Enabling Virtual LAN (VLAN) on Pfsense Router's WAN connection
-
Hi,
I want to use Pfsense installed on an old PC because of its rich features and flexibility for my growing network needs. My pfsense box has 3 network cards. I configured pfsense successfully and it has WAN, LAN and OPT1 interfaces.
Currently I have a Linksys EA7200 Max-Stream Dual-Band WiFi 5 Router (https://www.linksys.com/us/support-article?articleNum=316752).
It has 1 Gigabit Internet port and 4 Gigabit Ethernet ports.
On the product site it is stated that:
“To establish a connection to the internet, some Internet Service Providers (ISPs) require Virtual LAN (VLAN) to be enabled on your Linksys Smart Wi-Fi Router's WAN connection. VLAN settings configure the router to work with IPTV, VoIP and other services that may be provided by your ISP.”
When I configure such a VLAN on the Linksys as shown in the figure below, my IPTV works (no other configuration needed).
In the above picture, whatever ID I enter for (Internet Trunk) does not matter, it works, but Ethernet ID 103 is a must.
I searched Google and I could not find any info on how to configure and enable a virtual VLAN on the WAN connection on pfsense like the one in the above figure (as stated for Linksys).
So, what I tried on pfsense to make such a configuration is as follows:
With the above interfaces, a laptop connected to the LAN port of pfsense gets an IP address and has internet access, so the basic config is OK.
The steps I took were mainly as follows:
- Created a VLAN (OPT3) with tag 400 on the WAN interface and a VLAN (OPT4) with tag 103 on the OPT1 interface (LAN_103).
- Enabled OPT3 as PPPoE, exactly like I did on the WAN interface, and renamed it as VLAN_400.
- Enabled OPT4 with a static IP in a different subnet (192.168.103.1) and renamed it as VLAN_103.
- Enabled the DHCP server on the VLAN_103 interface.
- Enabled IGMP Proxy and added upstream (VLAN_400) and downstream (VLAN_103) interfaces.
- Lastly, added the firewall rules for VLAN_400 and VLAN_103 as “pass any”.
My final interfaces are as follows:
After connecting the IPTV box on OPT1, no success. Where do I make a mistake? Or are the steps taken all wrong as a whole, and should I follow a different method? I don’t know.
I am not from a networking background so I need help. Can someone guide me on this, please?
Thank you.
-
-
You say it doesn't matter what VLAN ID you set on the WAN in the Linksys? That implies it's not using it.
Also I assume the PPPoE connection you have configured on igb0 directly in pfSense is working without the VLAN?
Does the PPPoE on igb.400 connect?
Does your ISP actually provide any config details for using your own router?
Steve
-
@stephenw10 Thanks for answering Steve,
Yes, the VLAN ID on the WAN in the Linksys has no effect (I tried 100, 150, 300, etc., all working).
The PPPoE connection on igb0 works without VLAN. I tested it just after the pfsense installation, before creating any other interface.
igb.400 has no connection.
I configured igb.400 just like I did on the WAN interface, like this
My ISP does not actually refuses to provide any config details countywide unfortunately.
Kubilay.
-
@tshaper said in Enabling Virtual LAN (VLAN) on Pfsense Router's WAN connection:
My ISP does not actually refuses to provide any config details countywide unfortunately.
should be
My ISP actually refuses to provide any config details countywide unfortunately. Sorry for that :).
-
-
@tshaper VLANs can be a bit tricky. Think of your current Linksys VLAN config as:
Your WAN port is Untagged - which means you are not really using the VLAN identifier - it could be any number. Untagged means your Linksys does not transmit packets with a VLAN identifier, and all packets received without a VLAN identifier are similarly treated as belonging to the WAN network on your Linksys (whatever VLAN number it has).
The only difference the VLAN number on WAN makes is that your Linksys will allow for receiving packets with a VLAN tag 400 and add them to the same WAN network as untagged packets.
Since changing the VLAN number makes no difference, your ISP is not transmitting packets to you with the VLAN400 tag set.
Things are the same on your LAN/Ethernet side, with the only difference being that your IPTV box clearly transmits packets with the VLAN 103 tag. That’s why your Linksys needs to be set to VLAN 103 even though it is running its interface untagged. Because otherwise it will discard received packets with the VLAN 103 tag.
Where does that leave you:
You do not need the VLAN 400 OPT3 interface on your pfSense. Your current WAN interface setup is enough, which is also shown by it connecting and working (it is the untagged VLAN on the physical igb0 interface).
Your LAN side is a problem. I’m pretty sure pfSense will not allow an untagged interface to receive tagged packets because there is no concept of a Native VLAN number (like your Linksys), so you cannot replicate the Linksys setup in detail.
What you have done is the “right” solution then - you have made your LAN the Untagged part of the physical em0 interface, and you have made OPT4 the VLAN 103 Tagged part of the physical re0 interface. But it’s now two different networks - on your Linksys it’s the same single IP network. That might cause issues with the IPTV box since it might expect to receive packets untagged even though it transmits them tagged - most likely though that’s not the issue. I do notice though your IPTV box does not receive a DHCP address when connected to the OPT1 port on your box. That suggests it expects to get a DHCP address untagged…. Just for kicks, try and move the VLAN 103 OPT4 interface to the em0 physical interface (where LAN is also bound). Then connect your IPTV box to em0 and see if it gets an IP address in LAN or in VLAN103.
Anyhow, you might also have real problems with the IGMP proxy. I have never used it, but if you google IPTV, pfsense and IGMP proxy you’ll notice that there are severe problems getting it to behave properly, and people usually find other workarounds to getting IPTV multicast to work.
-
I agree, the WAN side VLAN is doing nothing in this case.
We have seen configurations where the PPPoE session requires a VLAN and TV/VoIP uses DHCP untagged on the parent interface. I could imagine that the other way around.
It definitely won't be two PPPoE sessions though.
I would expect to be able to use re0 (OPT1) for the TV if that's what you want. I would expect it to use that VLAN both ways. I have no idea if the Linksys is showing the real situation there. If it's running some ISP specific firmware for example they often don't bother correcting display bugs when it's mostly locked down anyway.
I would be running a pcap on re0 to see when the IPTV client is actually sending. You will be able to see the VLAN tags in use. Otherwise it's just guessing.
Someone else may have done the test work with your ISP already though.
Steve
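One way to read the VLAN tags out of such a capture, as an added example that is not part of the original posts: a small Python parser for a classic pcap file that counts frames per source MAC and 802.1Q VLAN ID. The MAC addresses and the capture built in `build_sample()` are constructed sample data; a real capture from re0 would be passed to `vlan_summary()` as bytes instead.

```python
import struct
from collections import Counter

# Byte-order marks of classic pcap files (microsecond and nanosecond variants).
_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def vlan_summary(pcap_bytes):
    """Count frames per (source MAC, VLAN ID); VLAN ID is None when untagged."""
    endian = _MAGIC.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, captured length, original length.
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        src = frame[6:12].hex(":")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        vid = None
        if ethertype in (0x8100, 0x88A8) and len(frame) >= 16:
            # Tag Control Information: the low 12 bits are the VLAN ID.
            vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        counts[(src, vid)] += 1
    return counts

def build_sample():
    """Constructed capture: two frames tagged VLAN 103, one untagged frame."""
    def frame(src_hex, vlan=None):
        hdr = bytes.fromhex("01005e010101") + bytes.fromhex(src_hex)
        if vlan is not None:
            hdr += struct.pack("!HH", 0x8100, vlan)
        return hdr + struct.pack("!H", 0x0800) + bytes(46)
    frames = [frame("020000000001", 103), frame("020000000001", 103),
              frame("020000000002")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, vid), n in sorted(vlan_summary(build_sample()).items(), key=str):
        print(src, "untagged" if vid is None else f"VLAN {vid}", n)
```

A source MAC that only ever appears with `None` is sending untagged, which settles whether the interface facing that device needs a VLAN at all.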
-
@keyser Thank you keyser for your explanatory answer. When I move VLAN 103 onto the LAN interface, the TV box gets its IP from the LAN interface, not from the VLAN interface (and I did not see any Q-tagged frames in the pcap either). As you said, since there are IGMP proxy problems, pfsense and IPTV seem not to be a good combo. I will try other ways.
-
@stephenw10 Thank you Steve for your answer.