Hyper-v pfsense and servers
-
Hey guys & girls.
I'm having some issues with a HyperV install of pfSense at the moment. I'll outline the setup:
Phys NIC 1 - Allocated to 2 Windows VMS - Connected to a physical switch
Phys NIC 2 - HyperV management (Not allocated to any VMS) - Connected to a physical switch
Phys NIC 3 - pfSense LAN - Connected to a physical switch
Phys NIC 4 - pfSense WAN - Connected to modem
pfSense LAN: 192.168.2.1
pfSense WAN: 172.16.15.2 (Modem 172.16.15.1)
RSL-SVR-01: 192.168.2.10
HyperV Server: 192.168.2.5At the moment all machines are looking at pfSense LAN and all is working fine. Routing, DNS etc. Currently DHCP of 192.168.2.0/24 being done by RSL-SVR-01.
I have created a couple VLANs within pfsense that will be connected to L3 switches. I've created the VLAN20, assigned it to the pfSense LAN adapter and given it an ip of 10.120.0.1. I can ping this address from RSL-SVR-01. Tracert shows it hops through 192.168.2.1 (I haven't locked anything down yet).
I cannot get DHCP working for devices on VLAN20. If I assign a device a static address in 10.100.0.2, I cannot ping 10.100.0.1. I don't believe its a VLAN tagging issue. I'm testing this on a single switch, and the port that NIC3 is connected to is assigned to accept all untagged and VLAN20 tagged packets.
I've created a Windows 10 test VM, set its network to NIC3, set the virutal in in the VM to be tagged VLAN20 (within the settings of the HyperV VM) and still no traffic.
Safe to say I am quite confused. Hoping someone can help shed some light on the situation.
Jase
-
Not sure if it is a typo, but you have the router NIC at 10.120.0.1 and SecurityOne at 10.100.0.2? Those are different IP networks.
I've done some VLAN work (not with pfSense) so bear with me if I'm not 100% accurate.So RSL-SVR-01 is at 192.168.2.10. pfSense has a NIC at 192.168.2.1. Both of those are plugged into the same switch and can ping each other. You also have a NIC on pfSense with an address of 10.120.0.1. You can reach this IP by pinging from the server but it appears that it is coming in via the 1921.68.2.1 address from your tracert. That means that traffic isn't reaching your via the VLANned port, but is being routed via your pfSense router.
What kind of switch do you have and how are the ports configured?
-
Correct, that is a typo. Second router NIC with VLAN20 is assigned 10.100.0.1. Basically the firewall in pfSense is allowing traffic on the 192.168.2.0/24 subnet through to all nets. That's why when I ping 10.100.0.1 from 192.168.2.10 I get a response.
Switch is a HPE 1920s (VLAN1 = default "Not a VLAN"
Phys NIC 1 - Connected to port 40 - PIVD1, member of VLAN1 ONLY
Phys NIC 2 - Connected to port 46 - PVID 1 member of VLAN1 ONLY
Phys NIC 3 - Connected to port 48 - port configured with PIVD1, member of VLAN1 & VLAN20Additional Testing results:
I've linked the HyperV managment back to share Phys NIC 1 to free up a third NIC to allocate to pfsense. I removed the VLAN id from the issue and setup the third NIC into pfsense, assigned it 10.100.0.1, and my test VM could ping this interface. I've setup a second test windows VM sharing Phys NIC 3. I don't believe this sharing will have any impact on results
HyperV is NOT set to enable any VLAN identification. pfSense not using VLANs (VLAN20 adapter in interfaces is disabled)
Phys NIC 1 - Connected to port 40 - PIVD1, member of VLAN1 ONLY
Phys NIC 2 - Connected to port 46 - PVID 1 member of VLAN1 ONLY
Phys NIC 3 - Connected to port 48 - port configured with PIVD1, member of VLAN1 & VLAN20Ping 192.168.2.10 > 192.168.2.1 - OK!
Ping 192.168.2.10 > 10.100.0.1 - OK!
Ping 10.100.0.30 (temporary test vm) > 10.100.0.1 - OK!
Ping 10.100.0.30 > 192.168.2.1 - OK!I can even Ping between 192.168.2.10 and 10.100.0.30 (RSL-SVR-01 to test windows VM, firewall on test vm off of course)
So I know the config itself works. I know traffic is traversing the ports, pfsense etc correctly. Turns out this is one of 2 things. pfsense doesn't like trying to handle VLANs whilst virtualised (However others have similar setups that are working) or the switch port config is incorrect. On the blower to HP about the correct config, though I am sure it's all correct.
Jase
-
To allow pfsense to configure vlan tags on a Hyper-V host you have to do special configuration to those ports in Hyper-V.
I think you just have to turn on trunking on that hyper-v port to allow pfsense to do Vlan tagging.
Something like(in elevated powershell):
Get-VMNetworkAdapter -VMName "vmname" | Where-Object {$_.MacAddress -eq "XXXXXXXXXXXX"} | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-100" -NativeVlanId 1
-
To allow pfsense to configure vlan tags on a Hyper-V host you have to do special configuration to those ports in Hyper-V.
I think you just have to turn on trunking on that hyper-v port to allow pfsense to do Vlan tagging.
Something like(in elevated powershell):
Get-VMNetworkAdapter -VMName "vmname" | Where-Object {$_.MacAddress -eq "XXXXXXXXXXXX"} | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-100" -NativeVlanId 1
So ran this command on the vNIC mac for hn2 in pfSense. Still no traffic. I cannot work out what the command is to view the status of the VLAN/trunk settings for a MAC in powershell.
For what its worth, RSL-SVR-01 can ping the VLAN20 Interface address: 192.168.2.10 > 10.100.0.1, but I cannot ping 10.100.0.30 to 10.100.0.1. Suggests firewall rules are still all ok, but vlan tags aren't carrying through either the switch, or the vnic?Do the settings look correct? I've set the test VM to TAG VLAN20. It's sharing an interface which I don't want to remove from include untagged status.
-
So I decided to test some other setups. I've decided to add a quad NIC to the server and allocate a physical NIC to each "VLAN" then just change the PVID for each port according to the VLAN ID required for the virtual NIC in pfSense.
I'm keen to hear from someone that has had VLAN tagged passed through HyperV vNICs however. My HyperV trunk matched a whole lot of documentation I've read, but still go go; I've probably missed something.