Install pfSense on Stormshield SN300
-
Did you add the VLANs in pfSense on the internal interface?
Never use VLAN 1.
Here's how I have mine:
>vlan config VLAN Configuration: =================== Port PVID Frame Type Ingress Filter Tx Tag Port Type ---- ---- ---------- -------------- ---------- ------------- 1 101 Untagged Disabled Untag All S-Port 2 102 Untagged Disabled Untag All S-Port 3 103 Untagged Disabled Untag All S-Port 4 103 Untagged Disabled Untag All S-Port 5 104 Untagged Disabled Untag All S-Port 6 104 Untagged Disabled Untag All S-Port 7 104 Untagged Disabled Untag All S-Port 8 104 Untagged Disabled Untag All S-Port 9 104 Untagged Disabled Untag All S-Port 10 104 Untagged Disabled Untag All S-Port 11 105 Untagged Disabled Untag All S-Port 12 105 Untagged Disabled Untag All S-Port 13 None Tagged Disabled Tag All C-Port 14 None Tagged Disabled Tag All C-Port VID VLAN Name Ports ---- -------------------------------- ----- 101 WAN1 1,13,14 102 WAN2 2,13,14 103 LAN1 3,4,13,14 104 LAN2 5-10,13,14 105 WIFI1 11-14 VID VLAN Name Ports ---- -------------------------------- ----- VLAN forbidden table is emptyThough now I'm looking at it 'Untag PVID' would probably be better there. Hmm, been a long while since I configured that....
Ports 13 and 14 are the internal ports in the u250s. I have them as an LACP lagg.
Steve
-
Ok reviewing the untag all doesn't matter since it only untags member VLANs. In my case I don't have any mixed tagged/untagged ports so I could either.
You need to have port 9 a member of all the VLANs so it carries them tagged to pfSense.
The frame type needs to be 'all' since that port is carrying tagged and untagged traffic.
At least port 9 should be set to c-port or unaware so it tags for vlans.
Steve
-
I only have vlan 1 put on the em0 interface in WAN
On the internal interface? em0?
Internal ports? what does it correspond to?
I have port 9, I tried to put port 9 in "Frame Type : Tagged" and I lost control in ssh.
I didn't understand what "S-Port" and "C-Port" were
-
Yes em0 is the internal port, it's connected to port 9 on the switch.
It's frame type has to be 'all' because it's carrying tagged and untagged traffic in your setup.
Then you need to create the vlan interfaces in pfSense on em0.
Soem0.2em0.3etc.Steve
-
I just reviewed my configuration based on what I planned
VLAN>conf VLAN Configuration: =================== Port PVID Frame Type Ingress Filter Tx Tag Port Type ---- ---- ---------- -------------- ---------- ------------- 1 None Tagged Disabled Tag All S-Port 2 None Tagged Disabled Tag All S-Port 3 100 Untagged Disabled Untag PVID S-Port 4 100 Untagged Disabled Untag PVID S-Port 5 100 Untagged Disabled Untag PVID S-Port 6 101 Untagged Disabled Untag PVID S-Port 7 None Tagged Disabled Tag All C-Port 8 None Tagged Disabled Tag All C-Port 9 None Tagged Disabled Tag All C-Port VID VLAN Name Ports ---- -------------------------------- ----- 1 1-9 100 LAN 3-5,7-9 101 DMZ 6-9 832 OrangeDataVoIP 1,2,9 840 OrangeTV 1,2,9 VID VLAN Name Ports ---- -------------------------------- ----- VLAN forbidden table is emptyI just reviewed my configuration according to what I planned
I have :
- ports 1 and 2 in VLAN 832 and 840 for the WAN (in trunk)
Port 1 is the operator WAN
port 2 is a LAN to the operator router WAN- ports 3 to 5 are the LAN - port 6 is for a DMZ (for a server)
- ports 7 and 8 are for a LACP with my manageable switch in trunk
On pfsense, I created VLAN 100, 101, 832 and 840 on em0 and I put em0.100 in WAN port and I connected my local network to one of the LAN ports (vlan 100)
-
Ports 1 and 2 will need to be a C-port or Unaware.
