VLAN not working



  • I have pfSense with WAN and LAN (simplified).

    LAN interface is VLAN tagged for three subnetworks, LAN1, LAN2 and LAN3.

    Switch is a Ubiquiti managed switch. Everything supports 802.1Q.

    LAN1 has VLAN tag of 3, LAN2 is 4 and LAN3 is 5.  All three LANs are associated with different subnets.

    pfSense LAN is connected to port 1 of the switch, marked as All (i.e. not tagged to any VLANID).
    PC1 on LAN1 is connected to port 2 of the switch, marked as tagged VLANID 3.
    PC2 on LAN2 is connected to port 3 of the switch, marked as tagged VLANID 4.
    PC3 on LAN3 is connected to port 4 of the switch, marked as All (i.e. not tagged to any VLANID).

    PC1 can talk to PC2 just fine and vice versa.

    PC3 is Linux, using module 8021q, and VLAN set up on the interface. Basically I have eth0.3 and eth0.5 (i.e. one VLAN IP on #3 and one on #5).

    I can talk from PC1 to PC3 on VLAN3 just fine.

    I can NOT talk from PC1 to PC3 on VLAN5.

    From pfSense, if I try to connect to PC3 on VLAN5 IP from the pfSense LAN3 IP, it works - I see Syn, Syn/Ack, Ack (as measured on the main interface on PC3)
    From pfSense, if I try to connect to PC3 on VLAN5 IP from the pfSense LAN1/LAN2 IP, it does NOT work - I see Syn but never any Syn/Ack on PC3. PC3 has only one interface with the two VLANs. By doing a tcpdump with -e I can see the VLAN tag, and can see all traffic for #3 and #5, so it is not as if the Syn/Ack is being sent via VLAN3. This applies to SSH, NC and anything that listens on PC3 VLAN5.

    What am I doing wrong?



  • Just an observation but it seems like a PC3/Linux config issue… I'll bet if you put PC3 on VLAN 3 and PC1 on VLAN5 you have the same issue... In the spirit of seeking to understand, what are you trying to do? Not sure if I can help, but you're close on setting up VLANs if you aren't already there?

    Why this setup?:
    "PC3 is Linux, using module 8021q, and VLAN set up on the interface. Basically I have eth0.3 and eth0.5 (i.e. one VLAN IP on #3 and one on #5)."

    Again willing to learn but why don't you name LAN1=VLAN3, LAN2=VLAN4 and LAN3...just use your LAN utilizing rules?



  • Once again I seem to have found an answer:

    https://www.linuxquestions.org/questions/linux-networking-3/server-on-multiple-vlans-server-not-responding-to-pings-from-non-local-subnets-819880/

    Now I just need to understand it.

    It has to do with traffic being dropped when it leaves on a different interface than the one it arrived on. I tried to work around a router on a LAN segment issue - but this will also not work. I will need a dedicated router to make this work :S
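Added example, not from this thread or the linked post: a small model of how Linux strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1), the kernel mechanism that drops a packet whose reply would leave on a different interface than it arrived on, decides the fate of each SYN in the topology above. The addresses, the default route via VLAN 3 and the interface names other than eth0.3/eth0.5 are constructed assumptions; the thread gives none of them.

```python
import ipaddress

# Constructed topology following the thread: PC3 has one NIC carrying two
# 802.1Q sub-interfaces, and pfSense is the gateway (.1) on each VLAN.
# Main routing table of PC3: the two connected subnets plus one default
# route (assumed to point at pfSense on VLAN 3).
PC3_ROUTES = [
    (ipaddress.ip_network("192.168.3.0/24"), "eth0.3"),   # VLAN 3 = LAN1
    (ipaddress.ip_network("192.168.5.0/24"), "eth0.5"),   # VLAN 5 = LAN3
    (ipaddress.ip_network("0.0.0.0/0"), "eth0.3"),        # default route
]


def lookup(dst, routes=PC3_ROUTES):
    """Longest-prefix match: egress interface PC3 would use for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rp_filter_accepts(src, ingress, mode, routes=PC3_ROUTES):
    """Reverse-path check as Linux applies it to an incoming packet.
    mode 0 = off, 1 = strict (the route back to src must use the ingress
    interface), 2 = loose (any route back to src is enough)."""
    if mode == 0:
        return True
    reverse = lookup(src, routes)
    if mode == 1:
        return reverse == ingress
    return reverse is not None


def syn_handling(src, ingress, mode):
    """Fate of a SYN from src arriving on ingress: the interface the SYN/ACK
    leaves on, or 'dropped'. tcpdump still shows a dropped SYN, because the
    reverse-path check runs after capture, which matches the symptom in the
    thread (SYN seen on PC3, no SYN/ACK ever sent)."""
    if not rp_filter_accepts(src, ingress, mode):
        return "dropped"
    return lookup(src)


if __name__ == "__main__":
    for src, ingress in [("192.168.5.1", "eth0.5"),    # pfSense LAN3 IP
                         ("192.168.3.1", "eth0.5"),    # pfSense LAN1 IP
                         ("192.168.3.10", "eth0.5"),   # PC1 -> PC3 VLAN5 IP
                         ("192.168.3.10", "eth0.3")]:  # PC1 -> PC3 VLAN3 IP
        print(src, ingress, "strict:", syn_handling(src, ingress, 1),
              "loose:", syn_handling(src, ingress, 2))
```

With strict filtering only the connection sourced from the pfSense LAN3 address survives, exactly the pattern reported; loose mode (rp_filter=2) lets the others through but the SYN/ACK then leaves on eth0.3, so the path stays asymmetric.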

