PfSense with VLAN's - it looks right, but maybe I don't understand it?



  • I'm setting up an entirely new network for the small private school I work at.  I've bought a couple of TP-Link "Easy Smart" switches, and this Zotac Mini PC to serve as the pfSense box:  https://smile.amazon.com/gp/product/B0179S50UU/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

    I have this all put together in my living room at the moment to configure it and test it before I take it up to the school and start installing everything.  So, I installed pfSense, configured my switches, plugged in one of our school's Access Points (an Aerohive AP120), and even plugged in my VOIP phone.  Everything worked out of the box, even the phone!  I was pleasantly suprised at that - I was expecting to struggle with the phone, at least.

    Anyway, I have the switches configured for two VLAN's:

    "10" for Faculty/Staff
    "20" for Students

    I want to run VLAN 10 as un-filtered, and able to access anything on the network.

    I want to run VLAN 20 as filtered (by squidguard on the pfSense box), and unable to access anything else on the network except for Internet access.

    Here's how I have my switches configured:

    Right now I've only got the "Main Campus", "Server Room", and "Library" switches connected for testing.

    I followed the instructions on this page to set up the VLAN's:  https://www.iceflatline.com/2013/09/how-to-create-and-configure-vlans-in-pfsense/

    It seemed pretty straight forward, and everything went smoothly.  However, when I plug into a port on the Library switch that is set up for VLAN 20, I don't get an IP address in the range assigned to VLAN 20 (192.168.20.x).  I just get a normal 192.168.0.x IP address.

    And if I plug directly into a port on the Main Campus switch that is set up to be on VLAN 10, I still get a 192.168.0.x IP address.  AND, I can't see any other machines on the network.  For instance, I've got my home NAS box plugged into the Main Campus switch, on a VLAN 10 port with an ip address of 192.168.0.x, and I can't ping it at all.  I can get to the internet just fine, and both machines can see the pfSense box, just nothing else.

    Here's how I have the ports configured on the Main Campus switch:

    PVID's:

    Here are the Interfaces in pfSense:

    And here are the firewall rules for the two VLAN's:

    And here are the DHCP settings for the default LAN and the two VLAN's:

    Can anyone tell me what I'm doing wrong?  I'm assuming that when I plug into a VLAN port, I really do need an IP address that's assigned to that VLAN. I haven't even started on the squidguard setup yet, as I feel like I need to get this all straight first, so I'm kind of stuck.  I'm going through every post I can find on here about VLAN's, but I don't see anything that sticks out that I'm doing wrong yet.  Any ideas?

    NOTE: If the images aren't working here's the entire album:

    http://imgur.com/a/UE2ZA



  • you are untagging both vlan1 & vlan10/20 on the same ports …. untagging multiple vlans on the same port is generally not a good idea.

    also be sure your pvids are correct



  • I was going by these instructions from TP-Link:  http://www.tp-link.com/en/faq-788.html

    In their example, port 9 on their switch goes to the router, and it should be untagged in all VLAN's.  In my configuration, that's port 1 on the Main Campus switch.

    I thought that only ports that are going to other smart switches (trunk ports) are supposed to be tagged.  Is that right?

    They don't really explain PVID's for every port in those instructions - what should they be?



  • On TP-Link switches, here's how you do it, for the port connecting to pfSense and to ports connecting switches to each other:

    • VLAN1 untagged, port PVID = 1
    • VLAN10 tagged
    • VLAN20 tagged

    You can use VLAN1 to manage the switches and access pfSense's nic untagged LAN. Other two VLANs will work as expected.

    The ports connecting computers to VLAN10, you set VLAN10 untagged, and port PVID = 10.
    The ports connecting computers to VLAN20, you set VLAN20 untagged, and port PVID = 20.
    All other VLAN membership you should remove from these ports. Note that by default VLAN1 is assigned to all the ports in the factory default configuration, you sould make sure to check that a port which connects to a client computer should be set to a single desired VLAN untagged, and should have its PVID set to the same as the untagged VLAN number.



  • PVID has a meaning only when untagged VLANs are in the picture. The thing is: PVID refers to what tag should have the packets after they entered the switch's memory. TAG refers to what tag should have the packets leaving the switch through that port. If you set a port to untagged to a specific VLAN that refers only to outgoing traffic. That's not enough, you still have to set PVID also for that port, so the switch to know untagged packets coming in, which VLAN they belong to.

