Netgate Discussion Forum

    Basic First VLAN

      A Former User

      Hi,

      Have gotten pfSense up and running, and been through the webConfigurator, no problems.  I need some help understanding how to get my first VLAN working.

      Setup:

      pfSense Box
      em0 = WAN: Configured for DHCP but not plugged in yet.
      em1 = LAN: 192.168.1.1/24 --> Switch
      VLAN ID 400 (on em1)
      VLAN: 192.168.2.1/24

      Switch = NetGear GS108T
      LAN: 192.168.1.231/24 (can access switch's web admin on this address)
      Port 1 --> pfSense Box
      Port 8 --> Netbook
      Default Management VLAN = 1 (untagged on all ports)
      VLAN ID 400
      Memberships:
      Port 1 = Untagged
      Port 8 = Tagged

      Netbook = Ubuntu 14.04
      LAN: 192.168.1.101/24
      Gateway: 192.168.1.1

      So far, I can access the webconfigurator on 192.168.1.1 just fine.  When I change the netbook LAN to 192.168.2.101/24 with gateway 192.168.2.1, I try to access pfSense on 192.168.2.1, but get no response (timeout).

      I have added a Pass all rule onto the VLAN adapter on pfSense to prevent the firewall blocking traffic on the VLAN (source * to destination * any protocol).

      I know the switch is functional, but I don't know if I've configured the port memberships right.  If I understand correctly, Port 1 has to be marked as a member for traffic to be allowed at all, but since it handles traffic for both the LAN and the VLAN, it has to be untagged to prevent traffic from being marked as belonging to the VLAN when it may be LAN traffic.  By setting Port 8 as tagged, traffic from my netbook should always be for VLAN 400?  Yet I could use 192.168.1.1 through this port.

      I'm also concerned that I haven't specified any overrides for the MAC addresses, so I assume the adapter defaults are still in use.  I read somewhere this can cause confusion, but I don't know if this applies to VLAN routing.  Should I be specifying unique MAC addresses for each listener?  Is there any recommended pattern to generating MACs?

      Any help is appreciated,
      Rob.

        phil.davis

        VLAN ID 400
        Memberships:
        Port 1 = Untagged
        Port 8 = Tagged
        

        I think you need to swap this to:

        VLAN ID 400
        Memberships:
        Port 1 = Tagged
        Port 8 = Untagged
        

        The client on port 8 has no built-in VLAN functionality. When it sends an ethernet frame the VLAN switch needs to read the ordinary frame (untagged) and then know that port 8 is part of VLAN 400 and spit the packet out any other ports in VLAN 400. On port 1 it needs to put a VLAN 400 tag and pfSense can recognise that and deal with the packet in the VLAN 400 interface.

        The first scenario works now because it is just using VLAN 1 and that is still broadcasting untagged between all ports, thus acting like a dumb switch. In the end you are also better to use some other VLAN Id for the first subnet, and tag it into pfSense. Using the default management VLAN 1 for real traffic is usually a hassle.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
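The explanation above (untagged ingress is classified by the port, tagged egress carries the VID to pfSense) is easy to get backwards, as the original post did. The following is an added illustration written for this page, not code from the thread, Netgate or the GS108T firmware: a toy 802.1Q switch model that replays the netbook's untagged frame through both membership tables. Port numbers match the thread; the MAC addresses, the factory PVID of 1 on every port, and the `set_pvid` step are constructed assumptions (on Netgear managed switches the PVID is a separate setting from VLAN membership, and forgetting it is a common reason an "untagged" port still lands in VLAN 1).

```python
"""
Toy 802.1Q switch-port model (added example, not from the forum thread).

An untagged frame arriving on a port is classified into that port's PVID,
then sent out every other member port of that VLAN: tagged members get a
4-byte 802.1Q tag, untagged members get a plain frame. Tagged ingress is
accepted only on a tagged member port of that VLAN (ingress filtering).
"""
from dataclasses import dataclass, replace
from typing import Optional
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800

PFSENSE_PORT, NETBOOK_PORT = 1, 8                 # from the thread
PFSENSE_MAC = bytes.fromhex("020000000001")       # constructed
NETBOOK_MAC = bytes.fromhex("020000000008")       # constructed


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]        # None: no 802.1Q tag on the wire
    ethertype: int
    payload: bytes


def encode(frame: Frame) -> bytes:
    """Serialise a frame; insert an 802.1Q tag (PCP=0, DEI=0) when vid is set."""
    header = frame.dst + frame.src
    if frame.vid is not None:
        header += struct.pack("!HH", ETH_P_8021Q, frame.vid & 0x0FFF)
    return header + struct.pack("!H", frame.ethertype) + frame.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame, pulling the VID out of an 802.1Q tag if one is present."""
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, pos = None, 14
    if etype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        vid = tci & 0x0FFF
        (etype,) = struct.unpack("!H", raw[16:18])
        pos = 18
    return Frame(dst, src, vid, etype, raw[pos:])


class Switch:
    """Per-VLAN port membership ('tagged'/'untagged') plus a per-port PVID."""

    def __init__(self, ports):
        self.members = {}                       # (vid, port) -> mode
        self.pvid = {p: 1 for p in ports}       # assumed factory default: VLAN 1

    def set_member(self, vid, port, mode):
        assert mode in ("tagged", "untagged")
        self.members[(vid, port)] = mode

    def set_pvid(self, port, vid):
        self.pvid[port] = vid

    def forward(self, ingress, raw):
        """Return {egress_port: raw_bytes} for one frame arriving on `ingress`."""
        frame = decode(raw)
        if frame.vid is None:
            vid = self.pvid[ingress]                          # untagged -> PVID
        elif self.members.get((frame.vid, ingress)) == "tagged":
            vid = frame.vid                                   # tagged member: accept
        else:
            return {}                                         # ingress filtering: drop
        out = {}
        for (mvid, port), mode in self.members.items():
            if mvid != vid or port == ingress:
                continue
            out[port] = encode(replace(frame, vid=vid if mode == "tagged" else None))
        return out


def netbook_frame():
    """Untagged frame as a plain Ubuntu NIC emits it (payload is a placeholder)."""
    return encode(Frame(PFSENSE_MAC, NETBOOK_MAC, None, ETH_P_IP, b"ip-to-192.168.2.1"))


def base_switch():
    sw = Switch(ports=range(1, 9))
    for p in range(1, 9):
        sw.set_member(1, p, "untagged")         # default management VLAN 1 everywhere
    return sw


def original_membership():
    sw = base_switch()
    sw.set_member(400, PFSENSE_PORT, "untagged")   # the post's first attempt
    sw.set_member(400, NETBOOK_PORT, "tagged")
    return sw


def swapped_membership():
    sw = base_switch()
    sw.set_member(400, PFSENSE_PORT, "tagged")     # the suggested fix
    sw.set_member(400, NETBOOK_PORT, "untagged")
    sw.set_pvid(NETBOOK_PORT, 400)                 # assumed separate PVID step
    return sw


def vid_seen_by_pfsense(sw):
    """VID on the frame reaching port 1: None means it lands on plain LAN (em1)."""
    out = sw.forward(NETBOOK_PORT, netbook_frame())
    return decode(out[PFSENSE_PORT]).vid if PFSENSE_PORT in out else "dropped"


if __name__ == "__main__":
    print("original membership:", vid_seen_by_pfsense(original_membership()))  # None
    print("swapped membership: ", vid_seen_by_pfsense(swapped_membership()))   # 400
```

With the original table the netbook's untagged frame is classified into VLAN 1 and reaches em1 untagged, which is why 192.168.1.1 answered but 192.168.2.1 never saw the traffic; with the swapped table (and the PVID set) the same frame leaves port 1 carrying VID 400 and lands on the em1 VLAN 400 interface. The ingress-filtering branch also shows why the untagged netbook port cannot push its own VLAN 400 tags into the switch once it is no longer a tagged member.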

          A Former User

          Excellent,

          I now realise that I was applying my understanding of tagged and untagged to inbound packets rather than outbound packets.

          Once I reversed the setup, everything worked as expected.

          (The VLAN 1 is the default Netgear management setup to allow all traffic to work on all ports, it's why I'm trying to switch to a different VLAN).

          Thanks for your help, saved me a lot of head scratching.

          Regards,
          Rob.

            Derelict LAYER 8 Netgate

            Eventually you will discover that you cannot tag vlan 1.

            If you ever want to "trunk" vlan1 across a trunk port with other vlans you will have to change it.  Some gear might allow it, some might not.  The stuff that won't is usually the higher end gear that is actually trying to meet the specifications.

            Once you decide to start tagging any traffic at all in your network, you are better off forgetting vlan1 exists.  In the dot1q environment, it doesn't.

            Using the default management VLAN 1 for real traffic is usually a hassle.

            Using it as a management VLAN is usually a hassle too.  Yes, it's easier out-of-the-box-for-the-typical-frys-customer but it's just, well, suboptimal.  If you have gear that HAS to have its management VLAN on VLAN 1, you are way better off setting up an untagged port on your real management vlan on a real switch and plugging such gear into it.  Any gear that doesn't let you change the management VLAN from VLAN1 should be discarded.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.