Can't get VLAN's to work under VMWare

leonset · May 6, 2008, 8:40 AM

Hi!

I have tried everything that has come to my mind, but I've been unable to make VLAN's to work. I'm using a Procurve 2900 switch and I have set port 25 as tagged for VLANs ID 1 and 4. Then, I setup a FreeBSD VM with two virtual NICS, one bridged to my LAN and the other one to the NIC connected to Procurve's port 25. In the VM I'm using ethernet1.virtualDev = "e1000" to support VLAN's.

The real NIC's are Broadcom 5715 (onboard) and Intel 1000MT… I've tried both.

I can access the WebUI and use it to setup two VLANs, one with ID 1 and a second one with ID 4 (vlan0 and vlan1 within pfSense). Then, I create an interface for each one and give an IP address for them (10.x.x.x/24 with different subnets each one).

BUT... it doesn't work: I can't ping any hosts on those subnets. What am I doing wrong?

Many thanks in advance! :)

GruensFroeschli · May 6, 2008, 8:42 AM

Did you create rules on these "new" interfaces?

What exactly are you trying to ping?
Could you draw a diagram of your "logic" network?
Does your ping destination know the route back to you?
–> Per default pfSense doesnt NAT to OPTx interfaces, but routes.

leonset · May 6, 2008, 8:57 AM

Hello!

Ok, here's more detail:

VLAN0: VlanID1, IP subnet 10.1.20.0/24
VLAN1: VlanID4, IP subnet 10.4.20.0/24

To simplify, let's use only VLAN0. In that subnet I have more hosts, connected to the switch as untagged ports which belong to VLAN ID1. So, basically, they're on the same segment and you don't need routing to reach them. Then, I give IP 10.1.20.252 to pfSense VLAN0 iface and try to ping that IP from any other host within the same subnet, with no success. It seems as if the VLAN tag was ignored somewhere and pfSense was unable to identify those packets… but I don't know how to verify that point.

Thanks!

GruensFroeschli · May 6, 2008, 12:26 PM

dont use vid1

@802.1Q:

Table 9-2—Reserved VID values

VID value(hexadecimal) Meaning/Use
0 The null VLAN ID. Indicates that the tag header contains only priority
information; no VLAN identifier is present in the frame. This VID value shall not
be configured as a PVID or a member of a VID Set, or configured in any Filtering
Database entry, or used in any Management operation.

1 The default PVID value used for classifying frames on ingress through a Bridge
Port. The PVID value of a Port can be changed by management.

FFF Reserved for implementation use. This VID value shall not be configured as a
PVID or a member of a VID Set, or transmitted in a tag header. This VID value
may be used to indicate a wildcard match for the VID in management operations
or Filtering Database entries.

Buuut….
I still dont get what you are trying to achieve.

Could you draw a diagram of your "logic" network?

leonset · May 9, 2008, 8:33 AM

Hello!

Sorry for my late reply… I thougt I was a better ascii sketcher! This has taken me some time... ;)

The idea is to get this working using just 3 real Nics, which are virtualized in bridge mode by VMWare Server from the real hardware NICs. They don't have VLAN's defined in the host OS (Win2k3):

So, for NIC1 and NIC2 I must define the VLANs with the same IDs as for the rest of the hosts on each VLAN. I don't mind the ID itself, as I can use almost anyone. NIC3 will be used for pfsync and cluster heartbeat.

The problem is that after defining the VLAN's in pfSense and in the switch i get no comunication among the firewall and the hosts on any VLAN. pfSense is unable to get the MAC for any IP on those VLAN's.

Thank you!

David_W · May 17, 2008, 8:18 PM

I think you'll have to define the VLANs on the host OS, then bridge virtual network interfaces in VMware to those VLANs. I have had pfSense working that way in VMware Workstation 6.0.3 on Windows XP Professional SP2 once I'd defined the VLAN network interfaces using Intel PROset (no native VLAN support in Windows XP) and set up the bridging in VMware to those network interfaces.

It may be possible to deal with the tagging in VMware, but I doubt that the VMware virtual network interfaces have tagging support.

It's really a VMware question at heart - can you bridge to a tagged network and have the guest OS deal with the tagging, or not. I suspect the answer might be that you can't.

leonset · May 19, 2008, 8:59 AM

Hi!

Yes, I could use VLANs directly in the host OS… but that I way I would have a 4 NIC limit in the VM and I would like to use at least 5 of them... That's why I need to use VLAN's directly inside the pfSense VM.

Obviously, the VMWare Virtual Network layer has to be able to pass ethetnet packets unmodified to the VM, so it can deal with them. I'm going to set a Windows VM with an Intel virtual NIC and install Intel ProSet in it, so I would be able to define VLAN's directly on the guest OS.

I'll update the thread later...
Thanks!

leonset · May 23, 2008, 12:03 PM

Hi!!

I've been reading a lot but couldn't solve this problem yet, because aparently VLAN tagging passthrough from the NIC to the vNIC is an unsupported feature in VMWare GSX/Server: http://communities.vmware.com/message/297176#297176

So I've ended up setting up the VLANS directly on the host and connecting 4 vNICs to them. I'm limited, but I've found a way to overcome those limitations by changing my setup and using Port Forwarding from Inet to my servers…

Regards!

jnickel · Nov 14, 2008, 10:42 PM

Kinda late I know…but if you are using ESX...you just use VGT to allow VLAN Tagging through to the guest OS (pfSense). To do this, you setup a Virtual Switch with a VLAN ID number of 4095 - this means that all VLAN info will bypass the standard VMware and be passed right through to the guest.

I use this instead of Virtual IPs because these IPs are pingable (the Virtual IP ones are not because of the way that ESX handles the CARP stuff from pfsense)

I am doing this here with great success.

Also, I would recommend changing your NIC to use the e1000 adapter instead of the standard one.

Jim