Set up VLANs
-
In my pfSense box, I've made some new interfaces (VLANs) so that IP management is easier for me and to configure some stuff (e.g. access to the internet, internal sites, …)
LAN (RE0) = 10.0.0.1
PRIVATEWIFI (VLAN 2 on RE0) = 10.1.0.1 (have access to everything)
PUBLICWIFI (VLAN 3 on RE0) = 10.2.0.1 (only internet access)
TRUSTEDWIFI (VLAN 4 on RE0) = 10.3.0.1 (only internet access)
SERVERS (VLAN 10 on RE0) = 10.10.0.1 (for my servers and VPS'es at home)
VOIP (VLAN 11 on RE0) = 10.11.0.1 (ip range for my voip stuff)
DISKS (VLAN 12 on RE0) = 10.12.0.1 (IP range for my LAN disks)
Right now I don't use PRIVATEWIFI, PUBLICWIFI and TRUSTEDWIFI because... my AP hasn't arrived yet. Wireless internet goes via a Linksys WRT54GL with DD-WRT on it (WAN IP = 10.1.0.2, LAN IP = 192.168.100.1 on SSID 01 or 192.168.200.1 on SSID 02)
Now I've set a VoIP ATA on IP 10.11.0.2 and I notice that it hasn't got internet access, nor can I reach it from my LAN interface. I think it will be a firewall problem (first experience with VLANs).
To be sure that my config looks OK, I've put it online at http://krisken.dommel.be/pfsense/config.xml
Would be nice if someone could help me with it :)
Thanks!
-
Would be nice if someone could help me with it :)
It is not recommended that an interface be used for both VLAN and non-VLAN traffic. This has been discussed in these forums recently. Therefore it would be better to add another physical interface and use it only for VLANs.
Now I've set a VoIP ATA on IP 10.11.0.2 and I notice that it hasn't got internet access, nor can I reach it from my LAN interface. I think it will be a firewall problem (first experience with VLANs).
Default pfSense configuration allows LAN to access the internet and blocks other interfaces. Therefore you need to add firewall rules to each of your VLAN interfaces to specify what they are allowed to access, and on LAN to specify what it is allowed to access.
-
Would be nice if someone could help me with it :)
It is not recommended that an interface be used for both VLAN and non-VLAN traffic. This has been discussed in these forums recently. Therefore it would be better to add another physical interface and use it only for VLANs.
I have an Atom D510 (http://nexus404.com/Blog/wp-content/uploads2/2009/12/Atom-D510-D410-CPUs.jpg) as motherboard for my pfSense box. It only has one PCI slot, which is taken by the 4-in-1 LAN card (PCI) where my 2 ISPs are connected.
-
I have an Atom D510 (http://nexus404.com/Blog/wp-content/uploads2/2009/12/Atom-D510-D410-CPUs.jpg) as motherboard for my pfSense box. It only has one PCI slot, which is taken by the 4-in-1 LAN card (PCI) where my 2 ISPs are connected.
You have a 4 port LAN card? And a LAN on motherboard. That seems to leave a spare port for the VLANs.
You have a VLAN capable switch?
If you want or need to specify a gateway in the firewall rules I expect you will also need firewall rules for traffic routed to a "local" network. In particular, if you want to allow traffic from VOIP net to LAN you wouldn't be using BELGACOM as the gateway so you should add a rule to the VOIP interface with destination IP LAN subnet and gateway * .
Firewall rules are processed on input to an interface. Rules are processed top down and processing stops on the first match.
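The ordering rule described above (rules bound to the ingress interface, top down, first match wins, gateway * for local subnets) as an added Python simulation; this is not code from the thread or from pfSense. The two rule sets, the destination addresses and the use of the thread's gateway names BELGACOM and DOMMEL are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    iface: str      # interface the rule belongs to; pfSense matches on the ingress interface
    action: str     # "pass" or "block"
    proto: str      # "any", "tcp" or "udp"
    dst: str        # "any" or a CIDR such as "10.0.0.0/24"
    gateway: str    # "*" = system routing table; a WAN name = policy-route out that ISP
    descr: str = ""


DEFAULT_DENY = Rule("*", "block", "any", "any", "*", "implicit default deny")


def lookup(rules, iface, proto, dst_ip):
    """Top-down, first-match evaluation of the rules bound to one interface."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if r.dst != "any" and ip not in ipaddress.ip_network(r.dst):
            continue
        return r
    return DEFAULT_DENY   # no rule on this interface matched: pfSense drops the packet


LAN_NET, VOIP_NET = "10.0.0.0/24", "10.11.0.0/24"

# Constructed rule set 1: a single "everything via BELGACOM" rule on VOIP.
# LAN-bound packets match it too and get policy-routed out the VDSL line.
NAIVE = [
    Rule("VOIP", "pass", "any", "any", "BELGACOM", "all VoIP traffic out the VDSL line"),
]

# Constructed rule set 2: local-subnet rules with gateway * placed ABOVE the
# policy-routed catch-all, so LAN-bound packets stay on the local routing table.
FIXED = [
    Rule("VOIP", "pass", "any", LAN_NET, "*", "VOIP -> LAN stays local"),
    Rule("VOIP", "pass", "any", "any", "BELGACOM", "everything else via BELGACOM"),
    Rule("LAN", "pass", "tcp", VOIP_NET, "*", "LAN -> ATA web GUI stays local"),
    Rule("LAN", "pass", "any", "any", "DOMMEL", "LAN internet via DOMMEL"),
]

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("fixed", FIXED)):
        r = lookup(rules, "VOIP", "udp", "10.0.0.5")
        print(f"{name}: VOIP->LAN matched '{r.descr}', gateway {r.gateway}")
```

Swapping the two VOIP rules in FIXED reproduces the NAIVE behaviour, which is the first-match point: the local-subnet rule only helps when it sits above the policy-routed one.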
-
It is indeed a 4-port LAN card:
1 port for Belgacom
1 port for Dommel
1 port for a 3rd, yet to come, ISP (paid by my girlfriend's work ;-) - they always use Telenet)
1 port is still free
For the VoIP VLAN, it isn't necessary that my LAN can access that VLAN. But for IP telephony, the Belgacom interface (ISP) must be used. So all VoIP traffic from my ATAs and IP phones must use the Belgacom VDSL line. I thought it was OK like that?
-
For the VoIP VLAN, it isn't necessary that my LAN can access that VLAN.
OK, but you mentioned LAN to VOIP wasn't "working" so I presumed that maybe you wanted at least some traffic from VOIP subnet to LAN subnet.
For the sake of illustrating the general principle, let's assume you want to allow TCP traffic from LAN subnet to VOIP ATA because the ATA has a web GUI for configuration and management. Then you would need to add a firewall rule to the LAN interface to allow traffic to VOIP subnet (or ATA) and with gateway * (this traffic shouldn't go to BELGACOM or DOMMEL).
Why doesn't the ATA have internet access? There are many possible explanations. Is its link to the switch UP? Is the switch correctly configured? Does the ATA get an IP address through DHCP? Where is the DHCP server? Is it correctly configured? Does the pfSense firewall log show the ATA internet access attempt blocked? etc etc.
-
Hi Wallabibob,
First of all, I want to thank you for your help in this case! I hope that it will work soon.
Is its link to the switch UP? Yes, I see the LED blinking
Is the switch correctly configured? It isn't a switch with VLAN support, just a normal switch. The only reason why I want to set it up with VLANs is that IP management is easier for me, and within a few months I want to set up a switch with VLAN support.
Does the ATA get an IP address through DHCP? No, it has a fixed IP ==> 10.11.0.2, subnet 255.255.255.0, gateway 10.11.0.1
Where is the DHCP server? For the VoIP range, there is no DHCP server
Is it correctly configured? There is no DHCP server
Does the pfSense firewall log show the ATA internet access attempt blocked? No
I've set up my laptop on it, with IP 10.11.0.10, and it isn't working either. So I guess that there is a problem (misconfiguration) in the pfSense.
E.g., from my wired LAN (10.0.0.1 = pfSense), I can ping 10.11.0.1 (pfSense on the VoIP VLAN), but I can't ping 10.11.0.2 (ATA).
Kris
-
I just reconfigured the Linksys PAP2T (the VoIP ATA) as DHCP, so it gets a LAN IP (10.0.0.109 in this case) and tadaaa: VoIP does work. When I give it a fixed IP (10.0.0.99), it also works great in both directions. But using IP 10.11.0.2 and gateway 10.11.0.1 gives problems. So I think that I've misconfigured something in pfSense.
-
I can't find an answer to my question asking if you have a VLAN capable switch. If you don't have a VLAN capable switch, then you have to configure your ATA to VLAN tag its interface if you are expecting it to work on VLAN 11. I have no idea if that configuration is possible.
-
I can't find an answer to my question asking if you have a VLAN capable switch. If you don't have a VLAN capable switch, then you have to configure your ATA to VLAN tag its interface if you are expecting it to work on VLAN 11. I have no idea if that configuration is possible.
Like I said in an earlier post:
Is the switch correctly configured? It isn't a switch with VLAN support, just a normal switch. The only reason why I want to set it up with VLANs is that IP management is easier for me, and within a few months I want to set up a switch with VLAN support.
Well … I thought that it was possible the way I did it. So the only solution to make sure that I can create a new IP range for disks, servers, VoIP, ... stuff is to buy a switch with VLAN support, add a new NIC for it (not possible) or set pfSense as 10.0.0.1/8. Bummer :-)