vlan routing

Question, Answered, Updated 5 years ago
Right now I've got two VLANs set up:

vlan 1 (default) (10.0.1.x)
vlan 20 (faculty)(10.0.2.x)

I currently have 2 ssids:
WolfPack PSK which uses vlan 1
Faculty which uses vlan 20

Currently, I can access both ssids and get an IP address in the range I expect.
When I am on the wolfpack ssid using the default vlan, I have complete, unfettered access to all internet services (http/https/smtp/etc). However, when I join the Faculty ssid, I receive an IP in the 10.0.2.x range but only have access to http on port 80...no 443, no email. Nothing other than plain web browsing.

My AP330s are connected to a pair of AeroHive SR2024 switches, which in turn are connected to HP Procurve 2848 switch which is acting as the default gateway at IP 10.0.1.3.

The HP Procurve then forwards traffic on to a PFsense firewall/router at 10.0.1.1 which also has our outside IP.

I'm a complete novice at routing and VLANs (but somebody has to do it). If I do a port scan of the Procurve at 10.0.1.3 (or at 10.0.2.1, which is its IP on the faculty VLAN), I see that only ports 23, 80, 1506, and 1513 are open.

If I port scan my pfSense box at 10.0.1.1 (my firewall/router for the external IP), I see that 80, 443, etc. are open.

This feels to me like a firewall routing problem, but if so, I don't understand why everything on the default vlan flows as expected but traffic on vlan 20 is severely blocked.

Anybody have any ideas? I am genuinely stumped.

Christopher
Christopher Tawes
Posted 5 years ago
Abby S, Employee
heya Chris - there are a few more things I recommend we check first. First thing - doing a port scan of a specific host, such as your Procurve at 10.0.1.3, will only give you the ports open *to* that device (so it allows management via telnet, HTTP, and I think the 1506 is one of the NTP ports or something like that). So let's take a step back.

In your Aerohive config - did you happen to use any of the stateful firewall capabilities available to you in HiveOS? For example, choosing "Internet Only" or "Guest Access" when creating the Faculty SSID? Could you possibly post your configuration from one of the APs here (don't worry, all passwords are already obscured in the config)?

If there is no firewall on in HiveOS, let's move to the ProCurve. Is the Procurve also doing the DHCP? Is it the default gateway for VLAN 20 also? Do you have any sort of configuration on the procurve that may be limiting access to HTTP only?

Third thing to check - on the firewall itself, let's make sure there isn't a rule in place blocking traffic except on port 80. It's been a while since I've touched pfsense, but I think there should be a Logs tab that shows if packets are being dropped. Depending on the version you're running, if you see a log where traffic was dropped, it may even be able to display which rule is blocking it.

Start with those three ideas and if those don't work, let's get a little more info and we can continue troubleshooting :-)
Christopher Tawes
Thanks for the response, Abby.

As far as I can tell, I do not have any stateful firewall settings enabled. I checked over both SSIDs (Wolfpack-PSK with Default User Profile/VLAN 1 and Faculty with Faculty User Profile VLAN 20) and every single configuration option, except for the VLAN number, is identical.

DHCP is being provided by my MacServer at 10.0.1.251. It is providing DHCP for the default vlan (10.0.1.x) and VLAN 20 (10.0.2.x). It appears to be functioning normally as I get a valid ip in the range I expect when I connect to each SSID.

I'll check for a pfsense log now.

By the way...for anyone reading these things: I cannot emphasize how amazingly friendly and helpful the community here and the aerohive support portal have been.
Christopher Tawes
Abby,

It's definitely a pfSense problem someplace.

I'm getting firewalled someplace. Unfortunately, I didn't configure the firewall so I'm at a loss. Grrr, says the ad hoc network admin by default.

Traffic to any port on the inside/10.0.1.x interface is passing, but any traffic on the 10.0.2.x interface other than 80 is getting stopped.
Abby S, Employee
No worries! This is how some of our best admins get started ;-). If you click on that little red X on the lefthand side, does it tell you what rule blocked you? I know that feature exists in pfsense, but not sure where it is. Try that red X and let me know if it pops up with info about the rule.
Christopher Tawes
Thanks for the heads up on the pfSense logs. Once I found the logs and clicked on the red X I was able to see that my traffic was hitting a default block rule. It took me about half an hour to track down the proper way to set up my pass rules and now I've got 4 VLANs on 4 SSIDs segregating my IP addresses and traffic the way I need them to.

Next up, getting a working RADIUS config on my 10.8/10.7 network so that I can use 802.1X authentication to parse out my user profiles that way and then I've only got 1 SSID in the air.

I'm really starting to like this stuff.

Thanks again for the heads up and the encouragement.
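The symptom in this thread (everything passes from the LAN, only tcp/80 passes from the VLAN 20 interface, and the dropped packets log against a default block rule) follows from how pfSense evaluates rules: per ingress interface, first match wins, and an implicit default deny sits at the end of every interface's list. The model below is an added example, not code from the thread or from pfSense; the interface names, the documentation address 203.0.113.10, the LAN host 10.0.1.10, and both rule tables are constructed to mirror the topology described above (LAN 10.0.1.0/24, VLAN 20 10.0.2.0/24, DHCP server at 10.0.1.251). `BROKEN` has only a tcp/80 pass rule on VLAN20, so 443 and 25 fall through to the default deny; `FIXED` passes VLAN 20 to the internet while still blocking it from the LAN subnet, with an explicit exception for the DHCP server.

```python
"""Model of pfSense-style per-interface, first-match firewall evaluation.

Added example for the thread above; not pfSense's own code. Interface
names, addresses and rule tables are assumptions built from the topology
the thread describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port
    desc: str = ""


@dataclass
class Packet:
    iface: str                  # ingress interface, decides which rule list applies
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rulesets: dict, pkt: Packet) -> tuple:
    """Return (action, rule description) for pkt.

    Only the rules bound to the packet's ingress interface are consulted,
    the first matching rule wins, and with no match the implicit default
    deny applies (the "Default deny rule" pfSense logs).
    """
    for rule in rulesets.get(pkt.iface, []):
        if rule_matches(rule, pkt):
            return rule.action, rule.desc
    return "block", "Default deny rule"


# Constructed rule tables (assumption: this is what produced the symptom).
# LAN has the stock allow-all rule; the VLAN 20 interface was given a
# single tcp/80 pass rule and nothing else.
BROKEN = {
    "LAN": [Rule("pass", desc="Default allow LAN to any rule")],
    "VLAN20": [Rule("pass", "tcp", src="10.0.2.0/24", dport=80, desc="Faculty HTTP")],
}

# Corrected table: VLAN 20 reaches the internet on any port, but stays
# segregated from the LAN subnet except for the DHCP server it relies on.
# Order matters: the block must sit above the pass-to-any rule.
FIXED = {
    "LAN": [Rule("pass", desc="Default allow LAN to any rule")],
    "VLAN20": [
        Rule("pass", src="10.0.2.0/24", dst="10.0.1.251/32", desc="Faculty to DHCP server"),
        Rule("block", src="10.0.2.0/24", dst="10.0.1.0/24", desc="Block Faculty to LAN"),
        Rule("pass", src="10.0.2.0/24", desc="Faculty to any"),
    ],
}

# Constructed sample flows: a faculty client and a LAN client reaching a
# web server on the internet, a mail server, and a LAN file server.
FLOWS = [
    Packet("LAN", "tcp", "10.0.1.40", "203.0.113.10", 443),
    Packet("VLAN20", "tcp", "10.0.2.50", "203.0.113.10", 80),
    Packet("VLAN20", "tcp", "10.0.2.50", "203.0.113.10", 443),
    Packet("VLAN20", "tcp", "10.0.2.50", "203.0.113.10", 25),
    Packet("VLAN20", "tcp", "10.0.2.50", "10.0.1.10", 445),
    Packet("VLAN20", "udp", "10.0.2.50", "10.0.1.251", 67),
]


def report(rulesets: dict) -> list:
    """Evaluate every sample flow and return [(iface, proto, dst, dport, action, desc)]."""
    return [(p.iface, p.proto, p.dst, p.dport, *evaluate(rulesets, p)) for p in FLOWS]


if __name__ == "__main__":
    for name, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(f"== {name} ==")
        for iface, proto, dst, dport, action, desc in report(table):
            print(f"{iface:7} {proto}/{dport:<5} -> {dst:15} {action:5} ({desc})")
```

Running it shows the thread's symptom under `BROKEN` (VLAN20 tcp/80 passes, 443 and 25 hit "Default deny rule") and the intended behaviour under `FIXED`. The same first-match logic is why the pfSense log's rule link matters: the rule named there is the one that actually matched, and a missing pass rule on a new VLAN interface shows up as the default deny, not as a block rule someone wrote.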
Abby S, Employee
You're welcome! Good luck!! :-)