Help for vlan configuration

fluca1978

Just in case I miss something, the web configurator of my switch appears as in the attached pictures. Please note that the pfsense machine is connected to the port 4. Now, if my configuration is ok, then I have to try it on another switch.

switch1.png_thumb

switch2.png_thumb

switch3.png_thumb

switch4.png_thumb

GruensFroeschli

Is that correct, that VLAN 4 has no members except the trunk to the pfSense?
How are the PVIDs configured now? (screenshot?)

The screenshots i posted here: http://forum.pfsense.org/index.php/topic,14918.msg78736.html#msg78736
Are for a netgear switch, but you should be able to see the basics out of them and apply to your case.

fluca1978

Thanks for the suggestion, in fact I'm not sure which port must be tagged. The problem is that my switch allows a single untagged vlan on a port, and all the others must be tagged. In you example you have tagged only the pfsense port, while in my switch this is not possible since also the other vlans must be tagged.
So, what I'm going to try is to tag all the ports in all the vlans and see if it works.

jimp

fluca - that is not what you want to do.

You do not want tagging on client ports. You only want a single VLAN for them. And for pfSense, you do NOT want an untagged vlan, only tagged.

So it should be like so:

pfSense port: Tagged 4 and 44
VLAN 4 clients: Untagged 4
VLAN 44 clients: Untagged 44

They do not need untagged access to multiple VLANs, and that is impossible on any managed switch. A port can only have one default VLAN.

fluca1978

No way!
This is what I've done:

created the VLAN 4 and 44 on the switch;
configured the switch port 4 (the one pfsense is connected to) to be Excluded from VLAN1 (default), Tagged 4 and Tagged 44;
configured the port 20 of the switch (the one I'm connected with my laptop) to be Tagged 4 and Excluded from VLAN1 and VLAN44;
created the VLANs on the pfsense box
assigned the LAN interface on the VLAN4;
rebooted the pfsense machine and checked the status of the interfaces (VLAN addresses).

From my laptop I cannot see the pfsense box and the last cannot see any piece of the network (this could be ok since only ports 4 and 20 are tagged for the VLAN4), even my laptop.

Any suggestion?

GruensFroeschli

@fluca1978:

No way!
This is what I've done:

created the VLAN 4 and 44 on the switch;

configured the switch port 4 (the one pfsense is connected to) to be Excluded from VLAN1 (default), Tagged 4 and Tagged 44;

configured the port 20 of the switch (the one I'm connected with my laptop) to be Tagged 4 and Excluded from VLAN1 and VLAN44;

created the VLANs on the pfsense box

assigned the LAN interface on the VLAN4;

rebooted the pfsense machine and checked the status of the interfaces (VLAN addresses).

From my laptop I cannot see the pfsense box and the last cannot see any piece of the network (this could be ok since only ports 4 and 20 are tagged for the VLAN4), even my laptop.

Any suggestion?

Point 3 is wrong.
Port 20 with the laptop connected has to be UNTAGGED.

fluca1978

@GruensFroeschli:

Point 3 is wrong.
Port 20 with the laptop connected has to be UNTAGGED.

Sorry, I've miswritten: port 20 is Untagged (see screenshots).

Now, after a reboot the situation is:
LAN -> nfe0 192.168.4.7 (this is kept up just for let the network working)
VLAN4 -> rl0 192.168.4.6
VLAN44 -> rl0 192.168.44.7

and this is what the pfsense box says:


# ifconfig
rl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8 <vlan_mtu>ether 00:19:cb:54:c9:11
        inet6 fe80::219:cbff:fe54:c911%rl0 prefixlen 64 scopeid 0x1 
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8 <vlan_mtu>ether 00:18:f3:40:38:28
        inet 192.168.4.7 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::218:f3ff:fe40:3828%nfe0 prefixlen 64 scopeid 0x3 
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
vlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:19:cb:54:c9:11
        inet6 fe80::219:cbff:fe54:c911%vlan0 prefixlen 64 scopeid 0x8 
        inet 192.168.4.6 netmask 0xffffff00 broadcast 192.168.4.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 4 parent interface: rl0
vlan1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:19:cb:54:c9:11
        inet6 fe80::219:cbff:fe54:c911%vlan1 prefixlen 64 scopeid 0x9 
        inet 192.168.44.7 netmask 0xffffff00 broadcast 192.168.44.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 44 parent interface: rl0</full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></up,loopback,running,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast>

but if I try to connect from the LAN to the 192.168.4.6 I can't:


# route get 192.168.4.6
   route to: 192.168.4.6
destination: 192.168.4.0
       mask: 255.255.255.0
  interface: nfe0
      flags: <up,done,cloning>recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500      -514 
# ping 192.168.4.6
PING 192.168.4.6 (192.168.4.6): 56 data bytes</up,done,cloning>

and the ping hangs. The firewall logs don't show me any blocked packet on such interface, so the packets are not reaching the interface, and in fact, if I try to ping the machine from the switch I see no packet coming back.
I'm starting being depressed! :-[

switch1.png_thumb

switch2.png_thumb

switch3.png_thumb

GruensFroeschli

You have the same subnet on LAN and VLAN4.
Unless you're bridging them you have to move one of them to a different subnet.

fluca1978

I've changed a subnet so that now interfaces are as follows:


vlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:19:cb:54:c9:11
        inet6 fe80::219:cbff:fe54:c911%vlan0 prefixlen 64 scopeid 0x8 
        inet 192.168.45.6 netmask 0xffffff00 broadcast 192.168.45.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 4 parent interface: rl0
vlan1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:19:cb:54:c9:11
        inet6 fe80::219:cbff:fe54:c911%vlan1 prefixlen 64 scopeid 0x9 
        inet 192.168.44.6 netmask 0xffffff00 broadcast 192.168.44.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 44 parent interface: rl0
nfe0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8 <vlan_mtu>ether 00:18:f3:40:38:28
        inet 192.168.4.7 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::218:f3ff:fe40:3828%nfe0 prefixlen 64 scopeid 0x3 
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active</full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast>

but even with such configuration it is not working (I've rebooted the machine to be sure, the switch configuration is the same as in the previous post). The switch says that the links on port 20 and 4 are active, but nothing more than that.

fluca1978

At last I did it!
I used another switch, with the same configuration, so I tagged on each vlan the port to which the pfsense box is connected, and untagged each port belonging to each vlan, and it works. So I guess it could have been not only a misconfiguration problem, but a switch one.

Thanks a lot for the help.