Configuring vlan on pfsense on esxi, cisco 3560e 48 poe, and linksys ac1900
-
I am struggling to get data and internet to pass from the vlan interface to my network. I have tried to configure it in multiple ways and no luck. Configurations that I have tried:
Configured esxi to have vlan tagging on the lan port, pfsense vlan with dhcp configuration, with trunking and not trunking between the server and the switch.
Configured new lan port for just the vlan, vlan tagging in esxi, dhcp server, and trunking and not trunking between the server and switch.
Configured with no vlan interface, vlan tagging in esxi, dhcp server, and trunking and not trunking between the server and switch.Only configuration that works is:
Configured esxi without vlan tagging, no vlan in pfsense, dhcp server, and no trunking between the server and the switch.
I am trying to set up a vlan so I can configure my vpn to access my physical devices beyond the server. The only thing odd is I can access my other server with no issues but to remote into my other devices on the network it is a no go, I can't even ping them. I have my vpn server configured to pass traffic through to the local network I am trying to access, and can successfully do so with all my vms and servers but not to anything else.
-
If you want esxi vswitch to pass tags to pfsense then you need to set the vlan ID on the vswitch/port group to 4095.. If you want esxi to handle the tagging then put the vlan ID on the vswitch/port group that you will be using and pfsense interfaces will be untagged.
Its no different then using another vlan capable switch..
-
I have done that. By vlan tagging in esxi I meant adding the vlan ID to the port group. As soon as I configure vlans on everything, I lose connectivity to my pfsense box. I already have the port configured on the cisco as a "switchport access vlan 3."
-
@bigchoppers2003 said in Configuring vlan on pfsense on esxi, cisco 3560e 48 poe, and linksys ac1900:
"switchport access vlan 3."
Well that would be untagged..
You do tagging where there is going to be more than 1 vlan on the interface..
-
If that is the case then it doesn't make sense why I am unable to access the rest of my network from my VPN. I have it configured to force traffic through the gateway and everything is connected to my pfsense and esxi. Come to think of it I can't even manage my esxi host from my VPN but can run proxmox, server 2012r2 and everything else on my other server remotely.
-
Its not if that is the case, that is how it works... What your doing I have no idea.. You have not provided any actual info to what your actually doing or a drawing of how you have it all connected.
If your going to carry more than 1 vlan over a wire, then atleast all but 1 of them has to be tagged..
If you want esxi to handle the tags, just like you would on any other switch you set the vlan Ids on the port groups/ vswitch.. If you want it to pass the tags to something else, ie pfsense then you set 4095 as the vlan ID... It now becomes like a trunk port on a cisco switch.. If you set a vlan ID, its now like an access port in that vlan. And tags are not passed to the device(s) connected to that port group.
-
I will sit down here in a few and see if I can draw something up. As for right now I am just passing 1 vlan, all the rest are intranet vlans for management of other devices, but will be adding more vlans later, possibly.
-
If you have downstream vlans, then pfsense would be connected to downstream router (your L3) switch via a transit network if you want to get to those vlans.
And no you wouldn't pass those vlans be it untagged or tagged to pfsense..
-
I will explain my chicken scratch drawing a bit. Once the line from the cable modem hits the switch it comes into vlan 12( I did this because I needed a couple of other ports facing the unfiltered internet), then v12( unfiltered) goes to my ESXI host and a port directly tied to pfSense, then branches from there to everything that needs internet( I think it is clear but ask if not). The pfSense testbox is there to play with settings so I don't break my whole network again. PC0 is my desktop and has dual NICs to be able to use intranet and internet. The wifi I am still trying to figure out how to run that as an AP( Linksys WRT1900AC). Router0 is from when it was all sandboxed before I connected the internet and had a router on a stick. Test server is to play and will be a file server at some point, but just to learn new things right now. I have multiple vlans on the switch but the 2 with internet access is v12( unfiltered) and v3( primary). I hope that this makes sense.
-
don't see any chicken scratch
PC0 is my desktop and has dual NICs to be able to use intranet and internet. The wifi I am still trying to figure out how to run that as an AP( Linksys WRT1900AC). Router0 i
Borked! Zero reason to do that..
Lets see this drawing..
-
The link didn't work or you could understand what I am trying to do?
-
Other than it being borked - no! Sounds like a freaking mess!! Why do you need a link - attach the drawing...
-
I tried and it didn't let me, and when I clicked the add image icon it gave me this way to do it.
I did my desktop that way because I it isn't in the same room as the servers and switches, so I had a small switch and have that by the desktop. The 2 NICs make it where I can google things as I break them without spending more time switching ports than working on it.
-
What kind of drawing are you trying to attach? is it not a picture format file?
If your going to multhome a box, that is going to come with its own issues with routing and or your going to be asymmetrical..
-
The other server and the pfSense test box are just for testing purposes. I don't plan to have dual pfSense machines and the other server will end up being a nas later on when I can afford the drives to fill it. It is mainly just the esxi host and those primary VMs on it.
-
I don't care what you plan on having - if your going to multihome your PC, its going to have its own issues unless you correctly set up the routing on it since you have it in more than 1 network.
-
I guess I am not completely following, the only 2 vlans that pfSense will see is vlan 12 for wan and vlan 3 for lan. Other vlans I might create and have currently are for intranet and won't even go to the pfSense machine. That has been the main reason for keeping the router in there so I can still route traffic properly.
Could you elaborate a bit more on what problems I will face?
