How to set the same VLANs between the switch and PfSense
-
@jknott there are many that do - wish they would stop it!
-
Thanks everyone , below you find the schema and other details.
The modem is a modem/router, even though I was using another router after that, it has to be the same case with PfSense.
There is a fundamental problem with it, the modem/router will remain as such, it can't be set as only modem, even if I disable the WIFI, which is mandatory for one bug inside (just saw it on the website).
At the moment it can accept another router anyway, I'm not concerned about it.With this IP range, the packets don't reach the modem/router, but when I've set the PfSense IP to 192.168.0.50 it worked, I don't get it :D
I removed the VLAN on the Uplink port, so it's a normal uplink port now but it's categorized as WAN, I just don't remember if it was a label or not, but from the networking point of view it should be the same, as long as it's on the LAN.
It seems I can't login anymore on the UI, wrong credentials, any bug as such? :D , I'll need to reset the box in somehow, which is a good thing considered the mess inside, but damn...
I highly doubt I messed the password...
I recovered the password from the backend, nice automated job. -
++ I've set the upstream gateway on the WAN interface at 192.168.0.1 , it seems the correct step to follow...
Still no network. -
@jt40 said in How to set the same VLANs between the switch and PfSense:
There is a fundamental problem with it, the modem/router will remain as such, it can't be set as only modem, even if I disable the WIFI, which is mandatory for one bug inside (just saw it on the website).
What make is it? I haven't yet seen one that couldn't be put in bridge mode, though some can be a pain to do so. Or you may have to call your ISP to have them do it.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@jknott sky
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
I removed the VLAN on the Uplink port, so it's a normal uplink port now but it's categorized as WAN
Well if you put a gateway on it - pfsense is going to think its a WAN..
Your lan interface of pfsense should have NO GATEWAY set on the interface..
Pfsense tells you this when setting it up. And even states it on the gui, etc..
Not sure where your coming up with management IP on pfsense of 192.168.200.1 ? How many nats are you going to do.. So the device you have plugged into pfsense wan is 192.168.0, then behind that you have 192.168.140? (pfsense wan). Are you using some other mask other than /24 on pfsense lan? Is this 192.168.200.1 address another interface, a vip? What?
If your network is 192.168.140/24 and you want to talk to your switch, then put it on the 192.168.140 network.. Or change pfsense lan to be this 10.90.90 network.
Your modem/router (isp device) wan is 192.168.x.x ? If so your ISP is doing nat, not sure why they wouldn't be using cgnat 10.64/10 space? Or do you have some other device in front of what your showing?
I would suggest you get internet working, ability to talk to your switch before breaking out networks/vlans for admin or management, etc.
With a typical isp modem/router setup and pfsense, double nat. Something like this out of the box just works. As long is you didn't setup a gateway on your interface used for lan.
You can use whatever rfc1918 ranges you want as long as they don't overlap
Get devices behind pfsense working, talking to your switch, everything on 1 network.. Then more than happy to walk you through setting up vlans/networks - creating rules for blocking traffic between multiple vlans... But get a working base setup first. Doesn't really matter how many networks in front of pfsense, etc. But pfsense wan and lan can not overlap, etc..
-
@johnpoz Thanks for that, I must have missed it, it wasn't enough to fix it though.
192.168.200.1 is the IP management interface for the WebUI, it doesn't correlate with other IP communications for my knowledge.
I'm using 255.555.0.0 subnet mask on both devices (modem/router and PfSense, it should cover my actual setup, in fact the CIDR validation doesn't fail)
Your modem/router (isp device) wan is 192.168.x.x ? Yes, it's in the diagram, it's 192.168.0.1, but 192.168.140.130 is the IP dedicated to the PfSense, which should act as a gateway with that IP, it seems it doesn't.
Not sure about the NAT, that is a simple modem/router, it can't assign IPs of a range 10.x, so it's a simple internal switch functionality where you can assign different IP ranges, most probably it doesn't give problems until you don't leave the range 192.x.x.x
I don't think that the IP management interface is creating issues with the rest of the network... With overlap you probably mean that it cannot be after 192.168.x.x, is this the overlap you are talking about?
For my understanding, it won't overlap until I don't saturate this IP range, meaning of, until I don't choose the same Ip for 2 things, which won't happen.I'll follow the approach "start easy" and then I let you know.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
192.168.200.1 is the IP management interface for the WebUI, it doesn't correlate with other IP communications for my knowledge.
That makes no sense - the management IP of pfsense would be its LAN IP.. Or you could manage with any IP on pfsense as long as your rules allow access. Where did you set this 192.168.200.1 address??
255.555.0.0 subnet mask on both devices (modem/router and PfSense
Well that is a PROBLEM.. that means anything 192.168.x.x is the same network.. So 192.168.140 and 192.168.anything else would overlap - you can not do that. and expect anything to actually work.
If your device in front of pfsense is using 192.168.140/16, you have to pick something other than 192.168 for your LAN side network 10.x.x.x network or 172.16-31.x.x network.
Pfsense wouldn't even allow you to actually do that - if you were setting static IPs on both wan and lan. But if wan is dhcp and gets a 192.168/16 network - then yeah that could overlap with your lan network.. 192.168.140 would normally be a 255.255.255.0 or /24 network.. Then you could use any other 192.168.x/24 network or even other masks like /23 or /22 etc.. as long as they do not overlap with the 192.168.140/24 network.
