Homelab VLAN Setup Help Needed
-
Hello everyone,
I am new to pfSense firewalls and setting up VLANs. I've set up a simple homelab for testing. The pfSense box has two NICs, so by default igb0 is WAN and igb1 is LAN. igb0 is currently not in use. igb1 is connected to my Cisco SG300 10-port switch.
(Screenshots attached: pfSense VLAN configuration, DHCP server settings, firewall rules, Cisco switch VLAN settings.)
Problem:
My guess is the VLAN connections are not working: the VLANs or firewall rules are not set up properly. I've followed all the steps I've seen in the setup videos and websites. If my laptop IP is configured for the 192.168.9.x subnet and connected to a trunk port, I can ping all 3 gateways (192.168.9.1, 192.168.18.1, 192.168.28.1). DHCP always works on the trunk ports for the 192.168.9.1 subnet, but if my laptop is connected to any VLAN port, there is no communication with the pfSense server, regardless of which subnet my laptop is configured for; DHCP is also not working.
I am not sure what I missed. Any help is appreciated!
-
@junwen Where are you telling the switch it should be allowing tagged VLANs 18 and 28 on the "trunk" ports?
-
@junwen You need to show the VLAN settings and port VLAN membership screens.
So basically, if you plug a PC into a trunk port, you are only connecting to the PVID of that port, since your laptop is not tagging a VLAN (unless you did tag it, in which case you'll only connect to that VLAN). But the good news is you can ping all interfaces, so at least they're set up correctly.
The port you have going to pfSense LAN needs to be a trunk, and it needs to have both VLANs, 18 and 28, tagged; you can leave the PVID at 1.
Do that and it'll work, provided the firewall rules are correct. For now, just copy the default any/any rule from the LAN to both VLAN interfaces. Once that works you can adjust them as needed/wanted.
-
Thank you both for the help! That was indeed the issue: the VLAN IDs were not tagged on the trunk ports. The Cisco video did not show that step of the VLAN setup. Everything is working properly now.
-
@junwen said in Homelab VLAN Setup Help Needed:
Thank you both for the help! That was indeed the issue: the VLAN IDs were not tagged on the trunk ports. The Cisco video did not show that step of the VLAN setup. Everything is working properly now.
You only need one trunk port. You put an 's' on the end of it; guessing you left them as in the picture.
Those switches come with all ports set to trunk. Trunks are only used to carry multiple VLANs, so if the only port that has multiple VLANs is the port going to pfSense, set all other ports to access.
It'll still work if they're trunks, but it's unneeded, and you'll only be accessing the PVID on those ports anyway. Just saying this because you said you added the tagged VLANs to the trunk port's'.
-
@jarhead Maybe they have other gear like wireless access points.
-
@derelict said in Homelab VLAN Setup Help Needed:
@jarhead Maybe they have other gear like wireless access points.
Yup, that's why I said this:
@jarhead said in Homelab VLAN Setup Help Needed:
so if the only port that has multiple vlans is the port going to pfSense
-
@junwen said in Homelab VLAN Setup Help Needed:
@Jarhead I sure will follow your networking best-practice suggestion when I deploy the system for actual use. I am still playing around with pfSense features such as NAT and firewall rules.
@Derelict Yes, I have a UniFi AP which is going to be connected to my GuestWIFI network (VLAN 18).
If you use the UniFi controller you can use the one AP for all of your VLANs. Just trunk the port going to the AP and add the VLANs in the controller.
Different SSIDs for each VLAN.
-
@junwen
Hey, is it working now?
I've got about the same setup, similar hardware...
In your Cisco settings page:
- Go to Display Mode in the far right upper corner and set it to Advanced.
- Go to VLAN Management.
- Go to Interface Settings: here make sure to switch your ports to either TRUNK or (the other ones) ACCESS (trunk is Cisco speak for the uplink between router/switch or switch/switch).
- Go to Port VLAN Membership: here choose a port...
  ...Access port (e.g. Port 2 for VLAN 10): press JOIN VLAN to enter which VLAN this port should belong to (under Access VLAN ID); leave everything else as it is.
  ...Do this for every needed port. If you do not need all ports, set those not needed to INACTIVE mode (can be done later too).
  ...Trunk port (e.g. Port 1 for the trunk): here everything should be TAGGED (all VLANs) EXCEPT VLAN 1 (untagged). To put a VLAN as either tagged or untagged on a switch interface, go to Port to VLAN, enter your VLAN ID in the upper field, press GO and choose which port will a) carry the given VLAN as tagged, b) untagged, or c) excluded. Make sure (as said) that VLAN 1 on e.g. Port 1 is untagged, while all others are tagged. For security reasons (later, when everything is running) you can change the native VLAN away from VLAN 1 and exclude VLAN 1 (the default VLAN) and the future native VLAN from any ports.
Make sure to press either the blinking SAVE icon after each step or save under Administration > File Management > File Operations... be patient, it takes a while sometimes.
:) PS: when putting your UniFi APs online, they are connected via another trunk port, so they can use multi-SSID to offer WLAN for your different VLANs (up to 4 out of the box); just put them on a trunk. ;)
-
@the-other Thanks for chiming in. Yes, it is working now. The UniFi AP WiFi setup was rather smooth. Not sure if everything in the switch port setup is correct, but it's working for now. Still trying to figure out the difference between tagged and untagged. I have GE1, GE2, GE9, and GE10 set up as trunk ports. GE1 and GE2 are reserved for UniFi APs, and GE9 and GE10 are uplinks to other switches.
This is a fantastic community. I was struggling for 10+ hours before I decided to post here, and I got the solution within minutes!
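-
Editor's added example (not code from any post in this thread): a small Python model of how an 802.1Q switch handles untagged (PVID) and tagged frames per port. It reproduces the behaviour the thread describes, a laptop on a VLAN access port never reaching pfSense until VLANs 18 and 28 were tagged on the trunk, and a laptop on a trunk port landing on the PVID, which is exactly the tagged-versus-untagged distinction asked about above. Assumptions: the pfSense uplink is port GE8, GE3 is an access port in VLAN 18, GE9 is a trunk, and pfSense names its VLAN child interfaces igb1.18 and igb1.28; the VLAN IDs and gateway addresses are the ones used in the thread. Only layer 2 is modelled; pinging the other two gateways from the LAN subnet is pfSense routing between its interfaces, not a VLAN effect.

```python
"""Toy model of 802.1Q tagging on a switch: untagged ingress lands on the port's
PVID, tagged ingress is accepted only on a trunk that carries that VLAN, and
egress is untagged for the PVID and tagged for the other allowed VLANs.

Added example, not from the original posts. Assumptions: GE8 is the uplink to
pfSense, GE3 is an access port in VLAN 18, GE9 is a trunk, and pfSense's VLAN
interfaces are igb1.18 / igb1.28. VLAN IDs and gateways are the thread's.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union


@dataclass
class Port:
    name: str
    mode: str                                      # "access" or "trunk"
    pvid: int = 1                                  # VLAN given to frames that arrive untagged
    tagged: Set[int] = field(default_factory=set)  # VLANs carried with an 802.1Q tag (trunk only)

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN a received frame is placed in, or None if the switch drops it."""
        if tag is None:
            return self.pvid                       # untagged frames always land on the PVID
        if self.mode == "trunk" and tag in self.tagged:
            return tag
        return None                                # access ports drop tagged frames; trunks drop disallowed tags

    def egress(self, vlan: int) -> Union[None, int, bool]:
        """How a frame in `vlan` leaves this port: None = untagged, int = tagged, False = not sent."""
        if vlan == self.pvid:
            return None                            # the PVID / native VLAN goes out untagged
        if self.mode == "trunk" and vlan in self.tagged:
            return vlan
        return False                               # port is not a member of this VLAN


# What arrives at pfSense on igb1 (assumed interface names; addresses from the thread).
PFSENSE_IFACES: Dict[Optional[int], Tuple[str, str]] = {
    None: ("igb1", "192.168.9.1"),                 # LAN, untagged
    18: ("igb1.18", "192.168.18.1"),               # GuestWIFI, VLAN 18
    28: ("igb1.28", "192.168.28.1"),               # VLAN 28
}


def reach_pfsense(laptop_port: Port, laptop_tag: Optional[int], uplink: Port) -> Optional[str]:
    """Gateway the laptop's frames arrive at via the uplink, or None if they never reach pfSense."""
    vlan = laptop_port.ingress_vlan(laptop_tag)
    if vlan is None:
        return None
    tag = uplink.egress(vlan)
    if tag is False or tag not in PFSENSE_IFACES:
        return None
    return PFSENSE_IFACES[tag][1]


def build_switch(trunk_tagged: Set[int]) -> Dict[str, Port]:
    """GE3 = access port in VLAN 18; GE8 (to pfSense) and GE9 = trunks with PVID 1 (assumed layout)."""
    return {
        "GE3": Port("GE3", "access", pvid=18),
        "GE8": Port("GE8", "trunk", pvid=1, tagged=set(trunk_tagged)),
        "GE9": Port("GE9", "trunk", pvid=1, tagged=set(trunk_tagged)),
    }


BEFORE = build_switch(set())       # trunks exist, but 18 and 28 were never tagged on them
AFTER = build_switch({18, 28})     # the fix: tag 18 and 28 on the trunks, leave the PVID at 1

if __name__ == "__main__":
    cases = [("laptop on access port GE3, untagged", "GE3", None),
             ("laptop on trunk port GE9, untagged", "GE9", None),
             ("laptop on trunk port GE9, tagging VLAN 18", "GE9", 18)]
    for label, port, tag in cases:
        for state, sw in (("before", BEFORE), ("after", AFTER)):
            print(f"{state:6} {label}: {reach_pfsense(sw[port], tag, sw['GE8'])}")
```

Mapping this back to the SG300 screens: an access port's "Access VLAN ID" is its PVID, the "Tagged" choice under Port to VLAN adds that VLAN to a trunk's tagged set, and "Untagged" on a trunk is its native VLAN (PVID). The AP ports need the same tagging as the pfSense port, since each SSID's traffic leaves the AP tagged with its VLAN.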