Well, I'm no expert but I got it working on my end, esxi 6.7, but using layer 2 'lite' layer 3 switches from Netgear though. I kept the management network on my default LAN, thinking that if there were issues with the VLAN, I want to be able to reach the management network without a fuss. I put two nics on that original vswitch, for the management network, and put the rest on a new port group on a second vswitch that I created for the VLAN. Put it in VLAN 4095 (will probably move it to the right VLAN at some point- 4095 means all VLANS). I then set the Netgear switch ports that came from the VMs in ESXI to the correct VLAN and it's working.

I don't know why it drops, maybe more information as to how it is set? One vswitch with everything in it (management/vlans all in the same vlan) or multiple vswitches..., plus I don't know how your physical switch handles the vlans, I never tried TP Link with vlans before.

Happy to help, I ran pfsense on esxi for many years.. I currently do not have esxi setup here, or any access where I could post screenshots on how it can be done, etc.

But happy to answer questions..

The biggest issues I see new users with multiple routers having is not understanding why they run into problems when they try and have hosts on what ends up being their transit network.

And new users to esxi not understanding how it works with tags, or doesn't work ;)

But when it comes down to it - tag is a tag is a tag.. But tags are only need when you want to carry more than 1 vlan over the same wire.

@tkyead bump. Also, can't edit post, but re-written to shorten and for clarity:

Hi folks,

Having some issues getting VLANs set up. My end goal is to have internet routed through my PFSense box and a Unifi AP and 3 SSIDs connected to different VLANs.

Setup

- WAN -> PF -> Unmanaged switch -> to: - Wired clients - PiHole on the default LAN, for local DNS - WAN -> PF -> Unmanaged switch -> Link port of managed switch - Unmanaged switch -> Unifi AP w/3 SSIDs: - SSID 1 - VLAN 10: trusted (192.168.20.0/24) - SSID 2 - VLAN 30: untrusted smart home network (192.168.100.0/24) - SSID 3 - VLAN 35: untrusted guest network (192.168.200.0/24) - PFSense LAN default network - 192.168.10.0/24

In PFSense, I have all 3 VLANs defined & enabled with DHCP turned on. DHCP is working as when I connect to SSID 1 (trusted network) I'll get e.g. 192.168.20.5. I can also ping the PiHole from all wireless clients. Here's where it gets interesting - nslookups from wireless clients to the PiHole do not work (trusted & untrusted both), nor do I have internet connectivity. I do have port 53 allowed from any internal networks -> PiHole, and I'm not currently seeing any blocked firewall entries that would provide any clues either.

Troubleshooting steps taken

I thought the Unifi AP might be messing things up so I connected managed switch -> an old wireless router's LAN port and set all managed switch ports to VLAN 10 (so all wireless clients on the old router's network would get a 192.168.20.x). This surprisingly also does not work in the same way as above -- I can ping PiHole, I can somehow supposedly ping internet addresses (e.g. 1.1.1.1) but I do not have internet connectivity via e.g. web browser.

I'm not sure what else I can try here. Any help would be greatly, greatly appreciated!

Edited to shorten length & for clarity

I was finally able to get Century Link to come on-site. As it turns out, the PON tap is doing this to my entire neighborhood -- so thankfully this has nothing to do with pfsense. Though, Century Link has no idea what's happening, so I'm not sure If I should be relieved?

The NSA wiretap is probably just malfunctioning and instead of sending copies of our packets back to Fort Meade, they are being sent back down the line to the ONT. Nothing to see here.

Yep. dhcp.png

@sshami I can't ping backup Sync intrerface IP from Master node.

@sokolum said in Isolated VLAN / Private VLAN:

Netgear GS108TV3.

You might want to check the manual to see if that function is supported. You may have to check carefully, as it might not be obvious. For example, with my crappy TP-Link switch, it's called "Multi-Tenant Unit VLAN".

Thanks so much to everybody involved here. I was entirely wrong in my initial suspicion, but the analysis helped me better understand how networks work, so I do not consider this as lost time.

Some revelations:

for incoming traffic, wireshark, tcpdump and packet capture (pfsense) are king for outgoing traffic, ip route get [host ip] helps to see in which direction traffic leaves (or doesn't leave) the host

@derelict Thanks. You made my day. I will try that

Ok thank you. I read about the protocols

Still struggling however. My ultimate goal is isolating IOT via MAC and the consumer grade mesh systems do not support vlan over ssid as you point out.

My problem is replicating your setup as the packets don't seem to get to the IOT device through the access point. I think it is my switch setup for the access point and If you could further explain your setup for the access point that would help me.

In your project above you state

"VLAN 10 -- is trusted devices... wifi devices have their mac address associated with the VLAN tag. It is a mix of wired and wifi devices.

