Strange VLAN Behaviour

[Spiky_Gladiator]

Hi,

I have two budget switches, each setup the same way but for some reason I always get the same results. Let me give you an example below.

Let's say VLAN 1 is management and VLAN 4 is a random VLAN.

I insert my RJ45 cable into VLAN 4 port on the switch and when I try to ping VLAN 1, there is no response which is a desired result of using VLANs. However, things change when I do some manual changes for the network card on the PC.

So:

1) While still being connected to VLAN 4 port on the switch, I manually assign IP Address, netmask and gateway to the one of a VLAN 1. To my surprise, I successfully get assigned the available IP Address from VLAN 1 that I selected but DNS for some reason is not picked up.

2) When I try to ping anything on the VLAN 1, I get a response saying "ICMP_Seq=1 Destination Host Unreachable" no matter if there is a device with that IP or not. I can't also access the logon page that's allowed on VLAN 1 which I guess is a good thing.

My questions to this scenario would be:

• Is this how VLANs work behind the scene ?
• Is this what you can call a VLAN Hopping ?
• Is this a result of a misconfiguration on a switch ? 
• Is this behaviour normal ?

I just can't wreck my head around it as from my testing, this seems to happen on many budget switches, irrespectable of the price you paid for the switch.

[WaffleIron]

Hi Spiky,

You are really broaching two topics on your question.  One is VLANs one is subnetting.

If I'm reading the behavior you are seeing correctly it all sounds correct. (see left side of attachment)

In other words, the VLAN 4 ip addres on the switch will only know about/listen for traffic coming from devices in 10.4.4.1-254.  Anything connected to VLAN 4 that does NOT have an IP address in the same subnet will not respond.  This is how subnetting works, period.

On the VLAN side, they are just tags to assign different subnets to.  The layer 3 switch will allow the VLANs to communicate with one another unless ACLs are applied.

To further explain the example (see right side of attachment) the two PCs can communicate but the switch won't be able to talk to them.  And in case you are wondering, the answer is NO, I did not fat-finger PC2's IP address.  Since VLAN 1 knows nothing about these two PCs (because they are connected to VLAN 4 and VLAN 4 is in a different subnet) it doesn't matter what address they have.

I would suggest you youtube a couple subnetting videos.

[Demusman]

1) While still being connected to VLAN 4 port on the switch, I manually assign IP Address, netmask and gateway to the one of a VLAN 1. To my surprise, I successfully get assigned the available IP Address from VLAN 1 that I selected but DNS for some reason is not picked up.

You are not "getting assigned" an IP, you set the IP. DNS won't be "picked up" unless you use DHCP. Since you set a static IP, you would also need to set the DNS statically.

2) When I try to ping anything on the VLAN 1, I get a response saying "ICMP_Seq=1 Destination Host Unreachable" no matter if there is a device with that IP or not. I can't also access the logon page that's allowed on VLAN 1 which I guess is a good thing.

Yes, that should happen since you're on the vlan4 network, but you set an IP in the vlan1 network.
It's the same as you going to your neighbors house, with a static IP from your house, and plugging into their network. You won't get anywhere.

My questions to this scenario would be:

• Is this how VLANs work behind the scene ?

Behind the scene? No, that's how networking works period.

• Is this what you can call a VLAN Hopping ?

Vlan hopping? No, you're on one network with an IP that isn't routable on it.

• Is this a result of a misconfiguration on a switch ? 

Switch seems to be configured correctly.

• Is this behaviour normal ?

Yes.

[Spiky_Gladiator]

You are not "getting assigned" an IP, you set the IP. DNS won't be "picked up" unless you use DHCP. Since you set a static IP, you would also need to set the DNS statically.

I did both, manual one picked a wrong IP address and the automatic didn't picked up DNS IP at all.

Yes, that should happen since you're on the vlan4 network, but you set an IP in the vlan1 network.
It's the same as you going to your neighbors house, with a static IP from your house, and plugging into their network. You won't get anywhere.

