New to VLAN, in need of some help with firewall rules.



  • I've been trying to figure out VLANs for a couple of days now, but I'm a bit unsure if what I'm doing is correct. I'm just trying to create a VLAN for a secure separate network within my own LAN. It shouldn't be able to access anything but the internet.

    I'm running an r710 with ESXi and PFSense virtualized. I also have a HP 3500yl managed switch.

    http://networktechnical.blogspot.ca/2007/04/pfsense-how-to-setup-vlans.html
    ---------------------------------------------
    Interfaces > VLANs > New
    Parent Interface : lan
    VLAN Tag : 2000

    Interface Assignments > Add VLAN 2000 as OPT1

    Enable
    Description : VLAN2000
    Static IPv4
    IPv4 Address : 10.0.10.1

    Services > DHCP Server > OPT1
    Enable DHCP server on OPT1 interface
    Range : 10.0.10.100 - 10.0.10.254

    Firewall > Rules > VLAN2000
    Protocol : Any
    Source : VLAN2000 net
    Destination : VLAN2000 net
    Description : VLAN2000
    (Really not sure if my firewall is configured correctly...)

    https://calvin.me/vlan-pfsense/
    VMware vSphere Client

    Configuration > Networking
    Lan Port Group

    Currently everything is in vSwitch0
    Properties > LAN > Edit > Vlan ID
    VLAN ID : ALL (4095)
    Close
    Add Networking > Virtual Machine >
    Use vSwitch0 (vmnic0) (Same one as LAN)

    I'm confused with my actual managed switch. I'm not sure how to configure it with my switch, do I assign a port on my switch VLAN2000 and anything on the port automatically becomes a part of VLAN2000?

    I copied a Debian VM to my r710; in its settings under network adaptor > Network Connection, I have the Network label as VLAN2000. When I turned on the VM, PFSense instantly gave it the ip 10.0.10.100, so I'm assuming DHCP works. I can ssh into the VM fine from the LAN. If I try to ping google.com in the debian VM, nothing happens. I'm thinking this might be due to my firewall settings?

    I'm not sure if this is a good way to format this for you guys, but if screenshots would be better I can get them.
    Thank you for any help.  :)


  • Rebel Alliance Global Moderator

    Got to love using a 10 year old link in setting up pfsense.. Prob first mistake…

    Source : VLAN2000 net
    Destination VLAN2000 net
    Description : VLAN2000
    (Really not sure if my firewall is configured correctly…)

    So you're telling pfsense hey if you see any traffic on your vlan2000 int from that network to that network - allow it!  Great since pfsense would never ever see such traffic... Traffic from a network only gets sent to the gateway when it's leaving the network.. Ie the whole router/gateway thing..

    So when clients on vlan2000 send traffic for say your lan or any other network.. It would just be blocked by the default deny rule on interface vlan2000.

    Screenshots are always better.  If you're on a VM setup you're going to need to describe how this connects to your real world..  And yes physical switches will need to be setup for vlans if you're going to have your vlans go over the physical infrastructure.

    If you're going to use 4095 as your setting in a vm switch (on esxi at least) this is to not mess with the tags and let the devices deal with them..  Like pfsense vlan interfaces on the vmnic connected to this vswitch.. But you could also do it via just adding more vm nics to your vm and put them in vswitches/portgroups on the switch that are in specific vlans, etc..

    A drawing of how you have everything connected, and what exactly you're trying to accomplish with your vlan(s) and we can discuss best way to achieve that goal.



  • Hi, I want to make VLAN2000 my 'lab' environment, where it cannot communicate to anything other than the internal network and WAN. So the current firewall rule I had on if I understand correctly says VLAN2000 can communicate with VLAN2000, but nothing else?

    My current rules for VLAN2000 are attached.
    From what I understand, it's saying VLAN2000 can talk to anyone. I ssh'd into a server on the vlan and pinged stuff on my lan and google.com and it worked. I'm stuck on how to make it where the vlan has only internet access.

    I'm running ESXi 6.0 on a Dell r710. PFSense is virtualized in there. It has 4 nic's and 2 are being used. One for pfsense's LAN and pfsense's WAN.

    Modem > r710 PFSense WAN > r710 PFSense LAN > HP 3500yl Switch > everything else is connected to the switch.
    Sorry, is there a free software where I can easily create network diagrams?

    My end goal is separating my networks into a few separate VLANs.
    1. Home - Plex, File Servers, etc
    2. Users - girlfriend and fr
    3. Guest - Only internet usage
    4. Lab - Testing environment that cannot affect anything else

    @johnpoz:

    Got to love using a 10 year old link in setting up pfsense.. Prob first mistake…

    Thank you for the reply,
    I really should doublecheck what year guides are from..

    ![Screenshot from 2017-08-18 05-18-50.png](/public/imported_attachments/1/Screenshot from 2017-08-18 05-18-50.png)


  • Rebel Alliance Global Moderator

    Yes that rule would allow vlan2000 any any…

    So if you don't want it to go somewhere like lan, put a block to lan above that.

    Rules are evaluated top down, first rule to trigger wins - no other rules evaluated.

    As to free software for network diagrams - sure plenty of them.. example https://www.gliffy.com/ is online free also https://www.draw.io/ or if you want actual software https://www.libreoffice.org/discover/draw/ there is also yEd etc.. etc..

    If you're going to do vlan tagging on the vm running on esxi, ie pfsense your vswitch needs to be set to 4095 so it doesn't mess with the tags..  It's like a trunk port for a switch.  You could also use different vswitch port groups with setting specific tags, etc.  or different physical nics tied to different vswitch and vnics attached to pfsense, etc..
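The top-down, first-match behaviour described in this reply is easy to get wrong on a GUI tab, so here is an added example (not code from the thread or from pfSense) that models it: a rule list is walked top down, the first rule whose source and destination contain the packet decides, and anything that falls off the end hits the implicit default deny. The LAN (192.168.1.0/24) and VLAN2000 (10.0.10.0/24) networks come from the thread; the host addresses used as sample traffic are constructed. The fourth rule set is an assumption that goes beyond what the thread shows: it blocks every RFC1918 range, not just LAN, so that later vlans are isolated as well.

```python
# Added example, not code from the thread: a first-match model of how pfSense
# walks the rules on one interface tab (top down, first hit wins, implicit
# default deny at the bottom).  The LAN (192.168.1.0/24) and VLAN2000
# (10.0.10.0/24) addresses come from the thread; the host addresses used as
# sample traffic are constructed.
import ipaddress
from dataclasses import dataclass

LAN_NET = "192.168.1.0/24"
VLAN2000_NET = "10.0.10.0/24"
VLAN2000_ADDRESS = "10.0.10.1"          # pfSense's own address on VLAN2000
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    src: str        # "any", a CIDR, or a single address
    dst: str
    descr: str = ""


def matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise test CIDR (or host) containment."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str):
    """Return (action, description) of the first matching rule, or the
    implicit default deny when nothing on the tab matches."""
    for rule in rules:
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action, rule.descr
    return "block", "default deny"


# 1. The rule from the first post: pass VLAN2000 net -> VLAN2000 net.
ORIGINAL = [Rule("pass", VLAN2000_NET, VLAN2000_NET, "VLAN2000")]

# 2. The rule in the screenshot: pass VLAN2000 net -> any.
ANY_ANY = [Rule("pass", VLAN2000_NET, "any", "VLAN2000 any")]

# 3. The fix from the thread: a block to LAN placed above the pass-any rule.
FIXED = [
    Rule("block", VLAN2000_NET, LAN_NET, "no access to LAN"),
    Rule("pass", VLAN2000_NET, "any", "VLAN2000 any"),
]

# 4. Generalisation (an assumption, not from the thread): block every private
#    range so later vlans are isolated too, after first allowing the pfSense
#    address on this interface so clients can still use it for DNS.
INTERNET_ONLY = [
    Rule("pass", VLAN2000_NET, VLAN2000_ADDRESS, "DNS to pfSense itself"),
    *[Rule("block", VLAN2000_NET, net, f"no access to {net}") for net in RFC1918],
    Rule("pass", VLAN2000_NET, "any", "everything else, i.e. the internet"),
]

# Constructed sample destinations as seen from a VLAN2000 client.
SAMPLE_DESTINATIONS = {
    "lan host": "192.168.1.10",
    "pfsense on vlan2000": VLAN2000_ADDRESS,
    "host on another vlan": "10.0.40.10",
    "internet": "8.8.8.8",
}


def outcomes(rules, src: str = "10.0.10.100"):
    """Map each sample destination to pass/block under the given rule set."""
    return {name: evaluate(rules, src, dst)[0]
            for name, dst in SAMPLE_DESTINATIONS.items()}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("any/any", ANY_ANY),
                        ("fixed", FIXED), ("internet only", INTERNET_ONLY)):
        print(f"{name:14} {outcomes(rules)}")
```

Running it shows why the first rule set left the Debian VM unable to ping google.com (nothing matched, default deny), why the any/any rule let it reach LAN, and that the "block to LAN above pass any" fix still passes traffic to a host in another vlan such as 10.0.40.10; that is what the RFC1918 block list in the fourth set is for. The model ignores protocol, ports and state, and it does not include pfSense's own automatic rules, so treat it as a way to reason about rule order rather than as a replacement for testing from a client.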




  • Whew you're quick.

    I might've posted too soon, I was searching and found this. (looks like you're pretty helpful around here, john.  ;D )
    I made a second rule blocking any access to the LAN and now if I try to ping from the VLAN, it can only access the internet!

    I'll try to configure the rest of my network… PFsense has been a bit confusing to dive into, but I'm starting to understand it.

    ![Screenshot from 2017-08-18 05-41-24.png](/public/imported_attachments/1/Screenshot from 2017-08-18 05-41-24.png)


  • Rebel Alliance Global Moderator

    "looks like you're pretty helpful around here, john"

    I try to be ;)



  • @johnpoz:

    If you're going to do vlan tagging on the vm running on esxi, ie pfsense your vswitch needs to be set to 4095 so it doesn't mess with the tags..  It's like a trunk port for a switch.  You could also use different vswitch port groups with setting specific tags, etc.  or different physical nics tied to different vswitch and vnics attached to pfsense, etc..

    I actually just got my managed switch to learn more about VLAN's haha.. I'm really just starting out.
    I've attached what my network looks like on vswitch. I've set the vswitch on both LAN and WAN to 4095.

    ![Screenshot from 2017-08-18 05-51-42.png](/public/imported_attachments/1/Screenshot from 2017-08-18 05-51-42.png)


  • Rebel Alliance Global Moderator

    That is not how I would normally do it..    So all of those vms understand vlan tags?  They would see the traffic with tags on it now for any vlan..

    Why would you set it on your wan??

    What are you doing with the other physical nics on your esxi host?  Having your vmkern on the same vswitch sharing your physical nic is not really the best sort of setup.. If you have the spare nics in the host, break out your vmkern to its own physical nic..  Here is my esxi setup.. For comparison.

    Pfsense would have interfaces or vnics in each or any of your vswitches that are in different networks that are untagged, say wan and lan - if you're going to be having pfsense do the vlans then you would set 4095 so that tags would be sent to the VM vnic.

    But you have a lot of machines on that vswitch - what network are they in?  Why would you be sending them all the tagged traffic if you're just going to be on the untagged vlan.  See how my lan is 0.. This nic is connected to my untagged native lan network (vlan 1 on the switch).  My wlan switch carries an untagged vlan 20, and then tagged traffic from my AP.  There are a couple other machines on this vswitch because they have been setup to understand the vlans.. that Domotoz for example has interfaces in multiple vlans because it monitors network for new machines, etc..

    Now that I look at it - that UC box should prob be broken out into its own port group on that physical nic.. Since it only needs to see the untagged vlan 20 traffic..

    You can do it that way as your doing it.. But I would break up the vswitches to more align with your different vlans, etc.




  • Perhaps I dived in too early before getting a good understanding of what VLANs can and cannot do. I've deleted the vlan2000 and started 'fresh' to try and figure out how to do things the 'right' way.

    @johnpoz:

    What are you doing with the other physical nics on your esxi host?  Having your vmkern on the same vswitch sharing your physical nic is not really the best sort of setup.. If you have the spare nics in the host, break out your vmkern to its own physical nic..

    Reading here, breaking out the vmkern to a separate physical nic is good practice so if I do anything weird with the default vswitch, management wouldn't be affected?
    I've followed your advice and separated my vmkern to another nic (I have 8 available)(1st attached pic)

    @johnpoz:

    But you have a lot of machines on that vswitch - what network are they in?  Why would you be sending them all the tagged traffic if you're just going to be on the untagged vlan.

    So from what I understand, they are (or should be) on the untagged vlan. (192.168.1.1)

    My goal is to have 4 vlans. Maybe this will give you a better idea of what I'm trying to achieve. Sorry for any confusion, I'm only starting to learn about vlans  :'(
    Home - vlan10 - It would house my PFSense, Plex Server, and File Servers etc. Basically my main network.
    Users - vlan20 - I want regular users in here that cannot access the Home network other than the Plex Server.
    Guest - vlan30 - Wireless network for guests that can only access the internet.
    Lab - vlan 40 - Testing area.

    I want to try recreating that 'lab' vlan. With settings on ESXi, PFSense, and my Managed Switch I'm a bit lost on where and what settings to change.

    PFSense
    I created the 'LAB40' VLAN on PFsense, and tagged it as 40. (2nd attached pic)
    I added the 'LAB40' interface and assigned it a static ip of 10.0.40.1/24 (3rd attached pic)
    Then I enabled the DHCP server with a range of 10.0.40.101-254, leaving ~100 for static IP's.

    ESXi
    I changed the LAN's portgroup to access all (4095) VLAN's. Afaik, this would allow LAN to access any VLAN? (4th attached pic)
    Now I added additional portgroups on the same vswitch tagged as vlan20. (5th attached pic)

    Testing
    I then added the firewall rules as per before.. (6th attached pic) and created a debian VM to try things out. It got an ip of 10.0.40.102 as per DHCP so I gave it a static IP of 10.0.40.10. I pinged google.com and got a response, then pinged something on 'LAN' and got nothing back. Everything seems to be working so far!

    Does everything look good? Just a newbie trying to learn.. Thank you for all the help so far!

    ![Screenshot from 2017-08-19 10-21-01.png](/public/imported_attachments/1/Screenshot from 2017-08-19 10-21-01.png)
    ![Screenshot from 2017-08-19 10-51-43.png](/public/imported_attachments/1/Screenshot from 2017-08-19 10-51-43.png)
    ![Screenshot from 2017-08-19 10-59-05.png](/public/imported_attachments/1/Screenshot from 2017-08-19 10-59-05.png)
    ![Screenshot from 2017-08-19 11-05-21.png](/public/imported_attachments/1/Screenshot from 2017-08-19 11-05-21.png)
    ![Screenshot from 2017-08-19 11-18-08.png](/public/imported_attachments/1/Screenshot from 2017-08-19 11-18-08.png)
    ![Screenshot from 2017-08-19 11-40-11.png](/public/imported_attachments/1/Screenshot from 2017-08-19 11-40-11.png)


  • Rebel Alliance Global Moderator

    "this would allow LAN to access any VLAN?"

    It doesn't work that way…  vlans are at layer 2, to move between vlans you have to route (at layer 3)

    Think of a vlan as a way of just creating switches inside a bigger switch.  A vlan you create is just a bunch (or a few if you want) of ports that are now on the same layer 2..  Ie they can see each other's broadcasts, etc.  They will see arp requests from devices, they will answer them, etc.

    The 4095 setting is just saying send all the tags through - do not strip them..  Now the devices connected to that vswitch/port group would need to weed out the vlans via the tags they are interested in..

    Using 1 vswitch/port group with lots of vms on it means you have to setup all the devices on that vswitch to use the tag of the vlan they are supposed to be in.  Vs doing the tag identification on the VMs just create port groups that are on the same vswitch that are in the different vlan - this is like an access port on a switch when you put it in a specific vlan.. Your portgroup now becomes a dumb switch in that vlan in a sense.  And all devices connected to that portgroup would be on that specific vlan native without having to tag or understand tagging.  The portgroup/vswitch and then the physical switch will handle the tagging.

    The big thing you should familiarize yourself with before playing with vlans is tagging and untagged/native traffic..

    In your new switch setup.. you need to understand how those physical nics are connected and what vlans are setup on the switch they connect to if anything.  If all connected to the same dumb switch they would all be in the same layer 2 network..  Which you sure wouldn't want to do for your wan/lan

    And your vmkern would be in this same layer 2 network - which is fine if that is what you want.. Comes down to how you have your physical network setup..

    Your 4 networks you want home, users, guest, lab is fine - when playing with that and esxi and then bringing that to the physical world is where you need to make a decision on how you're going to do it.  How many physical nics do you have to play with on your esxi host.  Does your switch have vlan support?  Do you just have a bunch of dumb switches?

    In the ultimate design you would also take into account the amount and speed of intervlan/network traffic your going to have.  So for example you mention that you want user to have access to your plex that sits on the home network.

    If you vlan this traffic on the same physical nic or vnic in pfsense via vlan on pfsense then you create a hairpin.  Where traffic between user and home will flow over the same interface twice and therefore your bandwidth is /2 of what it could be depending on the interface speeds, etc.

    So while your wifi bandwidth requirements are prob less since its only going to talk to the internet and no other local networks there really wouldn't be any hairpins - so this would be a good network to just vlan on a physical nic and could be setup with 4095 on the port group that has the pfsense vnic that will have a native untagged network and a vlan network.  Or you could do it all on esxi and your physical switch and just create multiple untagged vnics in pfsense put into each vswitch/port group on esxi, etc.

    The overall design you end up with comes down to what you have to work with, and what exactly you want to accomplish.  For example some people like only doing tagged traffic and don't really put any native/untagged networks on pfsense.  They just create the vlans that sit on top of the physical interface and don't put an IP on the actual physical interface.

    If you let me know what switching you're working with and how many physical nics your host has - now that you have stated the 4 networks you want I'd be happy to show you how I would do it and then we can discuss if that fits your needs or should do it a different way, etc.
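The tagging and untagged/native behaviour described in the last two replies (4095 passes tags through untouched; a port group in a specific VLAN acts like an access port and strips or adds the tag; a VM on a 4095 port group has to pick out its VLAN by tag, which is what a pfSense VLAN interface does) is easier to see at the byte level. The following is an added example, not code from the thread, from pfSense or from VMware: it builds and parses 802.1Q frames and models those three port group settings. The MAC addresses, payload and frames are constructed, and the handling of a frame that a VM sends already tagged into an access-port port group is a simplification of this model (it drops the frame) rather than a statement about what ESXi does.

```python
# Added example, not code from the thread: a byte-level model of 802.1Q
# tagging and of the three ESXi port group settings discussed above
# (untagged/native, a specific VLAN ID which behaves like an access port, and
# 4095 which passes tags through like a trunk).  Frames and MAC addresses are
# constructed; dropping an already-tagged frame from a VM on an access-port
# port group is a simplification of this model.
import struct
from typing import Optional

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
TRUNK_ALL = 4095        # ESXi port group value "All (4095)"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan is set."""
    frame = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN ID, EtherType and payload."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vlan: int) -> bytes:
    """Insert a tag after the two MAC addresses (ingress on an access port)."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag (egress on an access port)."""
    return frame[:12] + frame[16:]


class PortGroup:
    """vlan_id 0: native/untagged only; 1..4094: access port in that VLAN;
    4095: hand every frame to the vNIC with its tag left in place."""

    def __init__(self, vlan_id: int):
        self.vlan_id = vlan_id

    def to_vm(self, wire_frame: bytes) -> Optional[bytes]:
        """Frame from the uplink towards a vNIC; None means not delivered."""
        tag = parse_frame(wire_frame)["vlan"]
        if self.vlan_id == TRUNK_ALL:
            return wire_frame                        # the VM must sort out the tag
        if self.vlan_id == 0:
            return wire_frame if tag is None else None
        return strip_tag(wire_frame) if tag == self.vlan_id else None

    def from_vm(self, vm_frame: bytes) -> Optional[bytes]:
        """Frame from a vNIC towards the uplink; None means dropped."""
        tag = parse_frame(vm_frame)["vlan"]
        if self.vlan_id == TRUNK_ALL:
            return vm_frame                          # VM did (or did not) tag it
        if tag is not None:
            return None                              # model: no double tagging
        return vm_frame if self.vlan_id == 0 else add_tag(vm_frame, self.vlan_id)


def vlan_interface(vm_frame: bytes, vid: int) -> Optional[bytes]:
    """What a VLAN sub-interface (e.g. pfSense's LAB40 on a 4095 port group)
    keeps: the untagged frame if the tag matches, otherwise nothing."""
    if parse_frame(vm_frame)["vlan"] != vid:
        return None
    return strip_tag(vm_frame)


# Constructed sample traffic: a frame for VLAN 40 arriving from the physical
# switch, and an untagged frame sent by a VM that knows nothing about vlans.
DST, SRC = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
PAYLOAD = b"constructed ipv4 packet"
FROM_SWITCH_VLAN40 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan=40)
FROM_DEBIAN_VM = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for pg in (PortGroup(TRUNK_ALL), PortGroup(40), PortGroup(20), PortGroup(0)):
        seen = pg.to_vm(FROM_SWITCH_VLAN40)
        print(f"port group {pg.vlan_id:>4}: VM sees",
              "nothing" if seen is None else f"vlan={parse_frame(seen)['vlan']}")
    print("port group 40 tags the untagged VM frame with",
          parse_frame(PortGroup(40).from_vm(FROM_DEBIAN_VM))["vlan"])
```

The run shows the point made above about putting every VM on a 4095 port group: a VM with no VLAN awareness receives the frame with EtherType 0x8100 and a tag it does not understand, while a VM (or pfSense VLAN interface) that filters by tag keeps only its own VLAN; a port group set to 40 delivers the same frame untagged and tags the VM's replies on the way back, so the guest needs no VLAN configuration at all.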