Single Port VLAN/Switch Config Questions
-
Hey y'all! I'm starting to get a handle on pfSense, and wanted to outline some of the issues I've been running into over the past several days.
Hardware and Physical Configuration:
[Wall Ethernet (ISP)] ---- [Modem (ZyXEL C1100Z, 192.168.0.1)] ---- [Switch (TPLink TL-SG108E, 192.168.0.2)] ---- [LAN (192.168.0.0)]
                                                                                      |
                                                                             [Laptop (pfSense)]

Now, pretty clearly I've only got one physical switch on the laptop running pfSense, so I'm working with VLANs right out of the gate.
The VLAN configuration options of my switch are a little limited, but here's what I've got:
Port 3 is pfSense
Port 8 is the modem
All the remaining ports (1,2,4-7) are LAN connections to a NAS and other computers.
VLAN_1 (default): 1-8, untagged (I can't remove this even if I wanted to, it's just stuck there if I enable 802.1Q)
VLAN_2 (WAN): 3 & 8. 3 is tagged, while 8 is untagged. From what I've read about here: https://forum.pfsense.org/index.php?topic=28379.0 this is what I want to do.
VLAN_3 (LAN): 1-7. 3 is again tagged, while the rest are not.
Now, the PVID settings I have on the switch give me some pause: I can only set one PVID per port, even if the port is used in more than one VLAN. Clearly, port 3 (pfSense) is a member of both the WAN and LAN VLANs, so I'm under the impression that it needs to be configured with a PVID of both 2 and 3, in order to properly pass frames between the different ports. Also, I've tried setting the untagged modem port (8) to a PVID of 2, since it's on VLAN_2. I believe this is correct?
Furthermore, I've configured all the LAN ports (1,2,4-7), to a PVID of 3 (their VLAN number), so that they can pass tagged frames to pfSense, port 3 on VLAN_3, but that hasn't done much.
If I'm wrong here, I would love to be corrected!
On pfSense itself, I've tried just about every configuration under the sun I can think of. Using only the physical shell (typing into the laptop, rather than using the WebGUI, you'll see why), I've set up two VLANs on the ethernet adapter (called alc0): alc0_vlan2, for the WAN, and alc0_vlan3, for the LAN.
From the reading I've done, it seems that I want my WAN VLAN to be set up to run the WAN (so alc0_vlan2), and my LAN VLAN should be running the LAN (alc0_vlan3). Duh, right? But this is where I start to stumble, and because there are so many variables to change I'm not entirely sure how to start flipping switches, basically (though to be sure, I've been trying).
When the WAN and LAN are configured to run on the VLAN interfaces, and my modem is put into bridge mode, I have no internet access and no WebGUI access. Neither interface generates an IP address, and even if I try to configure them manually (static for LAN, static and DHCP for WAN) I get nothing. Making this a little more complicated, I have the option to switch the VLAN ID of the modem, while in bridge mode, between untagged, VLAN-0, and VLAN-201. I've tried all three, and found that generally keeping it on the default, VLAN-201, seems to work best. There's no internet access either way, but things have gotten even more broken if I try to do anything while the VLAN ID of the modem isn't 201. If anyone can tell me more about what this means, or why it has these labels, that would be awesome. I haven't been able to change these options, even if I add the modem's port on the switch to an additional, just for testing VLAN (4, for instance). Those three options remain no matter what.
My modem also defaults to using PPPoE. It's what it's configured to now, so that I have internet access to ask for help from y'all. I have all the security information for that (though the username and PW are configured under just PPP on the modem, which seems misleading to me, but that's an issue for another day), and have tried to enable PPPoE on pfSense. At one point, I had an adapter named "pppoe" which was dynamically assigning itself an external IP address at XXX.XXX.XXX.XXX/32, but I wasn't able to do anything with that (and honestly, I'm not 100% sure how I managed to do that in the first place).
I can, however, get into the WebGUI if I only and exclusively set my only physical ethernet adapter (alc0, no VLANS) to be the WAN interface. It automatically (DHCP, at least) assigns itself to 192.168.0.18. Now, I've played around in the WebGUI a little bit, but haven't added any new rules, and am unable to add any rules to configure the VLANs once I set them up, as once I decide to change the physical interfaces to using VLANs, the WebGUI access goes away along with it. Bit of a Catch-22.
Of course, if anyone has any suggestions or questions that I can answer to help clarify this, that would be great. Just let me know.
I realize this setup isn't optimal. I know it's not ideal. But it's what I have the budget for, and is an interesting project to play with, considering that it's not (yet) a mission-critical part of my network infrastructure. But I'd like it to be, so if anyone is willing to throw in their advice, I'm all ears.
Thanks for reading!
-
First, I'm sure you are aware of the following.
- pfSense features allow you to run it also as a router
- you can therefore enable all features to route the traffic to the switch for you.
Although your setup seems ok at home, typically you will put the ZyXEL into a modem mode, connect the modem to the pfSense on one NIC and use the other NIC to connect the switch. This way, your pfSense FW/R will assign the addresses for you and get all the traffic routed through pfSense, assuming it is a managed switch. Otherwise anything on the switch can bypass it. You will therefore need 2 NICs on your pfSense machine to do it this way.
Did you try this route to see if it solves your problem?
Your setup is possible, as the switch and pfSense NIC support 802.1Q VLANs. You may assign the modem to, say, VLAN 1 untagged, and other devices to VLAN 2; you may trunk both of those VLANs on the switchport pfSense connects on and configure pfSense appropriately.
-
Thanks for responding! I appreciate your taking the time.
Now from what I can tell, this:
Your setup is possible, as the switch and pfSense NIC support 802.1Q VLANs. You may assign the modem to, say, VLAN 1 untagged, and other devices to VLAN 2; you may trunk both of those VLANs on the switchport pfSense connects on and configure pfSense appropriately.
Is what I was trying to describe. I'm fairly sure that I've accomplished this across my switch, modem, and pfSense (as the router).
I haven't, however, tried it with a second physical interface. I have read a little about people getting USB-to-Ethernet adapters to work (the only thing I could manage on a laptop, with the lack of PCI-E slots). However, while I did look into this, I had a hard time tracking down the actual interface and driver required for each one, meaning it felt like a shot in the dark to see if the dongle would actually be compatible with FreeBSD.
If anyone has a suggestion for actual hardware that is a known good fit for pfSense in an application like this, that would be lovely.
-
Now, the PVID settings I have on the switch give me some pause: I can only set one PVID per port, even if the port is used in more than one VLAN. Clearly, port 3 (pfSense) is a member of both the WAN and LAN VLANs, so I'm under the impression that it needs to be configured with a PVID of both 2 and 3, in order to properly pass frames between the different ports. Also, I've tried setting the untagged modem port (8) to a PVID of 2, since it's on VLAN_2. I believe this is correct?
The PVID setting simply controls what the port does with untagged traffic that passes into the port (traffic coming into the switch from a connected device). If you want untagged traffic on a port in, say, VLAN 50 (my VLAN number is arbitrary) you set the PVID to 50 and set the port untagged in VLAN 50. That would handle a client device that is unaware of VLANs. The PVID makes sure any traffic entering the port that doesn't already have a VLAN tag gets tagged as 50, and the untagged setting in VLAN 50 makes sure that any VLAN 50 traffic passing through the switch will exit the port, removing the tag in the process. You can only have one PVID per port.
Hope that makes sense.
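To make the PVID / tagged / untagged rules from the reply above concrete, here is an added example (not from the thread or from pfSense) that models the poster's TL-SG108E layout: port 3 is the pfSense trunk, port 8 the modem, ports 1,2,4-7 the LAN clients. The ingress-membership drop is an assumption about the switch, not something the thread states.

```python
# Added example: a minimal model of 802.1Q forwarding on the poster's switch.
# VLAN/port numbers come from the thread; forwarding rules follow the reply
# (PVID classifies untagged ingress, "untagged" members strip the tag on egress).
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]   # None = no 802.1Q tag on the wire
    src_port: int        # switch port the frame entered on


# vid -> (tagged member ports, untagged member ports), as configured in the thread
VLANS: Dict[int, Tuple[Set[int], Set[int]]] = {
    2: ({3}, {8}),                  # WAN: pfSense tagged, modem untagged
    3: ({3}, {1, 2, 4, 5, 6, 7}),   # LAN: pfSense tagged, clients untagged
}

# One PVID per port: the VID assigned to frames that arrive without a tag.
# Port 3 can only have one, so pfSense's own untagged frames land in VLAN 3.
PVID: Dict[int, int] = {1: 3, 2: 3, 3: 3, 4: 3, 5: 3, 6: 3, 7: 3, 8: 2}


def forward(frame: Frame) -> Dict[int, Optional[int]]:
    """Return {egress_port: vid_on_wire} (None = sent untagged) for one frame."""
    # Step 1: classify. Tagged frames keep their VID; untagged ones get the PVID.
    vid = frame.vid if frame.vid is not None else PVID[frame.src_port]
    if vid not in VLANS:
        return {}
    tagged, untagged = VLANS[vid]
    # Assumption: ingress filtering drops frames for a VLAN the port is not in.
    if frame.src_port not in tagged | untagged:
        return {}
    # Step 2: flood to every other member port; tag state depends on membership.
    out: Dict[int, Optional[int]] = {}
    for p in tagged - {frame.src_port}:
        out[p] = vid      # tagged member: frame leaves carrying the 802.1Q tag
    for p in untagged - {frame.src_port}:
        out[p] = None     # untagged member: tag removed on egress
    return out


if __name__ == "__main__":
    print("modem -> ", forward(Frame(None, 8)))      # reaches pfSense tagged VID 2
    print("NAS   -> ", forward(Frame(None, 1)))      # LAN ports untagged, pfSense tagged 3
    print("pfSense untagged ->", forward(Frame(None, 3)))  # PVID 3: LAN only, never modem
```

Running it shows why a single PVID on port 3 is not a problem: pfSense's alc0_vlan2 and alc0_vlan3 frames arrive already tagged, so the PVID only decides where untagged frames from the parent alc0 go.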