Unless I have some strange config on pfsense where I have problems with vlans and ipv6?
For pfsense configuration, there is absolutely no difference between an interface and a VLAN interface. All a VLAN does is add an extra 4 bytes to the frame for the VLAN tag. The only problem I've had with VLANs is when I had a TP-Link access point, which didn't handle VLANs properly.
and I use a reverse proxy to serve them over 443.
Ok - why is that a problem then? Your reverse proxy works just fine like that, whether you NAT reflect or hit it directly locally. Or if you ran your reverse proxy on pfsense, there would be no need for NAT reflection or a host override, etc.
Yes okay, though is it then possible to still tell the mobile branch office (VLAN) subnet that if only this specific subnet wants to go to the outside world (to contact the externally hosted IP-phone provider), it needs to make use of the IPsec? (While the other subnet's traffic that wants to surf the internet goes straight from 4G to its 4G internet service provider.)
There is no such rule. VLANs are at L2 and the filters work at L3. What you do is configure the interfaces with VLANs when you need them. For example I have VLAN3 enabled on my LAN interface to support my guest WiFi. Also, my understanding is the Netgate gear does something different with VLANs. I haven't worked with Netgate equipment, so I can't help with that.
Well, I'm no expert but I got it working on my end, ESXi 6.7, but using layer 2 'lite' layer 3 switches from Netgear though. I kept the management network on my default LAN, thinking that if there were issues with the VLAN, I want to be able to reach the management network without a fuss. I put two NICs on that original vSwitch, for the management network, and put the rest on a new port group on a second vSwitch that I created for the VLAN. Put it in VLAN 4095 (will probably move it to the right VLAN at some point - 4095 means all VLANs). I then set the Netgear switch ports that came from the VMs in ESXi to the correct VLAN and it's working.
I don't know why it drops; maybe more information as to how it is set up? One vSwitch with everything in it (management/VLANs all in the same VLAN) or multiple vSwitches? Plus I don't know how your physical switch handles the VLANs; I never tried TP-Link with VLANs before.
@tkyead bump. Also, can't edit post, but re-written to shorten and for clarity:
Having some issues getting VLANs set up. My end goal is to have internet routed through my PFSense box and a Unifi AP and 3 SSIDs connected to different VLANs.
- WAN -> PF -> Unmanaged switch -> to:
  - Wired clients
  - PiHole on the default LAN, for local DNS
- WAN -> PF -> Unmanaged switch -> Link port of managed switch
- Unmanaged switch -> Unifi AP w/3 SSIDs:
  - SSID 1 - VLAN 10: trusted (192.168.20.0/24)
  - SSID 2 - VLAN 30: untrusted smart home network (192.168.100.0/24)
  - SSID 3 - VLAN 35: untrusted guest network (192.168.200.0/24)
- PFSense LAN default network - 192.168.10.0/24
In PFSense, I have all 3 VLANs defined & enabled with DHCP turned on. DHCP is working as when I connect to SSID 1 (trusted network) I'll get e.g. 192.168.20.5. I can also ping the PiHole from all wireless clients. Here's where it gets interesting - nslookups from wireless clients to the PiHole do not work (trusted & untrusted both), nor do I have internet connectivity. I do have port 53 allowed from any internal networks -> PiHole, and I'm not currently seeing any blocked firewall entries that would provide any clues either.
Troubleshooting steps taken
I thought the Unifi AP might be messing things up so I connected managed switch -> an old wireless router's LAN port and set all managed switch ports to VLAN 10 (so all wireless clients on the old router's network would get a 192.168.20.x). This surprisingly also does not work in the same way as above -- I can ping PiHole, I can somehow supposedly ping internet addresses (e.g. 184.108.40.206) but I do not have internet connectivity via e.g. web browser.
I'm not sure what else I can try here. Any help would be greatly, greatly appreciated!
I was finally able to get Century Link to come on-site. As it turns out, the PON tap is doing this to my entire neighborhood -- so thankfully this has nothing to do with pfsense. Though, Century Link has no idea what's happening, so I'm not sure if I should be relieved?
The NSA wiretap is probably just malfunctioning and instead of sending copies of our packets back to Fort Meade, they are being sent back down the line to the ONT. Nothing to see here.
You might want to check the manual to see if that function is supported. You may have to check carefully, as it might not be obvious. For example, with my crappy TP-Link switch, it's called "Multi-Tenant Unit VLAN".
I ended up just plugging a Raspberry Pi into a port on the N3K-C3172 TOR, and configured the network stack to implement the L2TP pseudowire, so it ends up being the same number of hops, but it would have been nice to implement it either in the switch or the firewall and not have to live with a single-function appendage... but that's life in technology.
Then I was just discussing it. I hadn't actually tried it on pfsense. Today, I thought I would, given I have so much time on my hands with the pandemic. I run openSUSE Linux on my network and it supports VLAN 0. In fact, it's what pops up when you create a VLAN. In my previous experiment with VLANs, I was using VLAN 5, which pfsense supports. I also have VLAN 3 for my guest WiFi.
BTW, I just came across this. In reading it, I get the impression someone doesn't understand what VLAN 0 is for. The "reserved" purpose is for putting the CoS bits on a frame, without having a separate VLAN. That is, a VLAN 0 frame should be treated identically to a native frame, other than CoS.
If you have 4 NICs, there's likely not much use in using VLANs. If you want to learn about VLANs, you have to actually set them up and have something at the other end of the wire that can handle them. A managed switch will do that. You can create multiple subnets and put them on individual VLANs. Then use the managed switch to sort them out, so that when you plug a computer into the different ports, it will be on the different subnets. Depending on your WiFi situation, you might get a proper AP and use a VLAN to provide a guest WiFi.
One other thing you can do with a managed switch is create a data tap, so you can monitor a connection with Wireshark. This is very handy when learning about networks.
Again, small managed switches are cheap. Just avoid TP-Link.
- set up a bridge between the interfaces corresponding to the LAN and OPT ports in Interfaces→Bridges,
- set the OPT port to have the IP address 192.168.4.1,
- set up a DHCP server for the entire 192.168.4.0/24 subnet on the interface corresponding to OPT, with 192.168.4.1 as the gateway address,
- turned on the Avahi package to route mDNS traffic between the 192.168.4.1/24 and 192.168.1.1/24 subnets,
- turned off the Velops’ DHCP server, and
- set the LAN base address to 192.168.4.2, so as to not create a conflict with the OPT port.
The second Ethernet connection on the master Velop node is purely for remote administration purposes. That’s how it communicates to the LinkSys configuration servers.