Changing from LAN to VLAN
-
Hi Everyone,
I've configured VLANs for testing in my lab and that is working properly [devices on the various VLANs can see each other], but I'm now trying to get my home production network setup for using VLANs and simply just moving the default gateway IP address from the LAN [non-tagged?] gateway interface to OPT1 [vlan 10] gateway interface isn't working.
As soon as I make the change, the systems on the existing network [192.168.10.0/24] are no longer able to ping the gateway [192.168.10.1] and no traffic gets out to the internet. As soon as I put the gateway IP back on the LAN interface, everything is working again.
The network equipment involved is all Ubiquiti stuff with a Unifi controller running on a Ubuntu VM controlling the switches.
The IP addresses are being assigned through a Kea server on another Linux box on the network.
The VLAN tag IDs are configured in the Unifi controller. I spent way too much time realizing that a new VLAN I added wasn't working because the VLAN tag wasn't replicated to the Unifi controller.
In my case, all of the VLAN tags from both my lab and my home production environment are configured in the Unifi controller. Firewall rules are setup and pretty wide open and not blocking anything at the moment, but I hope to change that in the future.
Any advice on what I should be looking for or have misconfigured to troubleshoot this?
-
@uquevedo said in Changing from LAN to VLAN:
and simply just moving the default gateway IP address from the LAN [non-tagged?] gateway interface to OPT1 [vlan 10] gateway interface isn't working.
Why do you think this is how to do that? Sounds to me you have no actual clue.
[devices on the various VLANs can see each other]
OK, but why do you use a firewall in the first place?
-
@uquevedo hey there
I assume you want this:
one LAN that carries your various VLANs. So: configure, let's say, your LAN port (pfSense) to carry those VLANs.
Default VLAN 1 is usually untagged between VLAN-capable devices (switch, router, APs) but carrying the (tagged!) VLANs.
Those switch ports serving as access ports (clients) must then have a VLAN ID; VLANs are usually UNtagged here.

pfsense -------- vlan 1 untagged, other vlans tagged ------ switch
switch ........ vlan 10 tagged on port 1, set up VLAN ID 10 here
switch ........ vlan 20 tagged on port 2, set up VLAN ID 20 here .... and so on
switch ........ vlan 1 untagged, rest tagged on i.e. port 10 (uplink to pfsense)
switch ........ vlan 1 untagged, rest tagged on i.e. port 9 (uplink to other switch / AP)

Each VLAN gets its own /24 network with IPs. Make sure that you have your rules working according to your needs between VLANs, LAN and WAN.
:)
-
@the-other said in Changing from LAN to VLAN:
one LAN that carries your various vlans
Yes, that is what I want to do.
I didn't think I'd need to do anything with the LAN interface, since on my test pfSense firewall the LAN interface has an IP address that isn't in the same network scheme as the other interfaces/VLANs I have configured and isn't even physically joined to the network:
The WAN interface is plugged into the same switch as the production network, but the pfsense isolates it from the rest of the network. The VLAN ids are configured on the Unifi controller and I have the switch ports configured for those VLANs.
If I'm understanding you correctly, and now come to think of it, all of the ports that I configured on the switches for the other VLANs for my test environment are set at the port on the switch or on the virtual switch for a VM.
If this is the case, then I need to set all of my ports to be the VLAN ID I want them to be on?
My main goal is to be able to have a few VLANs in production to isolate my IoT devices from my user systems and gain more knowledge on how this all works along the way.
Here are my interfaces on my production pfsense box for reference:
I naively thought that this would just "work" since it seemed pretty straight forward in my test environment.
Any other thoughts or advice would be greatly appreciated!
-
@uquevedo said in Changing from LAN to VLAN:
If this is the case, then I need to set all of my ports to be the VLAN ID I want them to be on?
That is a start for sure.
-
@uquevedo hey there,
first screenshot:
you put your vlans on em2 but do not seem to have a configured em2 interface...?
-
@the-other said in Changing from LAN to VLAN:
@uquevedo hey there,
first screenshot:
you put your vlans on em2 but do not seem to have a configured em2 interface...?
Yes, and it works, which is contrary to everything I've seen, but it might be how I have my test environment configured, being behind another pfSense.
So it sounds like I need to at least configure the LAN interface with an IP address?
Right now LAN = 192.168.10.1, which is what I want to be VLAN10.
It looks like afterwards I’ll need to configure LAN with a different network and then I configure the VLAN10 [192.168.10.1 for user systems] and VLAN20 [192.168.20.1 for IoT…eventually], and then configure the ports on my switch to mostly be VLAN10 except for the UniFi APs that are vlan aware and put the vlan tags on that interface that I want to access through the AP?
Sorry for my confusion, it was working in a weird way in my test environment which is why I thought I could just change interfaces and things would “just work”. I know better now.
Any other suggestions would be appreciated!
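The tagging behaviour in @the-other's port layout earlier in the thread (VLAN 1 untagged on the uplink, other VLANs tagged, access ports assigned a VLAN ID) and the plan in the post just above (access ports set to VLAN 10, a trunk to the VLAN-aware APs, gateway IPs on the VLAN interfaces), as an added worked example that is not from either poster: a small Python model of 802.1Q tagging between a host, a switch and pfSense. The frames, MAC addresses and the switch port table are constructed, and the interface names em1 (untagged parent, LAN) and em1.10 / em1.20 (VLAN 10 / VLAN 20 child interfaces) are assumptions, not the poster's actual interfaces. It shows why moving 192.168.10.1 onto the VLAN 10 interface while the switch ports stayed on untagged VLAN 1 made the gateway unreachable: the hosts' untagged frames arrive on the parent interface, where that IP no longer lives.

```python
"""Model of 802.1Q tagging between a host, a switch and pfSense.

Added example, not configuration from the thread. Frames, MACs and the port
table are constructed; interface names em1 (LAN, untagged parent) and
em1.10 / em1.20 (VLAN 10 / 20 child interfaces) are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

HOST_MAC = bytes.fromhex("0200000000aa")   # constructed
GW_MAC = bytes.fromhex("0200000000ff")     # constructed


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None  # None = no 802.1Q tag on the wire


def encode(f: Frame) -> bytes:
    """Serialize; insert the 4-byte 802.1Q tag (TPID + TCI) when vid is set."""
    hdr = f.dst + f.src
    if f.vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, f.vid & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", f.ethertype) + f.payload


def decode(raw: bytes) -> Frame:
    """Parse; if the ethertype slot holds 0x8100, the next 2 bytes are the TCI."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if ethertype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack("!H", raw[14:16])
        vid = tci & 0x0FFF                     # low 12 bits are the VLAN ID
        (ethertype,) = struct.unpack("!H", raw[16:18])
        off = 18
    return Frame(raw[:6], raw[6:12], ethertype, raw[off:], vid)


@dataclass(frozen=True)
class Port:
    pvid: int            # VLAN assigned to untagged ingress; sent untagged on egress
    tagged: frozenset    # VLANs carried tagged (empty set = plain access port)


def ingress(port: Port, raw: bytes) -> Optional[tuple[int, Frame]]:
    """Classify an arriving frame into a VLAN, or None if the switch drops it."""
    f = decode(raw)
    if f.vid is None:
        return port.pvid, f          # untagged frames belong to the port's PVID
    if f.vid == port.pvid or f.vid in port.tagged:
        return f.vid, f
    return None                      # tagged with a VLAN this port does not carry


def egress(port: Port, vlan: int, f: Frame) -> Optional[bytes]:
    """Re-serialize for the outgoing port: untagged for the PVID, tagged for trunk VLANs."""
    body = (f.dst, f.src, f.ethertype, f.payload)
    if vlan == port.pvid:
        return encode(Frame(*body, None))
    if vlan in port.tagged:
        return encode(Frame(*body, vlan))
    return None                      # port is not a member of this VLAN


def pfsense_interface(raw: bytes) -> str:
    """Interface the frame lands on: the parent for untagged, em1.<vid> for tagged."""
    f = decode(raw)
    return "em1" if f.vid is None else f"em1.{f.vid}"


def deliver(host_port: Port, uplink: Port, raw: bytes) -> Optional[str]:
    """Host -> switch port -> trunk uplink -> pfSense. Returns the landing interface."""
    classified = ingress(host_port, raw)
    if classified is None:
        return None
    vlan, f = classified
    out = egress(uplink, vlan, f)
    return None if out is None else pfsense_interface(out)


def gateway_reachable(landing: Optional[str], gateway_iface: str) -> bool:
    """The gateway answers only if the frame arrives on the interface holding its IP."""
    return landing == gateway_iface


# Constructed frames: a PC's untagged frame and an AP's frame tagged for the IoT VLAN.
HOST_FRAME = encode(Frame(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, b"ping 192.168.10.1"))
AP_IOT_FRAME = encode(Frame(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, b"ping 192.168.20.1", vid=20))

UPLINK = Port(pvid=1, tagged=frozenset({10, 20}))     # switch port to pfSense
ACCESS_VLAN1 = Port(pvid=1, tagged=frozenset())       # default: untagged VLAN 1
ACCESS_VLAN10 = Port(pvid=10, tagged=frozenset())     # port re-assigned to VLAN 10
AP_TRUNK = Port(pvid=1, tagged=frozenset({10, 20}))   # port to a VLAN-aware AP

if __name__ == "__main__":
    # Gateway IP moved from LAN (em1) to OPT1 (em1.10), switch ports left on VLAN 1:
    print(deliver(ACCESS_VLAN1, UPLINK, HOST_FRAME))   # em1 (192.168.10.1 on em1.10 never sees it)
    # Access ports re-assigned to VLAN 10:
    print(deliver(ACCESS_VLAN10, UPLINK, HOST_FRAME))  # em1.10
    # IoT SSID tagged 20 over the AP's trunk port:
    print(deliver(AP_TRUNK, UPLINK, AP_IOT_FRAME))     # em1.20
```

Run with `python3`; the three scenarios print the interface each frame lands on. The first is the failure in the opening post: the frame is untagged end to end, so it reaches em1, and a gateway address that has been moved to em1.10 cannot answer it. A frame tagged with a VLAN the ingress port does not carry is dropped (`deliver` returns None), which is also what happens when a tag is missing on the switch side.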
-
@uquevedo said in Changing from LAN to VLAN:
So it sounds like I need to at least configure the LAN interface with an IP address.
Not really. But I hope you get it working this year.