pfSense won't talk to VLAN devices

abtekk · Jul 21, 2023, 10:38 PM

Hi.

I have a switch in the following config:

PORT 1 & 2 untagged in VLAN1 (default)
PORT 1 & 2 tagged in VLAN10
PVID set to 1

My pfSense setup is as follows:

LAN on em0 (10.20.0.0/24 | DHCP Enabled)
VLAN10 on em0 (10.21.0.0/24 | DHCP Enabled)
For testing purposes I have a firewall rule on VLAN10 to allow traffic from any > any.

login-to-view

No devices that are on the VLAN10 switch port (I'm also configuring the VLAN ID in the OS on the devices NIC) can communicate with pfSense. The device will not get an IP address, nor will it ping the pfSense box when a static IP is set.

I have run a packet capture on the LAN interface whilst the device was sending a DHCP Request, however no traffic seems to be getting captured that related to VLANs.

Is there anything I'm missing from my config?

johnpoz · Jul 21, 2023, 10:38 PM

@abtekk said in pfSense won't talk to VLAN devices:

PORT 1 & 2 tagged in VLAN10
PVID set to 1

Well that for sure doesn't seem right.

abtekk · Jul 21, 2023, 10:41 PM

@johnpoz

So the end goal is that I will be able to use my Hypervisor host on port 2, accessible over the LAN, whilst its guests will be put on to VLAN10.

johnpoz · Jul 21, 2023, 10:47 PM

@abtekk What do you have connected to what? So pfsense on on em0 say going to port 1 on the switch. Sure untagged 1 and tagged 10.. But what is on port 2... You have something else that is going to understand the tag.. You mention a hypervisor - so this is doing what with the tags.. How do you have that setup, its esxi - hyperV?

For testing create a port that untagged on 10, and pvid 10 and connect say a laptop. It should get an IP from pfsense dhcp on vlan 10.

abtekk · Jul 21, 2023, 10:50 PM

@johnpoz

Currently:

Switch port 1 goes to pfSense
Switch port 2 goes to laptop in the above config

How it will be implemented, is Switch port 1 > pfSense
Switch port 2 > Hyper-V Host (w/ host on VLAN1, guests on VLAN10)

I'll try your suggestion now.

johnpoz · Jul 21, 2023, 10:58 PM

@abtekk you have to setup the vlan on hyper-v

https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/configure-virtual-local-areal-networks-for-hyper-v

I am not a normal hyper-v guy.. But there is a thread awhile ago where I went over this - let me see if I can dig it up.

edit:
here is the old thread where I did some testing of vlans on hyper-v

https://forum.netgate.com/topic/139891/solve-hyperv-2012-vlans-support-hn0/7?_=1689979106259

It might be of some help..

abtekk · Jul 21, 2023, 11:19 PM

@johnpoz

Thanks. That's fine I can configure the hyper-v side. I'm struggling at the minute to get the switch to accept packets on both VLANS (and subsequently, pfSense handing out the correct IPs).

I was able to get port 2 to communicate over the VLAN10 network by setting a PVID of 10 and tagging port 1 in VLAN1 & 10, but then it will no longer work over VLAN1, which I need my host to be on.

Just in case it wasn't clear, my pfSense box is bare metal, not on Hyper-V.

Am I making sense or am I just losing my mind now?

johnpoz · Jul 22, 2023, 3:19 PM

@abtekk

if your em0 on pfsense is connected to port 1 of the switch then that would be untagged 1, tagged 10.

Where your vlan on pfsense would be set to 10 and parent of em0

See here I have some vlans setup on one of my interfaces.

login-to-view

now some other port your going to connect to your vlan 10, say port 3 were you connect your laptop. This would be vlan 10, pvid 10. Because your laptop has no clue to what vlan its on or tags, etc. Vlan 1 should not be on this port 3 on the switch.

Get that to get an IP from your dhcp you setup on yoru vlan 10. There are no rules required on vlan 10 for that to happen, once you enable dhcp on an interface hidden rules allow for dhcp to happen.

Does that work? If so then you can setup rules on your vlan 10 interface... I would start with just any any rule to until you have that working.. Then you can start to limit/allow what you want.

Your client should be able to ping pfsense IP on your vlan 10.. And anything else, like 8.8.8.8 - when trying to ping stuff on say lan - don't forget any host firewall you might be running on them. But you should with an any any rule on vlan 10 be able for sure to ping pfsense lan ip

That sure looks like a tplink switch.. See here I have one of those behind my tv, and have a pi that sits on vlan 3..

login-to-view

Port 8 is an uplink to another switch.. The switch is really on my lan which is vlan 9 on my other switches.. But to this switch the untagged traffic is just its vlan 1.. That is why port 8 is tagged 3 and untagged 1.

The pi that is on vlan 3 is on port 7.

here is the pvid settings

login-to-view

abtekk · Jul 22, 2023, 3:19 PM

@johnpoz Good news, I now have both VLANs responding w/ 1 being the default & I can force VLAN10 in Windows. DHCP working on both.

Last question, is how easily can I move my current LAN subnet in to VLAN1? Or is it a matter of manually moving the IP addresses over?

Thanks,
Abtekk

johnpoz · Jul 22, 2023, 4:16 PM

@abtekk said in pfSense won't talk to VLAN devices:

& I can force VLAN10 in Windows.

huh?

Your lan is already a vlan, its default vlan 1 on the switch.. Its just untagged on pfsense.. Your wanting to tag it? For what reason?

abtekk · Jul 23, 2023, 12:33 AM

@johnpoz It's fine, all sorted now.

Thank you for your help.