Why can't I reach PfSense through the switch?

Network Engineering  tags: lan, trunk, pfsense
2022-02-24 11:58:35

Our current firewall is deprecated and we decided to swap it for a PfSense box. In my test setup I configured the interfaces as follows:

  • igb0 = WAN
    • enabled
  • igb1 = LAN (should be the VLAN trunk port)
    • enabled
    • interface IP: 192.168.1.1
  • VLAN 104
    • enabled
    • parent interface: igb1
    • VLAN tag: 104

After this I assigned the interface "VLAN 104 on igb1 - lan" via "Interface Assignments" and gave the VLAN the IP 192.168.104.1/24.

I configured our switch (Lancon ES-2126) as:

  • Tag-based group -> VID = 104
    • Members -> port 1, port 2
    • Untagged -> port 2
  • Port 1 (should be the VLAN trunk port)
    • connected to the PfSense LAN
    • PVID: 104
  • Port 2
    • connected to the desktop
    • PVID: 104

I configured the VLAN firewall rules like this (allow all, for testing purposes) [image: VLAN firewall rules] and the LAN like this [image: LAN firewall rules].

When I connect the desktop directly to the PfSense LAN port and give it a static 192.168.1.x/24 IP, I can surf and reach the PfSense web interface without any problem. When I connect my PC to PfSense through the switch (as described above) and change my static IP to 192.168.104.x/24 (or leave it in 192.168.1.x/24), I cannot reach the web interface or the internet.

What am I doing wrong? My guess is that PfSense is doing nothing at all with the VLAN?


Update

config.xml, as requested:

<pfsense>
        <version>19.1</version>
        <lastchange></lastchange>
        <system>
                <optimization>normal</optimization>
                <hostname>bm_pfsense_axxwall01</hostname>
                <domain>localdomain</domain>
                <dnsserver>8.8.8.8</dnsserver>
                <dnsserver>8.8.4.4</dnsserver>
                <dnsallowoverride>on</dnsallowoverride>
                <group>
                        <name>all</name>
                        <description><![CDATA[All Users]]></description>
                        <scope>system</scope>
                        <gid>1998</gid>
                        <member>0</member>
                </group>
                <group>
                        <name>admins</name>
                        <description><![CDATA[System Administrators]]></description>
                        <scope>system</scope>
                        <gid>1999</gid>
                        <member>0</member>
                        <priv>page-all</priv>
                </group>
                <user>
                        <name>admin</name>
                        <descr><![CDATA[System Administrator]]></descr>
                        <scope>system</scope>
                        <groupname>admins</groupname>
                        <bcrypt-hash>$2y$10$jQvXNFjlnw3xT3g3MCQP3uBqSIHeu8sTiG1F5H1hk/M.qTM72S1A2</bcrypt-hash>
                        <uid>0</uid>
                        <priv>user-shell-access</priv>
                </user>
                <nextuid>2000</nextuid>
                <nextgid>2000</nextgid>
                <timeservers>2.pfsense.pool.ntp.org</timeservers>
                <webgui>
                        <protocol>https</protocol>
                        <loginautocomplete></loginautocomplete>
                        <ssl-certref>5ea6ebc012194</ssl-certref>
                        <dashboardcolumns>2</dashboardcolumns>
                        <port></port>
                        <max_procs>2</max_procs>
                </webgui>
                <disablenatreflection>yes</disablenatreflection>
                <disablesegmentationoffloading></disablesegmentationoffloading>
                <disablelargereceiveoffloading></disablelargereceiveoffloading>
                <ipv6allow></ipv6allow>
                <maximumtableentries>400000</maximumtableentries>
                <powerd_ac_mode>hadp</powerd_ac_mode>
                <powerd_battery_mode>hadp</powerd_battery_mode>
                <powerd_normal_mode>hadp</powerd_normal_mode>
                <bogons>
                        <interval>monthly</interval>
                </bogons>
                <already_run_config_upgrade></already_run_config_upgrade>
                <timezone>Europe/Amsterdam</timezone>
                <ssh>
                        <enable>enabled</enable>
                </ssh>
                <serialspeed>115200</serialspeed>
                <primaryconsole>serial</primaryconsole>
                <sshguard_threshold></sshguard_threshold>
                <sshguard_blocktime></sshguard_blocktime>
                <sshguard_detection_time></sshguard_detection_time>
                <sshguard_whitelist></sshguard_whitelist>
        </system>
        <interfaces>
                <wan>
                        <enable></enable>
                        <if>igb0</if>
                        <blockpriv></blockpriv>
                        <blockbogons></blockbogons>
                        <descr><![CDATA[WAN1]]></descr>
                        <ipaddr>dhcp</ipaddr>
                        <dhcphostname>bm_pfsense_axxwall01</dhcphostname>
                        <alias-address></alias-address>
                        <alias-subnet>32</alias-subnet>
                        <dhcprejectfrom></dhcprejectfrom>
                        <adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
                        <adv_dhcp_pt_retry></adv_dhcp_pt_retry>
                        <adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
                        <adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
                        <adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
                        <adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
                        <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
                        <adv_dhcp_send_options></adv_dhcp_send_options>
                        <adv_dhcp_request_options></adv_dhcp_request_options>
                        <adv_dhcp_required_options></adv_dhcp_required_options>
                        <adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
                        <adv_dhcp_config_advanced></adv_dhcp_config_advanced>
                        <adv_dhcp_config_file_override></adv_dhcp_config_file_override>
                        <adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
                        <ipaddrv6>dhcp6</ipaddrv6>
                        <dhcp6-duid></dhcp6-duid>
                        <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
                        <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
                        <spoofmac></spoofmac>
                </wan>
                <lan>
                        <enable></enable>
                        <if>igb1</if>
                        <descr><![CDATA[LAN1]]></descr>
                        <spoofmac></spoofmac>
                        <ipaddr>192.168.1.1</ipaddr>
                        <subnet>24</subnet>
                </lan>
                <opt1>
                        <descr><![CDATA[WAN2]]></descr>
                        <if>igb2</if>
                        <blockpriv></blockpriv>
                        <blockbogons></blockbogons>
                        <spoofmac></spoofmac>
                        <enable></enable>
                </opt1>
                <opt2>
                        <descr><![CDATA[LAN2]]></descr>
                        <if>igb3</if>
                        <spoofmac></spoofmac>
                        <enable></enable>
                        <ipaddr>192.168.200.1</ipaddr>
                        <subnet>24</subnet>
                </opt2>
                <opt3>
                        <descr><![CDATA[VLAN_104]]></descr>
                        <if>igb1.104</if>
                        <enable></enable>
                        <spoofmac></spoofmac>
                        <ipaddr>192.168.104.1</ipaddr>
                        <subnet>24</subnet>
                </opt3>
        </interfaces>
        <staticroutes></staticroutes>
        <dhcpd>
                <lan>
                        <range>
                                <from>192.168.1.10</from>
                                <to>192.168.1.245</to>
                        </range>
                        <failover_peerip></failover_peerip>
                        <dhcpleaseinlocaltime></dhcpleaseinlocaltime>
                        <defaultleasetime></defaultleasetime>
                        <maxleasetime></maxleasetime>
                        <netmask></netmask>
                        <gateway></gateway>
                        <domain></domain>
                        <domainsearchlist></domainsearchlist>
                        <ddnsdomain></ddnsdomain>
                        <ddnsdomainprimary></ddnsdomainprimary>
                        <ddnsdomainkeyname></ddnsdomainkeyname>
                        <ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
                        <ddnsdomainkey></ddnsdomainkey>
                        <mac_allow></mac_allow>
                        <mac_deny></mac_deny>
                        <ddnsclientupdates>allow</ddnsclientupdates>
                        <tftp></tftp>
                        <ldap></ldap>
                        <nextserver></nextserver>
                        <filename></filename>
                        <filename32></filename32>
                        <filename64></filename64>
                        <rootpath></rootpath>
                        <numberoptions></numberoptions>
                </lan>
                <opt3>
                        <range>
                                <from>192.168.104.10</from>
                                <to>192.168.104.200</to>
                        </range>
                        <enable></enable>
                        <failover_peerip></failover_peerip>
                        <defaultleasetime></defaultleasetime>
                        <maxleasetime></maxleasetime>
                        <netmask></netmask>
                        <gateway>192.168.104.1</gateway>
                        <domain></domain>
                        <domainsearchlist></domainsearchlist>
                        <ddnsdomain></ddnsdomain>
                        <ddnsdomainprimary></ddnsdomainprimary>
                        <ddnsdomainkeyname></ddnsdomainkeyname>
                        <ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
                        <ddnsdomainkey></ddnsdomainkey>
                        <mac_allow></mac_allow>
                        <mac_deny></mac_deny>
                        <ddnsclientupdates>allow</ddnsclientupdates>
                        <tftp></tftp>
                        <ldap></ldap>
                        <nextserver></nextserver>
                        <filename></filename>
                        <filename32></filename32>
                        <filename64></filename64>
                        <rootpath></rootpath>
                        <numberoptions></numberoptions>
                </opt3>
        </dhcpd>
        <nat>
                <outbound>
                        <mode>advanced</mode>
                        <rule>
                                <source>
                                        <network>192.168.200.0/24</network>
                                </source>
                                <sourceport></sourceport>
                                <descr></descr>
                                <target></target>
                                <targetip></targetip>
                                <targetip_subnet></targetip_subnet>
                                <interface>wan</interface>
                                <poolopts></poolopts>
                                <source_hash_key></source_hash_key>
                                <destination>
                                        <any></any>
                                </destination>
                                <created>
                                        <time>1588068438</time>
                                        <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username>
                                </created>
                                <updated>
                                        <time>1588068451</time>
                                        <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username>
                                </updated>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>127.0.0.0/8</network>
                                </source>
                                <dstport>500</dstport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <staticnatport></staticnatport>
                                <descr><![CDATA[Auto created rule for ISAKMP - localhost to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>127.0.0.0/8</network>
                                </source>
                                <sourceport></sourceport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <natport></natport>
                                <descr><![CDATA[Auto created rule - localhost to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>::1/128</network>
                                </source>
                                <dstport>500</dstport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <staticnatport></staticnatport>
                                <descr><![CDATA[Auto created rule for ISAKMP - localhost to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>::1/128</network>
                                </source>
                                <sourceport></sourceport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <natport></natport>
                                <descr><![CDATA[Auto created rule - localhost to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>192.168.1.0/24</network>
                                </source>
                                <dstport>500</dstport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <staticnatport></staticnatport>
                                <descr><![CDATA[Auto created rule for ISAKMP - LAN1 to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>192.168.1.0/24</network>
                                </source>
                                <sourceport></sourceport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <natport></natport>
                                <descr><![CDATA[Auto created rule - LAN1 to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>192.168.104.0/24</network>
                                </source>
                                <dstport>500</dstport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <staticnatport></staticnatport>
                                <descr><![CDATA[Auto created rule for ISAKMP - VLAN_104 to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                        <rule>
                                <interface>wan</interface>
                                <source>
                                        <network>192.168.104.0/24</network>
                                </source>
                                <sourceport></sourceport>
                                <target></target>
                                <destination>
                                        <any></any>
                                </destination>
                                <natport></natport>
                                <descr><![CDATA[Auto created rule - VLAN_104 to WAN1]]></descr>
                                <created>
                                        <time>1588064403</time>
                                        <username><![CDATA[Manual Outbound NAT Switch]]></username>
                                </created>
                        </rule>
                </outbound>
        </nat>
        <filter>
                <rule>
                        <id></id>
                        <tracker>1588067865</tracker>
                        <type>pass</type>
                        <interface>lan</interface>
                        <ipprotocol>inet</ipprotocol>
                        <tag></tag>
                        <tagged></tagged>
                        <max></max>
                        <max-src-nodes></max-src-nodes>
                        <max-src-conn></max-src-conn>
                        <max-src-states></max-src-states>
                        <statetimeout></statetimeout>
                        <statetype><![CDATA[keep state]]></statetype>
                        <os></os>
                        <source>
                                <address>192.168.104.0/24</address>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                        <descr></descr>
                        <updated>
                                <time>1588067865</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </updated>
                        <created>
                                <time>1588067865</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </created>
                        <disabled></disabled>
                </rule>
                <rule>
                        <type>pass</type>
                        <ipprotocol>inet</ipprotocol>
                        <descr><![CDATA[Default allow LAN to any rule]]></descr>
                        <interface>lan</interface>
                        <tracker>0100000101</tracker>
                        <source>
                                <network>lan</network>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <ipprotocol>inet6</ipprotocol>
                        <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
                        <interface>lan</interface>
                        <tracker>0100000102</tracker>
                        <source>
                                <network>lan</network>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                </rule>
                <rule>
                        <id></id>
                        <tracker>1588069360</tracker>
                        <type>pass</type>
                        <interface>lan_interfaces</interface>
                        <ipprotocol>inet</ipprotocol>
                        <tag></tag>
                        <tagged></tagged>
                        <max></max>
                        <max-src-nodes></max-src-nodes>
                        <max-src-conn></max-src-conn>
                        <max-src-states></max-src-states>
                        <statetimeout></statetimeout>
                        <statetype><![CDATA[keep state]]></statetype>
                        <os></os>
                        <source>
                                <any></any>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                        <descr></descr>
                        <updated>
                                <time>1588069360</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </updated>
                        <created>
                                <time>1588069360</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </created>
                </rule>
                <rule>
                        <id></id>
                        <tracker>1588065927</tracker>
                        <type>pass</type>
                        <interface>opt2</interface>
                        <ipprotocol>inet</ipprotocol>
                        <tag></tag>
                        <tagged></tagged>
                        <max></max>
                        <max-src-nodes></max-src-nodes>
                        <max-src-conn></max-src-conn>
                        <max-src-states></max-src-states>
                        <statetimeout></statetimeout>
                        <statetype><![CDATA[keep state]]></statetype>
                        <os></os>
                        <source>
                                <network>opt2</network>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                        <descr></descr>
                        <created>
                                <time>1588065927</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </created>
                        <updated>
                                <time>1588065945</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </updated>
                </rule>
                <rule>
                        <id></id>
                        <tracker>1588064726</tracker>
                        <type>pass</type>
                        <interface>opt3</interface>
                        <ipprotocol>inet</ipprotocol>
                        <tag></tag>
                        <tagged></tagged>
                        <max></max>
                        <max-src-nodes></max-src-nodes>
                        <max-src-conn></max-src-conn>
                        <max-src-states></max-src-states>
                        <statetimeout></statetimeout>
                        <statetype><![CDATA[keep state]]></statetype>
                        <os></os>
                        <source>
                                <network>opt3</network>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                        <descr></descr>
                        <created>
                                <time>1588064726</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </created>
                        <updated>
                                <time>1588065382</time>
                                <username><![CDATA[admin@192.168.1.11 (Local Database)]]></username>
                        </updated>
                </rule>
                <separator>
                        <lan_interfaces></lan_interfaces>
                        <opt3></opt3>
                        <opt2></opt2>
                        <lan></lan>
                </separator>
        </filter>
        <rrd>
                <enable></enable>
        </rrd>
        <revision>
                <time>1588142281</time>
                <description><![CDATA[admin@192.168.200.11 (Local Database): /system_advanced_admin.php made unknown change]]></description>
                <username><![CDATA[admin@192.168.200.11 (Local Database)]]></username>
        </revision>
        <gateways></gateways>
        <ifgroups>
                <ifgroupentry>
                        <members>lan opt2 opt3</members>
                        <descr><![CDATA[Internal lan interfaces]]></descr>
                        <ifname>lan_interfaces</ifname>
                </ifgroupentry>
                <ifgroupentry>
                        <members>wan opt1</members>
                        <descr><![CDATA[WAN interfaces]]></descr>
                        <ifname>wan_interfaces</ifname>
                </ifgroupentry>
        </ifgroups>
        <vlans>
                <vlan>
                        <if>igb1</if>
                        <tag>104</tag>
                        <pcp></pcp>
                        <descr><![CDATA[axx_intra]]></descr>
                        <vlanif>igb1.104</vlanif>
                </vlan>
                <vlan>
                        <if>igb1</if>
                        <tag>100</tag>
                        <pcp></pcp>
                        <descr><![CDATA[AxxCloud test network]]></descr>
                        <vlanif>igb1.100</vlanif>
                </vlan>
        </vlans>
</pfsense>
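A consistency check over the VLAN wiring in a config.xml like the one posted above, as an added example that is not part of the question or of PfSense's own tooling. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config (VLAN 104 assigned as opt3, VLAN 100 defined but unassigned), and check_vlan is a hypothetical helper; it confirms that the posted configuration is internally consistent, which is why the author's remaining suspect was physical.

```python
"""Consistency check for the VLAN/interface parts of a pfSense config.xml.

Added example, not part of the original question or of pfSense. It reads the
<interfaces>, <vlans> and <filter> sections and reports whether a tagged VLAN
interface is fully wired up: VLAN defined, parent (trunk) port assigned and
enabled, VLAN interface assigned/enabled/addressed, and at least one enabled
pass rule bound to the VLAN interface itself.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the config.xml posted in the question.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt3><descr>VLAN_104</descr><if>igb1.104</if><enable></enable>
          <ipaddr>192.168.104.1</ipaddr><subnet>24</subnet></opt3>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
          <source><address>192.168.104.0/24</address></source><disabled></disabled></rule>
    <rule><type>pass</type><interface>opt3</interface>
          <source><network>opt3</network></source></rule>
  </filter>
  <vlans>
    <vlan><if>igb1</if><tag>104</tag><vlanif>igb1.104</vlanif></vlan>
    <vlan><if>igb1</if><tag>100</tag><vlanif>igb1.100</vlanif></vlan>
  </vlans>
</pfsense>"""


def check_vlan(config_xml: str, vlanif: str) -> dict:
    """Return findings for one VLAN interface name such as 'igb1.104'."""
    root = ET.fromstring(config_xml)
    findings = {"vlanif": vlanif, "problems": []}

    # 1. The VLAN must be defined under <vlans>, and vlanif must equal <if>.<tag>.
    vlan = next((v for v in root.iterfind("vlans/vlan")
                 if v.findtext("vlanif") == vlanif), None)
    if vlan is None:
        findings["problems"].append("no <vlan> entry defines this vlanif")
        return findings
    parent, tag = vlan.findtext("if"), vlan.findtext("tag")
    if vlanif != f"{parent}.{tag}":
        findings["problems"].append(f"vlanif does not match parent/tag {parent}.{tag}")

    # 2. The parent (trunk) port must itself be an assigned, enabled interface.
    #    pfSense marks "enabled" by the mere presence of an empty <enable/> element.
    ifaces = {e.tag: e for e in root.find("interfaces")}
    parent_name = next((n for n, e in ifaces.items() if e.findtext("if") == parent), None)
    if parent_name is None or ifaces[parent_name].find("enable") is None:
        findings["problems"].append(f"parent {parent} is not an assigned, enabled interface")

    # 3. The VLAN itself must be assigned (lan/optN), enabled and addressed.
    name = next((n for n, e in ifaces.items() if e.findtext("if") == vlanif), None)
    if name is None:
        findings["problems"].append("VLAN is defined but not assigned under <interfaces>")
        return findings
    findings["assigned_as"] = name
    if ifaces[name].find("enable") is None:
        findings["problems"].append(f"{name} is assigned but not enabled")
    if not ifaces[name].findtext("ipaddr"):
        findings["problems"].append(f"{name} has no IPv4 address")

    # 4. At least one enabled pass rule must be bound to the VLAN interface.
    #    A rule on another interface that only names the VLAN subnet (like the
    #    disabled one on lan in the posted config) does not count.
    pass_rules = [r for r in root.iterfind("filter/rule")
                  if r.findtext("interface") == name
                  and r.findtext("type") == "pass"
                  and r.find("disabled") is None]
    findings["pass_rules"] = len(pass_rules)
    if not pass_rules:
        findings["problems"].append(f"no enabled pass rule on {name}")
    return findings


if __name__ == "__main__":
    for vif in ("igb1.104", "igb1.100"):
        print(check_vlan(SAMPLE_CONFIG, vif))
```

Run it against a real config.xml by passing the file's contents instead of SAMPLE_CONFIG; an empty "problems" list means the pfSense side of the VLAN is configured consistently and the switch, trunk tagging or cabling is the next thing to check.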

1 Answer

It is fixed, for everyone who is curious about this question...

After 3 days of testing and experimenting I found that one of the cables was not 100%. After putting a new cable between the PfSense and the switch, everything works with the configuration described in my question.