VLANs not working properly in pfSense

I am a noob when it comes to networking stuff but I try to learn from everything.

I got pfSense up and running and decided to create some VLANs for Guests and IOT devices. I set up the rules following the Lawrence Systems guide, but the problem is anything connected to these VLANs can get to some websites and apps, but not others. I have 2 switches and an AP, but I found it does the same thing on the core switch. I can ping the sites from the gateways of the VLANs, but the devices themselves can’t connect to the sites.

I have 2 rules for the guest, one wide open for testing and the other to block the LAN. I have the same thing for the IOT VLAN as well right now and they both have the same issue.

Are the switches configured to support the VLAN, and what is the commonality between what they can and cannot get to?

I have the switches set up to support it. Here is a picture of how it’s set up in the GUI.

Screenshot 2021-03-17 101353

VLAN 60 is Guest and 80 is IOT. I have the two other VLANs but haven’t tested them yet. The untagged port is so I could set the PVID for testing.

Guest and IOT are set to only allow the internet. Nothing else. Sites like YouTube and Google work fine, but other streaming sites like Hulu and Netflix don’t work at all. They just time out. Same with DuckDuckGo.

The other switch can see the VLANs as well as the AP. On Wi-Fi I was having the issue originally but decided to trace back to the first switch and the issue is happening there too.

I appreciate the help.

Try removing the ports (except 1) from vlan1 and see if it works. It doesn’t look right to me; you might benefit from inspecting the switch documentation on setting up VLANs. It probably requires that you follow a sequence in assigning the ports and then taking it off the default.

Thanks for the suggestion. I will take a look at the documentation for the switch after work and will post back here with the results.

So I tried messing around with the tagging and nothing changed. I believe it is correct as it pulls the VLAN IP, and I can get out to the internet; it’s just some sites won’t load with the VLAN. They just time out. On the LAN they work fine.

If your VLANs are correctly set up, the next thing you can inspect are your rules. If your LAN rules are working, copy those over and see if your internet access is working, then apply your conditions one by one.

If I understand correctly, you have a switch config problem. Each switch port should be configured to only have 1 VLAN set to untagged egress. In your readout, all ports (1-8) show VLAN ID 1 untagged egress. Then you’ve got VLAN 60 set for untagged egress on port 5, and VLAN 80 set for untagged egress on port 4. Double-check all of the VLAN configuration menus on your switches - I think there’s something unhappy there.
It would also be helpful for you to show a diagram with all switches (along with switch vendor), clients, and the router, similar to what Tom shows in his VLAN video. I don’t think you’ve provided enough info to debug the problem.
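
The rule from the post above (only one VLAN set to untagged egress per port), as an added example that is not part of the original thread: a Python check over a port/VLAN membership table. The table format and function names are assumptions; the sample rows are constructed from the readout the post describes, with tagged membership on port 1 assumed.

```python
# Added example (not from the thread); table format and names are assumptions.
from collections import defaultdict

# Constructed sample following the readout described in the thread: VLAN 1 untagged
# on ports 1-8, VLAN 60 on port 5, VLAN 80 on port 4. Tagged port 1 is assumed.
SAMPLE_TABLE = """
# vlan  untagged  tagged
1       1-8       -
60      5         1
80      4         1
"""

def expand_ports(spec):
    """Expand '1-3,5' into {1, 2, 3, 5}; '-' means no ports."""
    ports = set()
    for part in ([] if spec == "-" else spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_table(text):
    """Return {port: {'untagged': set_of_vlans, 'tagged': set_of_vlans}}."""
    ports = defaultdict(lambda: {"untagged": set(), "tagged": set()})
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        vlan, untagged, tagged = line.split()
        for kind, spec in (("untagged", untagged), ("tagged", tagged)):
            for p in expand_ports(spec):
                ports[p][kind].add(int(vlan))
    return dict(ports)

def audit(ports):
    """Flag ports with several untagged VLANs, or a VLAN both tagged and untagged."""
    findings = {}
    for port, m in sorted(ports.items()):
        issues = []
        if len(m["untagged"]) > 1:
            issues.append(f"untagged in VLANs {sorted(m['untagged'])}")
        both = m["untagged"] & m["tagged"]
        if both:
            issues.append(f"VLANs {sorted(both)} both tagged and untagged")
        if issues:
            findings[port] = issues
    return findings

if __name__ == "__main__":
    print(audit(parse_table(SAMPLE_TABLE)))
```

On the constructed sample this flags ports 4 and 5, the two ports the post singles out.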

Here is a crude diagram of how it’s laid out.

As for clients, I have an Unraid server connected directly to the first switch. All other devices are connected to the AP or second switch.

The untagged ports 4 and 5 were for testing the issue from the first switch, which is the TRENDnet. I did that so I could change the PVID of the port and force the VLAN when I connect a PC to those ports.

Everything on the UniFi switch is default other than setting up the networks. I thought that was the issue originally but I traced it back by testing with the first switch and it’s the same issue.

All of the VLANs have the exact same issue, meaning they can or can’t get to the same exact websites.

Here are my Outbound NAT rules.

I asked around in another thread here [SOLVED] VLANs not working properly in pfsense and was told to run Wireshark and Trace Route on non working sites. I found I get a connection reset or just a timeout.

Can you confirm that this isn’t a DNS issue? I’m assuming that you’re using the DNS resolver in pfSense. If you ping something like www.hulu.com from the guest or IOT networks, you should at least get name resolution to the IP address. If not, then focus debugging efforts on the DNS setup.
Rather than looking with Wireshark, you can have a look with packet capture on the pfSense box - it’s largely the same. You should be able to see the packets hitting the guest or IOT IP address on the router. Likewise, you should be able to see the packets leaving your WAN port.

I figured out what the problem is, now I just need to resolve it. It was the first switch in the loop. Unfortunately I cannot find any documentation on TRENDnet switches to set up VLANs.

I figured it out. I had to enable Jumbo Frames on the uplink port from pfSense.

Thanks for all of the suggestions everyone!