I think S-port is wrong for anything we are doing but on an untagged port it doesn't matter:
https://www.etherwan.com/support/faq/ethernet-switches/what-defines-vlan-trunk-modes-unaware-c-port-s-port-and-s-custom-port
That's probably based on the same switch chip family.That looks correct for LAN. Are you able to connect to pfSense on ports 3, 4 or 5?
Steve
-
I switched ports 1 and 2 to C-port
VLAN>conf VLAN Configuration: =================== Port PVID Frame Type Ingress Filter Tx Tag Port Type ---- ---- ---------- -------------- ---------- ------------- 1 None Tagged Disabled Tag All C-Port 2 None Tagged Disabled Tag All C-Port 3 100 Untagged Disabled Untag PVID S-Port 4 100 Untagged Disabled Untag PVID S-Port 5 100 Untagged Disabled Untag PVID S-Port 6 101 Untagged Disabled Untag PVID S-Port 7 None Tagged Disabled Tag All C-Port 8 None Tagged Disabled Tag All C-Port 9 None Tagged Disabled Tag All C-Port VID VLAN Name Ports ---- -------------------------------- ----- 1 1-9 100 LAN 3-5,7-9 101 DMZ 6-9 832 OrangeDataVoIP 1,2,9 840 OrangeTV 1,2,9 VID VLAN Name Ports ---- -------------------------------- -----I put the em0.100 (LAN) interface in WAN port and I connected my local network to one of the LAN ports (port 3)
To explain what I want to do.
The operator network will arrive on port 1 with VLAN 832 (options 60, 77, 90, 125 must be sent by the DHCP client to obtain an IP) and 840 for television.
On port 2, I send the vlan 832 (with option 90, 119, 120, 125 by DHCP server) and 840 on the WAN port on the operator router.
I retrieve the LAN from the operator router (by disabling the DHCP server to use the pfsense DHCP server) to send it to the pfsense LAN ports (on the Stormshield SN300).
I created a network for myself a DMZ.
There will be NAT on port 1
-
Hmm, OK. Seems complex! I would start simple first.
You were able to connect over VLAN100 to pfSense?
Steve
-
This is why I would have liked to have the Stormshield ports directly seen by pfsense. From what I understand, there is a lack of driver and the driver does not exist.
Yes, I access the pfsense web interface via the vlan 100.
-
It's not so much a lack of a driver as a system design issue. The ports are not connected individually to pfSense, you have to use the switch.
However that may actually be an advantage for what you're doing. Otherwise you'd have to bridge some of the interfaces to get the pass-through to the ISP router.Steve
-
All right,
I will also change the WAN port on em0.832 which will be the final wan port to lie on the em0.100
-
I defined the LAN and WAN interfaces using the interfaces with the vlans
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/: exit exit pfSense - Serial: 1530B00379 - Netgate Device ID: 06645fdd1d35deecde91 *** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on pfsense-SN300A *** WAN (wan) -> em0.832 -> LAN (lan) -> em0.100 -> v4: 192.168.1.252/24 DMZ (opt1) -> em0.101 -> v4: 192.168.2.254/24 VLAN_TV (opt2) -> em0.840 ->I found that : http://asmodeus.com.ua/library/os/freebsd/freebsd_interface_em.html
I get stuck at the stage
Собираем это дело: makewith the error
[2.4.5-RELEASE][admin@pfsense-SN300A.home]/root/em-6.9.20/src: make make: "/usr/share/mk/bsd.kmod.mk" line 12: Unable to locate the kernel source tree. Set SYSDIR to override. -
There are no build tools in pfSense, you cannot run 'make'.
But why are you trying to build em? The driver is already loaded.
Those instructions are for an ancient version of FreeBSD anyway.
Steve
-
S stephenw10 referenced this topic on