Netgate Discussion Forum
VLAN Setup of pfSense.

HA/CARP/VIPs

dlstrout

Proof of concept - can this be done???

The customer's scenario:

      They have a pfS box with four interfaces (fxp0-3)
      fxp0=WAN (static)
      fxp1=LAN (192.168.1.0/24)
      fxp2=DMZ (10.1.1.0/24)
      fxp3=WLAN (192.168.2.0/24)

Everything works well and very reliably, but I have two new networks (VLAN'd w/ Cisco switches) that need access to the internet and DMZ-based servers through the pfS platform. I cannot add another NIC (or dual NIC) to the pfS box as I am out of PCI slots and there is no other option, hardware-wise, for this platform.

      VLAN setup on customer network:

      VLAN100=management net
      VLAN101=LAN NET (192.168.1.0/24)
      VLAN201=KIOSK NET (192.168.100.0/24)
      VLAN301=LAB NET (192.168.200.0/24)

As of today these VLANs/networks (201 & 301) are segmented/isolated, have their own DHCP servers and have dead-ended default gateway IPs of said DHCP server .. in other words they go nowhere when requesting addresses other than the attached IP space. I do not have the option of changing the address space of these networks as they are managed by different business units and they are adamant that they will not re-IP their networks. The LAN NET VLAN101 is the only one that has exposure to the internet and they use pfS for DHCP, DNS FWD & default gateway.

So here is my thinking … I am thinking that I can present the pfS box with a Cisco trunk that will carry VLANs 101, 201 & 301 and feed it to the fxp1 interface of the pfS box. I can prune and do all that I need to limit the exposure of all VLANs to the pfS box, no problem. But the real question is how to provide default gateway addresses and DHCP service to these three dissimilarly IP'd networks when there is really only one physical NIC. I can see in the interface section where to create the tagging and assign NICs to a tagged VLAN, but I am unclear as to assigning the IP of the dissimilar networks to one NIC; is this the "virtual IP address" section? Assuming it is and I assign VIPs to the fxp1 interface like this (physical=192.168.1.1, VIP1=192.168.100.1, VIP2=192.168.200.1), then how could I provide DHCP and DNS service to all three networks from pfS? The managers want to remove the DHCP servers from each of the two additional networks and rely on pfS for DHCP and resolution to the net and DMZ. [ thereby putting all the management of these nets on me … oh whoopee :-( ]

I may be reaching here and maybe this cannot be done with pfS.

      Suggestions VERY welcomed !!!

Perry

You set up VLANs like any other NIC
        http://pfsense.hotserv.dk/hmm.htm

        /Perry
        doc.pfsense.org

Bredys

I think you create VLANs only… but you must add this VLAN as a new interface (in Interfaces: Assign).
Then you can set the IP for these interfaces, set rules and DHCP... etc.

dlstrout
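The steps Bredys gives (create the VLAN on the parent NIC, assign it as an interface, set its IP, rules and DHCP) as an added plan check, example code written for this thread and not pfSense's own: it models the first post's segments on fxp1 with Python's ipaddress module and reports overlapping subnets, reused tags, and DHCP pools that fall outside their subnet or swallow the gateway. Interface names, tags and subnets are the thread's; the DHCP pool ranges are constructed.

```python
# Added example, not pfSense code: checks a VLAN plan for the conflicts that a
# single trunked NIC makes easy to create. DHCP pool ranges are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Segment:
    name: str                        # interface description in pfSense
    parent: str                      # physical NIC carrying the VLAN (fxp1)
    tag: Optional[int]               # 802.1Q tag; None = untagged on the parent
    gateway: str                     # pfSense address on the segment, CIDR form
    dhcp: Optional[Tuple[str, str]]  # DHCP pool (from, to); None = no DHCP

def check_plan(segments: List[Segment]) -> List[str]:
    """Return problem descriptions; an empty list means the plan is consistent."""
    problems, seen_tags, nets = [], set(), []
    for s in segments:
        if s.tag is not None:
            if not 1 <= s.tag <= 4094:
                problems.append(f"{s.name}: VLAN tag {s.tag} outside 1-4094")
            if (s.parent, s.tag) in seen_tags:
                problems.append(f"{s.name}: tag {s.tag} already used on {s.parent}")
            seen_tags.add((s.parent, s.tag))
        gw = ipaddress.ip_interface(s.gateway)
        net = gw.network
        # Each segment needs its own subnet: two interfaces sharing one prefix
        # leave the firewall with an ambiguous connected route for it.
        for other_name, other_net in nets:
            if net.overlaps(other_net):
                problems.append(f"{s.name}: {net} overlaps {other_name} ({other_net})")
        nets.append((s.name, net))
        if s.dhcp is not None:
            lo, hi = (ipaddress.ip_address(a) for a in s.dhcp)
            if not (lo in net and hi in net and lo <= hi):
                problems.append(f"{s.name}: DHCP pool {s.dhcp} not inside {net}")
            elif lo <= gw.ip <= hi:
                problems.append(f"{s.name}: DHCP pool contains gateway {gw.ip}")
    return problems

# The thread's plan: LAN stays untagged on fxp1, KIOSK (201) and LAB (301)
# arrive tagged on the same NIC. Pool ranges are constructed for the example.
PLAN = [
    Segment("LAN", "fxp1", None, "192.168.1.1/24", ("192.168.1.100", "192.168.1.199")),
    Segment("KIOSK", "fxp1", 201, "192.168.100.1/24", ("192.168.100.100", "192.168.100.199")),
    Segment("LAB", "fxp1", 301, "192.168.200.1/24", ("192.168.200.100", "192.168.200.199")),
]
# VLAN101 carries the same 192.168.1.0/24 as the untagged LAN; assigning both is a duplicate subnet.
BAD_PLAN = PLAN + [Segment("LAN-VLAN101", "fxp1", 101, "192.168.1.1/24", None)]
```

Running check_plan(PLAN) returns an empty list, while check_plan(BAD_PLAN) reports the duplicated 192.168.1.0/24.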

            @Perry:

You set up VLANs like any other NIC
            http://pfsense.hotserv.dk/hmm.htm

VERY, VERY helpful … thanks bunches!! I have it up and running now with little difficulty thanks to this great presentation.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.