Share traffic between VLAN's
-
I have WAN (em0) & LAN (em1) on pfsense interface, I have created 3 other VLAN's (VLAN10=Design, VLAN20=Storage & VLAN30=Science = em1) on interface. I have configured firewall rules for these VLAN's.
Now its time to configure switch to listen from these VLANS.
VLAN10Design -> 192.168.61.1/24
VLAN20Storage -> 192.168.62.1/24
VLAN30Science -> 192.168.63.1/24I have uploaded a diagram of how network should be on OneDrive (click link below):
https://1drv.ms/i/s!AiHjDUeliQr4gmAcwtQ35_9bvBHXTo configure switch this is what I did:
MainSwitch# conf t MainSwitch(Config)#vlan 10 name Design MainSwitch(Config)#exit _Setup trunk port: MainSwitch(config)#interface fa 0/0 MainSwitch(config-if)#Switchport trunk MainSwitch(config-if)#Switchport trunk allowed vlan all MainSwitch(config)#interface fa 1/0 MainSwitch(config-if)#Switchport mode access vlan 10 MainSwitch(config-if)#Switchport mode access vlan 20 MainSwitch(config)#interface fa 1/1 MainSwitch(config-if)#Switchport mode access vlan 20 MainSwitch(config)#interface fa 1/2 MainSwitch(config-if)#Switchport mode access vlan 30_ ``` _I still have basic understanding of pfsense so correct me if I am doing anything wrong, below are my simple questions. Questions: 1\. am I missing anything on switch config? 2\. I have created f0/0 as a trunk port, means will I be able to share traffic from VLAN10 (f1/0) and VLAN20 (f1/1) - (I want VLAN10 to have access to VLAN20). In future I may want to give VLAN30 an access to VLAN20 too. 3\. I have first configured pfsense with specific VLAN and firewall rules then I have configured switch, here I don't see me linking both settings, am I doing anythings wrong? Its just that I don't want to do this in production without knowing that I be successful._ -
MainSwitch(config)#interface fa 1/0
MainSwitch(config-if)#Switchport mode access vlan 10
MainSwitch(config-if)#Switchport mode access vlan 20Yeah that would not work.. Your access ports can only be in 1 vlan. For device in vlan 10 to access device in say vlan 20 traffic would be routed through pfsense, and allow or not allowed based up on the firewall rules in pfsense.
-
Thanks for that info.
Ok so I have assigned each part to a VLAN. Next task is to configure pfsense firewall so that it can allow specific VLAN to talk to another VLAN.
PfSense -> firewall Rules -> select specific VLAN = here I have implemented two rules that will allow ipv4 and ipv6 traffic by clicking plus button -> selected IPv4 on tcp/IP and protocol I selected 'any', rest of the settings I kept default. This is the only rule I have in firewall.
Is it possible to know what settings I have to implement under firewall rule section (how do i allow VLAN traffic to pass here)?
under source and destination i do see type and does give me option to select other VLAN's is thats how its done?just to let you know my pfsense version is:
Pfsense version I have is: 2.1.5 -
"Pfsense version I have is: 2.1.5"
Why??? That version is no longer supported.. Why would you be running it?
You create the rules on your vlan interfaces to allow or block the traffic you want. If you created any any rules, then traffic from say vlan 10 would be able to go anywhere be it internet or vlan 10 or vlan 30, etc.
Post up your rules via screenshot if you want to discuss if they are correct or not. But don't understand why you would want to run a version that is not support. Current is 2.3.2_p1 which is what I suggest you run.. 2.2.6 would be the previous release.. 2.1.5 is over 2 years old..
-
So:
https://drive.google.com/file/d/0B7n2Bpx-GxmHTlNEZFJIZkVTMFU/view?usp=sharing
this is the only rule I have. If I click edit this is what I have:
https://drive.google.com/file/d/0B7n2Bpx-GxmHdkVjWVRXYU5TdEE/view?usp=sharingI want DesignVLAN to communicate with EngVLAN
There is a option here but not sure if I selected correctly:
https://drive.google.com/file/d/0B7n2Bpx-GxmHODlFb3BWcWxmQk0/view?usp=sharingThe reason for old version is the I just purchased this. I will be upgrading the version (can this damage anything because there is already preconfigured settings? )
-
where are you selecting that option. What interface.. But that rule would only allow the SOURCE eng vlan network to talk to the engvlan address.. That rule would be completely pointless and useless on the design vlan..
Rules are evaluated the interface that pfsense would first see the traffic..
If you want design to talk to engvlan then on the design interface you would place rules to allow desvlan as source to talk to engvlan network.. Or you could get more specific, etc.
When pfsense first sees traffic INTO an interface. It looks at the rules top down, first rule to fire wins - no other rules are looked at.
So you bought some appliance off ebay or something that had 2.1.5 on it?? Yes normally can upgrade from version to version without any issues and sure all your settings should move forward. You should go over the updrade docs though. I don't know all the settings you have created. And jumping from 2.1 to 2.3 might??? Have issues? As failsafe just grab copy of the 2.1.5 install. And make sure you have a backup of your config. This way worse case you can get back to where you are now, etc..
Doesn't sound like you have too much config as of yet. I would just go to 2.3.2p1 and worse case do a from scratch config… To be honest that would of been the first thing I would of done before putting it to any use at all.
-
Thanks for that information - Learnt a lot they!
One thing I don't understand is:
VLAN in Pfsense, how is it linked with VLAN in switch so in switch I will create 3VLANS(eng, design & storage). I will do the same thing in Pfsense so the rules in pfsenese how is it linked with switch? how does switch knows design VLAN should follow design VLAN rules in pfsense? -
What does the switch care about rules in pfsense?? Switch is just layer 2, it sees packets come in 1 interface and based upon the dest mac, or broadcast sends it out other interfaces.. Are you going to use this switch as a router in layer 3 mode??
So there is few different ways you match up your vlans you create in your switch to the vlans you create on pfsense so that your packets go where you want them to go.. So your sending in all your vlans into pfsense via only 1 interface em1 (lan)… So you need to create your vlans in pfsense to match up with the vlan ID, which you have as 10,20,30..
So these vlans are all in addition to your normal LAN? Or do you also have LAN native on the interface and then these 3 vlans are on top of that? So for example maybe that is just going to use the default vlan 1 on your switch??
So you really have
lan (em1) (vlan 1) but not tagged this is just native vlan
VLAN10Design (em1 vlan id 10)
VLAN20Storage (em1 vlan id 20)
VLAN30Science (em1 vlan id 30)So for example here is my vlans.. They all sit on my em2 interface, and their tags match up with the tags in my switch.. But there is also a network that runs native without any tagging that is em2 (wlan) pfsense doesn't care about this tag. But in my switch this vlan has tag of 20..
So you can tag all your traffic to pfsense and let it determine what traffic is in what network. Or you can use native without any tagging and just create a new layer 2 network in your switch and pfsense doesn't know what this tag is. Or you can do a combination where there is a untagged network on your parent interface, but there are also vlans on top of that with tags..
