Interface range setup
-
@jt40 said in Interface range setup:
this scares me a bit though :D , every time I need to know what IP it got
Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on, like a switch.. It just always renews the same IP it originally got..
Devices only ever change their IP via dhcp when they have been off and the lease expired and was given to some other device.. This rarely happens if your scope is large compared to your number of clients.
Or there was some other issue with the renew, and a discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.
edit: Why dhcp is better than static set on the device: you can change info, like dns, ntp, gateway.. without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting it, etc. if your lease time is long and you want the IP to change now, etc.
It's almost always better to set dhcp because it gives you more flexibility.
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
Making a screenshot is a bit of a pain because that machine is isolated
Then don't isolate it while you get setup and actually understand how it works..
Go back to the drawing I provided way back when... Simple lan, access to pfsense, everything on the lan working.. Then move on to adding your vlans and AP with vlans, etc.
Once you have it working you can secure who can talk to pfsense gui, be that some admin console you have only connected directly to the lan port of your pfsense.
You then from your admin box on your lan net admin pfsense, your switch and your AP via their management IPs that would be on your admin/infrastructure vlan..
I'm reluctant to login from other machines :D , they are pretty safe but not the way I want :D . Let me get some screenshots...
Your switch out of the box would be just a dumb switch, everything in vlan 1.. Set its admin IP to be on your lan network and move on from there.. You want your lan net to be your admin network anyway when all is set and done. This is the network on pfsense that has an antilockout rule.
What LAN IP? Do you mean the UPLINK interface where it is connected in PfSense? I don't see other possibilities.
I don't use the antilockout rule anymore, in the worst case I disable the firewall and I fix the issue :D .
I only have the common rule I mentioned: from this LAN/network to ANY. I have 2 different accesses like that, 2 different physical interfaces (LAN), so I can connect to the firewall from both if I need to, but considering that for some reason every device can go pretty much anywhere, this is not safe, it just works for now...
This is not what I want and I'm trying to figure out how to configure the firewall to stop it from happening without breaking the network...
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
this scares me a bit though :D , every time I need to know what IP it got
Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on, like a switch.. It just always renews the same IP it originally got..
Devices only ever change their IP via dhcp when they have been off and the lease expired and was given to some other device.. This rarely happens if your scope is large compared to your number of clients.
Or there was some other issue with the renew, and a discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.
edit: Why dhcp is better than static set on the device: you can change info, like dns, ntp, gateway.. without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting it, etc. if your lease time is long and you want the IP to change now, etc.
It's almost always better to set dhcp because it gives you more flexibility.
Thanks for the tip, good to know :) , I'll set the switch as DHCP then, let me test it.
That's the last device that remains without DHCP.
-
@jt40
My DGS-1100-08's had a tendency of "forgetting" their Mgmt IP, if using DHCP.
Kind'a forgot to renew after a while. That's why I switched to using static, when making the config permanent.
But it could be fixed in one of the updates ... Actually I think it is.
Re: Dlink configs.
You can only have 2 configs saved in the switch. You can save & restore configs easily to/from a PC.
/Bingo
-
@bingo600 said in Interface range setup:
@jt40
My DGS-1100-08's had a tendency of "forgetting" their Mgmt IP, if using DHCP.
Kind'a forgot to renew after a while. That's why I switched to using static, when making the config permanent.
But it could be fixed in one of the updates ... Actually I think it is.
Re: Dlink configs.
You can only have 2 configs saved in the switch. You can save & restore configs easily to/from a PC.
/Bingo
You genius! Thanks.
I'm digging into the VLANs issue in these days, I found this article about static VLANs: https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1210_setup_static_vlans
I don't understand why they are not tagged... In my case I tagged all of them in the switch plus PfSense, but the DHCP range is always the same...
I'll refresh that service as I did before, pretty sure nothing will change, are you aware of anything like that?
I don't even need to open Wireshark, the first problem is that I get the wrong IP range, that is the one from the UPLINK interface.
This is valid for each port in the switch, regardless of whether it is tagged or not assigned.
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
-
@jt40 said in Interface range setup:
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
You have 3 vlan "modes" in the switch
1:
Not a member -
The specific port will NEVER transport that Vlan
2:
Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "normal Ethernet port used for a PC or other non vlan enabled device", but all data sent/received with no vlan tag (this is what a normal PC or other device would do) will, by the switch, be "put in" or "gotten from" Vlan xx.
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.
3:
Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches, an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)
I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381
/Bingo
-
@bingo600 said in Interface range setup:
@jt40 said in Interface range setup:
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...
You have 3 vlan "modes" in the switch
1:
Not a member -
The specific port will NEVER transport that Vlan
2:
Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "normal Ethernet port used for a PC or other non vlan enabled device", but all data sent/received with no vlan tag (this is what a normal PC or other device would do) will, by the switch, be "put in" or "gotten from" Vlan xx.
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.
3:
Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches, an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)
I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381
/Bingo
So you mean the following?
- Untagged (The VLAN ID remains in that device that defines the VLAN) Why should I set this for my PC for example?
- Tagged (The VLAN ID will be included in the packet frames, plus it supports multi VLANs on the same port)
- Not a member (Not even a chance to set a VLAN, right? Or you can set it up but it remains always confined in that device?)
I understood that I always need to use VLAN tag for the following reasons:
- Well I need VLANs :D
- I need to use multi VLANs on the same port in most cases
- This is especially valid in the AP, I'll use multi SSID.
-
@jt40 said in Interface range setup:
Untagged (The VLAN ID remains in that device that defines the VLAN) Why I should set this for my PC for example?
Because you want whatever is plugged into that port to be on vlan X.. And not have to tell that device to tag its traffic.
If you want a PC to be on vlan X, the port on your switch you connect the PC to would be set to vlan X with a pvid of X.. This tells the switch, hey, any untagged traffic you see coming into this port is vlan X. Only send traffic out this port if it is for vlan X..
Understanding tagging and what a native vlan (untagged) is, is really step 1 in wanting to use a vlan capable switch and vlans on your network. Until you grasp the concept you're not going to make much progress in using vlans on your network.
I need to use multi VLANs on the same port in most cases
This is not normally true.. The only ports where you would carry multiple vlans would be ports that connect to other switches, or an AP, or say a router where you need to carry multiple vlans over a single physical interface. Most devices connected to a switch would only ever be in a single vlan.. Another option where you might need to tag traffic is say a VM host, where again you need to carry multiple vlan traffic over a single port, and you need something to understand what traffic goes where via the tag, or the lack of a tag.
With a unifi AP, the management of that is normally untagged.. Not that long ago they did enable the ability to use tagged traffic. But that is so far beyond your current grasp of vlans, save that for another day..
The port connected to your AP for example would carry untagged (native vlan) traffic for the vlan your management IP is in on the AP, and tagged traffic for any SSIDs you want to be in other vlans.
edit: here is a drawing I did many ages ago trying to help someone understand where tagged and untagged go on a switch infrastructure.
It is missing the untagged for the management of the AP, and possibly any native network you had set up on the pfsense interface where the vlans 50, 60, etc. are riding on.
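To make the three port modes from bingo600's post and the PVID behaviour johnpoz describes concrete, here is a small switch model written for this thread. It is an added example, not D-Link, UniFi or pfSense code: the port names (pc, ap, uplink, guest1, guest2), the VLAN numbers and the frame representation are all constructed. Untagged ingress is classified into the port's PVID, a tagged frame is accepted only on a tagged-member port, egress strips or keeps the tag according to the egress port's mode, and a "not a member" port never sees the VLAN. It also goes one step beyond the text with an `isolated` flag that mimics private-VLAN / client-isolation behaviour, so you can see the difference between "different VLANs" (not members of each other's VLAN) and "isolated inside one VLAN".

```python
"""Toy model of the three 802.1Q port modes (not a member, untagged/PVID
member, tagged member) plus private-VLAN style port isolation.

Added example for this thread; it is not D-Link or pfSense code.  Port names,
VLAN numbers and the frame representation are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

NOT_MEMBER = "not_member"   # port never carries this VLAN
UNTAGGED = "untagged"       # port carries it with no tag (PVID / native VLAN)
TAGGED = "tagged"           # port carries it with an 802.1Q tag


@dataclass
class Frame:
    src_port: str
    vlan: Optional[int] = None  # None: frame arrived without an 802.1Q tag


@dataclass
class Port:
    name: str
    pvid: int = 1
    # VLAN id -> mode; a VLAN that is absent here is NOT_MEMBER
    membership: Dict[int, str] = field(default_factory=dict)
    isolated: bool = False      # isolated ports never forward to each other

    def mode(self, vlan: int) -> str:
        return self.membership.get(vlan, NOT_MEMBER)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an incoming frame into a VLAN; None means the switch drops it."""
        port = self.ports[frame.src_port]
        if frame.vlan is None:
            return port.pvid  # untagged traffic is "put in" the PVID VLAN
        if port.mode(frame.vlan) == TAGGED:
            return frame.vlan
        return None  # tagged frame for a VLAN this port is not a tagged member of

    def forward(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Flood a frame (unknown destination MAC) and report, per egress port,
        the tag it leaves with: an int for tagged members, None for untagged."""
        vlan = self.ingress(frame)
        if vlan is None:
            return {}
        src = self.ports[frame.src_port]
        out: Dict[str, Optional[int]] = {}
        for name, port in self.ports.items():
            if name == frame.src_port:
                continue
            mode = port.mode(vlan)
            if mode == NOT_MEMBER:
                continue
            if src.isolated and port.isolated:
                continue  # private-VLAN behaviour: peers in one VLAN stay apart
            out[name] = vlan if mode == TAGGED else None
        return out


def build_example_switch() -> Switch:
    """Constructed layout: a PC in VLAN 10, an AP with management untagged in
    VLAN 10 and two SSIDs tagged 20/30, an uplink to the router carrying all
    three VLANs tagged, and two isolated guest ports in VLAN 20."""
    return Switch([
        Port("pc", pvid=10, membership={10: UNTAGGED}),
        Port("ap", pvid=10, membership={10: UNTAGGED, 20: TAGGED, 30: TAGGED}),
        Port("uplink", pvid=1, membership={10: TAGGED, 20: TAGGED, 30: TAGGED}),
        Port("guest1", pvid=20, membership={20: UNTAGGED}, isolated=True),
        Port("guest2", pvid=20, membership={20: UNTAGGED}, isolated=True),
    ])


if __name__ == "__main__":
    sw = build_example_switch()
    print("pc untagged   ->", sw.forward(Frame("pc")))
    print("ap tagged 20  ->", sw.forward(Frame("ap", vlan=20)))
    print("guest1        ->", sw.forward(Frame("guest1")))
    print("pc tagged 20  ->", sw.forward(Frame("pc", vlan=20)))
```

Running it shows the points made in the thread: the PC's untagged frame reaches the AP untagged and the uplink with tag 10, never the guest ports; a guest frame leaves the AP and uplink tagged 20 but is never delivered to the other isolated guest port; and a tagged frame the PC tries to send for VLAN 20 is simply dropped, which is why an end device on an untagged port does not need to know its VLAN at all.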
-
@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tags everywhere is because I want every machine to be isolated, maybe in the future I'll ease some protocol but that's it (through FW rules, VLAN doesn't play much in it if the FW allows the traffic), that's the starting point for me.
Does it make sense to tag each interface in this case? I also know that I need to truncate the port where multiple VLANs are tagged, for example the UPLINK interface, but not necessarily if there is only one VLAN tagged there and where others not tagged pass through, is it correct?
In my case, whatever traffic goes to the UPLINK most probably goes on the Internet, so I truncate the port and tag everything. In any case, even if I tag only one VLAN on one port and there is only one end-user device attached to it, what can be the problem? What will stop the traffic? I don't truncate the port but I'll have a single VLAN there.
The only useful and automated case I can think of is when you want that machine to communicate only in the LAN, precisely only in that network range, basically the default one of the switch, in my case given by the DHCP from the UPLINK/DOWNLINK interface in PfSense.
Hence, I skip the tag here and the traffic can't go to the next network node (PfSense), or eventually not out of that default network range in the LAN...
-
@jt40 said in Interface range setup:
@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tag everywhere, it's because I want every machine to be isolated
There are switches that provide such isolation. I think trying to do that with VLANs would be a real mess, if you have many systems.
-
@jt40 said in Interface range setup:
VLAN tag everywhere, it's because I want every machine to be isolated
WTF does that have to do with tagging everywhere? I don't think you grasp the concept at all..
If you want EVERY machine to be isolated then you need to set up private vlans on your switch.. They would still be in some vlan X, the switch would just keep them from talking to each other.
Did we not already go over this, or was that some other thread? It comes up quite often.
https://en.wikipedia.org/wiki/Private_VLAN
In the wireless world it's called AP or Client isolation
whatever traffic goes to the UPLINK most probably goes on Internet, so I truncate the port and tag everything.
What??? The router is what isolates traffic at Layer 3.. Vlans isolate at Layer 2.. Your "uplink" from your router to the internet has no need to know anything about any vlan IDs, and unless you were getting multiple vlans from your ISP for different things like TV or voip, etc., there is no need to have anything to do with tagging on your pfsense wan interface.
I think you're confusing vlans and what routing actually does..
-
@johnpoz said in Interface range setup:
unless you were getting multiple vlans from your ISP
Do ISPs provide VLANs? My IPTV is on the same subnet as my Internet connection. My home phone is connected to the same box, but I don't know the details of what's behind it.
I have seen VLANs from carriers over fibre, where they'll use QinQ, allowing one VLAN level for the customer and one for the carrier to separate customers. However, they'd be providing layer 2 connections, not 3, as you'd get from an ISP. Over IP you'd route the different subnets and not use VLANs.
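The QinQ arrangement jknott describes (one customer tag inside a carrier tag) is easiest to see at the byte level. The following frame builder and parser is an added example written for this thread, not code from any carrier, ISP or pfSense; the MAC addresses, VLAN ids (service VLAN 100, customer VLAN 30) and payload are constructed. It encodes the 802.1Q Tag Control Information field, stacks an 802.1ad service tag (EtherType 0x88A8) over a customer tag (0x8100), walks the tag stack when parsing, and shows what the carrier edge does when it pops its outer tag before the customer sees the frame.

```python
"""Build and parse Ethernet frames with one 802.1Q tag or stacked QinQ tags.

Added example for this thread; it is not carrier, ISP or pfSense code.  The
MAC addresses, VLAN ids and payload bytes are constructed for illustration.
"""
import struct
from typing import List, Sequence, Tuple

TPID_8021Q = 0x8100   # customer tag (C-tag)
TPID_8021AD = 0x88A8  # service tag (S-tag) the carrier pushes for QinQ
ETH_P_IPV4 = 0x0800

Tag = Tuple[int, int, int]  # (tpid, vid, pcp)


def encode_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Tag Control Information: 3 bits PCP, 1 bit DEI, 12 bits VID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tags: Sequence[Tag] = ()) -> bytes:
    """Tags are given outermost first; each occupies 4 bytes after the MACs."""
    frame = dst + src
    for tpid, vid, pcp in tags:
        frame += struct.pack("!HH", tpid, encode_tci(vid, pcp))
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack until a non-tag EtherType is found."""
    off = 12
    tags: List[Tag] = []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0xFFF, tci >> 13))
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": tpid, "payload": frame[off + 2:]}


def pop_outer_tag(frame: bytes) -> bytes:
    """What the carrier edge does before handing the frame to the customer:
    remove the outermost (service) tag, leaving the customer's own tag intact."""
    if not parse_frame(frame)["tags"]:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


# Constructed sample: customer VLAN 30 (PCP 5) inside carrier service VLAN 100.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("021122334455")
PAYLOAD = b"\x45\x00payload"
QINQ_FRAME = build_frame(DST, SRC, ETH_P_IPV4, PAYLOAD,
                         tags=[(TPID_8021AD, 100, 0), (TPID_8021Q, 30, 5)])

if __name__ == "__main__":
    print("as seen in the carrier core:", parse_frame(QINQ_FRAME)["tags"])
    print("as handed to the customer:  ",
          parse_frame(pop_outer_tag(QINQ_FRAME))["tags"])
```

The parser treats both TPIDs as tags, which is what a QinQ-aware device does; a plain 802.1Q-only device would read 0x88A8 as an unknown EtherType and never see the inner customer VLAN, which is exactly why, as the post says, such a service is a layer 2 hand-off rather than something an IP-only ISP connection exposes.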
-
@jt40
Could you please tell what D-Link switch model(s) you are using?
/Bingo
-
@jknott
In Europe it's quite normal that your ISP Box has multi-vlans coming in, if using cable or fiber.
Vlan xx - VoIP
Vlan yy - TV
Vlan zz - Internet
So it can sometimes be "tricky" to get a pfSense to replace the ISP Box.
/Bingo
-
@bingo600 said in Interface range setup:
@jt40
Could you please tell what D-Link switch model(s) you are using?
/Bingo
I think I mentioned it previously, DGS-1210-16, it also has Private VLANs but I didn't test it yet.
-
@jt40 said in Interface range setup:
it has also Private VLANs but I didn't test it yet.
Good - I would get just basic vlans working first... Put some devices in vlan X, create your vlan Y or Z or whatever for your wifi.. Get them working.
Then if you don't want pc1 talking to pc2 that are in vlan X.. then play with setting that as a private vlan in your switch.
But with just a couple of vlans you can get a handle on firewall rules allowing or blocking access between vlans, etc..
Once you've got the basic setup - you can tweak and edit and config all you want to get it exactly how you want. But you have to learn to crawl before you're running in the 400 meter dash for an Olympic gold medal ;)
-
@bingo600 said in Interface range setup:
In Europe it's quite normal that your ISP Box has multi-vlans coming in, if using cable or fiber
Are those actually coming in? Or just created at the box? The normal way would be to route the subnets to the appropriate LAN/VLAN.
For example, I run my guest WiFi on VLAN3. If I desired, I could configure a similar network elsewhere and route between the guest LANs through a VPN, without using VLANs. It's just basic routing. On the other hand, your ISP's box might be configured with different MAC addresses for the different services. So, there could be a few different ways to get those "VLANs" to a customer, without using VLANs directly from their office. Regardless, you don't see VLANs on IP, as they're layer 2, not 3.
-
@jknott normally this comes into play when a user is trying to replace their isp device that handles the vlans from the isp automagically for the user..
The box quite often has a port you plug your voip phone into, and a connection for your tv, etc.
Yes, normally you would split those out with a switch in front of pfsense, etc. And pfsense wan wouldn't have to know anything about the vlan or its tag..
I brought it up only as a point of discussion - trying to point out that unless you have a not so common setup, or are trying to do something specific based upon your isp or the wan connection pfsense is connected to, the wan interface has no need for any sort of vlan tag.
But there are some situations where you might want/need to do such a thing... I would bet my left nut none of that has anything to do with the OP setup. This discussion in multiple threads has been ongoing for what seems like years already ;)
There is a lack of understanding of basic networking concepts going on - what a network is, and how the mask defines that, how routing works, how firewall rules work, what a vlan is, what a tag on a vlan is, etc.
It seems the OP has some grand plan in his head that he wants to get to - but doesn't understand the underlying concepts needed to implement it. What I have been trying to do from the get go is for him to get a basic working system. A wan/lan setup on pfsense where his clients can get to the internet ;) And then he can move on from there.. But even that has been a difficult road..
-
@jt40 said in Interface range setup:
@bingo600 said in Interface range setup:
@jt40
Could you please tell what D-Link switch model(s) you are using?
/Bingo
I think I mentioned it previously, DGS-1210-16, it also has Private VLANs but I didn't test it yet.
Is D-Link calling Asymmetric vlan "private vlan"??
This smells a bit of "private vlan", but there's no explanation for the D-Link example
1:
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_how_to_configure_vlan_asymmetric_dgs_1210_series
2:
https://www.techsupportforum.com/threads/solved-d-link-dgs-1210-16.612703/
3:
http://savazzi.net/internet/VLANs_on_DGS-1210.htm
http://savazzi.net/internet/VLANs_on_DGS-1210_2.htm
/Bingo.
-
@bingo600 said in Interface range setup:
@jt40 said in Interface range setup:
@bingo600 said in Interface range setup:
@jt40
Could you please tell what D-Link switch model(s) you are using?
/Bingo
I think I mentioned it previously, DGS-1210-16, it also has Private VLANs but I didn't test it yet.
Is D-Link calling Asymmetric vlan "private vlan"??
This smells a bit of "private vlan", but there's no explanation for the D-Link example
1:
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_how_to_configure_vlan_asymmetric_dgs_1210_series
2:
https://www.techsupportforum.com/threads/solved-d-link-dgs-1210-16.612703/
3:
http://savazzi.net/internet/VLANs_on_DGS-1210.htm
http://savazzi.net/internet/VLANs_on_DGS-1210_2.htm
/Bingo.
Yes, the explanation on the DLink interface leads to private VLANs (there is a link in localhost with an example), then there is another page where you can set the PVID.
Not sure why there are 2 pages for VLANs and Private VLANs, all in one page was too difficult :D . I'll reply to the others when I find some time to go deeper into this issue, thanks to everyone for now.