Vlan tagging not working (from dlink switch)
-
D'oh.
I missed that part about the same subnet.
In this case you would have to bridge the VLANs on the pfSense (which i personally find kind of ugly).For me it comes back to: "why can't you do the client separation on the switch itself?"
-
I see what your both saying and I will rectify these problems (though I dont think i'm mixing tagged and untagged traffic, all tagged traffic is going down one line to pfsense).
I just wonder if theres more configuration to do on vlans in pfsense. All I can see is the option to assign a vlan to an interface. In terms of setting the vlans IP, how could I do that? I cant even see how I can set firewall rules per vlan?
I'm beginning to wonder if the switch i'm using is just too crap to do anything proper. The way I have to set vlans is by creating the vid and selecting what ports I want to be tagged (going to a vlan capable device), untagged (going to an end user) or not a member. I can have 1 port with multiple tagged vlans (trunk) but I cant have multiple untagged vlans on a port.
So, for example, on the switch, if I set up vlan 2 and assign it the port for client 1 untagged, and then also set the port going to pfsense untagged in the same vlan, it works, and that client can see only pfsense and no other clients off that switch. However, if I then want client 2 in vlan3 to see pfsense I need to get the trunk going. So I set up the pfsense (trunk) port as having vlan 2 and 3 tagged. Though the clients still cant see eachother, neither can see pfsense.
I apologize if my examples are a little lame, but as you've probably noticed, i'm fairly new to this.
Thanks again for the help
-
Might help http://pfsense.comuf.com/mysetup/index.html
-
K i'm being pretty stupid. Just realised I hadnt created additional interfaces and assigned them vlans on fw!
Had a play around with it and sure enough it works like a charm!!!
But… I now have another question:
Is it possible to do inter vlan routing on the firewall? I just need some clients on a vlan to see one client on another. (i bet your getting sick of me now ;)
-
@311w3nt:
Is it possible to do inter vlan routing on the firewall? I just need some clients on a vlan to see one client on another. (i bet your getting sick of me now ;)
Yes, pfSense will do this without any special configuration. You just need to create rules to allow the traffic.
There are additional complications if you want Windows networking etc. to work since broadcast traffic won't cross the firewall.
-
Cool, i think i've got everything how i want it now. Thanks all for your help. Time to put it live! ;D
-
I essentially have the same configuration as 311w3nt. I am still having trouble with the pfSense configuration of my VLANs.
Here is my setup:NICS Interface Addresses Gateways
- rl1 –> LAN --> 192.168.11.0/24 --> 192.168.11.254
- rl1 --> VLAN3 --> 192.168.12.0/24 --> 192.168.12.254
- dc0 --> WAN --> 1.2.3.4 (example address) --> 10.1.2.3
- rl0 --> DMZ --> (not yet configured) --> (not yet configured)
I have a number of hosts on various switches connected to untagged VLAN3 ports. Each switch that has at least one untagged VLAN3 port also has once tagged VLAN3 port to "trunk" it to the next switch in the chain. Eventually, the final switch in the chain connects to the pfSense LAN / VLAN3 port as a tagged VLAN3 port.
Communication between all VLAN3 devices is working fine, but none of them can see the pfSense box at all.
I have attached images showing my VLAN and firewall settings. The firewall is opened up for the moment to make sure it is not the problem, but I wonder if my issue lies in the VLAN3 Interface screen...?Image 1 - Initial VLAN setup and ID
Image 2 - Assigning VLAN3 to LAN interface on "rl1"
Image 3 - VLAN setup screen. (This is where I might be misunderstanding the settings...)
Image 4 - Firewall rule allowing any traffic to enter VLAN3
Image 5 - Firewall rule allowing any traffic out of VLAN3I would be grateful for any assistance you can provide. Thank you.
-
As was stated earlier it is bad idea to have untagged LAN and tagged VLAN3 on the same physical interface. Nevertheless it should work.
What do you mean "none of them can see the pfSense box at all", how do you check? -
Eugene,
Thanks for your reply. I do not have any available PCI slots in the box I am using to add another NIC, otherwise I would use it. My main goal was to make sure I was configuring the VLAN3 interface properly, see "3.jpg". I have been able to ping the pfSense box now after I changed "TCP" to "Any" on the VLAN3 interface in the firewall, but I cannot get out to the Internet.
Any further thoughts?
Thanks again!
-
If you have Internet from firewall itself then check NAT.
-
Ok, I've got it working. It ended up not being a NAT issue after all, it was the way I was setting up my VLAN3 interface.
In the "IP Configuration" section I had entered the pfSense WAN address in the "Gateway" field. As it turns out I needed to leave that field blank to allow traffic in and out.
See the attached image details…
Thanks again for helping me out.
