Virtual IP Setup for multiple subnets on one Interface
-
I am attempting to put an Untangle device between pfSense and our Layer 3 HP Switch. I have multiple VLANs that are controlled by the switch.
As you know, Untangle drops all VLAN tags, so I cannot simply add VLANs to pfSense and have them pass through to the switch on a tagged port. I have one port from the pfSense device going to Untangle, then one port from Untangle going to our Layer 3 Switch.
Here is the setup:
pfSense: 10.10.19.1/24 with DHCP
Virtual IP Address Alias on the same interface: 10.10.20.1/24
Virtual IP Address Alias on the same interface: 10.10.30.1/24
Untangle: 10.10.19.2/24
Added ARP Route: 10.10.20.3 to MAC Address of Switch
Added ARP Route: 10.10.30.3 to MAC Address of Switch
Added Static Route: 10.10.20.0/24 to route to 10.10.19.3
Added Static Route: 10.10.30.0/24 to route to 10.10.19.3
Switch - HP ProCurve 2910al (Layer 3)
VLAN 19: 10.10.19.3
VLAN 20: 10.10.20.3
VLAN 30: 10.10.30.3
IP Routing Enabled
IP Route 0.0.0.0/0 10.10.19.1
I have enabled IP Routing on the switch so that each VLAN is routed back to the pfSense over VLAN 19.
The Good:
Untangle is able to access the internet completely (but it is on the 10.10.19.x subnet)
I can ping from 10.10.20.x to 10.10.19.3 (Switch-VLAN-19)
I can ping from 10.10.20.x to 10.10.19.2 (Untangle)
So my Layer 3 routing seems to be working correctly.
The Bad:
I cannot ping from 10.10.20.x to 10.10.19.1 (pfSense)
I cannot ping from 10.10.20.x to external address (web)
I believe this comes down to a Firewall rule or NAT rule but I am stuck. Any help is appreciated.
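Added example (not from the post): a small Python model of the pfSense side of the setup above, to check where an echo request from a 10.10.20.x host would be stopped, in the filter or in the return route. It assumes pfSense's default LAN rule, which passes only source "LAN net" (the 10.10.19.0/24 interface subnet); the actual rules were not shown in the post.

```python
import ipaddress

# Constructed model of the pfSense routing table (example only, not from the post):
# (prefix, next hop); None means directly connected on the LAN interface.
ROUTES = [
    ("10.10.19.0/24", None),          # LAN interface, also carries the 10.10.20.1 / 10.10.30.1 aliases
    ("10.10.20.0/24", "10.10.19.3"),  # static route to the switch's VLAN 19 address
    ("10.10.30.0/24", "10.10.19.3"),
    ("0.0.0.0/0", "WAN"),             # default route; "WAN" is a placeholder label
]

def next_hop(dst):
    """Longest-prefix match over ROUTES; returns the next hop, or 'connected' for on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best[1] is not None else "connected"

def lan_filter(src, rules):
    """First-match evaluation of LAN rules given as (action, source prefix); default deny."""
    src = ipaddress.ip_address(src)
    for action, prefix in rules:
        if src in ipaddress.ip_network(prefix):
            return action
    return "block"

# Assumed pfSense default: the LAN rule passes only source "LAN net" (interface subnet).
DEFAULT_RULES = [("pass", "10.10.19.0/24")]
# Narrow extra pass rules for just the alias subnets, rather than widening source to "any".
ALIAS_RULES = DEFAULT_RULES + [("pass", "10.10.20.0/24"), ("pass", "10.10.30.0/24")]

def diagnose(src, dst, rules):
    """For a packet arriving on LAN: (filter verdict, forward next hop, reply next hop)."""
    return lan_filter(src, rules), next_hop(dst), next_hop(src)

if __name__ == "__main__":
    # 203.0.113.10 is a constructed external address (TEST-NET-3).
    for host in ("10.10.19.50", "10.10.20.50"):
        print(host, "-> 10.10.19.1   ", diagnose(host, "10.10.19.1", DEFAULT_RULES))
        print(host, "-> 203.0.113.10", diagnose(host, "203.0.113.10", DEFAULT_RULES))
    print("10.10.20.50 with alias rules:", diagnose("10.10.20.50", "203.0.113.10", ALIAS_RULES))
```

With the default rule only, the 10.10.20.x source is blocked even though a reply route via 10.10.19.3 exists; with the alias-subnet rules it passes while 10.10.40.x stays blocked.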
-
It looks confusing to me.
Try this setup:
switch port1 untagle tag vlans 100,119,120,130
switch port2 pfsense tag vlans 119,120,130
On Untangle, bridge the networks in vlans 100 and 119, so everyone on vlan 100 that needs access to vlan 119 must go via Untangle.
On pfSense, configure vlans to fit each network (10.10.19.1/24 10.10.20.1/24 10.10.30.1/24) on its own interface.
It may be easier to route, and you could set up vlans to pfSense without losing the Untangle bridge.
-
Sorry Marcelloc, I am not understanding what you mean.
switch port1 untagle tag vlans 100,119,120,130
switch port2 pfsense tag vlans 119,120,130
Perhaps we can stick with 19, 20, & 30 to keep things clear. Are you saying don't place Untangle between pfSense and the switch but rather connect both Untangle and pfSense to the switch?
It may be easier to route, and you could set up vlans to pfSense without losing the Untangle bridge.
Would this only use Untangle to filter traffic on VLAN 100?
On pfSense, configure vlans to fit each network (10.10.19.1/24 10.10.20.1/24 10.10.30.1/24) on its own interface.
I have successfully used one interface with multiple VLANs and DHCP from pfSense to the switch. This works very well. The client would also like to use Untangle, but it seems it may not be worth the trouble.
-
Perhaps we can stick with 19, 20, & 30 to keep things clear. Are you saying don't place Untangle between pfSense and the switch but rather connect both Untangle and pfSense to the switch?
Yes, tag the vlans users must see on Untangle, and tag the vlans pfSense and Untangle use on your bridge setup.
On pfSense, configure vlans to fit each network (10.10.19.1/24 10.10.20.1/24 10.10.30.1/24) on its own interface.
I have successfully used one interface with multiple VLANs and DHCP from pfSense to the switch. This works very well. The client would also like to use Untangle, but it seems it may not be worth the trouble.
Do you want to use Untangle between all vlans or just for WAN?
Can you draw this setup for a better understanding?
-
Do you want to use Untangle between all vlans or just for WAN?
Can you draw this setup for a better understanding?
I would like to use Untangle for all VLANs when they access external addresses. So internal traffic doesn't need to use Untangle, but I would like all traffic from All VLANs to go out through Untangle and then the WAN of pfSense.
Here is my picture: https://docs.google.com/a/fumcwired.com/drawings/d/1Y5QJwNvJjNwoA4GwgDuUDmpx11qcZkckQXluSB0_YxM/edit?hl=en_US
Quote from: dmitche on Today at 10:24:18 am
Yes, tag the vlans users must see on Untangle, and tag the vlans pfSense and Untangle use on your bridge setup.
Untangle drops all VLAN tags when it rebuilds the packet, so I cannot pass any tags to/through it :(
Thanks for your help.
-
Untangle drops all VLAN tags when it rebuilds the packet, so I cannot pass any tags to/through it :(
Create three new vlans and apply them on the pfSense and Untangle ports.
then you can setup this:
workstation ----- vlan19 ------ untangle bridge ----- vlan119 pfsense
workstation ----- vlan20 ------ untangle bridge ----- vlan120 pfsense
workstation ----- vlan30 ------ untangle bridge ----- vlan130 pfsense
assign 10.10.30.1/24 on vlan 130 at pfsense
assign 10.10.20.1/24 on vlan 120 at pfsense
assign 10.10.19.1/24 on vlan 119 at pfsense