Newbie having trouble with vlans & dhcp
-
@furom said in Newbie having trouble with vlans & dhcp:
a server running Proxmox, hosting a few VM's where the switch controller being one of them
I would take that whole VM thing out of the picture until you grasp setting up vlans at a basic level.. Is your VM natting, is it stripping tags, is doing its own tagging, etc.
And then all the VM stuff can be different. Hyper-V does it different than VMware, etc. With esxi you need to set vlan ID of 4095 on your vswitch if you don't want to strip tags. Or maybe you want esxi to handle all the vlans for your vms, etc..
I would make sure your vlans are working with normal devices before you start bringing any VM host and VMs into it..
The netgate appliances can have a learning curve with setting up the switch ports with vlans..
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
I would suggest you get say 1 port of your switch port working as discrete interface. Then add a vlan on top of that interface where you have tagged vlans going into your switch, etc. And that is working before you throw into the mix the extra complexity that a VM host and doing vlans brings.
-
So your laptop you are testing from is connected to port 4 in the LAN subnet? Not in VLAN5?
You have added port 2 as untagged to VLAN 5 in the switch setup. That means whatever is attached to it should be expecting to use that subnet directly. I.e. no VLAN config in Proxmox or any switches connected. Is that the case?
Steve
-
A couple of things. First off, rules and routes. Your rules have to allow whatever traffic you want and pfsense only knows about routes to directly configured LANs. Anything beyond that, it has to be told about.
Second, how are your managed switches communicating with whatever you're trying to manage them with? Often, they will rely on discovery, which means they have to be on the same LAN, without a router in the way. The way around this is management where the IP address is used to reach them.
-
@stephenw10 Hi,
There may be many mistakes, and I will happily take any pointers I can to learn to better use this fw. I watch much on youtube, sometimes too much perhaps, but are slowly getting the feel for this. I come from Ubiquity where things was handled similarly but different. A lot was done behind the scene, here its more hands on, which is good, but also a bit harder harder.
I do want to use VLANs in Proxmox, and did eventually sort of get it working. The server itself and one of the VMs are on the same (untagged) network, and another VM on the correct (tagged) one. My aim is to have all VMs to use VLAN tags, but have yet to find a way to have one untagged plus all the tagged VLANs available. Perhaps something I need to do in the switch config, not in pfSense? -
@jknott Hi! Good point about the management network. Since I'm just starting with this, and am currently using all the switches, I will have to read up in advance on the requirements. I have seen a reply somewhere that the discovery software should not be necessary, but definitely something to look into. Thanks :)
-
@furom said in Newbie having trouble with vlans & dhcp:
I have seen a reply somewhere that the discovery
Are you using unifi switches - with controller, then to adopt them yeah you need to be on the same L2 for "discovery" and or do L3 adoption, etc.
I know they added vlan tag support for management of their AP a while back, maybe the same with their switches. I only have the one little flex mini to play with, and to adopt it was on my management vlan which is untagged.
Not really a fan of their switches, while the little flex is not bad for the price, and it is so freaking tiny.. It for sure has some use cases it can fill with that price and ability to be powered by poe.. Just overall all their switches are not very feature rich for the price point. And their way of doing vlans is also very limited. Can not prune vlans at the port that caries all the vlans - with the mini, you either have all vlans allowed or just 1, etc.
-
@furom said in Newbie having trouble with vlans & dhcp:
Perhaps something I need to do in the switch config
Possibly in the switch config in pfSense.
You would need to make port 2 a tagged member of VLAN 5 to it available as a VLAN to anything connected there.
You can add port 2 as a tagged member to however many VLANs you need to have available there. Just be sure to have it only ever a member of one untagged.
Steve
-
Well, find out how your management works. Often, with complex networks, a separate management VLAN is used. Discovery relies on multicasts and they generally don't pass through routers. People run into the same issue with printers and other devices. If they're on the same subnet, the computer can learn about them. If not, then they have to be specifically configured or a domain controller used.
As an example, I have a Unifi access point here. When I want to manage it, I connect to the controller, not directly to the AP. The controller is capable of discovering all the supported devices on the LAN it's connected to. In comparison, I would directly access, via IP address, the TP-Link AP I used to use. Same with my Cisco managed switch, which I can access directly, compared to a crappy¹ TP-Link switch that has to be discovered.
- Yeah I know, calling TP-Link gear "crappy" is redundant.
- Yeah I know, calling TP-Link gear "crappy" is redundant.
-
@johnpoz Ah, figures. I am a little hesitant to remove the switches to redeploy them, guess I will have to figure how that management lan should be setup first and have a plan. Still fiddling with setting up the vlans and think it will be more straight forward once the controller and switches are in place. I haven't figured out how to configure the built-in switch to supply all vlans and one untagged yet, but should be possible I hope :)
-
@stephenw10 Agreed. I tried with Vlan tag: 5, Members: 2t,5t, but while that would give the VM its tagged one, the server itself did not get an IP...
-
Got it! I configured it as "2t,5t" and then made Proxmox use the tagged network instead of untagged. Much better. Thanks for the help! :)
