP to align. After testing other Win 10 machines I thought I had narrowed it to Win 11 and the Realtek driver. The strange thing was I was able to get Inet access over Wifi on that same network. So after looking at the NAT outbound rules, I noticed that the mask for that network did not update and was still at /27. The IP ranges I would get on the new machines were above that. I thought the mask on the LAN outbound rule would have automatically updated when I changed it on the interface, but it did not. Once I changed that to /26, I was able to get Inet access. Weird issue to troubleshoot but a good learning exp.

Thanks,

Wade

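The mismatch Wade found (interface widened to /26, outbound NAT source still /27, so only leases in the lower half were translated) is easy to catch with a quick consistency check. The script below is an added example, not part of the thread or pfSense itself; the 10.0.2.0/26 subnet, the DHCP pool .10-.60 and the stale 10.0.2.0/27 NAT source are constructed values standing in for the poster's real ones.

```python
from ipaddress import ip_address, ip_network


def stale_nat_sources(interface_net, nat_sources):
    """Return NAT source networks that sit inside the interface subnet
    but no longer cover all of it (e.g. a /27 left over after a /26 change)."""
    iface = ip_network(interface_net, strict=False)
    stale = []
    for src in nat_sources:
        net = ip_network(src, strict=False)
        if net.subnet_of(iface) and net != iface:
            stale.append(str(net))
    return stale


def uncovered_dhcp_addresses(interface_net, dhcp_start, dhcp_end, nat_sources):
    """Return every address in the DHCP pool that no outbound NAT source
    matches. Hosts that receive one of these leases reach the gateway and
    internal VLANs fine but are sent to the WAN untranslated, which is the
    symptom described in the thread."""
    iface = ip_network(interface_net, strict=False)
    nats = [ip_network(n, strict=False) for n in nat_sources]
    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    if start not in iface or end not in iface:
        raise ValueError("DHCP range must lie inside the interface subnet")
    uncovered = []
    addr = start
    while addr <= end:
        if not any(addr in n for n in nats):
            uncovered.append(addr)
        addr += 1
    return uncovered


def lease_has_nat(lease_ip, nat_sources):
    """True if a given lease would be matched by some outbound NAT source.
    Explains why previously-leased machines kept working: their old
    addresses fell inside the stale /27."""
    return any(ip_address(lease_ip) in ip_network(n, strict=False) for n in nat_sources)


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: interface is /26, NAT rule still /27.
    IFACE, POOL, NAT = "10.0.2.0/26", ("10.0.2.10", "10.0.2.60"), ["10.0.2.0/27"]
    print("stale NAT sources:", stale_nat_sources(IFACE, NAT))
    missing = uncovered_dhcp_addresses(IFACE, *POOL, NAT)
    print(f"{len(missing)} pool addresses without NAT, first: {missing[0]}")
    print("old lease 10.0.2.20 translated:", lease_has_nat("10.0.2.20", NAT))
```

Run it against the real interface CIDR, DHCP pool bounds and the source networks of the Outbound NAT rules after any subnet resize; an empty result from both check functions means the rules still cover the whole pool.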