VLAN IP Address and Device IP Address
-
@steveits I just want to make sure we're talking about the same thing. What I am asking is if I have 3 LAN Interfaces and assign a VLAN to each interface but the IP addresses between the interfaces and VLAN differ -
ex.
LAN 192.168.2.1 | VLAN 192.168.3.1
Do the devices behind the VLAN have to have an IP within the VLAN IP address range? The reason I am confused is because a VLAN (from my understanding) is Layer 2, so the IP address being different should not be an issue since the devices are on the same virtual network. The IP issue would arise on the routing end, but that should be something I can handle with NAT.
Would this be something that PFSense can handle or would I need to look into other hardware/software for that I am trying to achieve?
Any insight is greatly appreciated.
-
@gospodinl said in VLAN IP Address and Device IP Address:
is Layer 2 so the IP address being different should not be an issue
You want to run multiple layer 3 IP ranges on the same layer 2 - this is bad practice. While you are correct that VLANs are at layer 2, and you could have multiple IP ranges on this same layer 2, it has always been a bad idea to do such a thing.
You normally would assign 1 IP range to the layer 2 network you create with a vlan.
So what you're asking sure can be done - you could create a VIP on the pfSense interface with the different IP range you're wanting to use - but I would highly suggest against such a setup.. Just use 1 IP range per VLAN..
Why would you want to do such a thing? Curious - is it for a temp, say, IP range change thing.. If you're just going to run multiple layer 3 on the same layer 2 - might as well just use a dumb switch..
Say you wanted to move from 192.168.1/24 to 192.168.2/24 and you have some devices on this network that are static and you have to manually change them.. In such a scenario then sure, you change your network in pfSense to 192.168.2/24 and create a VIP for your old 192.168.1 address. And now from a machine with a 192.168.1 address you could access the static devices and change them to 192.168.2 addresses - after all done you would normally remove the VIP, etc.
-
@johnpoz We are unable to change the IP address of the units being connected due to programming. It was an option being explored, but the assigned IP is tied into the other devices within, for communication amongst each other on what to do.
Here is a drawing of how I am attempting to set this up. I will try the VIP method and see if that works.
Having the ability to change the IP would have been extremely easy, but unfortunately it's something I have to work around. I appreciate your help.
-
@gospodinl You need a router with NAT to separate the 192.168.1.x networks so the higher level routers don't see those addresses.
I don't particularly see how a VLAN is helping you here? For the 3 VLAN boxes on the diagram just use a router with 192.168.1.x on their LAN networks. Also the first (upper left) LAN box can't also be 192.168.1.x. Maybe make the 3 routers 2/3/4 and use 192.168.1.x on their LANs.
Edit: I am short coffee. My point was, something would need to translate the 192.168.4.x network to 192.168.1.x, which means a router.
-
@gospodinl yeah I am with @SteveITS on this - not sure what VLANs would help here.. My guess is this is the PLC stuff that has been becoming common around here.
Where you can not change the network on the PLCs?? Which is beyond stupid if you ask me... I can see a PLC maker setting a default IP on a common IP range.. But not being able to change it is beyond stupid to be honest.
A cheap simple solution to this issue would be 3 cheap-ass $20 SOHO routers.. So you create 3 networks on pfSense (they could be VLANs if you wanted/needed).
Let's call these networks 192.168.4, .5 and .6.0/24. You put in 3 cheap-ass SOHO routers, turn off their wifi and just let them NAT your same PLC networks to the 3 pfSense networks 192.168.4/5/6.0/24.
Now if these cheap routers did 1:1 NAT that would be best.. I believe if you run DD-WRT or OpenWrt on them you could for sure do that.. Then to get to say PLC network A, you would just go to 192.168.4.x, to get to a PLC on network B you would just go to 192.168.5.x and for PLC network C to 192.168.6.x
-
@johnpoz said in VLAN IP Address and Device IP Address:
not being able to change it is beyond stupid to be honest.
You're not wrong, though I have seen at least one other post on this forum make that claim over the years. ¯\_(ツ)_/¯
-
@johnpoz @SteveITS I agree with the stupid part, it's poor programming on their end and not having access to change it is what is annoying.
I should mention this is on a Router running PFSense with 4 interfaces, one for WAN and the other three for LAN.
Physically the setup will be Router (PFsense) -> Unmanaged Switch -> Device Group. This is the setup over the 3 LAN interfaces.
I wanted to do the VLANs to ensure that the devices would not communicate with each other, as there are 3 groups of them per interface (total of 9 devices on the network). I am not very good with network setups/networking in general and the searching I did online about VLANs is why I wanted to use them. However, if I do not have to use them that's one less thing to worry about.
Edit: manufacturer of the PLC allows for network setup/changes. However, the programmers are able to lock access which is what prevents me from changing it and access to their logic. With the way things are going I believe you may have more individuals coming here with similar issues as this.
-
@steveits yeah this topic has come up a few times I believe of late.
It's been like 15 years since I worked in a production plant and had any network to do with PLCs.. And I do recall them being on a 192.168.1 network.. But these PLCs were always isolated to the production line they were being used on, and we never had to network them to the wider network.. It was just a local network the equipment and PLCs were on, isolated from the larger network.. So duplicated IPs on different production lines were not an issue.
So I don't ever recall being asked or tasked with changing the IPs on the PLCs -- but it just seems asinine for a company that makes a device that can have an IP not to be able to change it if needed.. Not saying it has to be stupid user friendly, maybe you have to upload a new config via tftp or something.. But it should be able to be done for gosh sakes..
Now I do recall like the PC used to manage the line being multi-homed where it had a leg in the company network, and then another interface it used to talk to the plcs, etc.
-
@gospodinl I think the VLAN will make it overcomplicated.
On pfSense the default on LAN is two rules to allow from LAN to any (IPv4 and 6). On all other interfaces there are no default rules, so "deny all."
On each of your 3 interfaces you can create rules like:
allow from LAN3 to This Firewall port 53 TCP+UDP (for DNS)
reject from LAN3 to This Firewall (blocks logins to pfSense*)
reject from LAN3 to LAN2
reject from LAN3 to LAN
allow from LAN3 to any (allows to Internet)
LAN3 then would be your 192.168.6.x, and its router use 192.168.6.2 for its WAN and 192.168.1.x on its LAN.
* you would want access on one network and/or the pfSense WAN of course.
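As an added illustration (not code from the post), here is a small first-match evaluator of those five LAN3 rules, applied the way pfSense applies per-interface rules (first matching rule wins, interface default is deny). It assumes pfSense's own LAN3 address is 192.168.6.1 and the three LANs are 192.168.4/5/6.0/24 as used in the thread, and shows why the DNS allow has to sit above the reject to This Firewall.

```python
import ipaddress

# Constructed assumptions: pfSense's LAN3 address and the three LAN subnets.
FIREWALL_ADDRS = {"192.168.6.1"}
NETS = {
    "LAN":  ipaddress.ip_network("192.168.4.0/24"),
    "LAN2": ipaddress.ip_network("192.168.5.0/24"),
    "LAN3": ipaddress.ip_network("192.168.6.0/24"),
}

def matches_dst(dst, target):
    """Does destination address dst fall under the rule's destination target?"""
    if target == "any":
        return True
    if target == "This Firewall":
        return dst in FIREWALL_ADDRS
    return ipaddress.ip_address(dst) in NETS[target]

# (action, destination target, allowed protocols or None, destination port or None)
# Source is implicitly LAN3: interface rules only see traffic entering LAN3.
LAN3_RULES = [
    ("allow",  "This Firewall", {"tcp", "udp"}, 53),   # DNS to pfSense
    ("reject", "This Firewall", None, None),           # no other access to pfSense
    ("reject", "LAN2", None, None),                    # no cross-talk to LAN2
    ("reject", "LAN", None, None),                     # no cross-talk to LAN
    ("allow",  "any", None, None),                     # everything else (Internet)
]

def evaluate(rules, dst, proto, port):
    """Return the action of the first rule matching the packet, or the
    interface default 'deny' when nothing matches."""
    for action, target, protos, dport in rules:
        if protos is not None and proto not in protos:
            continue
        if dport is not None and port != dport:
            continue
        if matches_dst(dst, target):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets from the 192.168.6.2 SOHO router WAN side.
    for pkt in [("192.168.6.1", "udp", 53), ("192.168.6.1", "tcp", 443),
                ("192.168.5.10", "tcp", 502), ("192.168.4.10", "tcp", 502),
                ("203.0.113.7", "tcp", 443)]:
        print(pkt, "->", evaluate(LAN3_RULES, *pkt))
```

Swapping the first two rules makes DNS to the firewall hit the reject first, which is the ordering mistake the evaluator makes visible.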
-
Hello,
I have successfully done that. Multiple PLCs with the same address, static NAT.
I used a couple of Stratix 5700 switches (which are themselves Cisco routers); one does NAT, the other routing.
I just want to know if there is a cheaper alternative, those switches don't come cheap.
AICV