VLAN 30 -- is IoT and those I have to enter the Mac addresses for. All wifi devices."

So my question is how did you configure the switch to allow the vlan traffic to get through the access point?

1- did you set up orbi as an approved mac address to for vlan 10 and 30. This doesn't seem to work for me?
2- did you use pvid for vlan 10 and 30 and plug orbi into that port? I was going to try this next.

Appreciate your thoughts.

The way I am reading the diagram, is that the PFSense device has 4 NICs. One is WAN, one is the wireless, and there are two other NICs connecting to two 'dumb' switches, one of which connects to more switches. Therefore, there are 4 networks here, assuming these are dumb switches and there are no vlans. So traffic passing between any device connected to the 'root switch' that has all the switches below it, and its port on the PFSense, can all 'talk' to each other provided those devices don't have a firewall on them that blocks ports or IP ranges. By default, they would NOT be able to communicate with the wireless devices or the other dumb switch connected to another port on PFSense, by default. This is also assuming that all the switches are functioning properly, and all the cabling is good. They would NOT, for example be able to see wireless devices, or the items on the other switch that isn't connected to 'root switch' with all the switches below it. It would not see that PFSense port either, but their own default gateway port. If using PFSense for DHCP, for example, it would need to be configured for each of those LAN/OPT ports. If only one of those ports is configured on PFSense, only that port will have visibility into the network. So provided this drawing is correct, make sure that you have configured/enabled all the LAN ports, and any DHCP per PORT.
I hope I haven't misread the diagram, but that is what it looks like to me.

@SteveITS After isolating the vlan on the switch, I had to configure a static IP, and now must configure for the WAN access. Would you know anything about this?

I ended up just plugging a Raspberry PI into a port on the N3K-C3172 TOR, and configured the network stack to implement the L2TP pseudowire, so it ends up being the same number of hops, but it would have been nice to implement it either in the switch or the firewall and not have to live with a single function appendage... but that's life in technology.

@johnpoz

Then I was just discussing it. I hadn't actually tried it on pfsense. Today, I thought I would, given I have so much time on my hands with the pandemic. I run openSUSE Linux on my network and it supports VLAN 0. In fact, it's what pops up when you create a VLAN. In my previous experiment with VLANs, I was using VLAN 5, which pfsense supports. I also have VLAN 3 for my guest WiFi.

BTW, I just came across this. In reading it, I get the impression someone doesn't understand what VLAN 0 is for. The "reserved" purpose is for putting the CoS bits on a frame, without having a separate VLAN. That is a VLAN 0 frame should be treated identically to a native frame, other than CoS.

@m200

Yep, many laptops didn't support VLANs.

@duvel

If you have 4 NICs, there's likely not much use with using VLANs. If you want to learn about VLANs, you have to actually set them up and have something at the other end of the wire that can handle them. A managed switch will do that. You can create multiple subnets and put them on individual VLANs. Then use the managed switch to sort them out, so that when you plug a computer into the different ports, it will be on the different subnets. Depending on your WiFi situation, you might get a proper AP and use a VLAN to provide a guest WiFi.

One other thing you can do with a managed switch is create a data tap, so you can monitor a connection with Wireshark. This is very handy when learning about networks.

Again, small managed switches are cheap. Just avoid TP-Link.

@jamesdav It's just a switch. If you must use the switch built into the SG-1100 for this and not an actual external outside switch, you can modify this procedure:

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html

That puts two ports on the same LAN broadcast domain but it will work equally well for VLAN 4090 (WAN).

@derelict & All

Thanks for your help. The issue is resolved.

The problem was the Netgear switch port was being blocked because of STP rules.

Issue Resolved!

I came up with this topology:

210322 Network Diagram.jpg 

I also set took these configuration steps:

set up a bridge between the interfaces corresponding to the LAN and OPT ports in Interfaces→Bridges, set the OPT port to have the IP address 192.168.4.1, set up a DHCP server for the entire 192.168.4.0/24 subnet on the interface corresponding to OPT, with 192.168.4.1 as the gateway address, turned on the Avahi package to route mDNS traffic between the 192.168.4.1/24 and 192.168.1.1/24 subnets, turned off the Velops’ DHCP server, and set the LAN base address to 192.168.4.2, so as to not create a conflict with the OPT port.

The second Ethernet connection on the master Velop node is purely for remote administration purposes. That’s how it communicates to the LinkSys configuration servers.

@Derelict & @teamits : you were both right. Sorry, my bad: it was bad Ubiquity configuration.

If anyone falls in the same trap, the solution is to set "Corporate" + "VLAN". Not "VLAN Only" + "VLAN":

98a25145-0f81-4440-85e0-ab5af871da71-image.png

Thank you both very much!

