Second Lan network same interface
-
I currently have a LAN network that uses the 10.1/16 range and I want to setup another that is 10.3/16 on the same interface.
Whats the best way of doing this ?
was looking at adding an IP alias https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses but it looks like I can't add a range with that.
-
You would do a vlan simple enough.. Do you have a vlan capable switch? Get 1!
-
So I add a new VLAN on my LAN interface and assign it my new network range.
I then configure the switch port that the lan interface is using to be tagged /trunked for all the vlans I want it to communicate to ?
-
Correct..
-
I was going to set this up by creating a new VLAN and giving it an ID of 10 and attach it to the same interface my LAN is on. This is currently connected to my switch into VLAN ID 1 but is all untagged traffic. (image attached)
If I change the port on the switch to tagged will my LAN continue to work?
If I change some other ports in the Switch to tagged for both VLAN 1 and 10 should the devices on the other end continue work? I'm currently running Xenserver which does seem to understand Vlans and lets me split out traffic to specific VM's based on it so i'm hoping this will work.
I'm Assuming a machine that does not understand tagged traffic defaults to 1 which would be my LAN in this case.
-
So heres the thing.. Normally interface on pfsense would not have any tag.. Does not have to be 1, its just whatever untagged vlan you setup on your switch that is connected to.. I have one that is vlan 20 on my switch for the untagged network. On top of that interface their are tagged vlans.
What ever vlan in your switch you want your lan to be on this would be untagged to pfsense lan port. Any vlans have setup on pfsense you want would be tagged on this port. IF your going to tag both vlans then you would need to change your lan to a vlan..
All your other ports that are going to connect to devices would normally be untagged in that vlan. Ports that are going to be uplinked to other switches or devices that will understand the tags would then tag all the vlans you want to send to that device.
Vlan 1 nothing more than the default untagged vlan on a switch.. But pfsense normal interface doesn't know or care about what vlan the switch calls it - its just the untagged traffic. You only ever have one vlan on any port or interface as untagged. Since if not tagged the device/switch has no way to know which traffic is on which vlan, etc.
-
One other question on this is routing between interfaces. I have the same configuration as the OP, with a LAN & VLAN on the same interface. While I can ping the pfSense VLAN interface from my notebook computer, I can't ping VLAN address on my desktop computer. I do see RAs on that VLAN though. When I ping from the desktop computer, that has the VLAN enabled, I can see the pings going out, but no response from pfSense.
Just to clarify, on the pfSense router, the main LAN is 172.16.0.1/24, VLAN3 is 172.16.3.1/24 My desktop system has both LAN (172.16.0.10) and VLAN (172.16.3.10) enabled, but my notebook computer LAN (172.16.0.40) only. From the notebook, I can ping 172.16.3.1, but not 172.16.3.10. From the desktop, when I ping 172.16.3.1, I get no response.
I'll worry about IPv6 later.
-
what are you rules on these interfaces?
-
At the moment, I don't have any rules. I had tried setting up rules to allow everything from one interface to the other, with one rule for each direction on each interface, but that didn't work. That's why I'm asking what is supposed to be used. Documentation on this appears to be very scarce.
-
I just created a single rule for VLAN3, based on what's on LAN. I've attached both.
-
well with those rules.. Then yes anything on lan should be able to ping anything on vlan3.. And vlan3 should be able to ping anything on lan
For sure the interface on pfsense be it lan or vlan3.
If you can not ping some client on the other network then is either that client has firewall or maybe it doesn't have pfsense set as its gateway.
are you saying a device on lan can ping the pfsense lan IP, but it can not ping the vlan3 pfsense interface IP? I would check your masks on your client and pfsense for your interface IPs.
-
A bit of change. After creating that single rule, I can now ping the firewall from the desktop via VLAN3 and the desktop from the firewall, but couldn't earlier. However, when I ping from the notebook to the desktop VLAN interface, I can the incoming ping, with Wireshark, but no response. However, the source of the incoming ping, from the notebook, is from 172.16.0.40. Yet I don't see a response on either VLAN or LAN. Not sure what's happening. Perhaps the desktop system is getting confused about having 2 routes to the notebook. I'll have to try creating a separate interface, instead of VLAN3, to see if that eliminates the problem.
There is a firewall, but turning it off doesn't make any difference. Both the desktop and notebook are running openSUSE 42.3.
