Multiple VLANS with multiple DHCP scopes



  • Hi All,

    I am new to PFSense and these forums.

    I am currently trying to implement the following on my network at work:

    I need 3 separate VLANs running, each with their own DHCP scope:

    1 x Office Network (Wifi AP - Unifi AP LR)
    1 x Guest Network (Wifi AP - Unifi AP LR)
    1 x Labs Network (Switch L2)

    All this traffic runs through a Dell X1026 Managed switch.

    Our PFSense is a 2.3.1 VM running on ESXi platform.

    What I have done:

    I have configured the following VLANs on the switch:

    Vlan 2 - Guest network - this AP's port on the Dell switch is set to general (untagged) as it actually runs 2 wifi networks (Office and Guest), so I tag the VLAN traffic on the AP for Vlan 1 (Office) and Vlan 2 (Guest)
    Vlan 10 - Labs Network
    Vlan 1 - Default, being used for office network.
    Trunk port has been configured on the port that connects to PFSense

    I have configured the following on the PFSense VM:

    Vlan1 Default - Office - this is on LAN interface - has its own dhcp scope of the officemain network.
    Vlan 2 - Guest - Assigned it an interface and its desired dhcp scope
    Vlan 10 - Labs - Assigned its interface and desired dhcp scope

    Firewall
    I have created an ANY ANY rule for testing, for each Vlan

    If I plug into my LABS network, I am not getting an IP, similarly for the AP traffic on Guest VLAN. My main office network works fine, has internet access etc, but none of the other networks are working as intended.

    Question:

    1. Does each configured VLAN and DHCP scope need its own virtual gateway, and do I need to configure any special NAT / bridge rules etc. to get the VLAN traffic out of my gateway to access the internet?
    2. What am I missing?



  • 1. no, no special nat/bridging is required, this is handled automagically
    2. you might be missing a valid vlan configuration on your switches or esxi.



  • Hi Heper,

    Thanks for the reply.

    So if I configured the VLANs on the vSwitch to 4095 for ESXi, should I not configure the interfaces for VLANs on PFsense?

    Currently I have an interface assigned to the Labs VLAN… should I remove this and just leave it on the default local LAN interface as it was before?

    Thanks



  • Ok… just as an update:

    I have enabled VLAN 4095 on the vSwitch in the ESXi network configuration, and am still unable to get DHCP on the LABS network :(

    Also, on the Dell switch, the port that goes to the switch in the labs is configured as an access VLAN port and set to Vlan 10... not sure if this needs to be changed. That network should only ever get an IP from the range I set for the DHCP scope for the Labs VLAN.

    So on PFSense:

    LAN - 192.168.1.0/24 scope is set - this works fine (default VLAN); gateway IP is 192.168.1.1 (default gateway for our network)
    Labs - 192.168.2.0/24 scope is set (Vlan 10); the default / static gateway IP is set to 192.168.2.1

    Does PFSense automatically route traffic between the "gateways" of the different VLANs to the main gateway?



  • Please draw a schematic that includes port config on the managed switches


  • What are your interface assignments in pfSense?

    If you send VLAN 4095 to an interface on a VM, VLAN traffic will arrive at the VM tagged so you need to create the VLANs on the virtual interface and assign the VLAN interface to Labs.
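
    The point made in the reply above (a port group on VLAN 4095 passes 802.1Q tags through to the VM, so pfSense needs a VLAN interface on that virtual NIC; a port group on a specific VLAN strips the tag instead) is easy to get wrong, and it is exactly what broke DHCP on the Labs network earlier in this thread. The following Python is an added example written for this edit; it is not code from the thread, from pfSense, or from Dell or VMware. It models each hop between a client port and the pfSense interface and reports the first hop that drops or strips the tag, and it sanity-checks each VLAN's DHCP scope against its subnet and gateway. The Office (192.168.1.0/24) and Labs (192.168.2.0/24) subnets and gateways are the ones the poster gave; the Guest subnet, the DHCP pool ranges, the trunk's allowed-VLAN list and the hop names are constructed for the example.

    ```python
    """Trace whether a VLAN's frames survive every hop between a client port and the
    pfSense interface, and sanity-check each VLAN's DHCP scope.

    Constructed example modelled on the forum thread; not pfSense, Dell or ESXi code."""
    import ipaddress
    from dataclasses import dataclass


    @dataclass
    class Vlan:
        vid: int
        name: str
        subnet: str       # e.g. "192.168.2.0/24"
        gateway: str      # pfSense interface address, handed out as the DHCP router
        dhcp_start: str
        dhcp_end: str


    def scope_problems(v):
        """Return a list of problems with one VLAN's addressing and DHCP pool."""
        net = ipaddress.ip_network(v.subnet, strict=True)
        gw = ipaddress.ip_address(v.gateway)
        lo, hi = ipaddress.ip_address(v.dhcp_start), ipaddress.ip_address(v.dhcp_end)
        problems = []
        if gw not in net:
            problems.append(f"gateway {gw} not in {net}")
        if lo not in net or hi not in net:
            problems.append(f"DHCP range {lo}-{hi} not inside {net}")
        if lo > hi:
            problems.append("DHCP start is after DHCP end")
        if lo <= gw <= hi:
            problems.append(f"gateway {gw} lies inside the DHCP pool")
        return problems


    def overlapping_subnets(vlans):
        """Pairs of VLAN ids whose subnets overlap; each VLAN needs its own subnet."""
        nets = [(v.vid, ipaddress.ip_network(v.subnet)) for v in vlans]
        return [(a, b) for i, (a, na) in enumerate(nets)
                for b, nb in nets[i + 1:] if na.overlaps(nb)]


    @dataclass
    class Hop:
        name: str
        kind: str                       # "access", "trunk", "portgroup", "vlan_if", "parent_if"
        vlans: frozenset = frozenset()  # VLANs carried by a trunk
        vid: int = 0                    # access VLAN, ESXi port group VLAN ID, or pfSense VLAN tag


    def trace(vid, hops):
        """Walk a frame from VLAN `vid` through `hops`; return (ok, failing hop or None).

        access:    client-facing port; the frame joins the port's VLAN on the way to the trunk
        trunk:     802.1Q trunk forwarding only the VLANs in `vlans`
        portgroup: ESXi port group; 4095 (VGT) passes tags to the VM, 0 (EST) accepts
                   untagged frames only, any other ID (VST) strips a matching tag
        vlan_if:   pfSense VLAN interface expecting tag `vid` on its parent NIC
        parent_if: pfSense plain interface, which only sees untagged frames"""
        tag = None                                   # current 802.1Q tag (None = untagged)
        for hop in hops:
            if hop.kind == "access":
                if hop.vid != vid:
                    return False, hop.name           # port is in the wrong VLAN
                tag = vid
            elif hop.kind == "trunk":
                if tag not in hop.vlans:
                    return False, hop.name           # VLAN not allowed on the trunk
            elif hop.kind == "portgroup":
                if hop.vid == 4095:
                    pass                             # VGT: tag passes through untouched
                elif tag is None and hop.vid == 0:
                    pass                             # EST: untagged traffic only
                elif tag == hop.vid:
                    tag = None                       # VST: ESXi strips the matching tag
                else:
                    return False, hop.name           # tagged frame dropped by the vSwitch
            elif hop.kind == "vlan_if":
                if tag != hop.vid:
                    return False, hop.name           # pfSense VLAN interface never sees it
            elif hop.kind == "parent_if":
                if tag is not None:
                    return False, hop.name           # tagged frame on a non-VLAN interface
            else:
                raise ValueError(f"unknown hop kind {hop.kind!r}")
        return True, None


    # Constructed data: Office and Labs subnets/gateways are from the thread, the rest is made up.
    VLANS = [
        Vlan(1, "office", "192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.200"),
        Vlan(2, "guest", "192.168.3.0/24", "192.168.3.1", "192.168.3.100", "192.168.3.200"),
        Vlan(10, "labs", "192.168.2.0/24", "192.168.2.1", "192.168.2.100", "192.168.2.200"),
    ]

    LABS_ACCESS = Hop("Dell port to lab switch", "access", vid=10)
    DELL_TRUNK = Hop("Dell X1026 trunk to ESXi", "trunk", frozenset({1, 2, 10}))
    PFSENSE_VLAN10 = Hop("pfSense VLAN 10 interface", "vlan_if", vid=10)


    def labs_path(portgroup_vid):
        """The Labs path from the thread, parameterised on the ESXi port group VLAN ID."""
        return [LABS_ACCESS, DELL_TRUNK, Hop("ESXi port group", "portgroup", vid=portgroup_vid),
                PFSENSE_VLAN10]


    if __name__ == "__main__":
        for v in VLANS:
            print(f"VLAN {v.vid} ({v.name}): {scope_problems(v) or 'scope OK'}")
        print("overlapping subnets:", overlapping_subnets(VLANS))
        for pg in (0, 10, 4095):
            print(f"ESXi port group VLAN {pg}:", trace(10, labs_path(pg)))
    ```

    Running it shows the three outcomes the thread went through: with the port group left at VLAN 0 the tagged Labs frames die at the vSwitch (no DHCP, as reported), with the port group set to VLAN 10 the tag is stripped and the pfSense VLAN 10 interface never matches, and only VLAN 4095 together with a pfSense VLAN interface on that virtual NIC carries the frame end to end.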



  • Hi All,

    I got this working now as I originally wanted:

    3 subnets with 3 DHCP scopes, and the Unifi APs are working as well! Thanks!

    I had completely forgotten about the VLAN configuration needed for the ESXi vSwitches.

    Thanks Heper!



    I need 3 separate VLANs running, each with their own DHCP scope

    1 x Office Network (Wifi AP - Unifi AP LR)
    1 x Guest Network (Wifi AP - Unifi AP LR)
    1 x Labs Network (Switch L2)

    If these APs offer multi-SSID support, I would set them up as follows:
    VLAN1 - default VLAN for admin; all devices are inside
    VLAN10 - SSID "office" (internal) - 192.168.2.0/24 (255.255.255.0)
    RADIUS server and client isolation are on
    VLAN20 - SSID "guests" (external) - 192.168.3.0/24
    Captive portal with vouchers; client isolation is on
    VLAN30 - SSID "testlab" (internal, for doing tests only) - 192.168.4.0/24
    RADIUS server with another user group, or free and open, or whatever you wish to do
    And this might be set up on all three WiFi APs, if they offer multi-SSID support.

    1 x Labs Network (Switch L2)

    If this is not also WiFi based, you could also set up:
    VLAN1 - default VLAN for admin; all devices are inside
    VLAN10 - SSID "office" (internal) - 192.168.2.0/24 (255.255.255.0)
    RADIUS server and client isolation are on
    VLAN20 - SSID "guests" (external) - 192.168.3.0/24
    Captive portal with vouchers; client isolation is on
    VLAN30 - "testlab" (internal, for doing tests only) - 192.168.4.0/24
    LDAP or OpenLDAP server, or free and open, or whatever you wish to do
    And this might be set up on all three WiFi APs, if they offer multi-SSID support
    and the test lab is cable or wire based.

    All this traffic runs through a Dell X1026 Managed switch.

    This is a managed Layer 2+ switch, and therefore I would let the pfSense box handle
    and route the VLANs and manage the security options.