Netgate Discussion Forum

    Having an issue configuring vlans, looking for some help.

    General pfSense Questions
    23 Posts 3 Posters 1.1k Views
      thisiswhatimherefor @stephenw10

      @stephenw10

      Well, if you look at the guide I posted, they did exactly the same thing. Their LAN is on igb1 and they configured the VLAN on igb2.... I want this same scenario so I can have multiple ports share the same gateway (so I can cast from my phone on the WiFi to the TV that's connected to the Protectli device) without having to do multicast configurations.

      https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#figure-vlans-interface-list

       0) Logout (SSH only)                  9) pfTop
       1) Assign Interfaces                 10) Filter Logs
       2) Set interface(s) IP address       11) Restart webConfigurator
       3) Reset webConfigurator password    12) pfSense Developer Shell
       4) Reset to factory defaults         13) Update from console
       5) Reboot system                     14) Disable Secure Shell (sshd)
       6) Halt system                       15) Restore recent configuration
       7) Ping host                         16) Restart PHP-FPM
       8) Shell
      
      Enter an option: 1
      
      Valid interfaces are:
      
      igb0   00:08:a2:09:95:b5   (up) Intel(R) PRO/1000 Network Connection, Version -
      igb1   00:08:a2:09:95:b6   (up) Intel(R) PRO/1000 Network Connection, Version -
      igb2   00:08:a2:09:95:b1 (down) Intel(R) PRO/1000 Network Connection, Version -
      igb3   00:08:a2:09:95:b2 (down) Intel(R) PRO/1000 Network Connection, Version -
      igb4   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -
      igb5   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -
      
      Do VLANs need to be set up first?
      If VLANs will not be used, or only for optional interfaces, it is typical to
      say no here and use the webConfigurator to configure VLANs later, if required.
      
      Should VLANs be set up now [y|n]? y
      
      WARNING: all existing VLANs will be cleared if you proceed!
      
      Do you want to proceed [y|n]? y
      
      VLAN Capable interfaces:
      
      igb0    00:08:a2:09:95:b5   (up)
      igb1    00:08:a2:09:95:b6   (up)
      igb2    00:08:a2:09:95:b1
      igb3    00:08:a2:09:95:b2
      igb4    00:08:a2:09:95:b3   (up)
      igb5    00:08:a2:09:95:b3   (up)
      
      Enter the parent interface name for the new VLAN (or nothing if finished): igb2
      Enter the VLAN tag (1-4094): 10
      
      VLAN Capable interfaces:
      
      igb0    00:08:a2:09:95:b5   (up)
      igb1    00:08:a2:09:95:b6   (up)
      igb2    00:08:a2:09:95:b1
      igb3    00:08:a2:09:95:b2
      igb4    00:08:a2:09:95:b3   (up)
      igb5    00:08:a2:09:95:b3   (up)
      
      Enter the parent interface name for the new VLAN (or nothing if finished): igb2
      Enter the VLAN tag (1-4094): 20
      
      VLAN Capable interfaces:
      
      igb0    00:08:a2:09:95:b5   (up)
      igb1    00:08:a2:09:95:b6   (up)
      igb2    00:08:a2:09:95:b1
      igb3    00:08:a2:09:95:b2
      igb4    00:08:a2:09:95:b3   (up)
      igb5    00:08:a2:09:95:b3   (up)
      
      Enter the parent interface name for the new VLAN (or nothing if finished): <enter>
      
      VLAN interfaces:
      
      igb2.10     VLAN tag 10, parent interface igb2
      igb2.20     VLAN tag 20, parent interface igb2
      
      If the names of the interfaces are not known, auto-detection can
      be used instead. To use auto-detection, please disconnect all
      interfaces before pressing 'a' to begin the process.
      
      Enter the WAN interface name or 'a' for auto-detection
      : igb1
      
      Enter the LAN interface name or 'a' for auto-detection
      NOTE: this enables full Firewalling/NAT mode.
      : igb0
      
      Enter the Optional 1 interface name or 'a' for auto-detection
      : igb2.10
      
      Enter the Optional 2 interface name or 'a' for auto-detection
      : igb2.20
      
      Enter the Optional 3 interface name or 'a' for auto-detection
      :<enter>
      
      The interfaces will be assigned as follows:
      
      WAN  -> igb1
      LAN  -> igb0
      OPT1 -> igb2.10
      OPT2 -> igb2.20
      
      Do you want to proceed [y|n]? y
      
      Writing configuration...done.
      One moment while the settings are reloading... done!
      
        stephenw10 Netgate Administrator

        Right, but those VLANs would only connect to anything on igb2 in that example. Exactly like you are seeing with the VLANs on igc4.

        It sounds like you want the VLAN to be in the same subnet as the untagged LAN?

        In that case you would need to bridge the LAN and VLAN interface together.

          johnpoz LAYER 8 Global Moderator @stephenw10

          @stephenw10 said in Having an issue configuring vlans, looking for some help.:

          In that case you would need to bridge the LAN and VLAN interface together,

          Which would be a horrible idea to be honest..

          so i can have multiple ports share the same gateway.

          Get a switch if you want multiple ports in the same network..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            stephenw10 Netgate Administrator

            Yup, a switch would be better in almost every way here.

              thisiswhatimherefor @johnpoz

              @johnpoz

              A switch doesn't work for my use case because of the MoCA adapters.

              If I get a switch and then create the VIFs there, inter-VLAN traffic completely ignores FW rules.

              If I put in an L2 switch that receives tagged frames from MoCA and just forwards it to bridged interfaces on the device, I'm just back to where I am right now, except without having to have a silly configuration of a switch with multiple 6 inch patch cables going to the router.

              What I want is basically what I have now.... but with pfSense. If it's not something it's capable of, that's fine, but it should be really.

              And if I do the third solution of just having a separate network for the basement AP and TV/Xbox, then that just breaks AP roaming, complicates FW rules, and blocks multicast applications like casting from phone etc....

              I know it's a unique scenario but it doesn't look like pfSense software can handle an L3 type switch setup.

                johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

                @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                my use case because of the moca adapters.

                Says who - you can connect into a switch from a MoCA adapter.. And put it on any VLAN you want.. What are you doing now, running multiple L3 on the same L2 network?

                You can do that too with pfSense.. if you really wanted to - but it's a bad idea to ever do that..

                doesn't look like pfsense software can handle an L3 type switch setup.

                Well it's not really an L3 switch.. Not exactly sure what you're doing with your MoCA, but MoCA is just a way to run over coax.. It then connects into Ethernet - that Ethernet can be just plugged into any switch.. And put on any VLAN on that switch that you would want to put that network..

                  thisiswhatimherefor @johnpoz

                  @johnpoz

                  You can do that too with pfsense.. if you really wanted to - but its a bad idea to ever do that..

                  I would love to. That's all I find googling: people saying that but never offering any solution to try it lol

                  Says who - you can connect into as switch from a moca adapter.. And put it on any vlan you want.. What are you doing running now multiple L3 on the same L2 network?

                  If you look at the diagram, all the VLANs going over the MoCA adapter will go to the switch and, like I said, there are these scenarios:

                  1. MoCA -> trunk on a switch port that accepts tags -> now, if you host L3 VLAN interfaces here the firewall is ignored. Solves the issue but then creates another.

                  2. MoCA -> trunk on a switch port that accepts tags -> configure multiple ports for each VLAN going towards the edge router, so port 0 is the trunk, port 1 is VLAN 10, port 2 is VLAN 20, port 3 is VLAN 30... This solution does not scale and I'm physically limited by the number of ports I have for VLANs.

                  3. MoCA -> trunk on a switch port that accepts tags -> configure a dumb switch that just forwards all traffic out every port, but now I have the issue of my TV + Xbox not being able to tag their own frames because they need to connect into this device as well (because they need to be on the same LAN as the WiFi for casting etc.).

                  With regular networking gear (Cisco, Juniper, Ubiquiti, etc.) this is extremely easy and I do it daily. I'd rather not go back to Ubiquiti hardware but I guess if that's my last resort...

                    johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

                    @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                    I would love to.

                    You want to run multiple Layer 3 on the same Layer 2?? Really - that is a horrible idea.. But if you really want to, all you need to do is set up a VIP on the interface in whatever other IP range you want to run on that same Layer 2. You won't be able to do DHCP for this other L3 but they would be on the same L2..

                    Not sure where you're doing it.. It's not good practice..

                    Hosting multiple L3 on the same L2 is never a good idea - while it is sometimes necessary in the process of migrating to different IP space..

                      stephenw10 Netgate Administrator

                      Do you want to filter traffic between the WIFI and wired parts of the network while still having them on the same subnet?

                      That's about the only time using a bridge is justified.

                      But you can do it with pfSense even if you don't need to filter and would probably be better using a switch. 😉

                      Just create a bridge and add the interfaces you want in the same subnet to it.
                      https://docs.netgate.com/pfsense/en/latest/bridges/index.html

                      A long time ago we did a hangout that covered it. Still applies to current pfSense:
                      Youtube Video

                        stephenw10 Netgate Administrator

                        @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                        https://imgur.com/a/2fACUj1

                        Ok having reviewed that diagram (and got distracted on imgur) are you just trying to make those VLANs available on several ports but share the same subnet?

                          johnpoz LAYER 8 Global Moderator @stephenw10

                          @stephenw10 said in Having an issue configuring vlans, looking for some help.:

                          https://imgur.com/a/2fACUj1

                          Why not get some cheap VLAN switch, like a 5 porter for like 30 bucks or something.. put it between your MoCA and pfSense.. Now you can have your AP plugged into that for VLAN 10 and 100, and then that other device only on VLAN 10..

                            thisiswhatimherefor @johnpoz

                            @johnpoz

                            "Good practice" generally means: we recommend this way because if you do it another way you may lose something (functionality, security, etc.). They aren't "hard" rules.

                            If it was a limitation of the platform, that's fine. I'm OK with that. But to say hosting multiple L3 on the same L2 is not a good idea... is basically saying all L3 switches aren't a good idea, which is not true in the least.

                            For ANYONE in the future (and there are a lot of you through my googling....) I got it to work using the following methodology (VLANs below were just testing and not representative of my end state):

                            1. Create VLANs for each interface you want in the bridge

                            igc0 (lan 1) -> VLAN_IGC0_200
                            igc1 (lan 2) -> VLAN_IGC1_200
                            igc4 (unused port) -> VLAN_IGC4_200

                            2. Go to interface assignments and add your VLANs. After they're added, go into each one, enable it and give it a good description (the GUI doesn't like the '.' char in descriptions).

                            igc0 -> enable interface -> INTERFACE_igc0.200
                            igc1 -> enable interface -> INTERFACE_igc1.200
                            igc4 -> enable interface -> INTERFACE_igc4.200

                            3. Go to Bridges, add a bridge and include all your interfaces

                            Member interfaces -> INTERFACE_igc0.200,INTERFACE_igc1.200,INTERFACE_igc4.200
                            description -> BRIDGE_VLAN200

                            4. Go back to interface assignments and add BRIDGE_VLAN200, then enable it, then give it an IP address

                            enable -> description INTERFACE_BRIDGE200 -> ip address 10.10.200.1/24

                            5. Go to firewall rules, INTERFACE_BRIDGE200, add rules (I'm doing permit any any for testing)

                            Because my use case requires multiple VLANs I went ahead and ADDED VLAN 110 the same exact way with the same exact ports.

                            • So now my pfSense device is hosting 10.10.200.1/24 on VLAN 200 and 10.10.110.1/24 on VLAN 110
                            • I've IP'd my laptop with 10.10.200.2/24 and 10.10.110.2/24
                            • In Windows I opened 2 command prompts with ping -t 10.10.200.1 and ping -t 10.10.110.1
                            • I open network adapter configuration and I can toggle between VLAN 110 and 200 successfully
                            • I can swap physical ports and still ping

                            This will allow me to 100% replicate my setup.

                            The only downside I see to this is the UI is going to get cluttered with ~6 VLANs, and I think I need to change my names a bit more to be more intuitive, but this WORKS.

                            Do you know if there is a way to "remove" items from the GUI? Like these extra interfaces. I'll never create rules for the child interfaces so they don't serve a purpose.

                            Once I convert everything over I'll do some speed tests.

                              stephenw10 Netgate Administrator @thisiswhatimherefor

                              @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                              Do you know if there is a way to "remove" items from the gui?

                              Not from things like the firewall rules. They are interfaces, you could add rules to them.

                              One important thing to note is how the firewall rules are applied to a bridge:
                              https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html

                              So it filters on the bridge member interfaces by default. You would need pass rules on each member interface in the bridge.

                              If you switch the sysctls referenced there you can put filtering only on the assigned bridge interface. Then you only need pass rules on the bridge and rules there apply to traffic from all member interfaces.

                              Steve

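The bridge-of-VLANs setup posted above and Steve's point about where bridge filtering happens, as an added model (not pfSense or Netgate code, not from either poster). It assumes the two FreeBSD bridge sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, and that pfSense defaults to filtering on members only, as the thread states; the BRIDGE200/BRIDGE110 plan is constructed sample data mirroring the post.

```python
"""Where pfSense applies firewall rules for a bridge of VLAN sub-interfaces.
Added illustration, not pfSense or Netgate code.  Assumes the FreeBSD sysctls
net.link.bridge.pfil_member (filter on each member) and net.link.bridge.pfil_bridge
(filter on the bridge itself); per the thread pfSense defaults to member=1, bridge=0."""
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass
class Bridge:
    name: str           # assigned bridge interface, e.g. INTERFACE_BRIDGE200
    members: list[str]  # VLAN sub-interfaces in parent.tag form, e.g. igc0.200
    address: str        # address/prefix given to the bridge, e.g. 10.10.200.1/24


def member_tags(bridge: Bridge) -> set[int]:
    """VLAN tags carried by the members (parent.tag naming, as in the thread)."""
    return {int(m.rsplit(".", 1)[1]) for m in bridge.members if "." in m}


def rule_interfaces(bridge: Bridge, pfil_member: int = 1, pfil_bridge: int = 0) -> set[str]:
    """Interfaces that must carry pass rules for traffic to cross the bridge.

    member=1, bridge=0 (default): each member filters on its own, so a rule on
    the bridge alone passes nothing.  member=0, bridge=1: one rule set on the
    bridge governs every member.  Both clear: the bridge is unfiltered (empty)."""
    needed: set[str] = set()
    if pfil_member:
        needed.update(bridge.members)
    if pfil_bridge:
        needed.add(bridge.name)
    return needed


def check_plan(bridges: list[Bridge]) -> list[str]:
    """Sanity checks over the whole plan; returns the problems found."""
    problems: list[str] = []
    for b in bridges:
        tags = member_tags(b)
        if len(tags) != 1:  # mixing tags would merge two VLANs into one L2 domain
            problems.append(f"{b.name}: members span VLAN tags {sorted(tags)}")
    for i, a in enumerate(bridges):
        for b in bridges[i + 1:]:
            if IPv4Interface(a.address).network.overlaps(IPv4Interface(b.address).network):
                problems.append(f"{a.name}/{b.name}: subnets overlap")
            shared = sorted(set(a.members) & set(b.members))
            if shared:
                problems.append(f"{a.name}/{b.name}: {shared} placed in two bridges")
    return problems


# The thread's test setup (VLANs 200 and 110 on igc0, igc1, igc4), constructed sample data.
PLAN = [
    Bridge("INTERFACE_BRIDGE200", ["igc0.200", "igc1.200", "igc4.200"], "10.10.200.1/24"),
    Bridge("INTERFACE_BRIDGE110", ["igc0.110", "igc1.110", "igc4.110"], "10.10.110.1/24"),
]

if __name__ == "__main__":
    print(check_plan(PLAN), sorted(rule_interfaces(PLAN[0])))
```

With the defaults, `rule_interfaces(PLAN[0])` lists the three igc*.200 members, which is why a permit rule placed only on INTERFACE_BRIDGE200 passes nothing until the sysctls are flipped.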
                                thisiswhatimherefor @stephenw10

                                @stephenw10

                                Thanks for the info on the bridge FW rules. As I was planning the migration I realized that I'm still kind of borked because of the basement unmanaged switch. TV/Xbox can't be configured with VLAN tagging directly and pfSense can't do a PVID if I'm reading it correctly, especially in my weird bridge situation. So I'll have to put those on their own VLAN and figure out how to Chromecast between VLANs.

                                  stephenw10 Netgate Administrator

                                  If you have a spare port you can bridge that to the VLAN to get that device onto it. But otherwise you'd need a VLAN capable switch somewhere, yes.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.