PFSense VLan
-
Hope someone can point me in the right direction with a very annoying problem that i have been trying to figure out for the last week.
I have setup pfsense to test before adding it to my network, I have the below setup
Internet<----- Router<-----Internal Network <------PFSenseBox<-----Test Network
The Internal Network has the ip range 192.168.0.0/24
The PFSense WAN address is 192.168.0.2
The PFSense LAN address is 192.168.10.1
I have a machine on the Internal Network with IP Address 192.168.0.99 which i have allowed through the PFSense WAN interface
I have setup rules to allow access to and from the Internal Network to the Test networkI am able to ping from both sides and reach any machine
I am able to browse the internet from the Test networkThe issue I am having is trying to set up vlans using a Dlink DES-1210-52 managed switch and making it work with the PFSense box.
I have followed the configuration from the below link
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_how_to_configure_vlan_asymmetric_dgs_1210_series#:~:text=%20How%20to%20configure%20Asymmetric%20VLAN%20in%20DGS-1210,button.%208%20Click%20802.1Q%20VLAN%20PVID.%20More%20
I have the PFSense LAN plugged into Port 15 of the DLink Switch and a pc plugged into Port 1 of the DLink switch
I have added both ports as untagged to VLan ID 10 on the DLink switch
I have setup a VLAN on the pfsense box with vlan tag 10 and assigned it to the LAN interface with an IP range of 192.168.100.1
I have setup DHCP for the VLAN to hand out addresses in the range 192.168.100.10 - 192.168.100.40
I have setup DHCP for the test network to hand out addresses in the range 192.168.10.50 - 192.168.10.60
When i try to renew the ip address for the test pc in the test network while it is connected to Port 1 of the DLink switch, it wont get an address
If i plug the test pc into any other port and renew the ip address i get an address in the 192.168.10.0 range as expected.Can anyone see from the above if there is something simple that has been missed?
-
@gazza77 The port going to pfsense needs to have the vlan tagged.
-
Thanks Jarhead, that sorted it.
I had read in so many places that you cant have tagged and untagged ports on the same VLAN i tried both tagged and both untagged but not just port 15 untagged.
Thanks again
-
@gazza77 said in PFSense VLan:
tagged and untagged ports on the same VLAN
You can have ports on switch untagged in a vlan, this would be like where you connect say a PC. But if your going to have more than 1 vlan/network on the same physical port then "1" of these vlans can be untagged, the rest would have to be tagged. Or there is no way to sort out what traffic is what.
Lets say you have networks X,Y and Z. X is the network on interface igb1 on pfsense. This is an untagged network and most likely would just be the default vlan 1 on your switch.
Now you want to add vlans Y and Z, these will also be on interface igb1 on pfsense. You can leave X untagged (just native on the interface).. But Y and Z would have to be tagged. And you would have to setup your switch so that Y and Z are tagged on the port that connects to igb1
Now you want to connect your pc to different port on the switch and you want it to be on vlan Y, this port would have Y untagged. And you have another PC on another port on this switch in Z, this would also be untagged.
You can have "ONE" untagged network on an interface. If your going to carry more than 1 network over the physical port then the other networks/vlans have to be tagged.
-
@gazza77 said in PFSense VLan:
I had read in so many places that you cant have tagged and untagged ports on the same VLAN
You probably mean you shouldn't have tagged and untagged traffic on the same port. And that is partially true. It's certainly possible to tagged and untagged traffic on the same port and it should work fine. It's just better to avoid it if you can because it's much easier to make a config error and get unexpected traffic on the untagged interface that way. There have also been cases of badly behaved switches doing that even when configured as expected.
Steve
-
@stephenw10 said in PFSense VLan:
much easier to make a config error
While that might be true for someone that doesn't actually understand how vlans work ;) Or how their switch works ;) hehehe
There is no actual technical reason that you can not run 1 untagged and other tagged vlans.. Is specially called the "native" vlan in cisco..
Normally the native vlan is the default vlan (ie 1) but native vlan can be any vlan ID..
-
Thanks for the extra information both.
Just so i can get this right in my head.
The tagged port on the switch is the port that connects to the PFSense (Is this also known as the trunk port?)
All the switch ports that are set on a specific vlan should be Untagged?
i.e.
ports 1,2,3 on the switch are untagged on vlan10 (connected to pc`s)
ports 4,5,6 on the switch are untagged on vlan 20 (connected to printers)
port 8 on the switch is tagged on both vlan 10 and 20 (connected to pfsense igb1) -
Yes, that's correct.
Additionally, in some switches, you need to set the PVID on the untagged ports to match the VLAN you are accessing. Some switches set that for you when you set a port untagged on a particular VLAN.
Steve
-
@stephenw10 said in PFSense VLan:
Some switches set that for you when you set a port untagged on a particular VLAN.
While true - from the entry level smart switches I have played with from netgear, dlink and tplink this not the case.. More fully managed switch do set the pvid for you.
I would validate the pvid is set..
Example - I plugged in netgear gs108eV3 I had on the shelf testing something for another thread.
I put port 6 untagged into vlan 9 - it did not change the pvid.
Now when I tried to remove vlan 1 I did get a warning..
Which is good... But that it let me put port 6 untagged both in vlan 1 and vlan 6 in the the first place is bad..
So yeah validate the ports you put untagged in vlan X, that the pvid has also been set to X and that there is only 1 untagged vlan on the port..
