Virtual Interfaces



  • Hello Pfsense world,

    I'm very new to this and have been having trouble understanding how to make this happen.

    I have two NIC cards, one for WAN, the other LAN. I have a DD-WRT wireless router that I set to AP. All working fine.

    I want to set up a virtual interface for my guests at the house on a different sub. I use 192.168.1…... for which the pfSense router sets the DHCP. So I want the guests to be like 192.168.2........ whatever.

    I want to be able to control their BW so they're not hogging it all up. At the same time I want to be able to have my personal wireless also, on the 192.168.1.....

    Could someone guide me in the right path to get this done?

    Thanks



  • I am not familiar with DD-Wrt but you need to make sure it is VLAN capable…do some research on this.

    Assuming you have a VLAN capable AP, you need to follow these steps:

    1. Go to "Interfaces -> Assignment -> VLANs" -> "Add" button, pick the parent (aka trunk) interface (your LAN interface), give your VLANs tags...say VLAN 10, VLAN 20, VLAN 30, etc...put descriptions for each VLAN.
    2. Go to "Interfaces -> Assignment -> Interface Assignments"...you should now see "Add" buttons for each VLAN created. Add each VLAN...
    3. Go to "Interfaces" -> you should see each new interface in the drop-down...configure each VLAN with a new IP
    4. Go to "Services -> DHCP Server"...enable each VLAN with a new IP and range...assuming you want each VLAN to be configured similarly to LAN
    5. Treat each VLAN like a separate interface, i.e. add rules to each VLAN interface, fixed leases, possible aliases, etc...

    Those VLAN Tag# you gave in step 1 are added to your VLAN capable AP so they can direct the traffic accordingly.

    I haven't done BW management in pfSense but I believe this is relatively easy. I would suggest you set up the separate interfaces first, then dive into BW management.

    I hope that helps and good luck...not too hard.

    V

    (Updated with edits)



  • @V3lcr0:

    Thank you for your help..

    So  I got up to Steps 1-3..

    When I got to step 4 I got lost. I do not see the VLANS I created in DHCP Server tab.

    Am I supposed to add something there as well…

    Thanks



  • Did you check the "Enable interface" at the top?

    For "IPv4 Configuration Type" did you choose "Static IPv4"?

    Under "Static IPv4 Configuration" did you enter the new IPv4 Address(different to your LAN) and did you choose the "/24" from the drop down box to the right of your new IPv4?

    updates made



  • @V3lcr0:

    I used a static IP and I used /32 because it said something else using /24

    I also checked the enable box ..
    I'm using 2.3.4_1 pfSense also..



    • Using an incorrect subnet mask, such as /32, will prevent other hosts in the VLAN from finding the VLAN to use as a gateway and vice versa.

    https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

    "I used a static IP and I used /32 because it said something else using /24"

    It would help if you better define "it said something else using /24". If you are able to, I would suggest posting screen shots from steps 1-3.



  • Ditto, post screen shots…I'll bet it's a simple setting.



  • @V3lcr0:

    First, thanks guys for all your help and input… So here are some screen shots of the pfSense and also the DD-WRT AP.

    I got all the steps from 1-4.
    I can see what you guys said now.

    So here's what's next.  Im not able to get internet service from the to different  as

    Physical interface wl0 - SSID 192.168.1....  then I have a virtual interface wl0.1 SSID 192.168.0.......

    I gave both of these interfaces static IPs in pfSense according to their MAC address given in DD-WRT...

    Thanks










  • I don't know DD-WRT (I use a Unifi AP pro) which had a super simple setup of VLAN SSIDs…I simply created new SSIDs and entered the VLAN Tag, Name, Password and that was it.

    Not sure what "Im not able to get internet service from the to different  as" means but have you added rules to each VLAN interface?

    Go to Firewall -> Rules -> LAN. Assuming you haven't changed your default rule, copy that rule into each of your VLAN interfaces (use the "copy" icon on the far right of the default LAN rule). That will allow connectivity and internet access.

    Keep in mind this default rule will need to be hardened in order to keep your VLANs isolated...I posted my rules in an earlier post if you want to see how I have my network set up: https://forum.pfsense.org/index.php?topic=138623.msg757814#msg757814



  • @V3lcr0:

    I'm still trying and trying to get this to work, no luck whatsoever. The DHCP is just not giving out an IP for the different subnets…..

    Do I have to create a VLAN for the AP that I want to have on my same network also .. I know I need one for the guests...



  • I am starting to get out of my realm of expertise but I'll share how my setup is and maybe suggest a similar setup…open to feedback if others have a different recommendation:

    My setup is as follows:

    WAN - Nic1
    LAN - Nic2 - connected to my AP

    VLAN - 10 (LAN as the parent interface I believe this is also called the "trunk") - SSID called "Cat1" - used for IOT devices
    VLAN - 20 (LAN as the parent interface) - SSID called "FBI2" - used for wife devices
    VLAN - 30 (LAN as the parent interface) - SSID called "Racecar3" - used for "admin" device to access pfSense
    VLAN - 40 (LAN as the parent interface) - SSID called "Horse4" - used for "work"

    As you can see my devices (clients) never really access the LAN directly (except for the AP, which shows up as a lease in my)....the separate interfaces allow for simpler rule setup...

    Maybe share a screen shot of one of your VLAN interface rules in pfSense? Did you make sure that the LAN is the parent interface for your VLANs in pfSense (it defaults to WAN which won't work for your setup)? I have screwed up these 2 things before...

    Some good things to check in pfSense are:
    Status -> DHCP Leases....do you see your leases for any devices? Your AP clients? I assume you are looking for DHCP leases on pfSense?
    Interfaces -> VLANs -> click on the pencil icon for one of your VLANs -> Parent interface: is the LAN the "Parent Interface"?
    Services -> DHCP Server - "Enable"(Is there a check mark in this box?)

    I can help with pfSense but I suspect it's a configuration in DD-WRT…



  • @V3lcr0:

    Thanks for the info.. For some reason when I create the VLANs and I enable them, it's not showing up in the DHCP service section..


  • LAYER 8 Netgate

    You have to actually assign the VLAN to a pfSense interface in Interfaces > Assignments.

    You then have to edit the interface, enable it, and assign the layer 3 address/netmask to it.

    You will then be able to create firewall rules, DHCP servers, etc.



  • @Derelict:

    Thank you. I did the steps you guys say but it's not there. Here's some screen shots..







  • LAYER 8 Netgate

    Put something other than /32 on the OPT1 interface. There is no reason to run a DHCP server on a /32 interface. Try /24.
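
The addressing point made in the replies above (a /32 on the VLAN interface leaves no room for DHCP clients, a /24 does), as an added Python example that is not part of the original posts. 192.168.1.x and 192.168.2.x are the subnets from the first post; the `.1` gateway addresses, the pool range and the `check_vlan_plan` helper are assumptions for illustration.

```python
import ipaddress

def check_vlan_plan(lan_cidr, vlan_if_cidr, pool_start, pool_end):
    """Return a list of problems with a VLAN interface + DHCP pool plan.

    lan_cidr / vlan_if_cidr are interface addresses with prefix,
    e.g. "192.168.2.1/24"; pool_start / pool_end bound the DHCP range.
    """
    problems = []
    lan = ipaddress.ip_interface(lan_cidr).network
    iface = ipaddress.ip_interface(vlan_if_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # /32 = only the interface itself; /31 = one peer. No room for a pool.
    if net.prefixlen >= 31:
        problems.append("no-client-addresses")
    # The guest subnet must not collide with the existing LAN subnet.
    if net.overlaps(lan):
        problems.append("overlaps-lan")
    if start > end:
        problems.append("pool-reversed")
    # Both ends of the pool must be assignable host addresses in the subnet.
    edges = (net.network_address, net.broadcast_address)
    if any(a not in net or a in edges for a in (start, end)):
        problems.append("pool-outside-subnet")
    # The interface (gateway) address must not be handed out to a client.
    if start <= iface.ip <= end:
        problems.append("pool-contains-gateway")
    return problems

# Constructed sample values (assumed gateway addresses and pool range).
LAN = "192.168.1.1/24"
POOL = ("192.168.2.100", "192.168.2.200")

if __name__ == "__main__":
    for candidate in ("192.168.2.1/32", "192.168.2.1/24"):
        print(candidate, check_vlan_plan(LAN, candidate, *POOL) or "ok")
```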



  • @Derelict:

    Thank you for your time and your help..
    So here's where I'm at now..  I changed the interface to /24 like you said. It shows up now. I enabled it, great. Now the DHCP is not assigning out the IPs, but I read where I need to create rules for these two VLANs.

    What rules need to be placed?  Someone said copy the LAN rule. I did but it doesn't allow paste to the VLANs.

    Also when I type in the VLAN's IP that I gave, it comes up to log in to the pfSense. ….

    Thanks so much, almost there. Also when I connect to the AP it tries but says no internet connection...



  • I believe that you may be barking up the wrong tree. Put a packet capture and see if there is any traffic.

    What did you do to configure your vlan on AP and switch?
    How did you verify that these are working?


  • LAYER 8 Netgate

    You will get DHCP with zero rules on the interface but will not be able to pass any traffic. If the DHCP server is enabled and you are not getting assigned addresses, check that all your VLAN tagging, etc is correct at layer 2.
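
The layer 2 check suggested in the two replies above, as an added Python example that is not part of the original posts: it reads raw Ethernet frames captured on the parent (trunk) interface and counts DHCP traffic per 802.1Q VLAN ID, so untagged or missing guest traffic stands out. VLAN IDs 10 and 20 follow the tags used earlier in the thread; the helper names and the header-only sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify_frame(frame: bytes):
    """Return (vlan_id or None, is_dhcp) for one raw Ethernet frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, l3 = None, 14
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, l3 = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    if len(frame) < l3 + 20 or ethertype != 0x0800 or frame[l3 + 9] != 17:
        return vlan_id, False  # too short, or not IPv4/UDP
    l4 = l3 + (frame[l3] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return vlan_id, {sport, dport} == {67, 68}

def dhcp_by_vlan(frames, expected_vlans):
    """Count DHCP frames per VLAN ID; list expected IDs that never appear."""
    seen = Counter(v for v, is_dhcp in map(classify_frame, frames) if is_dhcp)
    missing = sorted(set(expected_vlans) - set(seen))
    return dict(seen), missing

def make_discover(vlan_id=None):
    """Constructed sample: header-only DHCP client broadcast, optional tag."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    return eth + tag + struct.pack("!H", 0x0800) + ip + udp

# Constructed capture: two requests tagged VLAN 10, one untagged, none on 20.
SAMPLE = [make_discover(10), make_discover(10), make_discover(None)]

if __name__ == "__main__":
    counts, missing = dhcp_by_vlan(SAMPLE, expected_vlans=[10, 20])
    print("DHCP frames per VLAN (None = untagged):", counts)
    print("expected VLANs with no DHCP traffic:", missing)
```

A `None` key means the request reached the parent interface untagged, so the VLAN interface's DHCP server never sees it; an ID in the missing list means the AP or switch is not passing that tag at all.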



  • @V3lcr0:

    Thanks. Do I also have to make VLANs in the AP too? I'm using the UniFi Pro also now..



  • That's the $h1++y thing about Unifi AP…in order to configure the VLANs in a Unifi AP you need to use a computer. You can't set up VLANs using the app (at least iOS).

    Here is a post on how to set it up:
    https://forum.pfsense.org/index.php?topic=137134.msg750913#msg750913

    Hang in there!!

