Netgate Discussion Forum

    Unable to get VLAN working

    L2/Switching/VLANs
    3 Posts 2 Posters 778 Views
    • A Former User
      last edited by A Former User

      In my previous post, I thought I had it, but I've got some strange things happening. Here's a simplified topology:
      pfsense-network.png

      RED is WAN, BLUE is LAN. Due to the way the VoIP system is set up on this network, all ports are trunk ports because the phones are not Cisco compatible. The LAN-side 8-port SG300 is all configured for trunking and hasn't been touched. On the Cisco 2960S, ports for PCs are configured as:

      interface gig0/XX
       switchport mode trunk
       switchport trunk allowed vlan 1,18
      

      as there should be no LAN devices on this VLAN. This is for an SSID only.

      I've added the new VLAN 400 to every switch in the network. On the IOS 12 devices, I can see this:

      vlan 400
       name CorpWireless
      

      All switches only work with 802.1q so "switchport trunk encapsulation dot1q" isn't accepted and doesn't need to be specified.

      All links to other switches and Meraki MR access points are configured as:

      interface gig0/XX
       switchport mode trunk
      

      Within the Meraki dashboard, the access points do pick up VLAN 400.

      For troubleshooting, I've set one of the switchports to access VLAN 400. The computer plugged in is unable to pull an IP and I have DHCP enabled on the VLAN interface within pfSense.

      Here are my pfSense configs:

      36338b3c-bde5-4b4c-85ad-5e2b8197b3ef-image.png

      a3c1e906-6dec-4740-b8b3-084c2f5d2bd3-image.png

      523b90c7-14fd-4dd6-be22-362aa490d85c-image.png

      Routing Table:

      17bd5599-f69a-4621-8332-2002624a5126-image.png

      My concern is I see no traffic in the routing table or firewall. Yet using the diagnostics, I can ping from the VLAN interface to a server on the default VLAN so routing is clearly working:

      ff9cc507-d3e4-423f-88cb-2f2c85e6ce34-image.png

      The CARP IP, 10.19.4.1, shows as "master" on both firewalls, and from other threads and Google, this seems to indicate that the firewalls aren't sure of each other on this interface. The firewall rules for VLAN 400 do sync across and match up on the secondary firewall. I've noticed during this that if I try to ping 10.17.1.3 or 10.19.4.3 (the physical and VLAN 400 interfaces, respectively, on FW2), no pings return. Any pointers where I can check?

      Edit:
      I did a packet capture on pfSense while pinging from the switch to 10.19.4.2 and these are the only packets captured:
      94b2b6a3-28d5-4afb-9a09-b6b25fb0c68f-image.png

      Edit 2: I had a user on site plug in a laptop and configure a static IP. When they set the gateway to 10.19.4.1 (the CARP IP), nothing went through. Running a packet capture, I was able to obtain the following when they set the gateway to 10.19.4.2.
      ce3cd79d-c3bc-452a-9f42-f09601f77588-image.png

      • Derelict (Netgate)

        Looks like your switching gear is not sending any traffic to pfSense tagged VLAN 400.

        55b69261-e937-4727-b88a-6cc071c7b7f4-image.png

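        One way to check Derelict's diagnosis on your own capture (an added example, not code from the thread or from Netgate): parse a capture taken on the pfSense parent (physical) interface, where 802.1Q tags are still present, and count frames per VLAN ID. It assumes a classic pcap file of Ethernet frames written with tcpdump -w on the parent interface rather than on the VLAN interface (where the kernel has already stripped the tag); the sample frames below are constructed with placeholder MACs.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag header

def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # VLAN ID is the low 12 bits of the TCI; PCP/DEI above
        offset = 18
    return vlan_id, ethertype, frame[offset:]

def vlan_census(frames):
    """Count frames per VLAN ID; frames with no 802.1Q header are keyed 'untagged'."""
    counts = Counter()
    for f in frames:
        vid, _, _ = parse_frame(f)
        counts["untagged" if vid is None else vid] += 1
    return counts

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap file body, link type Ethernet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def build_frame(vlan_id=None, ethertype=0x0806, payload=b"\x00" * 28):
    """Construct a sample frame (placeholder broadcast dst / src MACs) for offline use."""
    hdr = bytes.fromhex("ffffffffffff0011223344ff")
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    return hdr + struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ethertype) + payload

# Constructed capture: broadcast ARP seen untagged, twice on VLAN 18, once on VLAN 400.
SAMPLE_FRAMES = [build_frame(), build_frame(18), build_frame(18), build_frame(400)]
```

If the census shows other tagged VLANs but no entry for 400, the switch side is dropping or untagging that VLAN before it reaches the firewall, which matches the symptom in this thread.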
        • A Former User

          Finally got this solved! Previous admin never documented anything so I was just stumbling around. There's a layer 3 switch doing VLAN routing (originally it was just passing the routing off to the old router). So I reconfigured the layer 3 switch to handle the VLANs, pfSense just handles everything out to the internet. So we're all good!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.