PFsense and VLAN's

0x3g3n

I am trying to setup PFsense and VLAN's using Cisco AP's and a Cisco switch here at work for a guest network setup. I can get an IP, but I can't do anything else(ping/login to pfsense ect..). I have created the vlan's inside PFsense. We currently have a Nomadix that is dieing and it passes the traffic just fine. Ports are tagged as 802.1Q. The SSID is setup for each Vlan, and we use VLAN1 as a mgmt vlan to access the AP's remotely. Internet comes into re0 and the switch trunkport is plugged into re2. There are more AP's plugged in, just too lazy to type them all in.

Setup:

Internet
  |
  |(re0)
Pfsense(2.0 RC2)
  |(re2)
  |
Cisco 2950(port 1 trunks all vlan's to PFsense)
        |                  |                  |
        |                  |                  |
        |                  |                  |
        (AP1,vlan200)  (AP2,vlan201) (AP3,vlan202)

–--

interface FastEthernet0/1
description To Nomadix Gateway
switchport mode trunk
no ip address
!
interface FastEthernet0/2
description AP 10.59.19.253 lobby
switchport trunk allowed vlan 1,200
switchport mode trunk
no ip address
!
interface FastEthernet0/3
description AP 10.59.19.252 meeting
switchport trunk allowed vlan 1,201
switchport mode trunk
no ip address
!
interface FastEthernet0/4
description AP 10.59.19.251 meeting2
switchport trunk allowed vlan 1,202
switchport mode trunk
no ip address
!

GruensFroeschli

Did you also create firewall rules allowing traffic?
If yes: please show screenshots of your rules.

0x3g3n

I did create rules. I created the vlan's as opt interfaces, and set the rules to allow any to any.

edit: to specify, the vlan's are in the tab they are supposed to be in assign, and I created opt interfaces with the re2_vlan201.

GruensFroeschli

When you say you get an IP:
Do you actually get the IP from the DHCP server configured on the VLAN or do you get it from the DHCP server on the LAN interface?

Is the re2 interface assigned as LAN interface?
You should not mix tagged and untragged traffic on the same physical interface.

I'm not really familiar with the cisco syntax, but it looks like you add vlan1 to all the used ports and allow traffic for this vlan 1.
Is that your intention? Otherwise just simply disable vlan1 and only allow the vlan you're actually using.

0x3g3n

re2 is the LAN interface, with DHCP being handed out from it. I do get an IP from it when connecting from the AP with vlan 201, and when I check PFsense it shows that it handed it to me. All the traffic is tagged with a vlan. With the AP's, we create a non-broadcast ssid with an IP for management purposes.

On the AP

mgmt = vlan1
guest = vlan201

on switch(see the show run above)

GruensFroeschli

You should not use vlan1.

If you're getting an IP from the DHCP server on the LAN interface then traffic is not going to the right vlan.

How i'd do it:
re0: WAN
re2: dont assign it.
vlan99 on re2: LAN
vlan200 on re2: APx (OPT1)
vlan201 on re2: APy (OPT2)
vlan202 on re2: APz (OPT3)
etc.

vlan99 for managment.

Basically stop using VLAN1 and don't use untagged traffic at all.

0x3g3n

Alright, i'll give it a shot. Thanks! :)

0x3g3n

I fixed it all with a simple change…

Made the AP vlan the native vlan(example, vlan200) instead of vlan1.. everything works like a charm now.

Thank you very much for your help :)