Interface range setup

JKnott

@jt40 said in Interface range setup:

@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tag everywhere, it's because I want every machine to be isolated

There are switches that provide such isolation. I think trying to do that with VLANs would be a real mess, if you have many systems.

johnpoz

@jt40 said in Interface range setup:

VLAN tag everywhere, it's because I want every machine to be isolated

WTF does that have to do with tagging everywhere? I don't think you grasp the concept at all..

If you want EVERY machine to be isolated then you need to setup private vlans on your switch.. They would still be in some vlan X, the switch would just keep them from talking to each other.

Did we not already go over this, or was that some other thread. It comes up quite often.

https://en.wikipedia.org/wiki/Private_VLAN

In the wireless world its called AP or Client isolation

whatever traffic goes to the UPLINK most probably goes on Internet, so I truncate the port and tag everything.

What??? The router is what isolates traffic at Layer 3.. Vlans isolate at Layer 2.. Your "uplink" from your router the internet has no need to know anything about any vlan IDS and unless you were getting multiple vlans from your ISP for different things like TV or voip, etc. There is no need to have anything to do with tagging on your pfsense wan interface.

I think your confusing vlans and what routing actually does..

JKnott

@johnpoz said in Interface range setup:

unless you were getting multiple vlans from your ISP

Do ISPs provide VLANs? My IPTV is on the same subnet as my Internet connection. My home phone is connected to the same box, but I don't know the details of what's behind it.

I have seen VLANs from carriers over fibre, where they'll use QinQ, allowing one VLAN level for the customer and one for the carrier to separate customers. However, they'd be providing layer 2 connections, not 3, as you'd get from an ISP. Over IP you'd route the different subnets and not use VLANs.

bingo600

@jt40
Could you please tell what D-Link switch model(s) you are using ?

/Bingo

bingo600

@jknott
In Europe it's quite normal that your ISP Box has multi-vlans comming in, if using cable or fiber.

Vlan xx - VoIP
Vlan yy - TV
Vlan zz - Internet

So it can sometimes be "tricky" to get a pfSense to replace the ISP Box.

/Bingo

JT40

@bingo600 said in Interface range setup:

@jt40
Could you please tell what D-Link switch model(s) you are using ?

/Bingo

I think I mentioned it previously, DGS-1210-16 , it has also Private VLANs but I didn't test it yet.

johnpoz

@jt40 said in Interface range setup:

it has also Private VLANs but I didn't test it yet.

Good - I would get just basic vlans working first... Put some devices in vlan X, create your vlan Y or Z or whatever for your wifi.. Get them working.

Then if you don't want pc1 talking pc2 that are in vlan X.. Then play with setting that as a private vlan in your switch.

But with just a couple of vlans you can get the handle on firewall rules allowing or blocking access between vlans, etc..

Once you got the basic setup - you can tweak and edit and config all you want to get it exactly how you want. But you have to learn to crawl before your running in the 400 meter dash for a Olympic gold medal ;)

JKnott

@bingo600 said in Interface range setup:

In Europe it's quite normal that your ISP Box has multi-vlans comming in, if using cable or fiber

Are those actually coming in? Or just created at the box? The normal way would be to route the subnets to the appropriate LAN/VLAN.

For example, I run my guest WiFi on VLAN3. If I desired, I could configure a similar network elsewhere and route between the guest LANs through a VPN, without using VLANs. It's just basic routing. On the other hand, your ISP's box might be configured with different MAC addresses for the different services. So, there could be a few different ways to get those "VLANs" to a customer, without using VLANs directly from their office. Regardless, you don't see VLANs on IP, as they're layer 2, not 3.

johnpoz

@jknott normally this comes into play when user is trying to replace their isp device that handles the vlans from the isp automagically for the user..

The box quite often has a port you plug in your voip phone, and connection for your tv, etc.

Yes normally would split those out with a switch in front of pfsense, etc. And pfsense wan wouldn't have to know anything about the vlan or its tag..

I brought it up only as a point of discussion - trying to point out unless you have a not so common setup, or trying to do something specific based up your isp or wan connection pfsense is connected to. The wan interface has no need for any sort of vlan tag.

But there are some situations where you might want/need to do such a thing... I would bet my left nut none of that has anything to do with the OP setup. This discussion in multiple threads has been on going for what seems like years already ;)

There is a lack of understanding of basic networking concepts going on - what a network is, and how the mask defines that, how routing works, how firewall rules work, what a vlan is, what tag on a vlan is, etc.

It seems the OP has some grand plan in his head that he wants to get to - but doesn't understand the underlying concepts needed to implement it. What I have been trying to do from the get go is for him to get a basic working system. A wan/lan setup on pfsense where his clients can get to the internet ;) And then can move on from there.. But even that has been difficult road..

bingo600

@jt40 said in Interface range setup:

@bingo600 said in Interface range setup:

@jt40
Could you please tell what D-Link switch model(s) you are using ?