-
Just to clarify, on the pfSense router, the main LAN is 172.16.0.1/24, VLAN3 is 172.16.3.1/24 My desktop system has both LAN (172.16.0.10) and VLAN (172.16.3.10) enabled, but my notebook computer LAN (172.16.0.40) only. From the notebook, I can ping 172.16.3.1, but not 172.16.3.10. From the desktop, when I ping 172.16.3.1, I get no response.
You will have asymmetry in that case.
When 172.16.0.40 has traffic for 172.16.3.10 it will send it to the default gateway and it will be routed out the 172.16.3.0 interface.
That traffic will arrive at 172.16.3.10 sourced from 172.16.0.40.
When 172.16.3.10 has reply traffic, the proper thing to happen would be for it to be sent back to the 172.16.3.1 for routing but that will not happen. 172.16.3.10 also has an interface in the laptop's local subnet so 172.16.0.10 will ARP for 172.16.0.40 (if necessary) and send the reply traffic directly. I wouldn't say it is confused. It is just doing as it has been told.
I generally have a few VLAN interfaces on my workstation, too, but I only use them to source connections from there to something else on the local subnet. That way reply traffic is always same-subnet and it works. I never expect it to be routed.
-
You will have asymmetry in that case.
That what I suspected and mentioned in the post above yours. I'll have to create another interface that I can experiment with. I just plugged in another NIC, but it doesn't seem to come up. I'll have to investigate why. I'm not sure if it's good or not, as it was given to me by a friend years ago. If not, I'll have to connect my Cisco router and use VLAN3 on it to experiment with.
Incidentally, that NIC, while listed in the dashboard, doesn't show a MAC or IP address. The ifconfig command shows a MAC but not IP address.
You will have asymmetry in that case.
That what I suspected and mentioned in the post above yours. I'll have to create another interface that I can experiment with. I just plugged in another NIC, but it doesn't seem to come up. I'll have to investigate why. I'm not sure if it's good or not, as it was given to me by a friend years ago. If not, I'll have to connect my Cisco router and use VLAN3 on it to experiment with.
Incidentally, that NIC, while listed in the dashboard, doesn't show a MAC or IP address. The ifconfig command shows a MAC but not IP address.
Here's what ifconfig shows.
em0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 90:e2:ba:4d:d6:b3
hwaddr 90:e2:ba:4d:d6:b3
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: activeAnd on Status > Interfaces I see this, which I find curious.
</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></broadcast,simplex,multicast>
-
No idea what you are showing us there. that is em0 and bge0.
A parent interface of a VLAN will show like that if it is not assigned to an interface and numbered.
igb1 is not assigned in interfaces > assignments:
igb1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:08:a2:0a:59:42
hwaddr 00:08:a2:0a:59:42
inet6 fe80::208:a2ff:fe0a:5942%igb1 prefixlen 64 scopeid 0x2
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: activeVLAN 223 is…
igb1_vlan223: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:08:a2:0a:59:42
inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
inet6 2600:dead:beef:cafe:208:a2ff:fe0a:5942 prefixlen 64
inet6 fe80::1:1%igb1_vlan223 prefixlen 64 scopeid 0xb
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 223 vlanpcp: 0 parent interface: igb1</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast> -
I was showing the LAN4 interface, which doesn't appear to have a MAC address, though it does in ifconfig. I also don't know why it shows opvpns1 on it.
Curious. -
Because it is assigned to an OpenVPN instance. Look in Interfaces > (assign).
-
Openvpn was assigned, but I have absolutely no idea how that wound up on there. I deleted that assignment and created a new one as em0 and it came up.
-
I just came across something curious. I've set up the new interface for LAN4 and enabled both IPv4 and IPv6. The IPv6 prefix is within my /56. When I ping my desktop computer, on it global IPv6 address, it's successful. When I try on it's ULA, I get a "Destination unreachable: No route" error. Traceroute show the path ending at 2607:f798:10:10ac:0:690:6325:5193. I have no idea where that is, but it's certainly not on my network. Host lookup doesn't provide a host name. Why is pfSense trying to route a ULA off my network? Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.
-
Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?
Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.
Those block inbound connections, not outbound. You have to specifically block RFC1918 and ULA from egressing outbound using floating rules on WAN out. At least that's how I like to do it.
