port forwarding on one-armed router

[bob88]

Hi all,
I'm using a NUC configured as a one-armed router.
I'm having issues with port forwarding. If I create a single rule that is active, WAN connection drops. I can't reach the outside world.
Any special care needed for port forwarding on a one-armed router config?

[bob88]

I have no idea why it's not working.
If I plug the old Linksys router, everything is fine.
If I switch it with the pfsense box, I don't have access to the internet.
I used a simple pfsense install in a one-armed setup. WAN+LAN, static IP on the WAN. nothing complicated. I even disabled all the port forwarding settings. Still no internet.
I cloned the linksys MAC address, I also cycled the provider box (modem), and all other switches from the network.
What's going on?

Strangest thing is, if I put DHCP on WAN, and connect it to the LAN side of the Linksys router, everything is fine. Even port forwarding.
This baffles me.

[johnpoz]

one armed router.. So vlan - what switch are using using that supports vlans?  You don't mention this.

Are you trying to run your public and private network on the same layer 2 network?

[bob88]

Sorry, I forgot to mention this. I'm using a http://www.tp-link.com/us/products/details/cat-41_TL-SG105E.html#specifications
Thing is, it works if I move it on the LAN side of the Linksys router that's currently installed. Port forwarding as well (as long as I don't create any linked rule, just pass everything).

[johnpoz]

So you switch does vlans.. So how do you have your vlans setup?

[bob88]

Well, it's a one armed router. Port 5 is uplink to NUC, port 2 is lan and port 4 is wan. LAN is a VLAN, WAN is another VLAN, uplink is tagged for both. Standard setup, nothing strange.
The thing is, this setup works in my network if I connect the WAN (port 4 of the switch in the one armed setup) to the existing network (LAN side) on DHCP. I have internet while I'm connected behind the one armed router. Port forwarding works as well.
But when I take the wan cable out of the existing setup and put it into my one armed router (wan port on the switch, port 4), I can only access the LAN side of the network, I can access the pfsense webpage, DHCP works, but no internet.
Also, I tried to power cycle all the other gear, I cloned the MAC of the existing router, still nothing (existing router is not cloning any other MAC, I checked that as well). I checked many times, WAN settings are correct.
How do I troubleshoot this? I'll call  the internet provider tomorrow, maybe they have some ideas.

[JKnott]

Well, it's a one armed router. Port 5 is uplink to NUC, port 2 is lan and port 4 is wan. LAN is a VLAN, WAN is another VLAN, uplink is tagged for both. Standard setup, nothing strange.
The thing is, this setup works in my network if I connect the WAN (port 4 of the switch in the one armed setup) to the existing network (LAN side) on DHCP. I have internet while I'm connected behind the one armed router. Port forwarding works as well.
But when I take the wan cable out of the existing setup and put it into my one armed router (wan port on the switch, port 4), I can only access the LAN side of the network, I can access the pfsense webpage, DHCP works, but no internet.
Also, I tried to power cycle all the other gear, I cloned the MAC of the existing router, still nothing (existing router is not cloning any other MAC, I checked that as well). I checked many times, WAN settings are correct.
How do I troubleshoot this? I'll call  the internet provider tomorrow, maybe they have some ideas.

Perhaps I'm missing something, but generally, when using VLANs, you have ot configure the switch ports to be on specific VLANs or trunks.  For example the port connected to the router would be a trunk, as it has to carry multiple VLANs.  You'd then configure the router so that one side is on one VLAN and the LAN side on another.  Then configure the switch, so that those VLANs connect to the appropriate port.  You can probably use the native LAN on the LAN side of the router.

[bob88]

As far as I know, it's configured correcty. Tomorrow I'll explain better once I get into the switch's config page.
The setup works, but connected to the LAN side on the actual setup. It wouldn't have worked if I didn't configure the one armed setup correctly.

[bob88]

Here are my settings.

[johnpoz]

Not sure where you got the idea that you want to turn on MTU??

MTU VLAN (Multi-Tenant Unit VLAN) defines an uplink port which will build up several VLANs with each of the other ports. Each VLAN contains two ports, the uplink port and one of the other ports in the switch, so the uplink port can communicate with any other port but other ports cannot communicate with each other.

