VLAN Hell
-
Hi All,
Firstly, I am a bit new to VLANs, but I did read up and I have a good working knowledge of IP networking. VLANs are a bit of a grey area and I'm trying to educate myself a little, but I think I have hit a wall and can't figure out what I'm doing wrong. I am trying to end up with 3 subnets: WAN1, WAN2 and LAN1. I have a QNAP acting as host for my pfSense with 2 gigabit connections (em0 192.168.4.1) (em1 192.168.1.2), both supporting VLANs, 1 BT Router (set to static IP 192.168.4.254), an Asus Router (with 4G Modem, 192.168.11.254) and a TP-Link TL-SG108E smart switch (192.168.1.3). I also have a TP-Link TL-WR1043ND Router, but this is simply acting as a wireless access point; I believe it also has some VLAN ability using DD-WRT firmware.
pfSense em0 - WAN1 (BT router)
pfSense em1 - port 1 on TL-SG108E (rest of the LAN on ports 2-7 and the Asus Router on port 8)
TL-SG108E cabling
Port 1 - pfSense
Ports 2-4 - LAN devices
Port 5 - (using to configure the switch; will be added to VLAN 10 when all is working)
Ports 6-7 - LAN devices
Port 8 - WAN2 (VLAN 20)
So on the TP-Link I have this VLAN config:
MTU VLAN - Disabled
Port Based VLAN - Disabled
802.1Q VLAN
VLAN 10 member ports 1-4,6-7; untagged 1-4,6-7
VLAN 20 member ports 1,8; untagged 1,8
802.1Q PVID
Port 1 on PVID 1
Ports 2-4 on PVID 10
Port 5 on PVID 5
Ports 6-7 on PVID 10
Port 8 on PVID 20
For some reason I can't ping the router on port 8 of the switch. pfSense is configured with an interface on the same subnet on VLAN 20 on em1 (same as the LAN). If anyone has any suggestions of what I am doing wrong?
-
802.1Q VLAN
VLAN 10 member ports 1-4,6-7; untagged 1-4,6-7
VLAN 20 member ports 1,8; untagged 1,8
…
Port 8 on PVID 20
For some reason I can't ping the router on port 8 of the switch. pfSense is configured with an interface on the same subnet on VLAN 20 on em1 (same as the LAN). If anyone has any suggestions of what I am doing wrong?
If your pfSense interfaces are assigned to VLANs like this:
LAN - VLAN 10 on em1
WAN2 - VLAN 20 on em1
Then that means pfSense is expecting and sending traffic with 802.1Q tags.
Change port 1 on the switch to be tagged VLAN 10 and 20 instead of untagged and it should be good to go.
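To make the tagging mismatch in the reply above concrete, here is an added example (my own code, not from the thread or from pfSense/TP-Link): it models the switch's 802.1Q membership and PVID tables exactly as posted and checks the port facing pfSense em1 against the VLANs pfSense expects to see tagged. The port numbers, VLAN ids and PVIDs are taken from the original post; the checks and the `check_config` function are mine.

```python
# Added example: verify a TL-SG108E-style 802.1Q table against pfSense's
# VLAN sub-interfaces. Port/VLAN/PVID values are copied from the thread.

def egress(vlans, port, vlan):
    """How a frame of `vlan` leaves `port`: 'tagged', 'untagged' or None
    (port is not a member of that VLAN, so the frame is dropped)."""
    return vlans.get(vlan, {}).get(port)

def check_config(vlans, pvid, trunk_port, router_vlans):
    """Return a list of problems found in the switch VLAN table.

    vlans:        {vlan_id: {port: 'tagged' | 'untagged'}}  (802.1Q VLAN page)
    pvid:         {port: vlan_id}                           (802.1Q PVID page)
    trunk_port:   switch port cabled to pfSense em1
    router_vlans: VLAN ids pfSense carries as 802.1Q sub-interfaces on em1
    """
    problems = []
    # 1. pfSense sends and expects 802.1Q-tagged frames for each VLAN
    #    sub-interface, so the port facing it must be a *tagged* member.
    for vlan in router_vlans:
        mode = egress(vlans, trunk_port, vlan)
        if mode is None:
            problems.append(f"port {trunk_port}: not a member of VLAN {vlan}")
        elif mode == "untagged":
            problems.append(f"port {trunk_port}: VLAN {vlan} is untagged, "
                            f"but pfSense expects it tagged")
    # 2. A port untagged in several VLANs is ambiguous: untagged ingress can
    #    only be classified into the PVID VLAN, so the other VLANs never get
    #    replies back through that port.
    for port in pvid:
        untagged = [v for v, m in vlans.items() if m.get(port) == "untagged"]
        if len(untagged) > 1:
            problems.append(f"port {port}: untagged in VLANs {untagged}, "
                            f"only PVID {pvid[port]} can classify ingress")
    return problems

# The table from the original post.
ORIGINAL_VLANS = {10: {p: "untagged" for p in (1, 2, 3, 4, 6, 7)},
                  20: {1: "untagged", 8: "untagged"}}
PVID = {1: 1, 2: 10, 3: 10, 4: 10, 5: 5, 6: 10, 7: 10, 8: 20}

# The fix from the reply: port 1 tagged in VLAN 10 and VLAN 20.
FIXED_VLANS = {10: {**ORIGINAL_VLANS[10], 1: "tagged"},
               20: {**ORIGINAL_VLANS[20], 1: "tagged"}}

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL_VLANS), ("fixed", FIXED_VLANS)):
        found = check_config(table, PVID, trunk_port=1, router_vlans=(10, 20))
        print(name + ":", found or "OK")
```

Running it reports three problems for the posted table (VLAN 10 and VLAN 20 leaving port 1 untagged, and port 1 being untagged in two VLANs at once) and none once port 1 is tagged in both.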
-
Thank you very much for your help, what a legend! I was chuffed that I was so close to getting it working on my own; it shows I more or less got the gist of it! haha.
thanks again!
-
Hi, sorry to be a bit of a pain, but I have one more question.
I modified my setup a little to make it work. I did away with VLAN 10 (as using the default for the main LAN was just fine and VLAN 10 isn't needed); only one port on the switch is connected to WAN2, and so VLAN 20 remains in place, and WAN1 is on a separate port on the pfSense box, so no need for a VLAN there either.
So I have WAN2 (VLAN 20) on 192.168.20.0
LAN on 192.168.1.0
and WAN1 on 192.169.4.0
Each interface has the pfSense IP as 1, and the Router on 192.168.20.0 is on 254, and 192.168.4.254. For some reason I can not work out, I can not connect to the webpage on the WAN interfaces (sort of): the pages seem to partially load and some parts are missing altogether. If I plug into the routers directly all works fine. Pinging all the gateways from the LAN works fine, and the internet connection works fine; load balancing and failovers are working as they should.
My question is why isn't the router config page loading correctly?
(NB I have got allow-all rules in the firewall for the LAN)
-
"LAN on 192.168.1.0" won't work with a /24 (or 255.255.255.0, it's the same) netmask.
Valid IPs are from 192.168.1.1 to 192.168.1.254 and your LAN has to be in that range! The same for your WAN networks, of course.
.0 is the network's address and .255 the broadcast address (in a /24 network).
… I can not connect to the webpage on the WAN interfaces...
???
If you want to connect FROM your WAN interface you have to add a rule to allow this.