@mcury Perfect, got it working as expected.

Still curious about what causes the underlying issue wrt routing from the gateway but it's less of a concern since I can address the symptom.

I eventually solved it by using the ISP modem/router for IPTV and but pfSense behind it. It's double NAT but that's ok for now.

I solved the issue a while ago and forgot to answer here.
After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect.
As my CP is authenticated, so I believe that the question was precisely at that point. The other end had no way to authenticate itself to be able to pass and from the moment I released the IP there, he started to communicate. I even thought about doing a test of this type, taking the CP's authentication to see if it worked directly, but I ended up not having time.

Anyway ... it's resolved.
Thanks to everyone who was willing to try to help.

@rnelsen

Did you configure the VLAN through the switch?

I use VLAN 3 for my guest WiFi. I configured VLAN 3 on pfsense, my Unifi AP and the Cisco switch ports that connect to pfsense and the AP.

@adamsolar The SG-2100 only has two built-in NIC’s

Mvneta0 = WAN
Mvneta1 = LAN (Which is connected to the Built-in switch)

So the 4 “LAN” ports are actually switch ports that switches traffic to/from the 2.5Gbit LAN NIC

If you want VLAN capability on those ports (different VLANs on ports), you need to set up 802.1q mode on the switch:

https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html

@lillianroot
Getting Deja Vu, I feel like I've seen this question posted a while back.

(my assumption is that they plugged into the layer 3 switch instead)

I doubt it. They most likely did one of two things... they either spanned the appropriate VLAN out to that switch or put the end-users on a different VLAN and forced them to re-address their equipment.

Are the layer 3 switches allows the VLANS to pass traffic across a trunk through routing but the layer 2 switch can't do that feature?

A layer 3 switch is a switch that also has routing functionality. However, it would need to be configured and implemented properly to actually route traffic. The fact that the switch has layer 3 functionality doesn't necessarily mean it's routing traffic. So, the short answer to your question is no. A layer 3 switch will pass the same VLANs over a trunk that a layer 2 switch will. The difference is layer 3 switches can also do static routing, dynamic routing, etc.

Best practice is for every closet to have unique VLANs. So, if the VLAN you're looking for isn't on the switch, it was probably left off by design. So, someone had to make a decision whether to span that VLAN out to that switch or force the end-users to re-address their equipment on a subnet that exists in that closet.

@swgarland said in VLAN Setup question:

It currently tags all traffic as vlan10 unless it is changed on the switchport.

Well change it if you don't want what you want.. If you want to use just native lan as vlan 10 - then just set the port to connected to lan port of pfsense to not tag vlan 10. So your saying if you put some pc connected to port X, that you have to set the PC to understand the vlan, ie the tag.. PCs sure do not do that out of the box.

@nickh-0 said in Home IP range overlap with Work VPN:

@jknott
Thanks for the reply. usually i would, but being a consultant and working with various clients and projects the risk of running into an overlapping IP is high and need a permanent solution to allow me to "adapt" and was thinking i could have a vlan that i can change as needed rather than continuously changing my home subnet - if that makes sense.

Use 172.31.255.0/24, most of your customers if they have their heads screwed on won't allow split tunnels.

@gwaitsi


the client on vlan20 can ping all switches, routers and the firewall on vlan1 - but not the ipmi port

the routers and the switches can ping all devices including the ipmi port

pfsense can ping all routers, switches and clients - but not the ipmi port

there is no inter-vlan routing on the switches, everything must go through pfsense.

rule specifically allows all protocols / addresses from vlan20 to vlan1 and rule for vlan1 to vlan20 (for eliminating rules as a source)

the test results are also the same if i put the IPMI port into the openwrt with untagged vlan1 port instead of the managed switch

i don't understand why pfsense can't talk to this one device, when it can to all the others on the same network.

** to eliminate all possibilities, i put the ipmi port on the same vlan as the client on a openwrt port set to untagged. It was then able to get a dhcp from the client vlan

@roney-s-mathews

How are you determining that? If you want VLANs, you configure them wherever you need them and you won't be able to see if you get the addresses, without something to connect to the VLAN. Also, did you configure a DHCP server on the VLAN?

@vtglockster

The issue was the OpenVPN client. I needed to add some rules for Outbound NAT.

Once I added the rules the VLANs started working properly.

Yes, adding a new IP range to the port connected to the switch will separate the devices. Then if you want you can do interesting things with rules to isolate or not isolate devices.

Port 1 might have the IP 10.10.220.0/24 and port 2 might be 192.168.100.0/24. The only way they talk is if you allow (the default is to allow) them to talk.