Folks I need Help!
-
Vlan is kill me :(…I have a pfsense with two nics (intel) and the lan port connected to a Cisco 3750 switch. I have watched videos, read docs and google search.
I cannot get vlan to work. I create the vlan on pfsense, add DHCP, firewall rule to allow any access. I then create vlan on the switch and assign ports and make them access ports.
Then create trunk port and make it 802.1Q. Then add the vlan allowed and add the vlans to it. I'm not a Cisco guy, first time touching this router so newbie.
From Cisco CLI and my desktop connected to default vlan 1 I can ping all vlans but if I plug my laptop in the one of the vlan ports I can't get an ip or network access to anything.
This is driving me mad because I know this is possible.
Please Help!!! -
And what ID did you give the vlan? Did you create rules on the vlan? What IP range are you using for the vlan?
What is the config of your cisco port connected to the pfsense lan interface? What is the config on the port connected to another device that you want in the vlan?
In a nutshell lets call the vlan 100, this will be the vlan ID.
So your lan network lets say is 192.168.0.0/24 with pfsense having 192.168.0.1
Your vlan interface lets make it 192.168.1.0/24 with pfsense having 192.168.1.1 on this vlan.On your switch your port connected would be trunk. You would allow 100, I am assuming your default vlan is 1 which would be auto allowed and not tagged.
On your ports your connecting to device would be access and you would allow vlan 100 for those devices, and vlan 1 for devices in your lan.
Post up your show run from your cisco.
access port vlan 1
interface gigabitethernet1
switchport mode accesstrunked port
interface gigabitethernet3
switchport trunk allowed vlan add 100access port other vlan
interface gigabitethernet10
switchport mode access
switchport access vlan 100Also you need to make sure the vlans have been created, do a show vlan
-
….Cisco 3750 switch......
If this is a Layer3 Switch he is able to route the VLANs by it self and not by the pfSense!!!!
So you must decide you who and where is routing now the VLANs and is playing the role of DHCP server too!
The pfSense or the Layer3 Switch. -
Right now the pfsense is doing all the routing…dont know how to do it in the switch.
But can't get it to work. -
And what ID did you give the vlan? Did you create rules on the vlan? What IP range are you using for the vlan?
What is the config of your cisco port connected to the pfsense lan interface? What is the config on the port connected to another device that you want in the vlan?
In a nutshell lets call the vlan 100, this will be the vlan ID.
So your lan network lets say is 192.168.0.0/24 with pfsense having 192.168.0.1
Your vlan interface lets make it 192.168.1.0/24 with pfsense having 192.168.1.1 on this vlan.On your switch your port connected would be trunk. You would allow 100, I am assuming your default vlan is 1 which would be auto allowed and not tagged.
On your ports your connecting to device would be access and you would allow vlan 100 for those devices, and vlan 1 for devices in your lan.
Post up your show run from your cisco.
access port vlan 1
interface gigabitethernet1
switchport mode accesstrunked port
interface gigabitethernet3
switchport trunk allowed vlan add 100access port other vlan
interface gigabitethernet10
switchport mode access
switchport access vlan 100Also you need to make sure the vlans have been created, do a show vlan
Tried what you said but still not working…this is driving me mad.
Here is my show run
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1001-1005
switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
switchport access vlan 100
switchport mode accessAlso didn't understand this part of your post... do I need to make access port vlan 1?
Thanks
-
If you want a device in vlan 1 you would need to make a switch port in that vlan yes. Unless your going to not use vlan 1? Is quite common in the enterprise not to use the default vlan one. You would change the management vlan to something else. And not use it.. This is in the enterprise!! In a home setup, its fine to use vlan 1.. I use it in my home setup.. I am not worried about someone plugging into a switch port that has not been configured and sitting in vlan 1 and that user getting access they shouldn't ;)
So I don't see anything wrong with that. Did you run the sho vlan command?
its quite possible your vlans have not actually been created on the switch.. Do you see them listed in your run, when you do show run?
So lets see your vlan config on pfsense. Rules on your vlan, your dhcp server enabled on the vlan, etc.
Just because you tell a trunk port to allow vlan X, doesn't mean vlan X actuallay exist in the switches database - if it doesn't then its not going to work.. Post the output of show vlan on your switch.