/Bingo

I think I mentioned it previously, DGS-1210-16 , it has also Private VLANs but I didn't test it yet.

Is D-Link calling "private vlan" for Assymetric vlan ??

This smells a bit of "private vlan" , but there's no explanation for the D-Link example

1:
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_how_to_configure_vlan_asymmetric_dgs_1210_series

2:
https://www.techsupportforum.com/threads/solved-d-link-dgs-1210-16.612703/

3:
http://savazzi.net/internet/VLANs_on_DGS-1210.htm
http://savazzi.net/internet/VLANs_on_DGS-1210_2.htm

/Bingo.

JT40

@bingo600 said in Interface range setup:

@jt40 said in Interface range setup:

@bingo600 said in Interface range setup:

@jt40
Could you please tell what D-Link switch model(s) you are using ?

/Bingo

I think I mentioned it previously, DGS-1210-16 , it has also Private VLANs but I didn't test it yet.

Is D-Link calling "private vlan" for Assymetric vlan ??

This smells a bit of "private vlan" , but there's no explanation for the D-Link example

1:
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_how_to_configure_vlan_asymmetric_dgs_1210_series

2:
https://www.techsupportforum.com/threads/solved-d-link-dgs-1210-16.612703/

3:
http://savazzi.net/internet/VLANs_on_DGS-1210.htm
http://savazzi.net/internet/VLANs_on_DGS-1210_2.htm

/Bingo.

Yes, the explanation on the DLink interface leads to private VLANs (there is a link in localhost with an example), then there is another page where you can set the PVID.
Not sure why there are 2 pages for VLANs and Private VLANs, all in one page was too difficult :D .

I'll reply to the others when I find some time to go deeper into this issue, thanks to everyone for now.

JT40

The adventure with DHCP on the switch just started :D

• I tried to delete the previous IP interfaces from the switch, all of them plus the management, I can't access anymore the switch, it died in that way :D
  I did it because I could not activate DHCP for the management interface, it was saying that I need to remove all the IP interfaces defined, 2 of them were for testing, the last one was the one auto-created by the switch, in fact it had assigned the IP for the management interface.
  Just to remind you, my switch has a few L3 capabilities, as basis, obviously IP based stuff.

• I factory reset the switch, loaded the previous config, no error message and it was successful, but nothing changed.

  • I rebooted, nothing changed
  • I reloaded again the config, saved as the config 2, nothig changed.
  • I changed the boot profile n.2, rebooted, nothing changed.
  • In this specific topic, it must be a bug with the switch...

This is blocking my current VLAN setup, I don't want to re-setup again all from scratch, moreover, I need to discover what's wrong with this restore process, it has to work, in the future it can be extremely useful and I will almost depend from it.
The issue could be a conflict with the fact that I wasn't able to remove the last IP management interface. I didn't receive any error message though...
For the moment, the easy way to avoid it is to set up DHCP prior any change.

On the other side, after the factory restore every device got a new IP, including the AP and the subsequent devices. At least one positive news :) .
I'll test the same again changing just a few things and making a new backup restore... Just to see if the IP config was the only hidden conflict.

johnpoz

@jt40 said in Interface range setup:

loaded the previous config

Why.. Dude just reset the thing to factory.. Now it should come up as dumb switch everything in vlan 1, the default vlan. Plug it into your 1 network on pfsense.. Everything working all on the same LAN network.

Now set the management IP on the switch to be in your LAN network..

Get everything working this way.. Then an only then move towards adding a vlan..

Create the vlan on pfsense, assign this vlan to your lan interface on pfsense. Set this vlan up IP, dhcp, etc. firewall rules on the interface. I would start with any any until you got things working - you can then restrict your rules.

Now on your switch create your vlan with the ID you set in pfsense. Set the port that connects lan of pfsense to switch with your vlan TAGGED (often called trunk mode). So default vlan will be untagged and your new vlan will be tagged).. Now on the switch set a port to be in this vlan, untagged (normally called access mode).

Now connect a device, laptop, pc to this vlan port you setup on your switch - you should get dhcp from pfsense that you setup when you setup this vlan, etc.

Baby steps!! Get that working.. Now you know how to create vlans, and how to get them working on your switch. Now you can move on to your AP and setting up SSIDs on different vlans, etc.

JT40

@johnpoz said in Interface range setup:

Set the port that connects lan of pfsense to switch with your vlan TAGGED (often called trunk mode). So default vlan will be untagged and your new vlan will be tagged).. Now on the switch set a port to be in this vlan, untagged (normally called access mode).

