Problem with VLAN's
-
I am new to pfSense, but have had great success to date. I am now in the process of trying to setup a DMZ with VLAN's, but can't seem to resolve my issue. When I try to connect via VLAN's, my network is unreachable.
First, I started off with a managed switch, an 8 port TP-Link SG108E. I have a tagged port 1 going to another switch (which I unplugged to narrow scope). I have ports 2-6 untagged on VLAN 110 (LAN), and port 7 untagged on VLAN 120 (DMZ). Port 8 goes to my pfSense router and is untagged for both VLAN 110 and 120. I have PVID of ports 2-6 set to 110, port 7 to 120, and 8 set to 1 (default and undeletable), per installation instructions.
https://www.dropbox.com/s/qlyp09kphs48wxy/pic1.jpg?dl=0
https://www.dropbox.com/s/2ekwi8tm2386uxs/pic2.jpg?dl=0I created a new VLAN definition for both:
https://www.dropbox.com/s/1dwnlm5q2q3f73e/pic3.jpg?dl=0I first assigned the DMZ interface and kept the LAN interface unchanged. I went into the DHCP server for the DMZ and setup a separate subnet for it.
https://www.dropbox.com/s/tkr14rv489veh7e/pic4.jpg?dl=0When I attempted to connect to port 7 (DMZ), I kept getting assigned an IP address from the LAN DHCP subnet. Thinking that VLAN 1 was overriding, I changed the LAN interface to use VLAN 110:
https://www.dropbox.com/s/5x0vjfv74gar1ox/pic5.jpg?dl=0I then attempted to connect to any port (2-7) but was not able to access the network. . No DHCP address was served up. If I tried to explicitly assign a static IP address, I still could not ping other machines in the subnet. It's almost like the pfSense router on port 8 was not reachable.
At this point, I am scratching my head. I would appreciate any coaching / guidance people might have.
-
Port 8 goes to my pfSense router and is untagged for both VLAN 110 and 120.
(what a garbage switch)
Try setting the port that goes to pfSense as tagged on VLANs 110 and 120 and assigning your pfSense interfaces to those VLANs.
-
That didn't work. I'm still not able to recognize the network when I connect. Do you have a recommendation on a better switch for home use? I'm reading that the Ubiquiti 8-port appears to work well with pfSense VLAN's.
-
Any switch works well. It is 802.1q, not black magic. Some switches are junk and allow nonsense such as assigning two untagged VLANs to the same port.
Post a screen shot of your Interfaces > Assign page and the VLAN config page(s) in the switch. The one(s) that shows what is tagged and untagged to each port. Please note which port is going to pfSense.
-
pfSense router is connected to port 8. Port 1 is tagged, going to another switch, but unplugged for purposes of this test.
Interfaces > Assign page:
https://www.dropbox.com/s/5x0vjfv74gar1ox/pic5.jpg?dl=0VLAN configuration pages for switch:
https://www.dropbox.com/s/qlyp09kphs48wxy/pic1.jpg?dl=0
https://www.dropbox.com/s/2ekwi8tm2386uxs/pic2.jpg?dl=0Documentation from manufacturer on how to configure VLAN's on switch:
http://www.tp-link.com/us/faq-788.htmlNote: While not represented in the above screenshots, I set port 8 to tagged for both VLAN's, but that did not work.
-
You need to change 110 and 120 to be TAGGED on port 8, not UNTAGGED. Leave the PVID set to 1.
Think of the link to pfSense as you would a link to another switch. It is VLAN-aware. You are putting multiple networks on the same wire. You need the dot1q tags to be able to tell what goes where.
The same would apply if you were connecting any VLAN-aware device, such as a decent wireless access point.
Note: While not represented in the above screenshots, I set port 8 to tagged for both VLAN's, but that did not work.
Well it's your only choice here and is the correct configuration. Try it again.
-
Thank you! I thought I had already tried the config with tagging port 8, but clearly I missed something. I went back, tried again, and it's now serving up IP addresses in the proper subnet now. Thank you very much!
-
Can I know the purpose of Vlan tag and priority? What is it for? :)
