Newbie having trouble with vlans & dhcp
-
Well, guess you are right. I'm sorry, just being a little frustrated after being at this for so long. I'll try to be more detailed. This is a much more serious appliance/software than I have used before, hence not grasping all steps required.
My setup is the Netgate-2100, a server running Proxmox hosting a few VMs, the switch controller being one of them. The Proxmox server and the controller VM are on the same vlan#5, so I need to understand two things.
- How I should set up vlan#5 to serve the Netgate's built-in switch port #2
- How I should configure pfSense to present available vlans to the managed switch
I am setting this up offline (no WAN) at the moment while getting familiar with it, as I need the existing network to keep working. This makes it hard for me to take screenshots, hope that won't be a problem.
Step-by-step what I've done:
- Reset to factory defaults and completed the wizard
- Created a vlan#5 (Interfaces/VLANs/Add)
- Parent IF: LAN
- VLAN Tag: 5
- Went to 'Interface Assignments' and added the new vlan. Configured the following:
- Enable: yes
- Description: vlan#5
- IPv4 Type: Static IPv4
- IPv4 address: 192.168.5.1/29
- Services/DHCP Server:
- Enable: yes
- Set range to: 192.168.5.2 -- 192.168.5.6
- Added a rule for vlan#5 (Firewall/Rules)
- Action: Pass
- Protocol: Any
Here I realized I had rushed past entering the Netgate as gateway on the laptop I configure with, so... facepalm. After adding that, the vlan#5 gateway responds to ping. The server on that vlan still doesn't.
- Going to Interfaces/Switch/Vlans
- Enable 802.1q mode
- Adding a new VLAN tag: 5
- Members: 2,5t (enable vlan#5 on physical port#2 using uplink port#5)
- In Ports:
- For port#2: setting Port VID: 5
I thought this was it, but still no answer from Proxmox on vlan#5 @ Netgate port#2, so I guess I have missed something. The laptop goes into Netgate port #4, Proxmox into Netgate port #2; link is up and the cables are good.
Network adapter on Proxmox is set to "vlan aware", as I need different ones for the VMs.
-
@furom said in Newbie having trouble with vlans & dhcp:
a server running Proxmox, hosting a few VM's where the switch controller being one of them
I would take that whole VM thing out of the picture until you grasp setting up vlans at a basic level. Is your VM NATting, is it stripping tags, is it doing its own tagging, etc.?
And then all the VM stuff can be different. Hyper-V does it differently than VMware, etc. With ESXi you need to set a VLAN ID of 4095 on your vSwitch if you don't want to strip tags. Or maybe you want ESXi to handle all the vlans for your VMs, etc.
I would make sure your vlans are working with normal devices before you start bringing any VM host and VMs into it..
The Netgate appliances can have a learning curve with setting up the switch ports with vlans.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
I would suggest you get, say, one port of your switch working as a discrete interface. Then add a vlan on top of that interface where you have tagged vlans going into your switch, etc. Get that working before you throw into the mix the extra complexity that a VM host and doing vlans brings.
-
So your laptop you are testing from is connected to port 4 in the LAN subnet? Not in VLAN5?
You have added port 2 as untagged to VLAN 5 in the switch setup. That means whatever is attached to it should be expecting to use that subnet directly. I.e. no VLAN config in Proxmox or any switches connected. Is that the case?
Steve
-
A couple of things. First off, rules and routes. Your rules have to allow whatever traffic you want, and pfSense only knows about routes to directly configured LANs. Anything beyond that, it has to be told about.
Second, how are your managed switches communicating with whatever you're trying to manage them with? Often, they will rely on discovery, which means they have to be on the same LAN, without a router in the way. The way around this is management where the IP address is used to reach them.
-
@stephenw10 Hi,
There may be many mistakes, and I will happily take any pointers I can to learn to better use this FW. I watch much on YouTube, sometimes too much perhaps, but am slowly getting the feel for this. I come from Ubiquiti, where things were handled similarly but differently. A lot was done behind the scenes; here it's more hands on, which is good, but also a bit harder.
I do want to use VLANs in Proxmox, and did eventually sort of get it working. The server itself and one of the VMs are on the same (untagged) network, and another VM on the correct (tagged) one. My aim is to have all VMs use VLAN tags, but I have yet to find a way to have one untagged plus all the tagged VLANs available. Perhaps something I need to do in the switch config, not in pfSense?
@jknott Hi! Good point about the management network. Since I'm just starting with this, and am currently using all the switches, I will have to read up in advance on the requirements. I have seen a reply somewhere that the discovery software should not be necessary, but definitely something to look into. Thanks :)
-
@furom said in Newbie having trouble with vlans & dhcp:
I have seen a reply somewhere that the discovery
Are you using UniFi switches with a controller? Then to adopt them, yeah, you need to be on the same L2 for "discovery", and/or do L3 adoption, etc.
I know they added VLAN tag support for management of their APs a while back, maybe the same with their switches. I only have the one little Flex Mini to play with, and to adopt it, it was on my management vlan, which is untagged.
Not really a fan of their switches. While the little Flex is not bad for the price, and it is so freaking tiny, it for sure has some use cases it can fill with that price and the ability to be powered by PoE. Just overall, their switches are not very feature rich for the price point. And their way of doing vlans is also very limited. You cannot prune vlans at the port that carries all the vlans; with the Mini, you either have all vlans allowed or just one, etc.
-
@furom said in Newbie having trouble with vlans & dhcp:
Perhaps something I need to do in the switch config
Possibly in the switch config in pfSense.
You would need to make port 2 a tagged member of VLAN 5 to make it available as a VLAN to anything connected there.
You can add port 2 as a tagged member to however many VLANs you need to have available there. Just be sure to have it only ever a member of one untagged.
Steve
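As an added example (not part of the thread, and not a Netgate tool), here is a small Python checker that applies the rules from Steve's reply to a switch VLAN table written the way it appears in this thread ("2,5t" means port 2 untagged and port 5 tagged; "2t,5t" means both tagged). It flags a port that is untagged in more than one VLAN, a Port VID that disagrees with the VLAN the port is untagged in, and a VLAN that does not carry the uplink port tagged. It assumes port 5 is the internal uplink to the pfSense LAN interface, as the original poster's "2,5t (... using uplink port#5)" notation does; the table values below are constructed to mirror the attempts in the thread.

```python
"""Consistency check for a Netgate 2100 style switch VLAN table.

Added example, not from the thread or from Netgate. Port 5 as the
uplink to pfSense is an assumption taken from the thread's notation.
"""
from __future__ import annotations

from dataclasses import dataclass

UPLINK_PORT = 5  # assumption: internal switch port towards the pfSense LAN interface


@dataclass(frozen=True)
class Member:
    port: int
    tagged: bool


def parse_members(spec: str) -> list[Member]:
    """Parse a members string such as "2,5t" into Member records.

    A trailing "t" marks the port as a tagged member; otherwise untagged.
    """
    members = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        tagged = item.endswith("t")
        port_text = item[:-1] if tagged else item
        if not port_text.isdigit():
            raise ValueError(f"bad member entry {item!r}")
        members.append(Member(int(port_text), tagged))
    return members


def check_switch_config(vlans: dict[int, str], pvids: dict[int, int]) -> list[str]:
    """Return a list of problems; an empty list means the table is consistent.

    vlans maps VLAN tag -> members string, pvids maps port -> Port VID.
    """
    problems = []
    untagged_in: dict[int, list[int]] = {}
    for vid, spec in vlans.items():
        members = parse_members(spec)
        for m in members:
            if not m.tagged:
                untagged_in.setdefault(m.port, []).append(vid)
        # pfSense only sees a VLAN if it reaches the uplink as a tagged frame.
        if not any(m.port == UPLINK_PORT and m.tagged for m in members):
            problems.append(
                f"VLAN {vid}: uplink port {UPLINK_PORT} is not a tagged member, "
                "pfSense will not see this VLAN"
            )
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            # Steve's rule: a port is untagged in at most one VLAN.
            problems.append(f"port {port}: untagged member of more than one VLAN {sorted(vids)}")
        elif pvids.get(port) != vids[0]:
            # Untagged ingress frames are classified by PVID, so it must match.
            problems.append(f"port {port}: untagged in VLAN {vids[0]} but PVID is {pvids.get(port)}")
    return problems


def describe_port(vlans: dict[int, str], pvids: dict[int, int], port: int) -> tuple[int | None, list[int]]:
    """Return (VLAN a host on this port uses untagged, VLANs it can use tagged)."""
    untagged = pvids.get(port) if any(
        m.port == port and not m.tagged for spec in vlans.values() for m in parse_members(spec)
    ) else None
    tagged = sorted(vid for vid, spec in vlans.items()
                    if any(m.port == port and m.tagged for m in parse_members(spec)))
    return untagged, tagged


if __name__ == "__main__":
    # Constructed tables mirroring the attempts in the thread.
    first_try = {5: "2,5t"}     # port 2 untagged: host must send untagged frames
    final = {5: "2t,5t"}        # port 2 tagged: host must tag VLAN 5 itself
    pvid_table = {2: 5}
    for name, table in (("first try", first_try), ("final", final)):
        print(name, check_switch_config(table, pvid_table) or "OK", describe_port(table, pvid_table, 2))
```

Run it directly to see both tables from the thread evaluated; feed it your own tag-to-members map and PVIDs to catch the "untagged in two VLANs" and "PVID does not match" mistakes before clicking Save in Interfaces/Switch.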
-
Well, find out how your management works. Often, with complex networks, a separate management VLAN is used. Discovery relies on multicasts and they generally don't pass through routers. People run into the same issue with printers and other devices. If they're on the same subnet, the computer can learn about them. If not, then they have to be specifically configured or a domain controller used.
As an example, I have a Unifi access point here. When I want to manage it, I connect to the controller, not directly to the AP. The controller is capable of discovering all the supported devices on the LAN it's connected to. In comparison, I would directly access, via IP address, the TP-Link AP I used to use. Same with my Cisco managed switch, which I can access directly, compared to a crappy¹ TP-Link switch that has to be discovered.
- Yeah I know, calling TP-Link gear "crappy" is redundant.
-
@johnpoz Ah, figures. I am a little hesitant to remove the switches to redeploy them; guess I will have to figure out how that management LAN should be set up first and have a plan. Still fiddling with setting up the vlans and think it will be more straightforward once the controller and switches are in place. I haven't figured out how to configure the built-in switch to supply all vlans and one untagged yet, but it should be possible I hope :)
-
@stephenw10 Agreed. I tried with Vlan tag: 5, Members: 2t,5t, but while that would give the VM its tagged one, the server itself did not get an IP...
-
Got it! I configured it as "2t,5t" and then made Proxmox use the tagged network instead of untagged. Much better. Thanks for the help! :)