Thanks, ok I'll follow the easy way for now.
Can you re-phrase it please? :)
You told me to do the following:

1. Create a VLAN in PfSense
2. Create the same on the switch, TAGGED
3. Assign the VLAN to the uplink port as UNTAGGED

I think that you wanted to say the following:

1. Create a 2 VLANs in PfSense
2. Create the same on the switch, one UNTAGGED for default traffic and the other TAGGED
3. Assign the VLANs to the uplink port, UNTAGGED and TAGGED respectively

Then test the UNTAGGED and TAGGED mode.

Assuming that the above is correct, I have a question about the VLAN assignment on the UPLINK port.
Do I need to assign each VLAN in PfSense and the switch on the same respective port (UPLINK - DOWNLINK)?

The following is only an observation, the UPLINK port should only let the traffic through, so I guess it should be only a VLAN UNTAGGED or without VLAN at this point, but the other ports should have the VLAN setup, what do you think?

johnpoz

@jt40 said in Interface range setup:

Assign the VLAN to the uplink port as UNTAGGED

I never said any such thing..

I have no freaking idea where you would of gotten that from what I stated. Your lan network would not be a vlan in pfsense, and yes it would be untagged. This is the native vlan on your switch, vlan 1

Create a 2 VLANs in PfSense

NO!!! just use the native network.. If you try to start tagging shit and blocking access to untagged - your going to freaking lock yourself out that is for damn sure! If you want to at some latter point go a tagged vlan on pfsense - do that later!!

For now get your network LAN working without any taggs!! create 1 new vlan with and ID, and add that and get that working on your switch..

A network created directly on an interface is not a VLAN to pfsense, its just an untagged network.

See the yellow - those are all native networks, there are no tags.. The green are vlans to pfsense and are tagged, and they ride on a physical interface igb2 in my case

Your lan network out of the box on pfsense would just be native - untagged! This would match up with your switch default vlan 1 (untagged default in a switch)..

JT40

@johnpoz said in Interface range setup:

@jt40 said in Interface range setup:

Assign the VLAN to the uplink port as UNTAGGED

I never said any such thing..

I have no freaking idea where you would of gotten that from what I stated. Your lan network would not be a vlan in pfsense, and yes it would be untagged. This is the native vlan on your switch, vlan 1

Create a 2 VLANs in PfSense

NO!!! just use the native network.. If you try to start tagging shit and blocking access to untagged - your going to freaking lock yourself out that is for damn sure! If you want to at some latter point go a tagged vlan on pfsense - do that later!!

For now get your network LAN working without any taggs!! create 1 new vlan with and ID, and add that and get that working on your switch..

A network created directly on an interface is not a VLAN to pfsense, its just an untagged network.

See the yellow - those are all native networks, there are no tags.. The green are vlans to pfsense and are tagged, and they ride on a physical interface igb2 in my case

Your lan network out of the box on pfsense would just be native - untagged! This would match up with your switch default vlan 1 (untagged default in a switch)..

My network was already working, but without VLANs.

So are you telling me to simply create an untagged VLAN on the switch and assign it to the UPLINK port?
In that case, it has to have a tag anyway on PfSense, between 1-4094.
Even though 1 is the default tag, it's always a tag...
My switch also uses 1 as default tag, as probably every switch out there, so is this what you mean for UNTAGGED VLAN?

In fact the VLAN 1 is used by the switch by default, UNTAGGED on each port..................................
I think that it means the following, it has to have a VLAN ID but the VLAN ID has nothing to do with UNTAGGED or TAGGED, that's the way VLANs can't or can stay on the same port.

JT40

@johnpoz said in Interface range setup:

@jt40 said in Interface range setup:

loaded the previous config

Why.. Dude just reset the thing to factory.. Now it should come up as dumb switch everything in vlan 1, the default vlan. Plug it into your 1 network on pfsense.. Everything working all on the same LAN network.

Now set the management IP on the switch to be in your LAN network..

Get everything working this way.. Then an only then move towards adding a vlan..

Create the vlan on pfsense, assign this vlan to your lan interface on pfsense. Set this vlan up IP, dhcp, etc. firewall rules on the interface. I would start with any any until you got things working - you can then restrict your rules.

Now on your switch create your vlan with the ID you set in pfsense. Set the port that connects lan of pfsense to switch with your vlan TAGGED (often called trunk mode). So default vlan will be untagged and your new vlan will be tagged).. Now on the switch set a port to be in this vlan, untagged (normally called access mode).

I'm at this point now, but there is a problem, the switch requires 2 or more ports for truncate port, what you are asking is to truncate only the UPLINK port because it needs to have multiple VLANs, TAGGED and UNTAGGED.
The switch forces me to setup 2 minimum and max 8, but the switch has 16 ports... Not a big problem now, maybe later.

I've just setup UPLINK port and another random not in use to be truncate ports, I lost access to the switch and the network didn't work anymore...

Going to restore and I'm again at the same point.
Can you clarify better the following steps?

