Need Help Understanding Multiple Vlans on LAN Port



  • Hi Guys. I have a Cisco 3750 switch stack and I have several VLANs configured on the switch. I have three NICs on the pfSense server, but only wanted to use two. The first port, EM0, is plugged into a cable modem with a static IP; that is my Internet. EM1 is my LAN port. I have that plugged into GE1/0/2 on the Cisco switch, which is a trunked port allowing VLAN 172 (the subnet that the pfSense is giving IPs out from its DHCP server) and VLAN 116 (which is one of the subnets on my network for Admin PCs).

    The VLAN Config on the Cisco:

    interface Vlan172
    description Vlan for Wireless
    ip address 172.16.1.253 255.255.255.0
    ip helper-address 172.16.1.1

    The port I assigned to the interface on pfSense is 172.16.1.1.

    The Trunked Port on the Cisco switch is:

    interface GigabitEthernet1/0/2
    description PFSENSE
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,116,172
    switchport mode trunk
    spanning-tree portfast

    The setting in pfSense under Interfaces > Assignments for LAN reads "VLAN 172 on em1".

    I created two VLANs under VLANs and pointed them to NIC em1: one of 172 and one of 116.

    From the switch, I can ping any IP in the 172 subnet of addresses assigned by the DHCP server on the other side of the pfSense, but I cannot ping ANY 172.16.1.0/24 addresses from PCs on the 116 VLAN.

    Can someone explain to me what steps I need to get both the 172 and 116 VLANs on the pfSense assigned to the LAN (em1) interface, so traffic from a 116 PC can access 172 devices behind the pfSense? I would really appreciate it.



  • Did you create firewall rules for the additional interfaces?



  • What kind of rules? I created a rule on the LAN to allow traffic from a specific IP on the 116 VLAN to anywhere on the 172 net, but I am not able to reach them. But I can ping everything from the switch itself, including the IP assigned to it (172.16.1.1) and the PCs that were assigned IPs from the DHCP server.

    | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|
    | 0 /6 KiB | * | * | * | LAN Address | 443 | * | * | | Anti-Lockout Rule |
    | 0 /2 KiB | IPv4 ICMP any | * | * | LAN net | * | * | none | | |
    | 0 /2 KiB | IPv4 ICMP any | * | * | * | * | * | none | | Ping |
    | 0 /0 B | IPv4 * | * | * | * | * | * | none | | Allow Me |
    | 0 /110.31 MiB | IPv4 * | LAN net | * | * | * | * | none | | |


  • LAYER 8 Netgate

    Looks like the switch is in Layer 3 mode. What is the default gateway of the workstations on the VLAN?

    If you want pfSense to be the DHCP server and the gateway, there is zero reason to use Layer 3 mode, VLAN addresses (other than for management on one of them), helper addresses, etc. on the switch.

    If you do want the switch to be in layer 3 mode and route among the subnets, the firewall can't really be involved there and you would do a transit network between pfSense and the switch and route all the networks behind it.
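    The "transit network" design mentioned above, written out as an added example (this is not Derelict's config or anything posted in the thread). It assumes a hypothetical transit VLAN 999 using 10.255.255.0/30, with the switch on .2 and pfSense on .1, and uses <116-subnet>/24 as a placeholder for the VLAN 116 prefix, which the thread never states:

```cisco
! Switch side (Cisco IOS, added example): the switch routes between its VLANs,
! pfSense only sees traffic that leaves the switch towards the transit link.
ip routing
!
vlan 999
 name TRANSIT-TO-PFSENSE
!
interface Vlan999
 description Transit to pfSense (assumed 10.255.255.0/30)
 ip address 10.255.255.2 255.255.255.252
!
! Switch-side VLAN SVIs stay in place; the switch is the gateway for all of them.
interface Vlan172
 description Vlan for Wireless (switch is the gateway in this design)
 ip address 172.16.1.253 255.255.255.0
!
! The port towards pfSense carries only the transit VLAN, untagged.
interface GigabitEthernet1/0/2
 description PFSENSE transit
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Everything not known locally goes to pfSense.
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
! pfSense side (done in the GUI, summarised here as comments):
!   Interfaces > LAN (em1): static IPv4 10.255.255.1/30, no VLAN tag.
!   System > Routing > Gateways: add 10.255.255.2 on LAN.
!   System > Routing > Static Routes: 172.16.1.0/24 and <116-subnet>/24
!     via that gateway, so return traffic finds the switch.
!   DHCP for 172.16.1.0/24 would then live on the switch (or a relay),
!     not on pfSense, since pfSense has no interface in that subnet.
```

    The caveat Derelict raises is visible in the layout: a packet from the 116 VLAN to 172.16.1.0/24 is forwarded by the switch's own SVIs and never crosses Vlan999, so pfSense firewall rules cannot restrict it. Inter-VLAN filtering in this design has to be done with ACLs on the switch.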




  • @Derelict:

    Looks like the switch is in Layer 3 mode. What is the default gateway of the workstations on the VLAN?

    If you want pfSense to be the DHCP server and the gateway there is zero reason to use Layer 3 mode, VLAN addresses (other than for management on one of them) helper addresses, etc on the switch.

    If you do want the switch to be in layer 3 mode and route among the subnets, the firewall can't really be involved there and you would do a transit network between pfSense and the switch and route all the networks behind it.

    So the switch stack runs two vlans right now and those are routed out to a router that sends the traffic out to the rest of the network and the internet.

    What I am trying to do with the pfSense box is add another VLAN through the switch stack, but only allow one IP address on the 116 VLAN access to the 172.16.1.0/24 subnet that is the LAN portion of the pfSense box.

    I am running the 172.16.1.0/24 from the DHCP on the pfSense box to keep it isolated from the other two boxes. So on the switch stack, I took port 1/0/2 and trunked it to the LAN port on the pfSense box. The switch stack can ping all the 172 addresses just fine; I just can't figure out what I need to put somewhere to get the specific PC on the 116 subnet access to it.

    The IP I assigned the LAN port under Interfaces (static IP) is 172.16.1.1/24, and the upstream gateway is the same.

    So I figured it was a rules issue, but I am just not sure that the system on the 116 knows how to get to the 172. The switch has always been set as a layer 3 switch, and I tried creating an extended ACL to allow the specific IP access to the 172 subnet, but that didn't help.

    I was thinking that maybe I had to set up a route on the switch stack to route 172 traffic from the 116 subnet to the 172.16.1.1 IP and then use firewall rules to block all 116 except for the IP of the one system I want to access the 172.16 subnet; I am just not sure what that would be and if that is the right direction.


  • LAYER 8 Netgate

    Untag the port for the PC on 116.

    It sounds like you should just remove the layer 3 configuration from the switch on that VLAN which will revert it to simple layer 2.

    Tag that to pfSense and configure that VLAN interface with whatever services (DHCP, etc) and firewall rules that you want.

    It is very important, however, to know who is routing for what. Is pfSense doing the routing, or is the switch?

    That diagram I posted covers both scenarios.

    If you assign an interface in Interfaces > (assign) to eth0 that will be untagged traffic on eth0.
    If you assign an interface in Interfaces > (assign) to VLAN 100 on eth0 that will be tagged VLAN 100 on eth0.
    Your switch should be configured accordingly.
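    The layer-2 variant described in this reply, as an added example that is not Derelict's config or anything from the thread. It assumes VLAN 172 is taken back to plain layer 2 on the switch so pfSense is the only gateway and DHCP server for it, that the PC that should reach 172.16.1.0/24 sits on a hypothetical port Gi1/0/10 untagged in VLAN 116, and that pfSense is also the gateway for VLAN 116 (if the switch keeps its own SVI and gateway on 116, the PC's default gateway would not be pfSense and the firewall rules below never see the traffic):

```cisco
! Switch side (Cisco IOS, added example).
! 1. Remove the layer 3 pieces for VLAN 172; the VLAN itself stays defined.
no interface Vlan172
vlan 172
 name Wireless-pfSense
vlan 116
 name Admin
!
! 2. Trunk to pfSense carries both VLANs tagged (native VLAN 1 left unused).
interface GigabitEthernet1/0/2
 description PFSENSE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 116,172
 switchport mode trunk
 spanning-tree portfast trunk
!
! 3. The PC port is untagged ("access") in VLAN 116: the PC never sees a tag.
interface GigabitEthernet1/0/10
 description Admin PC allowed into 172.16.1.0/24 (assumed port)
 switchport mode access
 switchport access vlan 116
 spanning-tree portfast
!
! pfSense side (GUI steps, as comments):
!   Interfaces > Assignments > VLANs: VLAN 172 on em1, VLAN 116 on em1.
!   Assign each as its own interface, enable it, give it a static IPv4
!     (172.16.1.1/24 on the 172 interface; the 116 address is not given
!     in the thread) and no upstream gateway on either LAN-side interface.
!   Services > DHCP Server: enable on the 172 interface.
!   Firewall > Rules, on the VLAN 116 interface, top to bottom:
!     pass  IPv4 *  source <allowed-PC-IP>  dest 172.16.1.0/24
!     block IPv4 *  source VLAN116 net      dest 172.16.1.0/24
!     pass  IPv4 *  source VLAN116 net      dest any   (internet etc.)
```

    Because pfSense filters on the interface where traffic enters, the rules that decide whether a 116 host may reach 172.16.1.0/24 belong on the VLAN 116 interface, not on the 172 one. The original LAN rule set in the thread was on the 172 (LAN) interface, which only sees traffic arriving from 172 hosts, so a "LAN net" source rule there could never match packets coming from the 116 PC.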

