Categories

  • 450 Topics
    1k Posts

    I have 2 TNSR routers connected to a pair of MLAG-connected switches. I also have my own IPv4 subnet that is being announced by BGP via Interface 1 on the first TNSR device. I have no problems at all right now; all of the servers on my network can access the internet and can be accessed via their public IP addresses.

    What I am struggling with now is segregating clients into VLANs. When I create an access VLAN (22) for my client, I can no longer access the internet. My understanding is that I must create a bridge so that VLAN 22 can reach the LAN interface that has the gateway IP assigned. Each VLAN client will have a public IP from the single /24 subnet.

    When I followed the instructions for TNSR VLANs, nothing seemed problematic, but when I created the bridge things went wonky. Not only do the VLANs not work, but I also lose access to the non-VLAN devices.

    interface bridge domain 10
    flood
    uu-flood
    forward
    learn
    exit

    int Interface1
    bridge domain 10
    enable
    exit
    int Interface1.22
    bridge domain 10
    enable
    exit
    interface loopback bridgeloop
    instance 1
    exit
    interface loop1
    ip address 10.25.254.1/24
    bridge domain 10 bvi
    enable
    exit

    I did try changing the loop1 IP to my gateway IP and removing it from Interface1, but that didn't help. Maybe I am going about this wrong, but I need some guidance if possible.

    Thanks,
    Shawn

    For background:
    On TNSR device1:
    Interface1 is connected to a switch that carries my upstream BGP using a 10.34.14.0/24 address for now.
    Interface2 is the interface that has my gateway IP 23.x.x.x/24 and is also the port connected to the first switch.
    Interface3 is connected to a second switch and has no IP address

    TNSR device2 :
    Interface1 is connected to the switch that carries the BGP but has no IP address and, for all practical purposes, is doing nothing

    Interface 2 is connected to the 2nd switch and has no IP address

    Interface 3 is connected to the first switch and has no IP address

    As you can see, the 2nd TNSR device is mostly sitting around doing nothing but should eventually be integrated via VRRP or whatever I can get working.

  • 120k Topics
    762k Posts
    Laxarus

    @stephenw10 I have never seen this before, but the DSL line was dropping quite frequently, maybe 2 or 3 times per minute in the worst case.
    Yeah, the modem-firewall link was up.

  • 20k Topics
    127k Posts

    Hi,

    I have the following setup:

    device c --> 5G (CGNAT) --> internet <--> pppoe fiber <--> device F

    device F: using PPPoE fiber internet, changes public IP once every week, has a dynamic DNS name registered
    device C: using a 5G connection, behind CGNAT, has no DNS name registered

    These are 2 pfSense installs with a site-to-site link in between.
    The peer config representing device C on device F is configured as dynamic (IP not known / behind CGNAT).
    To handle public IP address changes of device F, I am running a watchdog script on device C that restarts the WireGuard service in pfSense on device C when the IP of device F changes (using periodic DNS lookups to detect a change in IP).

    I have noticed, though, that in some cases, after the WireGuard service restart on device C, the endpoint address shown for device F is not the new IP but its previous IP address.
    In this case, I even tried doing wg set tun_wg0 peer <key> endpoint <newip>:port, which is briefly reflected in the output of wg show, but then the peer's IP switches back to the previous (now invalid) IP in the wg show output.
    Obviously, in this state, the link is not operable. As expected, neither end shows any recent handshakes.
    Curiously though, on device C, both the sent and received (!!!) byte counts keep increasing.

    It looks almost as if the WireGuard client on device C continued to receive valid WireGuard traffic from the old IP address and updated the peer endpoint address automagically.

    Restarting the WireGuard service on either end does not help. The only remedy seems to be restarting the 5G modem itself, possibly triggering some CGNAT state resets.

    Has anyone experienced similar behavior? Seems like a broken CGNAT implementation? T-Mobile HU is the carrier.
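A watchdog of the kind described in the post above, as an added example that is not part of the original post or of pfSense's WireGuard package. It parses the output of `wg show <iface> dump` (the tab-separated format documented in wg(8)), compares each peer's endpoint with the freshly resolved DDNS address, returns the `wg set ... endpoint` command needed to re-point the peer, and separately flags the state the poster describes: endpoint stuck on the old address, no recent handshake, yet transfer counters still moving. The tunnel name tun_wg0 comes from the post; the DDNS name, the peer key names and the sample dump text are placeholders constructed here.

```python
#!/usr/bin/env python3
"""WireGuard dynamic-endpoint watchdog (added example, not pfSense code).

Reads `wg show IFACE dump`, resolves the peer's DDNS name and decides per
peer whether to re-point the endpoint or whether it is in the "stuck"
state where the kernel keeps re-learning the stale endpoint from packets
that still arrive from it.
"""
import socket
import subprocess
import time

IFACE = "tun_wg0"                   # first WireGuard tunnel name used in pfSense
DDNS_NAME = "site-f.example.net"    # hypothetical dynamic DNS name of device F
STALE_AFTER = 180                   # seconds without a handshake before we act

# Constructed sample of `wg show tun_wg0 dump`, not captured from a real box.
# Line 1: private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
#             latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
SAMPLE_DUMP = (
    "PRIVKEY=\tLOCALPUB=\t51820\toff\n"
    "PEERF_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t123456\t654321\t25\n"
)


def parse_dump(text):
    """Parse the dump format into one dict per peer (interface line skipped)."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) < 8:
            continue
        ep_ip, ep_port = None, None
        if f[2] != "(none)":                 # peer that has never been reached
            ep_ip, ep_port = f[2].rsplit(":", 1)
            ep_ip = ep_ip.strip("[]")        # IPv6 endpoints are written [addr]:port
        peers.append({
            "pubkey": f[0],
            "endpoint_ip": ep_ip,
            "endpoint_port": int(ep_port) if ep_port else None,
            "handshake": int(f[4]),          # unix time, 0 = never
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return peers


def resolve(name):
    """Resolve the peer's DDNS name to an IPv4 address (live network call)."""
    return socket.gethostbyname(name)


def classify(peer, resolved_ip, now, prev=None, stale_after=STALE_AFTER):
    """Return 'ok', 'down', 'repoint' or 'stuck' for one peer.

    ok      endpoint matches DNS and a recent handshake exists
    down    endpoint matches DNS but no recent handshake
    repoint endpoint differs from DNS (or is unset): run `wg set`
    stuck   endpoint differs, no recent handshake, yet rx/tx moved since the
            previous poll: traffic from the old address keeps roaming the
            endpoint back, so `wg set` alone will not hold
    """
    stale = (now - peer["handshake"]) > stale_after
    moved = prev is not None and (peer["rx"] > prev["rx"] or peer["tx"] > prev["tx"])
    if peer["endpoint_ip"] == resolved_ip:
        return "down" if stale else "ok"
    if stale and moved:
        return "stuck"
    return "repoint"


def wg_set_endpoint(iface, pubkey, ip, port):
    """argv for `wg set IFACE peer KEY endpoint HOST:PORT`."""
    host = f"[{ip}]" if ":" in ip else ip
    return ["wg", "set", iface, "peer", pubkey, "endpoint", f"{host}:{port}"]


def plan(dump_text, resolved_ip, now, prev_by_key=None):
    """Map pubkey -> (state, argv or None) for every peer in the dump."""
    out = {}
    for p in parse_dump(dump_text):
        prev = (prev_by_key or {}).get(p["pubkey"])
        state = classify(p, resolved_ip, now, prev)
        cmd = None
        if state == "repoint":
            cmd = wg_set_endpoint(IFACE, p["pubkey"], resolved_ip, p["endpoint_port"] or 51820)
        out[p["pubkey"]] = (state, cmd)
    return out


def run_once(prev_by_key):
    """One live watchdog iteration; returns counters for the next poll."""
    dump = subprocess.run(["wg", "show", IFACE, "dump"], check=True,
                          capture_output=True, text=True).stdout
    for key, (state, cmd) in plan(dump, resolve(DDNS_NAME), int(time.time()), prev_by_key).items():
        if cmd:
            subprocess.run(cmd, check=True)
        elif state == "stuck":
            print(f"{key[:8]}...: endpoint keeps reverting while traffic still flows; "
                  "wg set will not stick, cycle the uplink instead")
    return {p["pubkey"]: p for p in parse_dump(dump)}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(plan(SAMPLE_DUMP, "198.51.100.7", 1700000030))
```

Keeping the previous poll's counters is what distinguishes "stuck" from a plain stale endpoint: a peer whose endpoint is wrong and whose counters are frozen just needs re-pointing, whereas one whose counters still climb without a handshake is being re-learned from the old address, which matches the symptom in the post and is why only cycling the 5G modem cleared it.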

  • 43k Topics
    267k Posts

    Hello,

    I have currently deployed 3 "N100 appliances" (different models depending on the Chinese vendor) on different networks (family, friend, me)

    On each of them the structure stays more or less the same:
    Roughly
    ETH0 = WAN
    ETH1 = AP. WiFi broadcasting SSID "LAN" (untagged (yes, I know, that's bad)), SSID "IoT", ...

    LAN = 192.168.101.1/24
    VLAN IoT = 10.10.101.1/24

    As I said, it's not great, but!!! On the 2 other firewalls it works

    On the 3rd, however..., it is impossible for me to reach the "IoT" subnet from the LAN subnet

    Well... when I say "impossible" that's a big word
    When I try to open the web interface of the home automation modules (Shelly), the page does not load and I get the famous ERR_CONNECTION_RESET message
    Chrome or Firefox (although the message is not worded exactly the same) (with cache reset etc.), and this from a PC or Android, same result

    In the firewall's "System Logs" and "Status" I do see my port 80 request from the client to the module

    Ping works perfectly from the LAN PC >> home automation module

    However!!!
    If I go through the VPN, bingo, I can reach the GUI.....

    I compared and re-re-re-compared the various settings from one FW to the other: nothing to report.

    I thought I had read in some old topics from 2019 that it could come from the BIOS needing an update... Mine are from 12/2024...

    Anyway, if you have any leads on settings I may have compared/configured wrongly
    I remain available for more clarity

    Thank you!!!

  • Information about hardware available from Netgate

    2k Topics
    20k Posts
    stephenw10

    Ah, a bad/failing cable would certainly be a problem!

    If it does persist, I would try reassigning LAN to one of the other igc ports. See if the problem follows it.

  • Information about hardware available from Netgate

    44 Topics
    211 Posts
    AriKelly

    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!

  • Feel free to talk about anything and everything here

    3k Topics
    19k Posts

    @Wylbur Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.