1. Create a VLAN in PfSense with VLAN ID 1
2. Create the same on the switch, UNTAGGED (it's already there with VLAN ID 1)
   What would you do now?
   The previous experiment didn't go well :)

I tried again, I only truncated 2 ports and I didn't lose access to the switch, good, it must have been the VLAN setup previously...

From what I understood, it remains only to include one TAGGED VLAN (as a test) to the UPLINK port in the switch, that should give me the updated IP address, because it will match with the VLAN IP range configured in PfSense.
That may require to put down and up the VLAN, as I've seen for the physical interfaces to get a new IP, the restart of DHCP didn't help, it helped only to clear the leases.
Well, it wasn't positive anyway :D .

I lost access to the switch in doing so + I don't receive any IP address, from the tagged or not tagged ports...
I can't access anymore the switch.
Going for a reset again :D .

The issue for now sits on what I do on the switch.

Now connect a device, laptop, pc to this vlan port you setup on your switch - you should get dhcp from pfsense that you setup when you setup this vlan, etc.

Baby steps!! Get that working.. Now you know how to create vlans, and how to get them working on your switch. Now you can move on to your AP and setting up SSIDs on different vlans, etc.

johnpoz

@jt40 said in Interface range setup:

In fact the VLAN 1 is used by the switch by default, UNTAGGED on each port

Duh!!

I think that it means the following, it has to have a VLAN ID but the VLAN ID has nothing to do with UNTAGGED or TAGGED, that's the way VLANs can't or can stay on the

I have no idea what that is suppose to mean. Yes it has a vlan ID 1, this is native to the switch it uses for its internal isolation of vlans. Vlan 1 is almost NEVER tagged ever..

You can not run more than one vlan UNTAGGED on a port - you can't there is no way to identify which what traffic is what.

If you had a working network - why have you not stated this, and why are you reloading configs on your switch to break shit?

So you currently have a working network (default no nothing setup on the switch) Plugged into what on your pfsense. What network did you setup.. All your devices plug into any port on the switch and get an IP from your dhcp server on pfsense LAN? What IP did you configure for your switch? So you can manage it via gui or ssh, etc.

If that is the case, as I already stated.. Move to creating a vlan - create the vlan on pfsense.. Assign it to your interface that is connected to your switch. Setup its IP, setup its dhcp server, etc. Setup the firewall rules on its interface.

Now on your switch setup this vlan with the ID you used in pfsense.. Lets say it was 10, and your network is 192.168.10.0/24 and your lan network is 192.168.1.0/24

So you create a vlan 10 on your switch. You then tag vlan 10 on the port connected to pfsense. It will also carry your lan traffic (which is untagged and vlan 1 for the switch but pfsense doesn't need to know this ID because it untagged traffic).

Now create a port on your switch and assign just vlan 10 to this port, untagged, pvid would be 10 as well. Normally the switch will auto do that for you.

Plug in a pc/laptop to this port.. Does it get an IP from pfsense dhcp server in this 192.168.10 network? There you go - you have now your first vlan up and running.

Vlan 10 traffic leaving pfsense port will be tagged, since it a vlan in pfsense. The switch will see this tag and say oh that is vlan 10.. I can only send it to ports that are in vlan 10.. Oh its for mac xyz.. That is on port X on my switch, yup its in vlan 10 -- switch will send that traffic out that port untagged. Your device will see this traffic - not knowing or caring what vlan it is - to this device its just the network its on.

Now when your device sends traffic it will enter the switch, hey traffic coming into this port is vlan 10 traffic.. I can only send it out other ports that are vlan 10.. Oh that is going the mac on the port connected to pfsense.. oh vlan 10 is tagged here - and it will send it out the port connected to pfsense tagged with 10.. Pfsense will see this and say hey that is for my vlan 10 vlan interface.. And processes it..

JT40

@johnpoz I'll follow again the steps above.
In the moment you replied, I wrote a comment above, you may find an eventual mistake there, it's definitely pointing on what I did on the switch.

Looking at the last message instead, I'd say that I should not create a VLAN with ID 1 on PfSense...

johnpoz

@jt40 said in Interface range setup:

I'd say that I should not create a VLAN with ID 1 on PfSense...

No you wouldn't do that - again vlan 1 is almost never tagged ever.. Some switches won't even let you set that.. I am even surprised that pfsense will let you create a vlan with ID 1.. Most likely for some odd use case..

edit:
I knew there were some great words of wisdom from admin and just overall guru for all things pfsense and network in general

https://forum.netgate.com/post/736714
Just run away from tagging vlan id 1. Run away.

There is more in the post, that was way back in 2017.

edit2: as stated in that post, its not actually forbidden. But never in 30 some years have the business have I ever seen it actually done.. And I know there has been threads where users tried to do it - but their switch wouldn't even let them.. Is the more sane stance on that ;)