Netgate Discussion Forum

    Unable to route between multiple VLANs on the same uplink port

    L2/Switching/VLANs

      emiljan

      Hello,

      I have an ESXi host connected to pfSense via one uplink (igb1) and am trying to create a router-on-a-stick topology with that one uplink trunking multiple VLANs and performing the routing.

      My lab topology:

      ESXI
      -Virtual Switch (Homelab) (Uplink: ESXI:igb1 > pfSense:igb1)
      --PORT GROUP (NAME:VLAN-10) (VLAN ID: 10)
      --PORT GROUP (NAME:VLAN-20) (VLAN ID: 20)
      --PORT GROUP (NAME:VLAN-30) (VLAN ID: 30)
      --PORT GROUP (NAME:VLAN-100) (VLAN ID: 100)
      --PORT GROUP (NAME:VLAN-122) (VLAN ID: 122)

      pfSense:
      -Created 5 VLANs
      --Tag: igb1.10
      --Tag: igb1.20
      --Tag: igb1.30
      --Tag: igb1.100
      --Tag: igb1.122
      -Assigned all VLAN interfaces under "interface Assignments"
      -Enabled all interfaces and set the default gateway address
      -Set Firewall rule to allow-all traffic

      I am able to access the internet from the VMs inside of ESXi.
      I can ping all of the VLAN gateways from the VMs.
      I am able to ping/connect to any of the VMs within the same port group in ESXi.
      I am unable to ping or connect to any VMs that are on a different port group/VLAN - I get an error stating it cannot find a route to the destination.

      I am at a loss and need some assistance with getting the routing between VLANs working properly.

      Thank You,

        johnpoz LAYER 8 Global Moderator

        You understand if you're doing port groups on esxi, then there are no tags on pfsense. If you want pfsense to handle the tags then your port group would be set to 4095 on your vswitch so it doesn't strip tags.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          emiljan

          Thank you for the quick reply. So I can just use one port group with the VLAN tag set to 4095 and keep my current config in pfSense?

            johnpoz LAYER 8 Global Moderator

            Yup, as long as your switch that is connected to this interface that is connected to the port group is tagging the traffic. If the port group is 4095 it will not strip tags. You only use 1 port group in such a setup, and your pfsense interface that is connected to this port group has the vlans on it.

              emiljan

              I created a new port group with a tag of 4095 in ESXi and added 2 hosts, each from different subnets, and neither has internet access or is able to communicate with the other.

                johnpoz LAYER 8 Global Moderator

                2 hosts for what... You're going to have to provide more info.

                You mean 2 more vms? Two boxes via physical connections? Do they get dhcp from pfsense?

                Do your own research: esxi vswitch set to 4095 does not strip tags. If you want to pass tags for pfsense to handle then that is what you need to set on your vswitch.

                  jagradang

                  Ok, I'm assuming you meant your pfsense is a vm inside esxi? Or am I misunderstanding you?

                    johnpoz LAYER 8 Global Moderator

                    Yes, if the pfsense is inside your vm host, i.e. a vm itself, and you want it to handle tags, then the vswitch it's connected to that connects it to the real world needs to be set for 4095 if you want pfsense to see the tags.

                    Is your pfsense external to your host?

                    1 Reply Last reply Reply Quote 0
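
The tag handling discussed in this thread, as a simplified model added here for illustration (not code from any poster, VMware or Netgate). It traces tagged frames from the uplink through a port group to a guest, for a port group with a specific VLAN ID versus 4095. The function names and the "firewall VM" and "plain VM" scenarios are assumptions; the VLAN IDs and `igb1.N` interface names are borrowed from the first post, and the plain-VM case goes beyond what the thread states.

```python
# Added illustration: simplified model of ESXi standard vSwitch port-group VLAN
# handling on the path uplink -> port group -> guest vNIC. Not VMware/Netgate code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]  # 802.1Q VLAN ID; None means untagged
    payload: str

def deliver_to_guest(frame: Frame, portgroup_vlan: int) -> Optional[Frame]:
    """Frame as the guest vNIC receives it, or None if the vSwitch filters it."""
    if portgroup_vlan == 4095:          # guest tagging: tags pass through untouched
        return frame
    if portgroup_vlan == 0:             # no VLAN on the port group: untagged only
        return frame if frame.vlan is None else None
    if frame.vlan == portgroup_vlan:    # switch tagging: matching tag is stripped
        return Frame(None, frame.payload)
    return None                         # other VLANs never reach this port group

def guest_demux(frame: Frame, vlan_ifs: set, parent: str = "igb1") -> str:
    """Interface inside the guest that ends up handling the frame."""
    if frame.vlan is None:
        return parent                   # untagged traffic lands on the parent NIC
    name = f"{parent}.{frame.vlan}"
    return name if name in vlan_ifs else "dropped: guest has no interface for tag"

def trace(frames, portgroup_vlan: int, vlan_ifs: set) -> dict:
    result = {}
    for f in frames:
        seen = deliver_to_guest(f, portgroup_vlan)
        result[f.payload] = ("filtered by vSwitch" if seen is None
                             else guest_demux(seen, vlan_ifs))
    return result

# Constructed sample: tagged frames arriving on the uplink, VLAN IDs from the thread.
FRAMES = [Frame(10, "to-vlan10"), Frame(20, "to-vlan20"), Frame(122, "to-vlan122")]
PFSENSE_IFS = {"igb1.10", "igb1.20", "igb1.30", "igb1.100", "igb1.122"}

if __name__ == "__main__":
    for label, pg, ifs in [("firewall VM on port group VLAN 10", 10, PFSENSE_IFS),
                           ("firewall VM on port group VLAN 4095", 4095, PFSENSE_IFS),
                           ("plain VM, no VLAN interfaces, on 4095", 4095, set())]:
        print(label, "->", trace(FRAMES, pg, ifs))
```

A port group with a specific VLAN ID enforces the segment boundary in the vSwitch, while a 4095 port group hands every VLAN on the uplink to whatever guest is attached, so only the device that is meant to route or filter between VLANs belongs on it.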
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.