Interface range setup
-
If it's a D-Link 15xx , there might be some interesting info here
https://community.spiceworks.com/topic/927137-vlans-dhcp-dns-and-routing-on-l2-d-link-switches
I just skimmed it - But it seems that enabling the DHCP server on the switch is asking for trouble.
What I used to do on my 1210's.
1: Create a management vlan , where the switch management ip would end up.
2: Enable pfSense DHCP server on that vlan.
3: Create an untagged port in the management vlan (recovery)
4: Move the switch management to the management vlan.
5: Move the Management PC to the port created in step3 (still using the 10.90.90.xx for the lan if)
6: Login to switch on 10.90.90.90
7: Switch the management interface to use DHCP
8: Switch the PC to use DHCP.
9: Login to switch using the new DHCP management ip assigned to the switch.
10: Save the switch config
11: At that point i usually download and save the config on the pc (Named something like - dgs1210-blank-dhcp).
12: Either move the switch to static ip , or not ..... Save the switch config
Now if I ever get a new switch of the same model , I just connect to 10.90.90.90,
Restore the dgs1210-blank-dhcp config , and it's running like step-11 above.
If anything totally FSCK's up ... Press & hold the reset button until all the Port-LEDS light up.
Then it should boot up as "Factory reset" w. 10.90.90.90
/Bingo
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
this is under the L3 functions on my switch
Thought you said your switch doesn't have L3?
D-Link L2+ switch, it means that it doesn't have all the L3 functions.
Which is it - what is the model number of this switch.
I need to resolve this but blocking the traffic to the firewall doesn't help
It's an L2+ switch, it has some of the L3 functionalities, the switch is Dlink DGS-1210-16 , but I don't want to use them.
I only defined 2 IP interfaces with a different range (otherwise I can't) but for me it doesn't make much sense, and in any case is not respected, it takes the IP range of the PfSense interface where it is attached to.
Then you're doing it wrong - and sure as hell do not need a floating rule.. Nobody can help point out what you're doing wrong - if you don't actually show us what you're doing.
:D , I still need to dig into FW rules in PfSense.
The rules are fixed in that way, unless you love to use the shell to configure them.
Making a screenshot is a bit of a pain because that machine is isolated, same as other devices (in a certain way)
I have just a few options on the UI when I set up FW rules:
- Any
- Single Host or IP alias
- Network
- PPPoE clients
- L2TP clients
- Interface Network (respectively of each interface)
- Interface address (respectively of each interface)
- the classic, protocol, IPV4, etc...
I see the advanced option of "In / Out pipe", it seems a bit different from what I see above... Or is this the simple outbound/inbound concept??
What are the vlan IDs you set? What are the port configurations of the switch, etc. etc.. What are you firewall rules..
I've set 40-41 as a test on the same port, both in the Switch and in PfSense, + on the AP but as I mentioned it doesn't work at all, I can't get any IP address if I do such thing... It seems to be more related to the new LAN that I create in the AP, more than the VLAN ID itself. I can set the VLAN ID in the AP network but I don't get any IP and the device doesn't join after a few attempts.
The VLANs are currently set both in PfSense and the Switch, but not in the AP, I'm using the default LAN and it doesn't have any VLAN ID on the UI, but maybe it uses 1 as default.
My FW rule for each interface currently is:
- Interface Network (respectively of each interface) to ANY.
- This automatically implies that I have access to any other network, even if another network interface doesn't have an INBOUND rule, this is very weird, is it supposed to be this way?
I can ping, ssh, login into the firewall etc from each interface to any other.
I can't do what I mentioned only if I'm behind the switch when these rules are applied, otherwise I can do even that from the other side (from PfSense interface OUTBOUND to the devices attached to the switch).
This mismatch is quite weird.
@bingo600 I'll reply to you later, thanks for that.
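The question above (why one "Interface Network to ANY" rule reaches every other network) comes down to how pfSense orders and evaluates interface rules: first match wins on the interface the packet enters, and the state table passes the replies. As an added illustration, not from the thread or from pfSense's own code, here is a small first-match model with constructed VLAN 40/41 addresses and an assumed "rfc1918" alias, comparing the single rule from the thread with a reordered set that keeps VLAN 40 on the internet only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed alias table (the name "rfc1918" is an assumption, not a
# built-in pfSense alias): the private ranges every internal VLAN lives in.
ALIASES = {"rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}

def _nets(spec: str) -> List[ipaddress.IPv4Network]:
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(s) for s in ALIASES.get(spec, [spec])]

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: str                      # CIDR, alias name or "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (any(s in n for n in _nets(self.src))
                and any(d in n for n in _nets(self.dst))
                and (self.dport is None or self.dport == dport))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """Interface-tab rules: first match wins, top to bottom; no match = block.
    Rules are checked only on the interface the packet ENTERS; the replies of
    an allowed connection are passed by the state table, which is why the other
    VLAN needs no "inbound" rule for the answer to get back."""
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action
    return "block"

# Constructed addresses: VLAN 40 is 192.168.40.0/24 and pfSense owns .1 on it;
# VLAN 41 is 192.168.41.0/24.
VLAN40_NET, VLAN40_ADDR = "192.168.40.0/24", "192.168.40.1/32"

# The single rule described in the thread, on the VLAN 40 interface tab.
OPEN_RULES = [Rule("pass", VLAN40_NET, "any")]

# Same interface, reordered: allow DNS to the firewall itself, block the rest
# of the private space (other VLANs and the pfSense GUI), then allow internet.
LOCKED_RULES = [
    Rule("pass", VLAN40_NET, VLAN40_ADDR, dport=53),
    Rule("block", VLAN40_NET, "rfc1918"),
    Rule("pass", VLAN40_NET, "any"),
]

if __name__ == "__main__":
    flows = (("192.168.41.10", 22), ("192.168.40.1", 443),
             ("192.168.40.1", 53), ("1.1.1.1", 443))
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        for dst, port in flows:
            verdict = evaluate(rules, "192.168.40.10", dst, port)
            print(f"{name}: 192.168.40.10 -> {dst}:{port} = {verdict}")
```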
-
@jt40 said in Interface range setup:
Making a screenshot is a bit of a pain because that machine is isolated
Then don't isolate it while you get set up and actually understand how it works..
Go back to the drawing I provided way back when... Simple lan, access to pfsense, everything on the lan working.. Then move on to adding your vlans and AP with vlans, etc.
Once you have it working you can secure who can talk to pfsense gui, be that some admin console you have only connected directly to the lan port of your pfsense.
Your switch out of the box would be just a dumb switch, everything in vlan 1.. Set its admin IP to be on your lan network and move on from there.. You want your lan net to be your admin network anyway when all set and done. This is the network on pfsense that has an antilock out rule.
You then from your admin box on your lan net admin pfsense, your switch and your AP via their management IPs that would be on your admin/infrastructure vlan..
-
@bingo600 said in Interface range setup:
If it's a D-Link 15xx , there might be some interesting info here
https://community.spiceworks.com/topic/927137-vlans-dhcp-dns-and-routing-on-l2-d-link-switches
I just skimmed it - But it seems that enabling the DHCP server on the switch is asking for trouble.
What I used to do on my 1210's.
1: Create a management vlan , where the switch management ip would end up.
2: Enable pfSense DHCP server on that vlan.
3: Create an untagged port in the management vlan (recovery)
4: Move the switch management to the management vlan.
5: Move the Management PC to the port created in step3 (still using the 10.90.90.xx for the lan if)
6: Login to switch on 10.90.90.90
7: Switch the management interface to use DHCP
8: Switch the PC to use DHCP.
9: Login to switch using the new DHCP management ip assigned to the switch.
10: Save the switch config
11: At that point i usually download and save the config on the pc (Named something like - dgs1210-blank-dhcp).
12: Either move the switch to static ip , or not ..... Save the switch config
Now if I ever get a new switch of the same model , I just connect to 10.90.90.90,
Restore the dgs1210-blank-dhcp config , and it's running like step-11 above.
If anything totally FSCK's up ... Press & hold the reset button until all the Port-LEDS light up.
Then it should boot up as "Factory reset" w. 10.90.90.90
/Bingo
Initially I thought, what kind of approach is that :D .
Few seconds later... Oh yeah :D
Your approach simplifies and automates the switch backup-restore, very good.
This will take me some time, I'll do it as soon as I can make some change.
I have a few observations though:
- We have the same switch :) , but I can only see 2 configs, where the number 1 is the default and I didn't change it, the second one is my setup. How can you create more versions? There is nothing about it, I'm using the latest firmware. I can't even change the name of the config :D .
- Oh ok, you asked me to enable DHCP for the management interface only, this scares me a bit though :D , every time I need to know what IP did it get, most probably the first one after the physical interface but what can I say... Currently the VLAN IP range assigned to the UPLINK port in PfSense is not considered, it's considered only the IP range of the network interface, I mean the physical interface, this is valid for each VLAN/Interface, for me the VLANs are not working at all at the moment, but I'll keep your idea in mind. I'm simply still fighting with it.
-
@jt40 said in Interface range setup:
this scares me a bit though :D , every time I need to know what IP did it get
Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on like a switch.. It just always renews the same IP it originally got..
Devices only ever change their IP via dhcp when they have been off and the lease expired and given to some other device.. This rarely happens if your scope is large compared to your number of clients.
Or there was some other issue with the renew, and discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.
edit: Why dhcp is better than static set on the device. You can change info, like dns, ntp, gateway.. Without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting of it, etc. If your lease time is long and you want the IP to change now, etc.
It's almost always better to set dhcp because it gives you more flexibility.
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
Making a screenshot is a bit of a pain because that machine is isolated
Then don't isolate it while you get set up and actually understand how it works..
Go back to the drawing I provided way back when... Simple lan, access to pfsense, everything on the lan working.. Then move on to adding your vlans and AP with vlans, etc.
Once you have it working you can secure who can talk to pfsense gui, be that some admin console you have only connected directly to the lan port of your pfsense.
You then from your admin box on your lan net admin pfsense, your switch and your AP via their management IPs that would be on your admin/infrastructure vlan..
I'm reluctant to login from other machines :D , they are pretty safe but not the way I want :D . Let me get some screenshot...
Your switch out of the box would be just a dumb switch, everything in vlan 1.. Set its admin IP to be on your lan network and move on from there.. You want your lan net to be your admin network anyway when all set and done. This is the network on pfsense that has an antilock out rule.
What LAN IP? Do you mean the UPLINK interface where the it is connected in PfSense? I don't see other possibilities.
I don't use anymore the antilock out rule, in the worst case I disable the firewall and I fix the issue :D .
I only have the common rule I mentioned: from this LAN/network to ANY.
I have 2 different accesses like that, 2 different physical interfaces (LAN), so I can connect to the firewall from both if I need to, but considering that for some reason every device can go pretty much anywhere, this is not safe, it just works for now...
This is not what I want and I'm trying to figure out how to configure the firewall to stop it from happening without breaking the network...
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
this scares me a bit though :D , every time I need to know what IP did it get
Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on like a switch.. It just always renews the same IP it originally got..
Devices only ever change their IP via dhcp when they have been off and the lease expired and given to some other device.. This rarely happens if your scope is large compared to your number of clients.
Or there was some other issue with the renew, and discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.
edit: Why dhcp is better than static set on the device. You can change info, like dns, ntp, gateway.. Without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting of it, etc. If your lease time is long and you want the IP to change now, etc.
It's almost always better to set dhcp because it gives you more flexibility.
Thanks for the tip, good to know :) , I'll set the switch as DHCP then, let me test it.
That's the last device that remains without DHCP.
-
@jt40
My DGS-1100-08's had a tendency of "forgetting" their Mgmt IP , if using DHCP.
Kind'a forgot to renew after a while.
That's why I switched to using static, when making the config permanent.
But it could be fixed in one of the updates ... Actually i think it is.
Re: Dlink configs.
You can only have 2 configs saved in the switch.
You can save & restore configs easily to/from a pc.
/Bingo
-
@bingo600 said in Interface range setup:
@jt40
My DGS-1100-08's had a tendency of "forgetting" their Mgmt IP , if using DHCP.
Kind'a forgot to renew after a while.
That's why I switched to using static, when making the config permanent.
But it could be fixed in one of the updates ... Actually i think it is.
Re: Dlink configs.
You can only have 2 configs saved in the switch.
You can save & restore configs easily to/from a pc.
/Bingo
You genius! Thanks.
I'm digging into the VLANs issue in these days, I found this article about static VLANs: https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1210_setup_static_vlans
I don't understand why they are not tagged... In my case I tagged all of them in the switch plus PfSense, but the DHCP range is always the same...
I'll refresh that service as I did before, pretty sure nothing will change, are you aware of anything like that?
I don't even need to open Wireshark, the first problem is that I get the wrong IP range, that is the one from the UPLINK interface.
This is valid for each port in the switch, regardless if tagged or not assigned.
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
-
@jt40 said in Interface range setup:
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
You have 3 vlan "modes" in the switch
1: Not a member -
The specific port will NEVER transport that Vlan
2: Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "Normal Ethernet port used for a PC or other non vlan enabled device": all data sent/received with no vlan tag (which is what a normal PC or other device would do) will, by the switch, be "put in" or "gotten from" Vlan xx.
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.
3: Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches , an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)
I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381
/Bingo
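To make the three modes concrete, here is an added Python model of a switch port (not code from the post above or from D-Link); the port names, PVID 1 as the factory default and the VLAN 40/41 test IDs are assumptions taken from the thread's examples. It also shows why a PC left on an untouched port lands in VLAN 1, leaves the uplink untagged and therefore gets the DHCP range of pfSense's untagged parent interface rather than a VLAN's.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed model of one 802.1Q switch port: exactly one untagged VLAN
# (its PVID / native VLAN), any number of tagged VLANs, and every other
# VLAN is "not a member".
@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                                # mode 2: untagged member of this VLAN
    tagged: FrozenSet[int] = frozenset()     # mode 3: tagged member of these VLANs

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Classify a frame arriving on this port. None = dropped."""
        if tag is None:
            return self.pvid          # untagged frame is "put in" the PVID VLAN
        if tag in self.tagged:
            return tag                # tagged frame for a VLAN this port carries
        return None                   # mode 1: not a member, frame never enters

    def egress(self, vlan: int) -> Tuple[bool, Optional[int]]:
        """Can a frame in `vlan` leave this port, and with which tag?"""
        if vlan == self.pvid:
            return True, None         # leaves untagged (what a plain PC expects)
        if vlan in self.tagged:
            return True, vlan         # leaves with the 802.1Q tag kept
        return False, None            # not a member: the port never transports it

def forward(src: Port, tag: Optional[int],
            dst: Port) -> Tuple[Optional[int], bool, Optional[int]]:
    """(VLAN the frame was classified into, whether dst sends it, tag on the wire)."""
    vlan = src.ingress(tag)
    if vlan is None:
        return None, False, None
    sent, out_tag = dst.egress(vlan)
    return vlan, sent, out_tag

# Constructed ports mirroring the thread: a PC port at factory settings, a PC
# port made an untagged member of 40, the uplink to pfSense carrying 40 and 41
# tagged, and an AP port with management untagged and the SSID VLANs tagged.
PC_DEFAULT = Port("pc-port-untouched", pvid=1)
PC_VLAN40 = Port("pc-port-vlan40", pvid=40)
UPLINK = Port("uplink-to-pfsense", pvid=1, tagged=frozenset({40, 41}))
AP = Port("ap-port", pvid=1, tagged=frozenset({40, 41}))

if __name__ == "__main__":
    cases = [
        # lands in VLAN 1, exits uplink untagged -> pfSense parent interface
        ("PC on untouched port -> uplink", PC_DEFAULT, None, UPLINK),
        ("PC on VLAN 40 port -> uplink", PC_VLAN40, None, UPLINK),
        ("frame tagged 50 hits the PC port", PC_VLAN40, 50, UPLINK),
        ("AP SSID tagged 41 -> uplink", AP, 41, UPLINK),
        ("VLAN 41 from uplink -> PC port in 40", UPLINK, 41, PC_VLAN40),
    ]
    for label, src, tag, dst in cases:
        print(f"{label}: {forward(src, tag, dst)}")
```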
-
@bingo600 said in Interface range setup:
@jt40 said in Interface range setup:
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
You have 3 vlan "modes" in the switch
1: Not a member -
The specific port will NEVER transport that Vlan
2: Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "Normal Ethernet port used for a PC or other non vlan enabled device": all data sent/received with no vlan tag (which is what a normal PC or other device would do) will, by the switch, be "put in" or "gotten from" Vlan xx.
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.
3: Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches , an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)
I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381
/Bingo
So you mean the following?
- Untagged (The VLAN ID remains in that device that defines the VLAN) Why I should set this for my PC for example?
- Tagged (The VLAN ID will be included in the packet frames, plus it supports multi VLANs on the same port)
- Not a member (Not even a chance to set a VLAN, right? Or you can set it up but it remains always confined in that device?)
I understood that I always need to use VLAN tag for the following reasons:
- Well I need VLANs :D
- I need to use multi VLANs on the same port in most cases
- This is especially valid in the AP, I'll use multi SSID.
-
@jt40 said in Interface range setup:
Untagged (The VLAN ID remains in that device that defines the VLAN) Why I should set this for my PC for example?
Because you want whatever plugged into that port to be on vlan X.. And not have to tell that device to tag their traffic.
If you want PC to be on vlan X, the port on your switch you connect the PC would be set to vlan X with a pvid to X.. This tells the switch, hey any untagged traffic you see coming into this port is vlan X. Only send traffic out this port if to vlan X..
Understanding tagging and what a native vlan (untagged) is really step 1 in wanting to use a vlan capable switch and vlans on your network. Until you grasp the concept you're not going to make much progress in using vlans on your network.
I need to use multi VLANs on the same port in most cases
This is not normally true.. The only ports where you would carry multiple vlans would be ports that connect to other switches, or an AP or say a router where you need to carry multiple vlans over a single physical interface. Most devices connected to a switch would only ever be in a single vlan.. Other option where you might need to tag traffic is to say a VM host, where again you need to carry multiple vlan traffic over a single port, and you need something to understand what traffic goes where via the tag, or the lack of a tag.
With unifi AP, the management of that is normally untagged.. Not that long ago they did enable the ability to use tagged traffic. But that is so far beyond your current grasp of vlans, save that for another day..
The port connected to your AP for example would carry untagged (native vlan) traffic for the vlan your management IP is in on the AP, and tagged traffic for any SSIDs you want to be in other vlans.
edit: here is a drawing I did many ages ago trying to help someone understand where tag and untagged go on a switch infrastructure.
It is missing the untagged for the management of the AP, and possible any native network you had setup on the pfsense interface where the vlans 50,60, etc. are riding on.
-
@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tag everywhere, it's because I want every machine to be isolated, maybe in the future I'll ease some protocol but that's it (through FW rules, VLAN doesn't play much in it if the FW allows the traffic), that's the starting point for me.
Does it make sense to tag each interface in this case?
I also know that I need to truncate the port where multiple VLANs are tagged, for example the UPLINK interface, but not necessarily if there is only one VLAN tagged there and where others not tagged pass through, is it correct?
In my case, whatever traffic goes to the UPLINK most probably goes on Internet, so I truncate the port and tag everything.
In any case, even if I tag only one VLAN on one port and there is only one end-user device attached to it, what can be the problem? What will stop the traffic? I don't truncate the port but I'll have a single VLAN there.
The only useful and automated case I can think of is when you want that machine to communicate only in the LAN, precisely only in that network range, basically the default one of the switch, in my case given by the DHCP from the UPLINK/DOWNLINK interface in PfSense.
Hence, I skip the tag here and the traffic can't go on the next network node (PfSense), or eventually not out of that default network range in the LAN...
-
@jt40 said in Interface range setup:
@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tag everywhere, it's because I want every machine to be isolated
There are switches that provide such isolation. I think trying to do that with VLANs would be a real mess, if you have many systems.
-
@jt40 said in Interface range setup:
VLAN tag everywhere, it's because I want every machine to be isolated
WTF does that have to do with tagging everywhere? I don't think you grasp the concept at all..
If you want EVERY machine to be isolated then you need to setup private vlans on your switch.. They would still be in some vlan X, the switch would just keep them from talking to each other.
Did we not already go over this, or was that some other thread. It comes up quite often.
https://en.wikipedia.org/wiki/Private_VLAN
In the wireless world its called AP or Client isolation
whatever traffic goes to the UPLINK most probably goes on Internet, so I truncate the port and tag everything.
What??? The router is what isolates traffic at Layer 3.. Vlans isolate at Layer 2.. Your "uplink" from your router to the internet has no need to know anything about any vlan IDs and unless you were getting multiple vlans from your ISP for different things like TV or voip, etc. There is no need to have anything to do with tagging on your pfsense wan interface.
I think you're confusing vlans and what routing actually does..
-
@johnpoz said in Interface range setup:
unless you were getting multiple vlans from your ISP
Do ISPs provide VLANs? My IPTV is on the same subnet as my Internet connection. My home phone is connected to the same box, but I don't know the details of what's behind it.
I have seen VLANs from carriers over fibre, where they'll use QinQ, allowing one VLAN level for the customer and one for the carrier to separate customers. However, they'd be providing layer 2 connections, not 3, as you'd get from an ISP. Over IP you'd route the different subnets and not use VLANs.
-
@jt40
Could you please tell what D-Link switch model(s) you are using ?
/Bingo
-
@jknott
In Europe it's quite normal that your ISP Box has multi-vlans coming in, if using cable or fiber.
Vlan xx - VoIP
Vlan yy - TV
Vlan zz - Internet
So it can sometimes be "tricky" to get a pfSense to replace the ISP Box.
/Bingo
-
@bingo600 said in Interface range setup:
@jt40
Could you please tell what D-Link switch model(s) you are using ?
/Bingo
I think I mentioned it previously, DGS-1210-16 , it has also Private VLANs but I didn't test it yet.
-
@jt40 said in Interface range setup:
it has also Private VLANs but I didn't test it yet.
Good - I would get just basic vlans working first... Put some devices in vlan X, create your vlan Y or Z or whatever for your wifi.. Get them working.
Then if you don't want pc1 talking pc2 that are in vlan X.. Then play with setting that as a private vlan in your switch.
But with just a couple of vlans you can get the handle on firewall rules allowing or blocking access between vlans, etc..
Once you've got the basic setup - you can tweak and edit and config all you want to get it exactly how you want. But you have to learn to crawl before you're running in the 400 meter dash for an Olympic gold medal ;)