I understand now. However I'm still puzzled why does my PC still accepts the manual configuration I have entered and the status changes to connected when in fact it didn't connect to OPNSense at all ? Usually when you are connected to a normal router and assign a wrong IP, your connection will disconnect but not in this case for some reason.

Is this behaviour normal and how managed switches work where it will accept any IP address that I inserted in my PC settings even if it's wrong ?

Vlan hopping? No, you're on one network with an IP that isn't routable on it.

I did another test with pinging a device that doesn't exist on the same VLAN and it still shows "Destination Host Unreachable". I may add I can ping the Gateway fine so I presume when a device is connected to the same VLAN I will be able to ping it just fine.

In my example above shouldn't the Ping command not find the device and just hung on the resolved IP since there is no active device ? Shouldn't ping command don't send any packets at all since there's no device rather than displaying  "Destination Host Unreachable"  message ?

Switch seems to be configured correctly.

I know it's a lot of questions but it's my first time setting up VLANs and I'm completely new to OPNSense. I want to correctly configure everything so that VLANs are secured properly. My main question is, how can I test if VLANs work in accordance with my Firewall rules ?

One way I know you can test this is by plugging into each VLAN port then pinging each VLAN Gateway from the currently connected VLAN and see if there's a response. Are there any other tests that people perform to check if VLANs work correctly ? If so, what would you recommend ?


I know this is a bit of a stretch and out of scope of this topic but would you be kind enough to give me another hand in a different thread ? If so, here's the link: https://forum.opnsense.org/index.php?topic=32255.0

Just want to mention that appreciate your and WaffleIron's help on this.

[Demusman]

I did both, manual one picked a wrong IP address and the automatic didn't picked up DNS IP at all.

I think you said that backwards. Manual is a static IP. The pc will accept any address you give it.
What  does "wrong IP" mean? If you plug into vlan4, it should get an IP in the vlan4 subnet. Did it not?

I understand now. However I'm still puzzled why does my PC still accepts the manual configuration I have entered and the status changes to connected when in fact it didn't connect to OPNSense at all ? Usually when you are connected to a normal router and assign a wrong IP, your connection will disconnect but not in this case for some reason.

Is this behaviour normal and how managed switches work where it will accept any IP address that I inserted in my PC settings even if it's wrong ?

Why wouldn't it accept it?? It doesn't know what network you're connecting to. You set a static IP, it can't tell you "hey, you're giving me the wrong IP for that network.", YOU need to be smart enough to know that.
"Connected" doesn't mean connected to opnsense, the pc wouldn't know what type of router you're using. It means it has an active network connection.
I have never seen a pc disconnect when it has the wrong IP assigned. Again, how would it know?? You gave it the IP.

My main question is, how can I test if VLANs work in accordance with my Firewall rules ?

One way I know you can test this is by plugging into each VLAN port then pinging each VLAN Gateway from the currently connected VLAN and see if there's a response. Are there any other tests that people perform to check if VLANs work correctly ? If so, what would you recommend ?

Post pics of your switch config and firewall rules for each interface.
Sounds like the switch isn't configured correctly.

[Spiky_Gladiator]

I think you said that backwards. Manual is a static IP. The pc will accept any address you give it.
What  does "wrong IP" mean? If you plug into vlan4, it should get an IP in the vlan4 subnet. Did it not?

Yeah, I got the correct IP automatically assigned as soon as I plugged into VLAN4.

Why wouldn't it accept it?? It doesn't know what network you're connecting to. You set a static IP, it can't tell you "hey, you're giving me the wrong IP for that network.", YOU need to be smart enough to know that.

"Connected" doesn't mean connected to opnsense, the pc wouldn't know what type of router you're using. It means it has an active network connection. I have never seen a pc disconnect when it has the wrong IP assigned. Again, how would it know?? You gave it the IP.

I got it now.

Sounds like the switch isn't configured correctly.

Can you tell me how you came into this conclusion ? I think there might be some misunderstanding and want to double check.

[Demusman]

Can you tell me how you came into this conclusion ? I think there might be some misunderstanding and want to double check.

I'd have to go through the whole thread again to figure that out, been a while.
What's the problem? Would be easier to just state that.