How to send LAN w/DHCP over both a NIC and a vLAN on another nic?
-
I have the following:
- HP 1U server with 6 NICS running ESXi 6.5
- ESXi is configured with 6 vSwitches - each one is uplinked to its own physical NIC
- PFsense is installed VM with 6 vNICS tied 1:1 to each vSwitch
- Ubiquiti Wireless Access Point (AP)
Two of the interfaces on the PFsense firewall are dedicated to:
-
LAN (192.168.1.1) - DHCP hands out .1 addresses
LAN interface is uplinked to a switch serving the house -
WAP {192.168.2.1) - DHCP hands out .2 addresses
WAP interface is uplinked directly to the Ubiquiti AP
Both networks work as expected, DHCP, etc.
I now have a need to deliver the LAN (.1 net) over the AP to a separate SSID in ADDITION to the existing .2 network.
I know how to set up the second SSID on the AP so that it runs on a vLAN.
My problem is how do I use a vLAN in PFsense to extend the EXISTING LAN (.1 network) over the WAP interface as vLAN 101 in addition to the existing WAP (.2 network)?
-
Why involve pfSense? That would be an ugly mess of bridging. You can solve this at L2 between the vswitches, real switches, and your AP. Whatever VLAN your LAN is using untagged, just tag that on the port connected to the AP.
-
So you're right.
However that would prevent me from managing the networking from the one pane of glass that PFsense provides.
It's worth noting that no vLANS are in use at this time, and i'm trying to use a vLAN to deliver the LAN alongside the Wireless network.
All the networks are all on default vLAN for their interface.
Also note that the WAP is connected DIRECTLY to the ESXi server NIC port and does not go through a switch.
I suppose I should start thinking about a redeployment using a vLAN based setup, but I was trying to adhere to the design principle of keeping firewall and network management tasks as close to the experience of using a physical firewall server as possible.
Any more thought on this?
-
To get both networks on the AP even directly connected you'll still have to tag VLANs.
And the only thing you lose by handling it at L2 is being able to filter wireless users on LAN separately from users on the regular LAN, and if you're doing that, why bother putting them in the same subnet at all? Just keep them isolated.
Bridging on the firewall is ugly. Avoid it at all costs.
-
esxi vswitches/portgroups will not strip tags if you set the vlan id to 4095.. Then you can bring in a untagged network and tagged network into a vnic on pfsense..
This would allow you to handle your network native and vlans at pfsense.. How you connect them into pfsense is the big question.. If your to the point you want to play with vlans - then your at the point to get yourself a vlan capable switch to use..
You can get a vlan capable switch for like $30..
-
@jimp the ultimate issue is that the home theater gear at this site is driven by Logitech Harmony remote hub units. these ONLY have WiFi access - not wired.
Whereas the media servers and rokus are all on the WIRED network to ensure 4K strems properly to all devices.
(This is a 10Gb switched infrastructure)
The Rokus cannot take controls from the Harmony units due to routing incompatibilities on the logitech side.
This is why I need to have the LAN present as a separate SSID beside the WiFi network.
:(
-
@johnpoz you called out the wall i ran smack into...
I can get the vLAN out to the WAP from the firewall but how I connect it to the existing LAN is maddening.
-
My roku is wired and not on the same wifi network s the harmony hub..
Not sure what any of that has to do with the price of tea??
GET A SWITCH!!!!
Trunk run whatever vlans you want into the esxi nic, set the portgroup to 4095 and let pfsense handle the vlans.
This is all basic networking 101 with the addition of simple 30$ switch that support vlans. Allow you to run uplinks on native untagged into different esxi nics or tagged, have devices on any vlan you want. Or uplinks that are tagged can carry multiple networks to the devices that will isolate them like other switches or AP.. Where you could have as many ssid on different vlans you want and them put any wired device on any network you want as well.
-
@johnpoz It is related because as I mentioned before, the wired Roku on LAN (.1 network) does not receive commands from the Harmony Hub which lives on the WAP (.2) network without a 5-10 second delay.
This is a known issue at Logitech and many have issues with this.
The only solution at this time is to ensure the two devices are on the same network.
I understand what you say about the switch, however I would like to have been able to simply ride the LAN on an extra vLAN using the current setup without having to go on site and install more gear when it shouldn't be necessary.
-
Its not EXTRA anything... Its how you do networking... You have an AP that does vlans - you need a switch that does vlans. You don't use freaking interfaces as switch ports.
You clearly can afford a freaking 30$ switch to do it CORRECTLY!!!
-
-
So am I to be honest!! ;)
Some times I wonder why I am even still here after 10+ years of the same shit over and over and over again..
You clearly can afford 30$ switch with the gear you have... To do something CORRECTLY being told you by 2 people that do networking for a living.. Myself have been in the business before there were even switches..
You want to do vlans.. This is your statement... You need to connect multiple devices = Vlan capable switch! Period!!
How is that difficult to understand. Sure you go ahead and bridge 2 of your 6 interfaces.. You could also fix your car with duct tape and bubblegum next time it breaks.. Don't yell at the mechanic when they told you to do it correctly..
Have Fun!
-
Well this is getting out of hand!
But I agree, the only reason you would want to be bridging the interfaces in pfSense is if you need to filter between the wired and wireless segments of the .1.X subnet.
You should be able to do this just using the vswitches in ESXi anyway. Just bring the connection to the AP in as a tagged port on whatever VLAN you configured for the additional SSID and and make that tagged on the LAN vswitch. All done no problem.
Steve