    Once you learn and understand this, managing these switches will be very simple!



  • Ah, it was that one port that was the problem.  Once I switched port 1 on the Main Campus switch to be tagged for both VLAN's 10 and 20, it started working!

    Here's the current setup:

    So now I am getting the correct IP range when I connect devices to either a Faculty or a Student port.  Thanks for setting me straight on that!

    One thing that seems to not be working now - I'm on VLAN 10, but I can't access my NAS (192.168.0.199), but I CAN access the switch's admin page (192.168.0.90).  I would have thought that with my Firewall rules set for VLAN 10(see below) that I should be able to access anything on my subnet (192.168.10.x) or the default (192.168.0.x).  Is that not how that works?



  • @MisterVance:

    Here's the current setup:

    My advice would be to also remove VLAN 1 from ports 6-24 - to avoid future problems. My 2 cents for that.

    @MisterVance:

    One thing that seems to not be working now - I'm on VLAN 10, but I can't access my NAS (192.168.0.199), but I CAN access the switch's admin page (192.168.0.90).  I would have thought that with my Firewall rules set for VLAN 10(see below) that I should be able to access anything on my subnet (192.168.10.x) or the default (192.168.0.x).  Is that not how that works?

    Is the default gateway address (192.168.0.1) set properly in your NAS's network settings? Also double check that the NAS is plugged into a port that has VLAN 1 untagged and PVID set to 1 (and no other VLANs present on it)



  • @robi:

    My advice would be to also remove VLAN 1 from ports 6-24 - to avoid future problems. My 2 cents for that.

    I don't think I can remove the Default VLAN 1 from those ports.  The utility won't let me.  Yep, just confirmed.  VLAN 1 can't be altered on these switches.

    @robi:

    Is the default gateway address (192.168.0.1) set properly in your NAS's network settings? Also double check that the NAS is plugged into a port that has VLAN 1 untagged and PVID set to 1 (and no other VLANs present on it)

    Actually, since it's my home network, I just changed the NAS IP address to 192.168.10.199 so that I could access it.  I'm wondering if I should change my switches over to the 192.168.10.x subnet as well so that I can access them?  On the two bigger switches (Main Office and Server Room), they have web interfaces I can access while I'm on VLAN 10.  But all the rest of the switches, I have to use their configuration utility, and it doesn't look on other subnets.  Would that cause any problems?



  • @MisterVance:

    Actually, since it's my home network, I just changed the NAS IP address to 192.168.10.199 so that I could access it.  I'm wondering if I should change my switches over to the 192.168.10.x subnet as well so that I can access them?  On the two bigger switches (Main Office and Server Room), they have web interfaces I can access while I'm on VLAN 10.  But all the rest of the switches, I have to use their configuration utility, and it doesn't look on other subnets.  Would that cause any problems?

    VLAN1 is just like any VLAN. You can keep it as well, just don't forget to properly cofigure the LAN interface to properly handle traffic with rules etc.



  • What's the purpose of keeping the untagged VLAN1 and the corresponding "LAN" interface on the pfSense? I can't find it anywhere in the OP's description. I'd get rid of it, personally.

    You need two separate logical networks - Staff (VLAN 10, unrestricted) and Students (VLAN 20, restrictive firewall/proxy).
    That's two VLAN interfaces on the pfSense and a trunk port between it and the main switch. Then other trunks between the main and all other managed switches. All other ports designated for users should be access ports (untagged egress traffic) belonging to any of those two VLANs.
    If you want to have a separate management or server network, just create third VLAN and use it for that the same way as those two. With these switches you should be able to set up some nice stuff, like MAC VLANs so that you can connect your laptop into any port on any switch and always be connected into your management network with its IP adresses and firewall rules.

    Mixing tagged and untagged traffic together on the same port should be avoided. It can work and I've done that a few times too, but it's ugly nonetheless.

    @MisterVance:

    But all the rest of the switches, I have to use their configuration utility, and it doesn't look on other subnets.  Would that cause any problems?

    They might need direct L2 connectivity between the switches, so they can't talk across different VLANs. I admit I'm guessing here, because I have got only the fully managed higher-end TP-Links (yes, I know, sounds funny) here so no config utility, just the web and command line. Anyway, in that case it would be one more reason to set up a management VLAN where all the management stuff (and your PC) would be accessible together, on the same broadcast domain.