    Need Help Understanding Multiple Vlans on LAN Port

    General pfSense Questions (6 posts, 3 posters, 1.6k views)
    Overcon

      Hi Guys. I have a Cisco 3750 Switch stack and I have several VLANs configured on the switch. I have three NICs on the PFSENSE server, but only wanted to use two. The first port EM0 is plugged into a cable modem with a static IP, that is my Internet. EM1 is my LAN port. I have that plugged into GE1/0/2 on the Cisco Switch which is a trunked port allowing VLAN 172 (the subnet that the PFSENSE is giving IPs out from its DHCP server) and VLAN 116 (which is one of the subnets on my network for Admin PCs).

      The VLAN Config on the Cisco:

      interface Vlan172
       description Vlan for Wireless
       ip address 172.16.1.253 255.255.255.0
       ip helper-address 172.16.1.1

      The port I assigned the Interface on the PFSENSE is 172.16.1.1

      The Trunked Port on the Cisco switch is:

      interface GigabitEthernet1/0/2
       description PFSENSE
       switchport trunk encapsulation dot1q
       switchport trunk allowed vlan 1,116,172
       switchport mode trunk
       spanning-tree portfast

      The Settings in PFSense Under Interface Assignments for LAN reads (VLAN 172 on em1 PFSENSE).

      I created two VLANs and pointed them to NIC em1 under VLANs, one of 172 and one of 116.

      From the switch, I can ping any IP in the 172 subnet of assigned IP addresses from the DHCP server on the other side of the PFSENSE, but I cannot ping ANY 172.16.1.0/24 addresses from PCs on the 116 VLAN.

      Can someone explain to me what steps I need to get both the 172 and 116 VLANS on the PFSENSE assigned to the LAN (em1) interface so traffic from a 116 PC can access 172 devices behind the PFSENSE? I would really appreciate it.

      heper

        did you create firewall rules for the additional interfaces?

        Overcon

          What kind of rules? I created a rule on the LAN to allow traffic from a specific IP on the 116 VLAN to anywhere on the 172 net but I am not able to reach them. But I can ping everything from the switch itself, including the IP assigned to it, 172.16.1.1, and the PCs that were assigned IPs from the DHCP server.

          States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
          0 /6 KiB * * * LAN Address 443 * * Anti-Lockout Rule
          0 /2 KiB IPv4 ICMP any * * LAN net * * none
          0 /2 KiB IPv4 ICMPany * * * * * none   Ping
          0 /0 B IPv4 * * * * * none   Allow Me
          0 /110.31 MiB IPv4 * LAN net * * * * none

          Derelict (LAYER 8, Netgate)

            Looks like the switch is in Layer 3 mode. What is the default gateway of the workstations on the VLAN?

            If you want pfSense to be the DHCP server and the gateway there is zero reason to use Layer 3 mode, VLAN addresses (other than for management on one of them), helper addresses, etc. on the switch.

            If you do want the switch to be in layer 3 mode and route among the subnets, the firewall can't really be involved there and you would do a transit network between pfSense and the switch and route all the networks behind it.

            [Image: pfSense-Layer-3-Switch.png (network diagram covering both scenarios)]

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Overcon

              @Derelict:

              Looks like the switch is in Layer 3 mode. What is the default gateway of the workstations on the VLAN?

              If you want pfSense to be the DHCP server and the gateway there is zero reason to use Layer 3 mode, VLAN addresses (other than for management on one of them), helper addresses, etc. on the switch.

              If you do want the switch to be in layer 3 mode and route among the subnets, the firewall can't really be involved there and you would do a transit network between pfSense and the switch and route all the networks behind it.

              So the switch stack runs two vlans right now and those are routed out to a router that sends the traffic out to the rest of the network and the internet.

              What I am trying to do with the PFSense box is add another VLAN through the switch stack, but only allow one IP address on the 116 vlan access to the 172.16.1.0/24 subnet that is the LAN portion of the PFSense box.

              I am running the 172.16.1.0/24 from the DHCP on the PFSense box to keep it isolated from the other two boxes. So on the switch stack, I took port 1/0/2 and trunked it to the LAN port on the PFSense box. The switch stack can ping all the 172 addresses just fine, I just can't figure out what I need to put somewhere to get the specific PC on the 116 subnet access to it.

              The IP I assigned the LAN port under Interfaces Static IP is 172.16.1.1 /24 and the upstream gateway is the same.

              So I figured it was a rules issue but I am just not sure that the system on the 116 knows how to get to the 172. The switch has always been set as a layer 3 and I tried creating an extended ACL to allow the specific IP access to the 172 subnet but that didn't help.

              I was thinking that maybe I had to setup a route on the switch stack to route 172 traffic from the 116 subnet to the 172.16.1.1 IP and then use firewall rules to block all 116 except for the ip of the one system I want access to the 172.16 subnet, just not sure what that would be and if that was the right direction.

              Derelict (LAYER 8, Netgate)

                Untag the port for the PC on 116.

                It sounds like you should just remove the layer 3 configuration from the switch on that VLAN which will revert it to simple layer 2.

                Tag that to pfSense and configure that VLAN interface with whatever services (DHCP, etc) and firewall rules that you want.

                It is very important, however, to know who is routing for what. Is pfSense doing the routing, or is the switch?

                That diagram I posted covers both scenarios.

                If you assign an interface in Interfaces > (assign) to eth0 that will be untagged traffic on eth0.
                If you assign an interface in Interfaces > (assign) to VLAN 100 on eth0 that will be tagged VLAN 100 on eth0.
                Your switch should be configured accordingly.

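The two designs Derelict describes in this thread (pfSense routing with the switch in plain layer 2, versus the switch routing with a transit network to pfSense) as a worked Cisco IOS configuration. This is an added illustration, not configuration from the thread or from Netgate; it reuses the thread's GigabitEthernet1/0/2, VLAN 172 and VLAN 116, while the access port GigabitEthernet1/0/10, the transit VLAN 999 and the 10.99.99.0/30 transit addresses are constructed for the example, and the VLAN 116 subnet is left as a placeholder because the thread never states it.

```cisco
! ===== Scenario A: pfSense routes and serves DHCP; the switch is layer 2 only =====
! (this is the design Derelict recommends when pfSense is to be gateway and DHCP)
!
! Remove the SVI for 172 so the switch no longer routes or relays DHCP for it.
! The SVI in the original post (172.16.1.253 + ip helper-address) is what makes
! the switch, not pfSense, the layer 3 hop for that VLAN.
no interface Vlan172
! Do the same for the 116 SVI if pfSense is also to route/filter VLAN 116.
!
! Trunk to pfSense em1, carrying both VLANs tagged. VLAN 1 is dropped from the
! allowed list because nothing is assigned to untagged em1 in this design.
interface GigabitEthernet1/0/2
 description PFSENSE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 116,172
 switchport mode trunk
 spanning-tree portfast trunk
!
! Access (untagged) port for the admin PC on VLAN 116 ("untag the port for the PC").
! Port number is constructed for this example.
interface GigabitEthernet1/0/10
 description ADMIN-PC
 switchport mode access
 switchport access vlan 116
 spanning-tree portfast
!
! pfSense side for scenario A (GUI, not IOS):
!   Interfaces > (assign): LAN  = "VLAN 172 on em1" with static 172.16.1.1/24,
!                          OPT1 = "VLAN 116 on em1" with a static address in the
!                          116 subnet (default gateway for the 116 PCs).
!   Firewall > Rules > OPT1: one pass rule, source = the single 116 PC address,
!   destination = LAN net; no other rules on OPT1 (default deny keeps the rest out).
!   No "upstream gateway" is set on LAN or OPT1; only WAN (em0) has one.
!
! ===== Scenario B: the switch stays layer 3; pfSense sits behind a transit network =====
! Here the switch routes between 116 and 172 itself, so pfSense never sees that
! traffic and its firewall rules cannot restrict it; that restriction would have to
! be an ACL on the switch instead.
ip routing
!
vlan 999
 name TRANSIT-PFSENSE
!
interface Vlan999
 description Transit to pfSense (constructed /30)
 ip address 10.99.99.2 255.255.255.252
!
interface GigabitEthernet1/0/2
 description PFSENSE
 switchport mode access
 switchport access vlan 999
!
! Keep the 172 SVI as the gateway for that VLAN in this design.
interface Vlan172
 description Vlan for Wireless
 ip address 172.16.1.253 255.255.255.0
!
! Default route on the switch points at pfSense's transit address.
ip route 0.0.0.0 0.0.0.0 10.99.99.1
!
! pfSense side for scenario B (GUI, not IOS):
!   Interfaces > (assign): LAN = untagged em1, static 10.99.99.1/30.
!   System > Routing > Gateways: add gateway 10.99.99.2 on LAN.
!   System > Routing > Static Routes: 172.16.1.0/24 and <VLAN 116 subnet>/24
!   via that gateway, so return traffic reaches the networks behind the switch.
```

Only one of the two scenarios is applied at a time; the thread's own problem (a 116 PC that cannot reach 172.16.1.0/24) comes from mixing them: the switch owns the 172 SVI and relays DHCP, while pfSense is also assigned VLAN 172 with its own address and is expected to enforce the per-host rule. Pick the party that routes, and the firewall placement follows from it.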
