How to get pfSense WAN to accept VLAN 0
-
@schwiing I would suggest using a managed switch. Really is nice to put 3 ports in a separate vlan and get 2 public ip's (or more if you wanted) for a lab setup.
Or even a public server completely separate from your LAN or anything else you would want to do with a public IP. -
It strips it by default. I can't speak to proxmox, but esxi definitely does this.
-
I am considering doing this also...albeit it means buying another switch and some transceivers...trying to figure out which switch would be best for stripping vlan0. I'm leaning mikrotik but I'm horrible at both RouterOS and SwOS. They're not terribly difficult but it's just not intuitive to me.
-
@jarhead said in How to get pfSense WAN to accept VLAN 0:
@schwiing I would suggest using a managed switch. Really is nice to put 3 ports in a separate vlan and get 2 public ip's (or more if you wanted) for a lab setup.
Or even a public server completely separate from your LAN or anything else you would want to do with a public IP.Is there a specific manged switch that you know will do this? Do they all strip VLAN-0 or is this something that only some of them can do?
-
Any managed switch should be able to.
I use Cisco SG-300's but there's plenty of posts on here with suggestions for managed switches.
Any switch that let's you assign vlans will work. -
So, if using mikrotik, how would I set it up if put in between the ONT and PFsense?
What would I change here?
https://www.servethehome.com/wp-content/uploads/2019/12/Mikrotik-CSS326-RM-SW-OS-VLAN.png
-
@schwiing You'd have to go into Vlans first, create a new vlan. Use an obscure vlan that you won't need, like 4094 since it's the last usable vlan. Then use 2 ports, say 9 and 10, and set them both to vlan 4094. Not sure what the "force vlan ID" is but you might need to check that. Set both to enable, and untagged only.
Then plug the ONT into 9 and the WAN into 10. That's it.
If you want another public IP, set another port to that vlan and plug that port into another router's WAN.I've never used Microtik but that would be my guess. The manual would probably tell more if needed.
-
@jarhead Ah, so even the WAN port will be able to see VLAN0 (on port 9 in your example) despite it being VLAN4094? That's the part that always confused me. I didn't know if you had to trunk port 9 to accept VLAN0 or not. If they're both untagged, that makes it MUCH easier!
-
@jarhead
Oh.. One more thing. What do I set for the IP of the switch? -
@schwiing Anything you want on your subnet. That's just for managing it.
Just to be clear. You can then use ports 1-7 (or 8 if only using 9 and 10) for your LAN devices. You don't need a separate switch for this. That's what vlans do. Turns one switch into 2 or more.
-
@jarhead I was planning on putting pfsense on port 10 and the ONT on port 9. I have switches beneath pfsense so I was planning on leaving 1-8 empty. If I use those ports, how would they be routable?
-
@schwiing If you're adding a new switch between pfSense and ONT they won't be.
My point was you don't need to add a new switch if you have enough ports on your existing switch.So I have my ONT going to my port 26, two WAN ports on 25 and 27, and my pfSense LAN port going to 24.
25 -27 are in vlan 4094, then 24 and all other LAN ports are in vlan 442 (my default).
So 1 switch handles my WAN and LAN connections.So you can use ports 9 and 10 for WAN, connect your LAN to port 8, and use 1 - 7 for LAN devices.
-
@jarhead ah I understand now. My downstream switches are mostly full so I figured this would purely serve in between the ONT and Pfsense. But what you're saying makes sense.
-
@jarhead Apologies for asking again, but I'm trying to wrap my head around this before my install. If I set WAN to VLAN 4094, you're saying that will strip the VLAN0 Tag from the ONT. OK.
But for LAN, if that's also set to 4094, how will PFSense see it?
Do I need to set something on the PFsense side to accept 4094?
Does my subnet need to change from .1 to .4094 or, do I have to trunk the connection on PFsense?That's the part I'm confused on. I'm not sure how PFsense will understand how to receive 4094.
EDIT: Or, will my Global IP (That PFsense understands) become x.x.4094.x due to the VLAN tag? Is there anything else I need to set on the WAN Interface tab (or do I leave it as DHCP) or anything else on PFsense?
-
@schwiing 4094 is only a VLAN internal to the switching Netgate devices (1100, 2100, 3100, 7100) and not presented on your external network as that port is untagged on the interface.
-
@rcoleman-netgate @Schwiing And it doesn't go to your LAN, it goes to your WAN but I'm guessing that was a typo.
-
@jarhead True, regardless of the VLAN in those systems - they're all internal to the software and not tagged on the ports out, just untagged so all traffic on those ports (by default) are on that vlan.
-
@jarhead Ah I did mean WAN, not LAN. My mistake.
Thanks. I'll assume the PFsense side will remain default then being configured as "DHCP" and won't be bothered by the 4094 VLAN.
IIRC, my modem's address now (for Comcast, temporary until Frontier is installed) is 192.168.100.1, so on the 100 VLAN. I guess it's a similar concept, but in this case, I'm "choosing" 4094?
EDIT: I assume I did this right?
https://imgur.com/a/DTIkhi7 -
The subnet and VLAN ID used here are completely independent. Though you will often find people set them up to use the same values as it's much easier to read like that.
What I expect to see there is one switch port connected to the ONT and another connected to the pfSense WAN. However you have ports labeled WAN and LAN? It doesn't actually matter what they're labeled of course as long as the WAN traffic is passing through that VLAN4094 segment it will strip the VLAN0 tags.
Steve
-
@schwiing If your going to get the 2g service from frontier to take advantage of it you will need a switch with at least 2.5gb ports.