Are you using vlans 1001-1005 ? Out of the box vlans 1 through 1005 would be allowed on a trunk port. No real reason to call out specifics.. Like that to be honest..
The 1 thing when you set to dot1q, its quite possible your tagging vlan 1? Which if you don't have setup in pfsense then that vlan would not work.. I would put a switch port in just vlan 1, ie just switchport mode access.. Does that work?? If vlan 1 is not working then remove the dot1q statement. And vlan 1 from your trunk allow.. Off the top vlan 1 is the default vlan and would be untagged and on the trunk. Your other vlans you add would be tagged by default and you wouldn't need that dot1q statement..We don't use vlan 1 at work, so been awhile since I played with how it functions with that statement. I use it here on my home network, but its used on a interface that has no vlans on it. I do tag it up trunk uplink to another switch, etc. And use it on some ports in my switch.. But I run two uplinks to pfsense.. 1 is my native lan network, and then another uplink is for another network and my vlans..
-
I've checked the logs on the pfsense firewall and this is what I get…I'm starting to believe the switch settings are good.
/status_services.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1 em1_vlan100' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 29 leases to leases file. Listening on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Sending on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Listening on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Sending on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp ser
-
pfsense vlan settings
-
Yeah that looks fine.. Is that the only rule you have on the wifi vlan?
So your saying your devices on this vlan 100 are not getting an IP from pfsense?
Then yeah you have a problem with the switch config, or connectivity. So is your lan, or vlan 1 working?? How are you accessing the pfsense gui?
-
Yeah that looks fine.. Is that the only rule you have on the wifi vlan?
So your saying your devices on this vlan 100 are not getting an IP from pfsense?
Then yeah you have a problem with the switch config, or connectivity. So is your lan, or vlan 1 working?? How are you accessing the pfsense gui?
Lan is working fine on vlan 1…I have one vlan for now until I can get it working, vlan 100 wifi.
If I plug into any ports on the switch it all works except for port 10 connected to vlan 100.
On vlan 1 I have no problems getting ip from dhcp 192.168.1.x
On vlan 100 I cannot get an ip from dhcp 192.168.2.x -
so going to ask for the 3 times..
did you run the command show vlan on your switch??
-
Sorry yes I did…see below
VLAN Name Status Ports
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/11
Gi1/0/12, Gi1/0/13, Gi1/0/14
Gi1/0/15, Gi1/0/16, Gi1/0/17
Gi1/0/18, Gi1/0/19, Gi1/0/20
Gi1/0/21, Gi1/0/22, Gi1/0/23
Gi1/0/24, Gi1/0/25, Gi1/0/26
Gi1/0/27, Gi1/0/28
100 Wifi active Gi1/0/10
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsupVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
1 enet 100001 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0 -
Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?
-
Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?
Yes…do I need more ports?
I did try that and it didn't work -
You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?
-
You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?
Sorry really green at this…vlan 100 to tagged to port 10 and port that connects to pfsense is port 3.
If you can help me with the commands I would appreciate it, see below, show run command...thxinterface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1001-1005
switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
switchport access vlan 100
switchport mode access -
ok so port 10 is in vlan 100
Can you do a show interfaces trunk
Or how about
sho int switchport G1/0/3That is the port you have in trunk mode to pfsense right..
I would remove this from your port 3
switchport trunk encapsulation dot1qconf t
int gi1/0/3
no switchport trunk encapsulation dot1qThen show the commands of the ones I gave above.
Then once you have a device that you connect to on port 10, we can worry about connecting a AP on another trunk port that does vlans, etc.
-
I wouldn't have a clue about commands, my switch has a Web GUI 8)
But if pfSense is on port 3 then that also needs tagged to VLAN100
-
ok so port 10 is in vlan 100
Can you do a show interfaces trunk
Or how about
sho int switchport G1/0/3That is the port you have in trunk mode to pfsense right..SW#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/3 on 802.1q trunking 1Port Vlans allowed on trunk
Gi1/0/3 1,100,1001-1005Port Vlans allowed and active in management domain
Gi1/0/3 1,100Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/3 1,100Yes port 3 is trunk…see below
-
We already went over what needs to be tagged where.. Yes completely agree with you
Port to pfsense needs vlan 100 tagged.. And then any uplinks to any AP that would be doing vlan 100 on SSID also tagged, etc.
But he can not seem to get vlan 100 to work..
