Pfsense - Direct Connection

Hello,

I feel I am about to demonstrate stupidity here, but after hours of troubleshooting, I can’t figure out where I am going wrong.

I have Pfsense installed on a MiniPc in my home network. I have several vlans configured, all are working well (primary, guest wireless, IoT, etc). Currently, my main PC is plugged into a switch and configured to use vlan 10 - this works fine. From the switch, all traffic goes out a trunked port and into an interface on the Pfsense device which is configured to handle all the vlans.

Here is my problem: I would like to directly plug my main pc into the Pfsense device. I know I can no longer easily specify a vlan in Windows, so I am using vlan 1 with the following solution.

  1. Create a new vlan (1) on the Pfsense device
  2. Associate it with an unused interface, enable it
  3. Configure DHCP
  4. Create Firewall rules which should allow the vlan\interface to function properly

When I connect to the interface from my PC, I cannot get network connectivity. I feel I am missing something fundamental, in other words, I simply can’t do what I would like to do (or I am making a very stupid error).

why?

You’re making a whole new entirely separate network / subnet. Why involve any VLANs?

I have to echo @risk here, what are you trying to achieve by connecting your PC directly to the pfsense box when you have a (seemingly) smart switch? To try and answer your question, make sure you have a firewall rule to allow out (or all) for this new network, and check to make sure you have NAT set up for that network as well.

Thinking this through, you are right, why would I create a new vlan?

That being said, I created a new interface, enabled it, can ping it, created a firewall rule to allow all traffic, but when I plug my PC in to the newly configured interface, nothing. I tried using DHCP and configuring a static address on my PC.

To adman-c’s question about why I am doing this - at this point it is more about trying to understand why it is not working. I do not really need it to work, but my intellectual curiosity is driving me to keep trying.

Microsoft keeps hiding stuff.

For me, it is grayed out, I can’t change it. I believe I looked this up and the option was disabled a few months ago.

1 Like

The option should be there, maybe another driver of that network chipset.

Perhaps, that being said, when I do not specify a vlan in Pfsense, I am still dead in the water. I feel I am doing something fundamentally wrong but I can’t figure out what it is.

in pfsense, like in openwrt and some others, … the logic is that you’re “assigning physical ports to network interfaces” … word “interface” implies a configuration bundle that’s tied to some physical or virtual interface coming from a driver.

So - go make an interface in pfsense out of an unused port on the mini pc, and configure it, e.g. you should probably rename it to “direct” and give it a subnet, and set up a dhcp service there for convenience.

https://docs.netgate.com/pfsense/en/latest/interfaces/configure.html

Ya, I did this a few times with no success. Let me try again with fresh eyes and make sure I am not forgetting something or have a typo somewhere.

Thanks for your input!

Sorry if I came out too brusque, time was short.

One way to debug this would be to ssh into pfSense and look at it as if it were just another FreeBSD setup. Which, at the end of the day, it kind of is… a thin layer wrapped around FreeBSD that turns a supposedly general purpose OS into an appliance - that has an easy backup and upgrade process, and a limited configuration surface area which helps to make it supportable.

When ssh-ed in, run ifconfig -a, look at all the interfaces, try to infer which one is which, what is same, what is different about them, what are the IPs assigned and are they assigned everywhere they should be, what are the interface states up/down/no-carrier, and the associated config in terms of MTU or STP on bridges.

Do packet dumps via tcpdump, look at running processes to find running DHCP servers and their config, look at pfctl -s all or pfctl -sa and try to reverse engineer in your mind how pfSense is structuring the firewall setup.

This last one in particular, firewall rules reading, could take a while, I make sure to have hot tea alongside, and to use highlighter tools and comments in Google docs when I’m doing this, but usually it’s something simple.

All of this would, at the end of the day, inform you what it is you’re “doing wrong” in the pfSense web UI, and you wouldn’t permanently need scripts and things messing with pfSense… it’d just be a sneak peek under the hood - to see any obvious problems and things missing.

Usually all of this ends with a facepalm, and you could then poke the UI and verify that the right changes are being made.


Another way to go about this would be to maybe give us a few screenshots of your config pages, and we could all look for strange stuff, there might be stuff you’d need to censor.


I can’t think of other debug methods (remote hands with strangers on the Internet is stupid in this and probably every other scenario, 0/10 wouldn’t recommend).

1 Like
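
Added example (not part of any post in this thread): a small POSIX shell/awk helper that condenses FreeBSD-style `ifconfig -a` output into one line per interface, so a port that is not enabled or has no link stands out at a glance. The sample output, interface names, addresses and verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Summarise FreeBSD/pfSense `ifconfig -a` output, one line per interface:
# name|admin state|link status|first IPv4|verdict

# Constructed sample (not from the thread): names and addresses are made up.
sample_ifconfig() {
cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
        media: Ethernet autoselect
        status: no carrier
igb3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
EOF
}

# Reads ifconfig output on stdin. Verdict labels are this example's own.
summarise_ifconfig() {
  awk '
    function emit() {
      if (name == "") return
      verdict = "ok"
      if (admin == "down") verdict = "not-enabled"
      else if (status == "no carrier") verdict = "NO-LINK"
      else if (ip == "-") verdict = "no-ipv4"
      printf "%s|%s|%s|%s|%s\n", name, admin, status, ip, verdict
    }
    /^[^ \t]/ {                      # unindented line starts a new interface
      emit()
      name = $1; sub(/:$/, "", name)
      admin = ($0 ~ /<([^>]*,)?UP(,[^>]*)?>/) ? "up" : "down"
      status = "-"; ip = "-"
      next
    }
    $1 == "status:" { status = $0; sub(/^[ \t]*status:[ \t]*/, "", status) }
    $1 == "inet" && ip == "-" { ip = $2 }
    END { emit() }
  '
}

# Offline demo; on the firewall itself use: ifconfig -a | summarise_ifconfig
sample_ifconfig | summarise_ifconfig
```

An interface that is enabled and addressed but shows `NO-LINK` points at the cable, the port or the peer rather than at firewall rules or DHCP.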

Mystery solved - much sad.

Check out this confluence of bad luck\errors.

It turns out I have a bad port on my Pfsense box. Risk, your troubleshooting came in clutch as while I had link lights when plugging in to port 3, it wouldn’t actually come up - “Status - No Carrier”. I only could see this by connecting to wireless so I could be connected to Pfsense via ssh and look at stuff while also being hardwired in. I tried a laptop wired connection and still had the same issue (different cable as well).

I would have figured this out sooner, as I did try two different ports on the Pfsense box. Unfortunately, when I was using different ports, my config was wrong. When I found the right config, I already thought I ruled out ports as the issue, so I stopped swapping them around.

So the issue was twofold: my initial config, using vlan 1, was wrong. After I fixed that issue, I was fighting a bad physical port.

I am now humming along and can put this mystery to bed. Thank you Risk!!!

1 Like