VLANs please help
-
I have never thought of myself as dumb, I fix people for a living, but I am utterly failing at this. I'd appreciate some help.
This is my setup now:
Quad LAN pfSense box (configured as WAN, LAN, OPT1, OPT2)
TP-Link T2600G-28TS managed switch
I have a Ubiquiti controller running as a VM, and a number of access points. These access points tag WLAN clients to a DMZ VLAN if they are guests.
The TP-Link switch is configured for tagged DMZ VLAN number (say 102) at the pfSense uplink and the ports that connect to the Wi-Fi APs.
pfSense firewall lets the DMZ devices see the internet.
Everything works.
Some time ago I acquired an 8-core server on a Supermicro quad LAN motherboard with IPMI, and I'd like to experiment with this machine.
I want to make sure that the management port and IPMI are on a different VLAN from the rest of the network, but are still accessible to the desktop machines on the main LAN and nothing else.
I would appreciate some advice.
-
If you put this server on vlan X, and don't even put any rules on this vlan interface... LAN would be able to access it, because default rules are any any on LAN.. And the return traffic is allowed by state. But nothing on the vlan could access LAN - because there are no rules to allow unsolicited traffic from vlan to LAN.
If you want detailed help - I would suggest you put together a drawing of your network. Showing your vlans, and rules you have on each interface.
Rules are evaluated as traffic enters an interface from the network it's attached to. Top down, first rule to trigger wins - no other rules are evaluated..
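The behaviour described in this reply (rules evaluated only on the ingress interface, top-down with first match winning, replies admitted by the state table) as a small simulation. This is an added example for the thread, not pfSense code; the interface names, subnets and the 5-tuple state key are constructed and simplified (real pfSense states also track the interface and protocol state).

```python
"""Toy model of pfSense-style stateful rule evaluation: rules apply on the
ingress interface, top-down, first match wins; reply traffic is passed by state.
Added example for this thread; addresses and interface names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrives on (rules are evaluated here)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # "any" or a CIDR
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _in(self.src, pkt.src) and _in(self.dst, pkt.dst)


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


class Firewall:
    def __init__(self, rules_by_if: Dict[str, List[Rule]]):
        self.rules = rules_by_if
        self.states = set()   # 5-tuples of flows a pass rule has admitted

    def filter(self, pkt: Packet) -> str:
        # 1. State table: a reply to an admitted flow passes without rule lookup.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass (state)"
        # 2. Rules on the ingress interface only, top-down, first match wins.
        for rule in self.rules.get(pkt.ingress_if, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"{rule.action} (rule)"
        # 3. Nothing matched: implicit default deny.
        return "block (default)"


LAN, VLANX = "192.168.101.0/24", "192.168.102.0/24"   # constructed subnets


def scenario() -> Dict[str, str]:
    """LAN keeps the default any/any pass rule; the server VLAN has no rules at all."""
    fw = Firewall({"LAN": [Rule("pass")], "VLANX": []})
    desktop, ipmi = "192.168.101.10", "192.168.102.5"
    return {
        "lan_to_ipmi": fw.filter(Packet("LAN", desktop, 50000, ipmi, 443)),
        "ipmi_reply": fw.filter(Packet("VLANX", ipmi, 443, desktop, 50000)),
        "ipmi_unsolicited": fw.filter(Packet("VLANX", ipmi, 40000, desktop, 22)),
    }


def ordering() -> Dict[str, str]:
    """The same two rules on VLANX in both orders: first match wins, so order decides."""
    block_lan = Rule("block", dst=LAN)
    allow_all = Rule("pass")
    to_lan = Packet("VLANX", "192.168.102.5", 40000, "192.168.101.10", 22)
    to_net = Packet("VLANX", "192.168.102.5", 40001, "203.0.113.7", 443)
    good = Firewall({"VLANX": [block_lan, allow_all]})
    bad = Firewall({"VLANX": [allow_all, block_lan]})
    return {
        "block_first_lan": good.filter(to_lan),
        "block_first_internet": good.filter(to_net),
        "pass_first_lan": bad.filter(to_lan),   # the block rule is never reached
    }


if __name__ == "__main__":
    print(scenario())
    print(ordering())
```

Running it shows the three cases from the reply: the desktop reaches the server from LAN on the default rule, the server's reply is passed by state with no rule on VLANX, and anything the server starts on its own hits the default deny. The `ordering()` case is the follow-up point: a block rule placed below a pass-any rule never fires.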
-
Thanks let me try to explain in a little more detail.
My pfSense box has several ethernet ports.
Let's say eth0 is WAN uplink, and eth1 is connected to my switch.
eth1 is assigned to vlan 101 LAN, as well as 102 LANrestricted and 103 DMZ
My TP-Link switch is set to allow VLANs 1, 101, 102, 103 (their version of trunk port) on the port connected to pfSense.
Two IP cameras are assigned VLAN 102 "untagged" ports on the switch and should be able to grab DHCP addresses on the LANrestricted interface.
Right now I have restricted the rules I have to just two rules:
Pass->any protocol / any port -> LAN address to LAN restricted address
Pass->any protocol / any port -> LAN restricted address to LAN address
I have replicated both rules on both interfaces.
I figured if I can't get to the cameras using these minimal rules, I won't be able to do it at all.
Ultimately, my goal is to have VLAN 102 be restricted to devices that I want to disallow access to the internet, and which can only connect to my NAS that is located on VLAN 101.
Clearly I'm going wrong somewhere with either rules or VLAN assignments.
Does this help explain what I have and what my goals are?
Thanks in advance!
-
@efriedman said in VLANs please help:
My TP-Link switch
Stop you right there - which make and model... Their low end switches are shit... They do not allow you to remove vlan 1... So they are not much more than trying to run multiple L3 on the same L2..
Now there is supposed to be fixed firmware, and it does allow you to remove vlan 1...
But I wouldn't use those switches if you gave them to me for free when it comes to vlans..
-
JetStream Gigabit L2 managed switch T2600G-28TS
It's not a cheap model; it's supposed to be an L2 24-port rackmount switch. At the time I was buying it the reviews and features seemed ok.
-
I just figured it out. I wasn't setting the PVID of the switch ports correctly. Once I set the PVID of the untagged ports to the same VLAN ID that I wanted the packets entering those ports tagged as, I was able to connect to the cameras.
Yet again the need to be explicit in your instructions proves itself.
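The fix in the last post comes down to the difference between VLAN membership (which VLANs a port sends frames out on, and whether the tag is stripped) and PVID (which VLAN an untagged frame entering the port is assigned to). The following toy 802.1Q switch, an added example for this thread and not TP-Link or pfSense code, reproduces the two situations: the camera port is an untagged member of VLAN 102 in both, but its PVID is left at the default 1 in one and set to 102 in the other. Port names, MAC addresses and VLAN IDs are constructed.

```python
"""Toy 802.1Q switch showing why an untagged access port needs its PVID set to
the VLAN it belongs to. Added example for this thread, not TP-Link or pfSense
code; port names, MACs and VLAN IDs are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Port:
    name: str
    pvid: int = 1                              # VLAN given to untagged ingress frames
    tagged: FrozenSet[int] = frozenset()       # VLANs sent out of this port with a tag
    untagged: FrozenSet[int] = frozenset({1})  # VLANs sent out with the tag stripped

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None   # 802.1Q tag on the wire; None = untagged


BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[tuple, str] = {}   # (vid, mac) -> port, learned per VLAN

    @staticmethod
    def classify(port: Port, frame: Frame) -> Optional[int]:
        """Ingress: untagged frames get the PVID; tagged frames must carry an allowed tag."""
        if frame.vid is None:
            return port.pvid
        return frame.vid if frame.vid in port.tagged else None

    def forward(self, in_name: str, frame: Frame) -> Dict[str, Optional[int]]:
        """Return {egress port: tag on the wire} for one frame entering in_name."""
        vid = self.classify(self.ports[in_name], frame)
        if vid is None:
            return {}                                  # ingress filtering drops it
        self.fdb[(vid, frame.src_mac)] = in_name
        known = self.fdb.get((vid, frame.dst_mac))
        targets = [known] if known else list(self.ports)   # unknown/broadcast: flood
        out = {}
        for name in targets:
            port = self.ports[name]
            if name == in_name or not port.member_of(vid):
                continue                               # never back out the ingress port
            out[name] = vid if vid in port.tagged else None
        return out


def build(cam_pvid: int) -> Switch:
    """pfSense uplink is a trunk; cam1 is an untagged member of VLAN 102."""
    return Switch([
        Port("pfsense", pvid=1, tagged=frozenset({101, 102, 103}), untagged=frozenset({1})),
        Port("desktop", pvid=101, tagged=frozenset(), untagged=frozenset({101})),
        Port("cam1", pvid=cam_pvid, tagged=frozenset(), untagged=frozenset({102})),
    ])


def dhcp_discover(cam_pvid: int) -> Dict[str, Optional[int]]:
    """Where does the camera's untagged DHCP broadcast end up, and with which tag?"""
    sw = build(cam_pvid)
    return sw.forward("cam1", Frame("aa:bb:cc:00:00:01", BROADCAST))


def dhcp_offer_after_fix() -> Dict[str, Optional[int]]:
    """With PVID 102, the tagged reply from pfSense reaches cam1 with the tag stripped."""
    sw = build(102)
    sw.forward("cam1", Frame("aa:bb:cc:00:00:01", BROADCAST))   # learn the camera MAC on 102
    return sw.forward("pfsense", Frame("00:11:22:33:44:55", "aa:bb:cc:00:00:01", vid=102))


if __name__ == "__main__":
    print("PVID left at 1  :", dhcp_discover(1))     # reaches pfsense untagged, i.e. VLAN 1
    print("PVID set to 102 :", dhcp_discover(102))   # reaches pfsense tagged 102
    print("offer back      :", dhcp_offer_after_fix())
```

With the PVID left at 1 the camera's DHCP discover leaves the uplink untagged, so it arrives on the parent interface rather than on the VLAN 102 (LANrestricted) interface and that DHCP server never sees it; with PVID 102 it leaves the uplink tagged 102 and the offer comes back to the camera port with the tag stripped, which is what the camera expects.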