That should not be on..   Your port 5 should be tagged for vlan 100 and 10 and then your other ports. Like you have them but you don't need mtu.

There mtu is like a private vlan..  You don't want/need that.. Turn that off and you should be fine..  But these tplink switches are ODD, since you can not remove vlan 1 and its not tagged..  You might want to just leverage that as one of your interfaces.  Since your pvid on your port 5 (trunk/uplink) is 1 currently.

You prob want to change your setup to leverage vlan 1 on these switches and then just create your other ports on the vlan want as untagged an pvid.

[bob88]

Thank you for the answer.
I decided to just get a dual NIC small PC as the application is pretty serious and I don't want to play.
But I will make another one of these at home just to test and play around.

[johnpoz]

I got one of those tplink switches to play with - since they come up on questions quite a bit.  But the can not remove vlan 1 is kind of issue if you ask me.  Nothing can not work around in a setup where you just run an untagged vlan on your uplink and are not worried about any sort of real security issues.

I currently have it in a setup where I run vlan 20 as untagged to this switch, that now becomes vlan 1 for this switch.  And the other ports have their pvid set to what vlan they are suppose to be in, etc.  But anyone could just connect to any port and access the management of the switch.

But if your going to get a new box for pfsense anyway, you might want to think about a different brand of switch that allows you to remove vlan 1 from ports you don't want vlan 1 on

[JKnott]

But if your going to get a new box for pfsense anyway, you might want to think about a different brand of switch that allows you to remove vlan 1 from ports you don't want vlan 1 on

Are you saying if you configure a port for a VLAN that the native LAN is still there?  In my experience, that should only happen on trunk ports with ports configured for a specific VLAN only connecting to that VLAN.

BTW, I also have one of those switches, but I bought it only to set up for port mirroring, so I could use Wireshark to monitor Ethernet connections.  I haven't done anything else with it.  It works OK in that role, though I don't think it should be passing frames from the monitoring computer back into the network.  That was the case with the Adtran switches I used to work with.  With the TP-Link, I had to set up a link local connection, to stop the computer from polluting the traffic.   

[johnpoz]

yes the low end tplink switches there are no way to remove vlan 1 from any interface.  See his screenshots.. All 5 ports have vlan 1 as untagged.  While you can change the pvid of the port.  You can not actually remove vlan 1 from any of the ports.  There have been quite a few threads about it here.

There also seems to be bug, cosmetic only it seems where it marks tagged traffic as bad in the interface counters.  Lots of posts on their forum about it - but no answers from tplink it seems.  And people have brought up the vlan 1 thing to them as well and from my understanding tplink answer was its not an issue and designed that way.

They work in a small setup for sure, and price is very nice.. Like I said I picked one up to be able to play with - got it for like $25 for a 8 porter.. I have it as a downstream switch I connect my pi's too   So its not really a issue for me that can not remove the vlan 1.. It still allows me to put devices on different ports in different vlans.

But I wouldn't really recommend them for anyone that is wanting to actually plan with vlans other than in all but a most basic deployment/home setup.

[JKnott]

I wonder if TP-Link engineers really don't understand VLANs.  I also have a TP-Link TL-WA901ND access point.  It supports multiple SSIDs and VLANs, but the native LAN/SSID leaks into the VLAN/2nd SSID, which makes it useless, as devices on the 2nd SSID often get the wrong config info.  When I complained to their support, the guy I was working with insisted that's the way it's supposed to work.  It was only when I reached 2nd level that they agreed it was a fault.  However, I haven't seen any update to fix the problem.

I currently have my eye on a Cisco 8 port switch that's not fully managed, but does support port mirroring.  I may get it to replace my current Cisco 16 port 100 Mb un-managed switch.

http://www.canadacomputers.com/product_info.php?cPath=27_1045_349&item_id=037370

http://www.cisco.com/c/en/us/products/collateral/switches/small-business-200-series-smart-switches/data_sheet_c78-634369.html

I bet Cisco VLANs work right!