Same Networks in different VLANs

dotdash

@heper
Plenty of routers let you use multiple routing tables. FreeBSD itself supports this (see the man page for setfib), but this is not currently supported in pfSense. I'd guess the amount of people who really need this feature does not justify the amount of work needed to support it. The simple answer for the OP is to use a different subnet.

viragomann

@lucderheld said in Same Networks in different VLANs:

Hi,

i want to configure different VLANs with same ip configurations. But pfsense does not let me to configure: IPv4 address 10.0.0.1/24 is being used by or overlaps with: LAN (10.0.0.1/24)

I configured VLAN 2 on VTNET2 and VLAN 3 on VTNET3. So this should be independed interfaces. Why does it not let me save the configuration?

pfSense is a router, but routing between identical networks is not possible at all.

However, if you need both interfaces within the same subnet (layer 2) you can bridge them.
Doing so you only need to add IP settings to one of the bridge member or even to the bridge itself.

bingo600

@lucderheld

Judging from your post, i take you are not FIB/VRF aware.
And then the thought of different Vlans with the same ip range makes no sense.

Just "let it go" ....

If you need more physical interfaces in the same vlan, spend the $40 to get a Managable (Vlan-aware) 8-Port switch.

Or "Misuse" an additional pfSense Lan interface, and "Bridge it" as @viragomann mentioned above ....

/Bingo

JKnott

@lucderheld

You cannot have the same subnet on multiple interfaces. Routing is determined by the address and if you have the same on 2 or more, a router won't know where to send a packet.

lucderheld

@viragomann
Hmm, I want to keep the networks separated from each other. Is this possible too?

JKnott

@dotdash

Multiple routing tables on the same device? Never heard of it.

Assume you have a packet coming in on interface A for 10.0.0.15 and you have two interfaces both with the 10.0.0.0 /whatever subnet. How does the router know which interface to choose? Imagine you're looking for an apartment and you're standing in front of two buildings with the same street address. Which building do you go into, to find that apartment? There's also the possibility that the apartment number you're looking for is in both buildings. Which way do you go?

JKnott

@lucderheld

Yes. You give them different subnets and perhaps use VLANs.

lucderheld

@jknott said in Same Networks in different VLANs:

@dotdash

Multiple routing tables on the same device? Never heard of it.

Assume you have a packet coming in on interface A for 10.0.0.15 and you have two interfaces both with the 10.0.0.0 /whatever subnet. How does the router know which interface to choose? Imagine you're looking for an apartment and you're standing in front of two buildings with the same street address. Which building do you go into, to find that apartment? There's also the possibility that the apartment number you're looking for is in both buildings. Which way do you go?

Oh that’s easy: the subnets have different vlan tags.

lucderheld

@jknott

Ok but it is not possible to have for example a vlan 10 for customer 1 and a vlan 20 for customer 2, then route wan requests from vlan 10 and vlan 20 to wan and let the customer use whatever networks they wanna use?

In my understanding this is one of the benefits of vlan to reuse ip ranges.

viragomann

@lucderheld
Bridging interfaces is basically only recommended if there is no other option, i.e. if your really need both sides to be in the same L2 network. From your upper post, I was thinking you're looking for this.

@lucderheld said in Same Networks in different VLANs:

@viragomann
Hmm, I want to keep the networks separated from each other. Is this possible too?

Yes, you can still filter on member interfaces after they are added to a bridged.

In System > Advanced > System Tunables there are two tunes which control the filtering typ:

• net.link.bridge.pfil_member
• link.bridge.pfil_bridge

By default filtering on interface member is enabled.

JKnott

@lucderheld said in Same Networks in different VLANs:

Oh that’s easy: the subnets have different vlan tags.

Routers filter on address, not VLAN tag. A VLAN is no different than another interface in this respect. You're still back at the point of deciding which way to go when standing in front of the two apartment buildings.

JKnott

@lucderheld

You can have as many VLANs as you want. You can't have the same subnet on them, if you expect routing to work.

lucderheld

@jknott said in Same Networks in different VLANs:

@lucderheld said in Same Networks in different VLANs:

Oh that’s easy: the subnets have different vlan tags.

Routers filter on address, not VLAN tag. A VLAN is no different than another interface in this respect. You're still back at the point of deciding which way to go when standing in front of the two apartment buildings.

Hmm. Two different Interfaces and two different vlans. This should be somehow doable.

In your apartment example you would have two apartments with the same number in two different buildings.

If this is not possible at the moment hopefully someone will build it. Like QinQ is doing it with vlans.

lucderheld

@viragomann

Sounds interesting! I will give it a try, but for now start with different subnets. Thanks for your input.

JKnott

@lucderheld said in Same Networks in different VLANs:

Hmm. Two different Interfaces and two different vlans. This should be somehow doable.

There is no way pfSense or any other router can have the same subnet on more than one interface/VLAN. It just won't work!

dotdash

@jknott
Not pfSense, correct, but any enterprise router has support for multiple routing tables. With Cisco, you can group interfaces by VRF- each VRF has a separate routing table. As I mentioned before FreeBSD supports this, and a feature request to put support in pfSense was submitted and ignored years ago. For more information, see the man page https://www.freebsd.org/cgi/man.cgi?query=setfib&apropos=0&sektion=0&manpath=FreeBSD+12.3-stable&arch=default&format=html

johnpoz

@dotdash said in Same Networks in different VLANs:

but any enterprise router has support for multiple routing tables

Not sure I would say any ;) But sure most enterprise layer 3 switches or actual routers most likely do have support for VRF.. Those normally come with a pretty hefty price tag as well..

You could do it in TNSR I do believe

https://docs.netgate.com/tnsr/en/latest/routing/route-tables.html#virtual-routing-and-forwarding

Which is more their actual "enterprise" level product... While sure there are many enterprises using pfsense.. if your to the point where your needing to use VRFs.. Are you going to be running pfsense on some DIY box?

You could for sure have multiple networks with the same IP ranges in your network, you just can not currently route them on the same "router" VRF is a virtual router.. So its like running more than 1 router on the same hardware, etc.

You might be able accomplish what your after on the same hardware, by running different pfsenses as VMs on the hardware your wanting to use.

Where we use VRFs is for customer isolation, where we share hardware between customers in the DC, etc. Normally this hardware is pushing a lot of packets.. If was looking to replace one of those boxes it would most likely need to run TNSR just to be able to push the packets.

dotdash

@johnpoz
I don't have any need for multiple fibs in pfSense, and think the OP should just use different networks for the vlans. I was just replying the original statement that you can't have duplicate or overlapping networks on ANY router. I've dealt with VRFs mostly with Cisco gear, but I remember Extreme switches supported it and well as Juniper, etc. I'd make the argument that a router with multiple routing tables is just that and not actually several routers, so I stand by my original statement.

johnpoz

@dotdash said in Same Networks in different VLANs:

multiple routing tables is just that and not actually several routers

We could debate semantics I guess ;)

To "me" VRF is actual another router.. Since it is a whole set of new routing tables, and sure other interfaces.. Even if they are "virtual"

"Virtual routing and forwarding (VRF) is an IP-based computer network technology that enables the simultaneous co-existence of multiple virtual routers (VRs) as instances or virtual router instances (VRIs) within the same router."

think the OP should just use different networks for the vlans

We agree here ;)