-
@johnpoz Thank you, I need to tell you more about it.
After your recommendation to remove the gateway, without gateway the connection works as it is written in the previous graph, despite it's wrong as you say.
I think it's wrong in theory, not in practice, plus I'll be assigning the IPs manually and the DCHP IP point of start won't bother me at all.
Plus, being on the same network doesn't scare my use case, as long as I use VLANs, am I wrong?
I do agree that this is the wrong way to design a network, I'll change it if my modem/router allows a different range, determined by a different subnet mask.I still can't manage the switch connection though... I've set the IP from the switch interface (on Pfsense), but whatever device I plug in, for example with IP manually assigned of 10.9090.91 and beyond, it doesn't work.
Quoting you
192.168.140 would normally be a 255.255.255.0 or /24 network..I have another router sitting on 192.168.5.1, hence why I've chosen 255.255.0.0 mask, am I wrong?
I mean, I need to be able to change x.x.N.x , for that I need 255.255.0.0 mask as far as I know. -
@jt40 if 192.168.0.0/16 is the WAN then you can use whatever address you want in that range, but those devices all need to be in the WAN. Otherwise pfSense won’t know where to route packets.
-
I can't setup an IP range of 172.x.xx. or 10.x.x.x from the modem/router, I precisely tried to reserve that IP address, nothing.
Not sure why, I guess it's a limitation of these crappy ISP devices.
What choice remains?
It seems anything of a range like 192.168.x.x
Well, not even that it's supported :D
I tried 192.169.x.x or 192.166.x.x, it says both are out of range with a mask of 255.255.0.0 -
@jt40 you can use 192.168.x.x for your pfSense WAN just fine. You just can’t also use it on other interfaces.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
I can't setup an IP range of 172.x.xx. or 10.x.x.x from the modem/router, I precisely tried to reserve that IP address, nothing.
Well use that range on your lan then behind pfsense.
I have another router sitting on 192.168.5.1
And where was that on your drawing? Dude can not help you if get wrong or missing info..
Where and the F does this router sit?? is that some network behind a wifi router doing nat?
Not sure why, I guess it's a limitation of these crappy ISP devices.
What device does not let you change the lan IP address? You can not just change the scope of the dhpc, you have to change its lan IP!
I mean, I need to be able to change x.x.N.x , for that I need 255.255.0.0 mask as far as I know.
What?? Why do you need to change that? Dude You seem to have a REAL mess - none of this stuff was in your drawing - there was no masks set on anything in your drawing, etc. Still haven't answered where you setup 192.168.200.1 on pfsense, etc..
I tried 192.169.x.x or 192.166.x.x, it says both are out of range with a mask of 255.255.0.0
Why would you think that is valid? Maybe its time you do a bit a research on what network is and what the masks actually means.. And what the valid rfc1918 space is 10/8,192.168/16,172.16/12
Your going to have a real hard time getting anything working, especially if your goal is to have multiple vlans/networks without understanding the basic concepts.
-
@steveits Every interface has its own IP, that's for sure.
-
@johnpoz
Ok for the LAN, I'll use something like 192.168.140.130 as it is right now.I didn't represent the other router because it will be removed, I just mentioned it as an example, but in any case it's like that, it's after the modem/router with IP 192.168.5.1, manually assigned in the modem/router, it works fine.
The machines behind have IPs like 192.168.5.2 and so on...I need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/router, which means that I can't reserve anything else, only 192.168.0.x seems faultless, I just wonder how I've set up 192.168.5.1 at this point.....
It keeps saying that the address is out of range.I think I know what do you mean about that range, you mean that I can't set up something like 192.169.x.x, but I can set 192.168.x.x, is it right?
I don't use DHCP at the moment to avoid complexity.
I've set up 192.168.200.1 on my Pfsense on a dedicate port for management (pfsense management or WebUI).
This IP doesn't have anything to do with the rest of the production network, I have direct access to it, that's how I manage the Pfsense box, as well as any other if I need to.
I just assigned this custom address for the management, sorry for the confusion.
Do you see anything bad here? -
@jt40 said in How to set the same VLANs between the switch and PfSense:
I'll use something like 192.168.140.130 as it is right now.
You can't, if the WAN is 192.168.anything.anything/16. In that config pfSense "knows" anything in that subnet is on the WAN so it will get confused if traffic is also on any other interface. So you can't use 192.168.200.x or anything else, on other interfaces.
192.169.x.x is a public IP block.
-
@jt40 said in How to set the same VLANs between the switch and PfSense:
need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/route
What, what device make and model is this device.. There is no freaking way they do not let you change the lan IP and force a /16 mask... Just no freaking way.
-
@johnpoz said in How to set the same VLANs between the switch and PfSense:
@jt40 said in How to set the same VLANs between the switch and PfSense:
need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/route
What, what device make and model is this device.. There is no freaking way they do not let you change the lan IP and force a /16 mask... Just no freaking way.
Sky Hub, 2 ethernet ports.
-
-
@johnpoz Thanks mate, I know it :D
But it says that it's out of range.
Let me post you the current config.
